Fix the "certificate is not yet valid" error for server certificates

net/base/x509_certificate_openssl.cc

Index: net/base/x509_certificate_openssl.cc
===================================================================
--- net/base/x509_certificate_openssl.cc	(revision 107789)
+++ net/base/x509_certificate_openssl.cc	(working copy)
@@ -325,6 +325,7 @@
 void X509Certificate::Initialize() {
   crypto::EnsureOpenSSLInit();
   fingerprint_ = CalculateFingerprint(cert_handle_);
+  chain_fingerprint_ = CalculateChainFingerprint();
 
   ASN1_INTEGER* num = X509_get_serialNumber(cert_handle_);
   if (num) {
@@ -347,6 +348,7 @@
   X509InitSingleton::GetInstance()->ResetCertStore();
 }
 
+// static
 SHA1Fingerprint X509Certificate::CalculateFingerprint(OSCertHandle cert) {
   SHA1Fingerprint sha1;
   unsigned int sha1_size = static_cast<unsigned int>(sizeof(sha1.data));
@@ -356,6 +358,26 @@
   return sha1;
 }
 
+SHA1Fingerprint X509Certificate::CalculateChainFingerprint() const {
+  SHA1Fingerprint sha1;
+  memset(sha1.data, 0, sizeof(sha1.data));
+
+  SHA_CTX sha1_ctx;
+  SHA1_Init(&sha1_ctx);
+  DERCache der_cache;
+  if (!GetDERAndCacheIfNeeded(cert_handle_, &der_cache))
+    return sha1;
+  SHA1_Update(&sha1_ctx, der_cache.data, der_cache.data_length);
+  for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) {
+    if (!GetDERAndCacheIfNeeded(intermediate_ca_certs_[i], &der_cache))
+      return sha1;

[Ryan Sleevi, 2011/10/28 23:55:03]

BUG: sha1_ctx is leaked/improperly cleaned up here

+    SHA1_Update(&sha1_ctx, der_cache.data, der_cache.data_length);
+  }
+  SHA1_Final(sha1.data, &sha1_ctx);
+
+  return sha1;
+}
+
 // static
 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
     const char* data, int length) {