Fix validity times on certificates issued by the Darwin framework. #20637
Merged: Damian-Nordic merged 1 commit into project-chip:master from bzbarsky-apple:fix-darwin-cert-times on Jul 13, 2022
+7
−3
pullapprove bot requested review from andy31415, anush-apple, arkq, Byungjoo-Lee, carol-apple, chrisdecenzo, chshu, chulspro, Damian-Nordic, dhrishi, electrocucaracha, emargolis, franck-apple, gjc13, harimau-qirex, harsha-rajendran, hawk248, isiu-apple, jelderton, jepenven-silabs, jmartinez-silabs, jtung-apple, kpschoedel, lazarkov, LuDuda, mlepage-google, mrjerryjohns, msandstedt and mspang (July 12, 2022 19:10)
pullapprove bot requested review from mspang, rgoliver, saurabhst, selissia, tcarmelveilleux, tecimovic, turon, vijs, vivien-apple, wbschiller, woody-apple and xylophone21 (July 12, 2022 19:10)
PR #20637: Size comparison from 57cb679 to ae3a9e8 Increases (28 builds for bl602, cc13x2_26x2, cyw30739, linux, mbed, nrfconnect, p6, telink)
Decreases (4 builds for cc13x2_26x2, cyw30739)
Full report (36 builds for bl602, cc13x2_26x2, cyw30739, k32w, linux, mbed, nrfconnect, p6, telink)
The Darwin framework was using the current timezone, not UTC, when determining the Matter epoch time corresponding to a given offset from now. This caused the epoch times it computed to be off by the offset from UTC. In timezones ahead of UTC, this could easily lead to certificates with mNotBeforeTime set to a value larger than the current UTC time, which would then cause those certificates to be considered not-yet-valid. Fixes project-chip#20302
bzbarsky-apple force-pushed the fix-darwin-cert-times branch from ae3a9e8 to 5fe6b01 (July 12, 2022 20:00)
PR #20637: Size comparison from 01a11aa to 5fe6b01 Increases (34 builds for bl602, cc13x2_26x2, cyw30739, efr32, esp32, linux, mbed, nrfconnect, p6, telink)
Decreases (4 builds for cc13x2_26x2, cyw30739)
Full report (43 builds for bl602, cc13x2_26x2, cyw30739, efr32, esp32, k32w, linux, mbed, nrfconnect, p6, telink)
andy31415 approved these changes Jul 12, 2022
emargolis approved these changes Jul 12, 2022
Damian-Nordic approved these changes Jul 13, 2022
github-actions bot pushed a commit that referenced this pull request Jul 13, 2022
…20637) The Darwin framework was using the current timezone, not UTC, when determining the Matter epoch time corresponding to a given offset from now. This caused the epoch times it computed to be off by the offset from UTC. In timezones ahead of UTC, this could easily lead to certificates with mNotBeforeTime set to a value larger than the current UTC time, which would then cause those certificates to be considered not-yet-valid. Fixes #20302
andy31415 pushed a commit that referenced this pull request Jul 13, 2022
…20637) (#20669) The Darwin framework was using the current timezone, not UTC, when determining the Matter epoch time corresponding to a given offset from now. This caused the epoch times it computed to be off by the offset from UTC. In timezones ahead of UTC, this could easily lead to certificates with mNotBeforeTime set to a value larger than the current UTC time, which would then cause those certificates to be considered not-yet-valid. Fixes #20302 Co-authored-by: Boris Zbarsky <[email protected]>
ajwak pushed a commit to ajwak/connectedhomeip that referenced this pull request Jul 13, 2022
…roject-chip#20637) The Darwin framework was using the current timezone, not UTC, when determining the Matter epoch time corresponding to a given offset from now. This caused the epoch times it computed to be off by the offset from UTC. In timezones ahead of UTC, this could easily lead to certificates with mNotBeforeTime set to a value larger than the current UTC time, which would then cause those certificates to be considered not-yet-valid. Fixes project-chip#20302
The Darwin framework was using the current timezone, not UTC, when determining
the Matter epoch time corresponding to a given offset from now. This caused the
epoch times it computed to be off by the offset from UTC. In timezones ahead of
UTC, this could easily lead to certificates with mNotBeforeTime set to a value
larger than the current UTC time, which would then cause those certificates to
be considered not-yet-valid.
Fixes #20302
Problem
See above.
Change overview
Use `componentsInTimeZone` with the UTC timezone to get the right values.
Testing
Checked the times logged in ValidateCert per the logging suggested in #20302 and verified that I was getting mNotBeforeTime hours off from "now" (corresponding to my timezone) before this PR and get times that are almost now after this PR.
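
The failure mode this PR describes, reproduced as an added Python example (not the Darwin framework's code and not part of the PR): calendar fields for "now" are broken out either in the device's zone or in UTC, then handed to a converter that reads them as UTC. All function names, the sample instant and the fixed-offset zones are constructed for illustration; the only fact taken as given is that Matter epoch time counts seconds from 2000-01-01 00:00:00 UTC.

```python
from datetime import datetime, timedelta, timezone

# Matter epoch time counts seconds from 2000-01-01 00:00:00 UTC.
MATTER_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)


def to_matter_epoch(dt_utc):
    """Seconds since the Matter epoch for an aware datetime."""
    return int((dt_utc - MATTER_EPOCH).total_seconds())


def fields_to_matter_epoch(c):
    """Hypothetical converter: reads calendar fields as if they were UTC,
    ignoring whatever zone they were actually broken out in."""
    as_utc = datetime(c.year, c.month, c.day, c.hour, c.minute, c.second,
                      tzinfo=timezone.utc)
    return to_matter_epoch(as_utc)


def not_before_time(now_utc, device_tz, use_utc_fields):
    """Compute a NotBefore of 'now'.
    use_utc_fields=False models the bug (fields taken in the device zone);
    True models the fix (fields taken in UTC)."""
    zone = timezone.utc if use_utc_fields else device_tz
    return fields_to_matter_epoch(now_utc.astimezone(zone))


def is_not_yet_valid(not_before, now_utc):
    """Validator-side check: NotBefore later than the current UTC time."""
    return not_before > to_matter_epoch(now_utc)


def skew_report(now_utc, offsets_hours):
    """(offset, buggy skew in s, buggy rejected?, fixed skew in s) per zone."""
    rows = []
    for h in offsets_hours:
        tz = timezone(timedelta(hours=h))
        buggy = not_before_time(now_utc, tz, use_utc_fields=False)
        fixed = not_before_time(now_utc, tz, use_utc_fields=True)
        now_s = to_matter_epoch(now_utc)
        rows.append((h, buggy - now_s, is_not_yet_valid(buggy, now_utc),
                     fixed - now_s))
    return rows


# Constructed sample instant and constructed fixed-offset zones.
SAMPLE_NOW = datetime(2022, 7, 12, 19, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in skew_report(SAMPLE_NOW, [-7, 0, 2, 9]):
        print(row)
```

In this model a zone behind UTC does not trip the not-yet-valid check, but its NotBefore is still backdated by the full offset, so the skew is present on both sides of UTC.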