Fix the "certificate is not yet valid" error for server certificates

net/base/x509_certificate_openssl.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <openssl/asn1.h>
 #include <openssl/crypto.h>
 #include <openssl/obj_mac.h>
 #include <openssl/pem.h>
@@ skipping 307 matching lines @@
 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {
   // Decrement the ref-count for the cert and, if all references are gone,
   // free the memory and any application-specific data associated with the
   // certificate.
   X509_free(cert_handle);
 }
 
 void X509Certificate::Initialize() {
   crypto::EnsureOpenSSLInit();
   fingerprint_ = CalculateFingerprint(cert_handle_);
+  chain_fingerprint_ = CalculateChainFingerprint();
 
   ASN1_INTEGER* num = X509_get_serialNumber(cert_handle_);
   if (num) {
     serial_number_ = std::string(
         reinterpret_cast<char*>(num->data),
         num->length);
     // Remove leading zeros.
     while (serial_number_.size() > 1 && serial_number_[0] == 0)
       serial_number_ = serial_number_.substr(1, serial_number_.size() - 1);
   }
 
   ParsePrincipal(cert_handle_, X509_get_subject_name(cert_handle_), &subject_);
   ParsePrincipal(cert_handle_, X509_get_issuer_name(cert_handle_), &issuer_);
   x509_util::ParseDate(X509_get_notBefore(cert_handle_), &valid_start_);
   x509_util::ParseDate(X509_get_notAfter(cert_handle_), &valid_expiry_);
 }
 
 // static
 void X509Certificate::ResetCertStore() {
   X509InitSingleton::GetInstance()->ResetCertStore();
 }
 
+// static
 SHA1Fingerprint X509Certificate::CalculateFingerprint(OSCertHandle cert) {
   SHA1Fingerprint sha1;
   unsigned int sha1_size = static_cast<unsigned int>(sizeof(sha1.data));
   int ret = X509_digest(cert, EVP_sha1(), sha1.data, &sha1_size);
   CHECK(ret);
   CHECK_EQ(sha1_size, sizeof(sha1.data));
   return sha1;
 }
 
+SHA1Fingerprint X509Certificate::CalculateChainFingerprint() const {
+  SHA1Fingerprint sha1;
+  memset(sha1.data, 0, sizeof(sha1.data));
+
+  SHA_CTX sha1_ctx;
+  SHA1_Init(&sha1_ctx);
+  DERCache der_cache;
+  if (!GetDERAndCacheIfNeeded(cert_handle_, &der_cache))
+    return sha1;
+  SHA1_Update(&sha1_ctx, der_cache.data, der_cache.data_length);
+  for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) {
+    if (!GetDERAndCacheIfNeeded(intermediate_ca_certs_[i], &der_cache))
+      return sha1;

[Ryan Sleevi, 2011/10/28 23:55:03]

BUG: sha1_ctx is leaked/improperly cleaned up here

+    SHA1_Update(&sha1_ctx, der_cache.data, der_cache.data_length);
+  }
+  SHA1_Final(sha1.data, &sha1_ctx);
+
+  return sha1;
+}
+
 // static
 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
     const char* data, int length) {
   if (length < 0)
     return NULL;
   crypto::EnsureOpenSSLInit();
   const unsigned char* d2i_data =
       reinterpret_cast<const unsigned char*>(data);
   // Don't cache this data via SetDERCache as this wire format may be not be
   // identical from the i2d_X509 roundtrip.
@@ skipping 184 matching lines @@
   DERCache der_cache;
   if (!GetDERAndCacheIfNeeded(cert_handle, &der_cache))
     return false;
 
   return pickle->WriteData(
       reinterpret_cast<const char*>(der_cache.data),
       der_cache.data_length);
 }
 
 }  // namespace net