Consider the verification time as well as the expiration time when caching certificate verification…

net/base/multi_threaded_cert_verifier.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_MULTI_THREADED_CERT_VERIFIER_H_
 #define NET_BASE_MULTI_THREADED_CERT_VERIFIER_H_
 #pragma once
 
 #include <map>
 #include <string>
@@ skipping 90 matching lines @@
 
   // CachedResult contains the result of a certificate verification.
   struct CachedResult {
     CachedResult();
     ~CachedResult();
 
     int error;  // The return value of CertVerifier::Verify.
     CertVerifyResult result;  // The output of CertVerifier::Verify.
   };
 
+  // Rather than having a single validity point along a monotonically increasing
+  // timeline, certificate verification is based on falling within a range of
+  // the certificate's NotBefore and NotAfter and based on what the current
+  // system clock says (which may advance forwards or backwards as users correct
+  // clock skew). ValidityRange and CompareValidityFn are helpers to ensure that
+  // expiration is measured both by the 'general' case (now + cache TTL) and by
+  // whether or not significant enough clock skew was introduced since the last
+  // verification.
+  struct ValidityRange {

[wtc, 2012/06/18 22:10:38]

Nit: this seems to be more commonly called the validity period.

[Ryan Sleevi, 2012/06/19 00:59:28]

To some degree, I think I wanted to avoid that term, because this is not tied to
the certificate's validity period (as szym pointed out), but instead part of the
cache's validity period. However, period vs range may not be as significant as
'validity' in terms of naming.

CacheValidityPeriod is perhaps a better name, if wordier.

+    explicit ValidityRange(const base::Time& now);
+    ValidityRange(const base::Time& now, const base::Time& expiration);
+
+    base::Time verification_time;
+    base::Time expiration_time;
+  };
+
+  typedef bool (*CompareValidityFn)(const ValidityRange&, const ValidityRange&);
+  typedef ExpiringCache<RequestParams, CachedResult, ValidityRange,
+                        CompareValidityFn> CertVerifierCache;
+
+  // Returns true if |now| is within the validity range of |expiration|.
+  static bool CompareValidityRange(const ValidityRange& now,
+                                   const ValidityRange& expiration);
+
   void HandleResult(X509Certificate* cert,
                     const std::string& hostname,
                     int flags,
                     int error,
                     const CertVerifyResult& verify_result);
 
   // CertDatabase::Observer methods:
   virtual void OnCertTrustChanged(const X509Certificate* cert) OVERRIDE;
 
   // For unit testing.
   void ClearCache() { cache_.Clear(); }
   size_t GetCacheSize() const { return cache_.size(); }
   uint64 cache_hits() const { return cache_hits_; }
   uint64 requests() const { return requests_; }
   uint64 inflight_joins() const { return inflight_joins_; }
   void SetCertVerifyProc(CertVerifyProc* verify_proc);
 
   // cache_ maps from a request to a cached result.
-  typedef ExpiringCache<RequestParams, CachedResult> CertVerifierCache;
   CertVerifierCache cache_;
 
   // inflight_ maps from a request to an active verification which is taking
   // place.
   std::map<RequestParams, CertVerifierJob*> inflight_;
 
   uint64 requests_;
   uint64 cache_hits_;
   uint64 inflight_joins_;
 
   scoped_refptr<CertVerifyProc> verify_proc_;
 
   DISALLOW_COPY_AND_ASSIGN(MultiThreadedCertVerifier);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_MULTI_THREADED_CERT_VERIFIER_H_