Fix the "certificate is not yet valid" error for server certificates

net/base/x509_certificate_win.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
+#include <sechash.h>  // Implement CalculateChainFingerprint() with NSS.
+
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/pickle.h"
 #include "base/sha1.h"
 #include "base/string_tokenizer.h"
 #include "base/string_util.h"
 #include "base/utf_string_conversions.h"
 #include "crypto/rsa_private_key.h"
 #include "crypto/scoped_capi_types.h"
 #include "net/base/asn1_util.h"
@@ skipping 517 matching lines @@
                             &cert_handle_->pCertInfo->Issuer,
                             CERT_X500_NAME_STR | CERT_NAME_STR_CRLF_FLAG,
                             WriteInto(&issuer_info, name_size), name_size);
   ParsePrincipal(WideToUTF8(subject_info), &subject_);
   ParsePrincipal(WideToUTF8(issuer_info), &issuer_);
 
   valid_start_ = Time::FromFileTime(cert_handle_->pCertInfo->NotBefore);
   valid_expiry_ = Time::FromFileTime(cert_handle_->pCertInfo->NotAfter);
 
   fingerprint_ = CalculateFingerprint(cert_handle_);
+  chain_fingerprint_ = CalculateChainFingerprint();
 
   const CRYPT_INTEGER_BLOB* serial = &cert_handle_->pCertInfo->SerialNumber;
   scoped_array<uint8> serial_bytes(new uint8[serial->cbData]);
   for (unsigned i = 0; i < serial->cbData; i++)
     serial_bytes[i] = serial->pbData[serial->cbData - i - 1];
   serial_number_ = std::string(
       reinterpret_cast<char*>(serial_bytes.get()), serial->cbData);
   // Remove leading zeros.
   while (serial_number_.size() > 1 && serial_number_[0] == 0)
     serial_number_ = serial_number_.substr(1, serial_number_.size() - 1);
@@ skipping 457 matching lines @@
   SHA1Fingerprint sha1;
   DWORD sha1_size = sizeof(sha1.data);
   rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded,
                             cert->cbCertEncoded, sha1.data, &sha1_size);
   DCHECK(rv && sha1_size == sizeof(sha1.data));
   if (!rv)
     memset(sha1.data, 0, sizeof(sha1.data));
   return sha1;
 }
 
+SHA1Fingerprint X509Certificate::CalculateChainFingerprint() const {
+  SHA1Fingerprint sha1;

[Ryan Sleevi, 2011/10/29 02:53:15]

Perhaps document here (or on line 7), why NSS was used. It seems out of place
compared to, say, the CryptoAPI calls, such as on line 1016.

[wtc, 2011/10/29 05:08:34]

Done.

In Patch Set 5 I also switched to the NSS low-level hash
functions to ensure this is fast.  The high-level hash
functions require NSS to be initialized, so I'd also need a
crypto::EnsureNSSInit() call.

+  memset(sha1.data, 0, sizeof(sha1.data));
+
+  HASHContext* sha1_ctx = HASH_Create(HASH_AlgSHA1);
+  if (!sha1_ctx)
+    return sha1;
+  HASH_Begin(sha1_ctx);
+  HASH_Update(sha1_ctx, cert_handle_->pbCertEncoded,
+              cert_handle_->cbCertEncoded);
+  for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) {
+    PCCERT_CONTEXT ca_cert = intermediate_ca_certs_[i];
+    HASH_Update(sha1_ctx, ca_cert->pbCertEncoded, ca_cert->cbCertEncoded);
+  }
+  unsigned int result_len;
+  HASH_End(sha1_ctx, sha1.data, &result_len, HASH_ResultLenContext(sha1_ctx));
+  HASH_Destroy(sha1_ctx);
+
+  return sha1;
+}
+
 // static
 X509Certificate::OSCertHandle
 X509Certificate::ReadOSCertHandleFromPickle(const Pickle& pickle,
                                             void** pickle_iter) {
   const char* data;
   int length;
   if (!pickle.ReadData(pickle_iter, &data, &length))
     return NULL;
 
   OSCertHandle cert_handle = NULL;
@@ skipping 21 matching lines @@
   if (!CertSerializeCertificateStoreElement(cert_handle, 0, &buffer[0],
                                             &length)) {
     return false;
   }
 
   return pickle->WriteData(reinterpret_cast<const char*>(&buffer[0]),
                            length);
 }
 
 }  // namespace net