Consider the verification time as well as the expiration time when caching certificate verification…

net/base/multi_threaded_cert_verifier.h

Index: net/base/multi_threaded_cert_verifier.h
diff --git a/net/base/multi_threaded_cert_verifier.h b/net/base/multi_threaded_cert_verifier.h
index 632ae443370f5a3fa1180dd830db63518f284ab4..675360f949ef2152741e31e1f23307682178ff01 100644
--- a/net/base/multi_threaded_cert_verifier.h
+++ b/net/base/multi_threaded_cert_verifier.h
@@ -108,6 +108,30 @@ class NET_EXPORT_PRIVATE MultiThreadedCertVerifier
     CertVerifyResult result;  // The output of CertVerifier::Verify.
   };
 
+  // Rather than having a single validity point along a monotonically increasing
+  // timeline, certificate verification is based on falling within a range of
+  // the certificate's NotBefore and NotAfter and based on what the current
+  // system clock says (which may advance forwards or backwards as users correct
+  // clock skew). ValidityRange and CompareValidityFn are helpers to ensure that
+  // expiration is measured both by the 'general' case (now + cache TTL) and by
+  // whether or not significant enough clock skew was introduced since the last
+  // verification.
+  struct ValidityRange {

[wtc, 2012/06/18 22:10:38]

Nit: this seems to be more commonly called the validity period.

[Ryan Sleevi, 2012/06/19 00:59:28]

To some degree, I think I wanted to avoid that term, because this is not tied to
the certificate's validity period (as szym pointed out), but instead part of the
cache's validity period. However, period vs range may not be as significant as
'validity' in terms of naming.

CacheValidityPeriod is perhaps a better name, if wordier.

+    explicit ValidityRange(const base::Time& now);
+    ValidityRange(const base::Time& now, const base::Time& expiration);
+
+    base::Time verification_time;
+    base::Time expiration_time;
+  };
+
+  typedef bool (*CompareValidityFn)(const ValidityRange&, const ValidityRange&);
+  typedef ExpiringCache<RequestParams, CachedResult, ValidityRange,
+                        CompareValidityFn> CertVerifierCache;
+
+  // Returns true if |now| is within the validity range of |expiration|.
+  static bool CompareValidityRange(const ValidityRange& now,
+                                   const ValidityRange& expiration);
+
   void HandleResult(X509Certificate* cert,
                     const std::string& hostname,
                     int flags,
@@ -126,7 +150,6 @@ class NET_EXPORT_PRIVATE MultiThreadedCertVerifier
   void SetCertVerifyProc(CertVerifyProc* verify_proc);
 
   // cache_ maps from a request to a cached result.
-  typedef ExpiringCache<RequestParams, CachedResult> CertVerifierCache;
   CertVerifierCache cache_;
 
   // inflight_ maps from a request to an active verification which is taking