Handle Origin Bound Certificate expiration.

net/base/x509_util_nss.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_util.h"
 #include "net/base/x509_util_nss.h"
 
 #include <cert.h>
 #include <cryptohi.h>
 #include <pk11pub.h>
@@ skipping 60 matching lines @@
 
 // Creates a Certificate object that may be passed to the SignCertificate
 // method to generate an X509 certificate.
 // Returns NULL if an error is encountered in the certificate creation
 // process.
 // Caller responsible for freeing returned certificate object.
 CERTCertificate* CreateCertificate(
     SECKEYPublicKey* public_key,
     const std::string& subject,
     uint32 serial_number,
-    base::TimeDelta valid_duration) {
+    base::Time not_valid_before,
+    base::Time not_valid_after) {
   // Create info about public key.
   CERTSubjectPublicKeyInfo* spki =
       SECKEY_CreateSubjectPublicKeyInfo(public_key);
   if (!spki)
     return NULL;
 
   // Create the certificate request.
   CERTName* subject_name =
       CERT_AsciiToName(const_cast<char*>(subject.c_str()));
   CERTCertificateRequest* cert_request =
       CERT_CreateCertificateRequest(subject_name, spki, NULL);
   SECKEY_DestroySubjectPublicKeyInfo(spki);
 
   if (!cert_request) {
     PRErrorCode prerr = PR_GetError();
     LOG(ERROR) << "Failed to create certificate request: " << prerr;
     CERT_DestroyName(subject_name);
     return NULL;
   }
 
-  PRTime now = PR_Now();
-  PRTime not_after = now + valid_duration.InMicroseconds();
-
-  // Note that the time is now in micro-second unit.
-  CERTValidity* validity = CERT_CreateValidity(now, not_after);
+  CERTValidity* validity = CERT_CreateValidity(
+      crypto::BaseTimeToPRTime(not_valid_before),
+      crypto::BaseTimeToPRTime(not_valid_after));
   CERTCertificate* cert = CERT_CreateCertificate(serial_number, subject_name,
                                                  validity, cert_request);
   if (!cert) {
     PRErrorCode prerr = PR_GetError();
     LOG(ERROR) << "Failed to create certificate: " << prerr;
   }
 
   // Cleanup for resources used to generate the cert.
   CERT_DestroyName(subject_name);
   CERT_DestroyValidity(validity);
@@ skipping 52 matching lines @@
   cert->derCert = *result;
 
   return true;
 }
 
 bool CreateOriginBoundCertInternal(
     SECKEYPublicKey* public_key,
     SECKEYPrivateKey* private_key,
     const std::string& origin,
     uint32 serial_number,
-    base::TimeDelta valid_duration,
+    base::Time not_valid_before,
+    base::Time not_valid_after,
     std::string* der_cert) {
 
   CERTCertificate* cert = CreateCertificate(public_key,
                                             "CN=anonymous.invalid",
                                             serial_number,
-                                            valid_duration);
+                                            not_valid_before,
+                                            not_valid_after);
 
   if (!cert)
     return false;
 
   // Create opaque handle used to add extensions later.
   void* cert_handle;
   if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) {
     LOG(ERROR) << "Unable to get opaque handle for adding extensions";
     CERT_DestroyCertificate(cert);
     return false;
@@ skipping 51 matching lines @@
 
 namespace net {
 
 namespace x509_util {
 
 CERTCertificate* CreateSelfSignedCert(
     SECKEYPublicKey* public_key,
     SECKEYPrivateKey* private_key,
     const std::string& subject,
     uint32 serial_number,
     base::TimeDelta valid_duration) {

[wtc, 2011/12/20 19:46:55]

Is it more convenient for the CreateSelfSignedCert method
to take a valid_duration parameter?

For API consistency, it looks bad for one function to take
valid_duration and two functions to take not_valid_before and
not_valid_after.  Ideally we should fix this.  You can handle
this as a TODO.

[mattm, 2011/12/20 20:38:55]

Yeah, I was initially looking at updating this all the way up to the
X509Certificate API, but the mac API that's used for generated the self signed
certs actually takes the param as a delta.  (Could just calculate back from the
absolute times, but it would be weird if you ask for one time and the returned
cert has a slightly different time than you asked for.)  So then I gave up, but
really I could just change the x509_util api and keep the X509Certificate API. 

done.

+  base::Time not_valid_before = base::Time::Now();
+  base::Time not_valid_after = not_valid_before + valid_duration;
   CERTCertificate* cert = CreateCertificate(public_key,
                                             subject,
                                             serial_number,
-                                            valid_duration);
+                                            not_valid_before,
+                                            not_valid_after);
   if (!cert)
     return NULL;
 
   if (!SignCertificate(cert, private_key)) {
     CERT_DestroyCertificate(cert);
     return NULL;
   }
 
   return cert;
 }
 
 bool CreateOriginBoundCertRSA(
     crypto::RSAPrivateKey* key,
     const std::string& origin,
     uint32 serial_number,
-    base::TimeDelta valid_duration,
+    base::Time not_valid_before,
+    base::Time not_valid_after,
     std::string* der_cert) {
   DCHECK(key);
 
   SECKEYPublicKey* public_key;
   SECKEYPrivateKey* private_key;
 #if defined(USE_NSS)
   public_key = key->public_key();
   private_key = key->key();
 #else
   crypto::ScopedSECKEYPublicKey scoped_public_key;
@@ skipping 34 matching lines @@
       return NULL;
     }
     scoped_public_key.reset(public_key);
   }
 #endif
 
   return CreateOriginBoundCertInternal(public_key,
                                        private_key,
                                        origin,
                                        serial_number,
-                                       valid_duration,
+                                       not_valid_before,
+                                       not_valid_after,
                                        der_cert);
 }
 
 bool CreateOriginBoundCertEC(
     crypto::ECPrivateKey* key,
     const std::string& origin,
     uint32 serial_number,
-    base::TimeDelta valid_duration,
+    base::Time not_valid_before,
+    base::Time not_valid_after,
     std::string* der_cert) {
   DCHECK(key);
   return CreateOriginBoundCertInternal(key->public_key(),
                                        key->key(),
                                        origin,
                                        serial_number,
-                                       valid_duration,
+                                       not_valid_before,
+                                       not_valid_after,
                                        der_cert);
 }
 
 } // namespace x509_util
 
 } // namespace net