Fix the "certificate is not yet valid" error for server certificates

net/base/x509_certificate_win.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/pickle.h"
 #include "base/sha1.h"
@@ skipping 523 matching lines @@
                             &cert_handle_->pCertInfo->Issuer,
                             CERT_X500_NAME_STR | CERT_NAME_STR_CRLF_FLAG,
                             WriteInto(&issuer_info, name_size), name_size);
   ParsePrincipal(WideToUTF8(subject_info), &subject_);
   ParsePrincipal(WideToUTF8(issuer_info), &issuer_);
 
   valid_start_ = Time::FromFileTime(cert_handle_->pCertInfo->NotBefore);
   valid_expiry_ = Time::FromFileTime(cert_handle_->pCertInfo->NotAfter);
 
   fingerprint_ = CalculateFingerprint(cert_handle_);
+  chain_fingerprint_ = CalculateChainFingerprint();
 
   const CRYPT_INTEGER_BLOB* serial = &cert_handle_->pCertInfo->SerialNumber;
   scoped_array<uint8> serial_bytes(new uint8[serial->cbData]);
   for (unsigned i = 0; i < serial->cbData; i++)
     serial_bytes[i] = serial->pbData[serial->cbData - i - 1];
   serial_number_ = std::string(
       reinterpret_cast<char*>(serial_bytes.get()), serial->cbData);
   // Remove leading zeros.
   while (serial_number_.size() > 1 && serial_number_[0] == 0)
     serial_number_ = serial_number_.substr(1, serial_number_.size() - 1);
@@ skipping 457 matching lines @@
   SHA1Fingerprint sha1;
   DWORD sha1_size = sizeof(sha1.data);
   rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded,
                             cert->cbCertEncoded, sha1.data, &sha1_size);
   DCHECK(rv && sha1_size == sizeof(sha1.data));
   if (!rv)
     memset(sha1.data, 0, sizeof(sha1.data));
   return sha1;
 }
 
+SHA1Fingerprint X509Certificate::CalculateChainFingerprint() const {
+  // TODO(wtc): implement this.

[agl, 2011/10/28 23:45:47]

It's not clear how this can be a TODO if the change is to fix the bug. Will this
not result in the current behaviour? Are you assuming that it's not urgent to
fix on Windows because we don't have any reports of problems on Windows? Ok if
so.

[Ryan Sleevi, 2011/10/28 23:55:03]

I fear once http://codereview.chromium.org/7324039/ lands that this will become
an issue, which is why I'm holding on to it for now.

It would be good if you could implement it here on Windows, as I think it is
potentially a concern there as well. Two reasons why I think it's possible on
Windows:
1) The cert may not have AIA info, preventing CryptoAPI from network fetching
2) Because of the thread-safety concerns with cert_store(), the newly added
(from the network) cert may be skipped when the CryptoAPI verification routines
are enumerating the PCCERT_CONTEXT->hCertStore, thus not picking them up and
using them.

[wtc, 2011/10/29 01:32:03]

Sorry about the confusion.  I have implemented this function
now.

I didn't use CryptoAPI because it was considered too slow
before.  I use NSS to implement this function.

+  return CalculateFingerprint(cert_handle_);
+}
+
 // static
 X509Certificate::OSCertHandle
 X509Certificate::ReadOSCertHandleFromPickle(const Pickle& pickle,
                                             void** pickle_iter) {
   const char* data;
   int length;
   if (!pickle.ReadData(pickle_iter, &data, &length))
     return NULL;
 
   OSCertHandle cert_handle = NULL;
@@ skipping 21 matching lines @@
   if (!CertSerializeCertificateStoreElement(cert_handle, 0, &buffer[0],
                                             &length)) {
     return false;
   }
 
   return pickle->WriteData(reinterpret_cast<const char*>(&buffer[0]),
                            length);
 }
 
 }  // namespace net