| Index: net/base/origin_bound_cert_service.cc
|
| diff --git a/net/base/origin_bound_cert_service.cc b/net/base/origin_bound_cert_service.cc
|
| index f86d82ce1537e8e5fb0e0e9dd4d858ebeedd4bad..110290c37a89a43e6d0bb42ffbe3f79ceec551e2 100644
|
| --- a/net/base/origin_bound_cert_service.cc
|
| +++ b/net/base/origin_bound_cert_service.cc
|
| @@ -132,6 +132,7 @@ class OriginBoundCertServiceWorker {
|
| error_ = OriginBoundCertService::GenerateCert(origin_,
|
| type_,
|
| serial_number_,
|
| + &expiration_time_,
|
| &private_key_,
|
| &cert_);
|
| #if defined(USE_NSS)
|
| @@ -157,8 +158,8 @@ class OriginBoundCertServiceWorker {
|
| // memory leaks or worse errors.
|
| base::AutoLock locked(lock_);
|
| if (!canceled_) {
|
| - origin_bound_cert_service_->HandleResult(origin_, error_, type_,
|
| - private_key_, cert_);
|
| + origin_bound_cert_service_->HandleResult(
|
| + origin_, error_, type_, expiration_time_, private_key_, cert_);
|
| }
|
| }
|
| delete this;
|
| @@ -206,6 +207,7 @@ class OriginBoundCertServiceWorker {
|
| bool canceled_;
|
|
|
| int error_;
|
| + base::Time expiration_time_;
|
| std::string private_key_;
|
| std::string cert_;
|
|
|
| @@ -320,20 +322,26 @@ int OriginBoundCertService::GetOriginBoundCert(
|
| requests_++;
|
|
|
| // Check if an origin bound cert of an acceptable type already exists for this
|
| - // origin.
|
| + // origin, and that it has not expired.
|
| + base::Time now = base::Time::Now();
|
| + base::Time expiration_time;
|
| if (origin_bound_cert_store_->GetOriginBoundCert(origin,
|
| type,
|
| + &expiration_time,
|
| private_key,
|
| cert)) {
|
| - if (IsSupportedCertType(*type) &&
|
| - std::find(requested_types.begin(), requested_types.end(), *type) !=
|
| - requested_types.end()) {
|
| + if (expiration_time < now) {
|
| + DVLOG(1) << "Cert store had expired cert for " << origin;
|
| + } else if (!IsSupportedCertType(*type) ||
|
| + std::find(requested_types.begin(), requested_types.end(),
|
| + *type) == requested_types.end()) {
|
| + DVLOG(1) << "Cert store had cert of wrong type " << *type << " for "
|
| + << origin;
|
| + } else {
|
| cert_store_hits_++;
|
| *out_req = NULL;
|
| return OK;
|
| }
|
| - DVLOG(1) << "Cert store had cert of wrong type " << *type << " for "
|
| - << origin;
|
| }
|
|
|
| // |origin_bound_cert_store_| has no cert for this origin. See if an
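Review bot: The new check `expiration_time < now` accepts a stored cert right up to the instant it expires, so a cert with only seconds left can be returned as a store hit and lapse before the handshake that uses it completes. Consider comparing against a small margin, e.g. `if (expiration_time < now + base::TimeDelta::FromMinutes(kExpiryMarginInMinutes)) {`, where `kExpiryMarginInMinutes` is a placeholder name for a constant this file would have to define. The trailing context comment `// |origin_bound_cert_store_| has no cert for this origin.` is now also reached for expired and wrong-type certs and should say so. GetOriginBoundCert starts and ends outside this hunk.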
|
| @@ -361,8 +369,10 @@ int OriginBoundCertService::GetOriginBoundCert(
|
| inflight_joins_++;
|
| } else {
|
| // Need to make a new request.
|
| - OriginBoundCertServiceWorker* worker =
|
| - new OriginBoundCertServiceWorker(origin, preferred_type, this);
|
| + OriginBoundCertServiceWorker* worker = new OriginBoundCertServiceWorker(
|
| + origin,
|
| + preferred_type,
|
| + this);
|
| job = new OriginBoundCertServiceJob(worker, preferred_type);
|
| if (!worker->Start()) {
|
| delete job;
|
| @@ -386,8 +396,11 @@ int OriginBoundCertService::GetOriginBoundCert(
|
| int OriginBoundCertService::GenerateCert(const std::string& origin,
|
| SSLClientCertType type,
|
| uint32 serial_number,
|
| + base::Time* expiration_time,
|
| std::string* private_key,
|
| std::string* cert) {
|
| + base::Time now = base::Time::Now();
|
| + *expiration_time = now + base::TimeDelta::FromDays(kValidityPeriodInDays);
|
| std::string der_cert;
|
| std::vector<uint8> private_key_info;
|
| switch (type) {
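Review bot: `now` is read once here and, in the hunks at -402 and -424, passed unchanged as what looks like the start of the validity window, so the cert becomes valid at the exact local clock reading with no allowance for clock skew. A peer whose clock runs slightly behind would see a not-yet-valid cert; the usual practice is to backdate the start slightly, e.g. pass `now - base::TimeDelta::FromMinutes(kBackdateMinutes)` (placeholder constant name) at both call sites while keeping `*expiration_time` as computed. The callee and the meaning of that argument are outside the visible lines, so confirm it is the not-before time. A `DCHECK(expiration_time);` before the first write would also document that the new out-parameter must be non-null.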
|
| @@ -402,7 +415,8 @@ int OriginBoundCertService::GenerateCert(const std::string& origin,
|
| key.get(),
|
| origin,
|
| serial_number,
|
| - base::TimeDelta::FromDays(kValidityPeriodInDays),
|
| + now,
|
| + *expiration_time,
|
| &der_cert)) {
|
| DLOG(ERROR) << "Unable to create x509 cert for client";
|
| return ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED;
|
| @@ -424,7 +438,8 @@ int OriginBoundCertService::GenerateCert(const std::string& origin,
|
| key.get(),
|
| origin,
|
| serial_number,
|
| - base::TimeDelta::FromDays(kValidityPeriodInDays),
|
| + now,
|
| + *expiration_time,
|
| &der_cert)) {
|
| DLOG(ERROR) << "Unable to create x509 cert for client";
|
| return ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED;
|
| @@ -463,11 +478,13 @@ void OriginBoundCertService::CancelRequest(RequestHandle req) {
|
| void OriginBoundCertService::HandleResult(const std::string& origin,
|
| int error,
|
| SSLClientCertType type,
|
| + base::Time expiration_time,
|
| const std::string& private_key,
|
| const std::string& cert) {
|
| DCHECK(CalledOnValidThread());
|
|
|
| - origin_bound_cert_store_->SetOriginBoundCert(origin, type, private_key, cert);
|
| + origin_bound_cert_store_->SetOriginBoundCert(
|
| + origin, type, expiration_time, private_key, cert);
|
|
|
| std::map<std::string, OriginBoundCertServiceJob*>::iterator j;
|
| j = inflight_.find(origin);
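Review bot: The store write in HandleResult is not gated on `error` in the visible lines, and with this change a failed generation still carries a future `expiration_time`, because GenerateCert assigns it before its `switch`. Unless the store or code outside this hunk rejects it, a failed job could leave an entry with an empty key and cert that later passes the new expiry check in GetOriginBoundCert and is returned as a hit. Guarding the write would avoid that: `if (error == OK) {` / `origin_bound_cert_store_->SetOriginBoundCert(origin, type, expiration_time, private_key, cert);` / `}`. HandleResult continues past the end of this hunk.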
|
|
|