| Index: net/base/origin_bound_cert_service.cc
|
| diff --git a/net/base/origin_bound_cert_service.cc b/net/base/origin_bound_cert_service.cc
|
| index 762255f3a261c90d4ad7f3e63ba8bdab4f3700b9..246383eeea66f67abb3d2a74ecba702ba80569fd 100644
|
| --- a/net/base/origin_bound_cert_service.cc
|
| +++ b/net/base/origin_bound_cert_service.cc
|
| @@ -134,6 +134,7 @@ class OriginBoundCertServiceWorker {
|
| error_ = OriginBoundCertService::GenerateCert(origin_,
|
| type_,
|
| serial_number_,
|
| + &expiration_time_,
|
| &private_key_,
|
| &cert_);
|
| #if defined(USE_NSS)
|
| @@ -159,8 +160,8 @@ class OriginBoundCertServiceWorker {
|
| // memory leaks or worse errors.
|
| base::AutoLock locked(lock_);
|
| if (!canceled_) {
|
| - origin_bound_cert_service_->HandleResult(origin_, error_, type_,
|
| - private_key_, cert_);
|
| + origin_bound_cert_service_->HandleResult(
|
| + origin_, error_, type_, expiration_time_, private_key_, cert_);
|
| }
|
| }
|
| delete this;
|
| @@ -208,6 +209,7 @@ class OriginBoundCertServiceWorker {
|
| bool canceled_;
|
|
|
| int error_;
|
| + base::Time expiration_time_;
|
| std::string private_key_;
|
| std::string cert_;
|
|
|
| @@ -322,20 +324,26 @@ int OriginBoundCertService::GetOriginBoundCert(
|
| requests_++;
|
|
|
| // Check if an origin bound cert of an acceptable type already exists for this
|
| - // origin.
|
| + // origin, and that it has not expired.
|
| + base::Time now = base::Time::Now();
|
| + base::Time expiration_time;
|
| if (origin_bound_cert_store_->GetOriginBoundCert(origin,
|
| type,
|
| + &expiration_time,
|
| private_key,
|
| cert)) {
|
| - if (IsSupportedCertType(*type) &&
|
| - std::find(requested_types.begin(), requested_types.end(), *type) !=
|
| - requested_types.end()) {
|
| + if (expiration_time < now) {
|
| + DVLOG(1) << "Cert store had expired cert for " << origin;
|
| + } else if (!IsSupportedCertType(*type) ||
|
| + std::find(requested_types.begin(), requested_types.end(),
|
| + *type) == requested_types.end()) {
|
| + DVLOG(1) << "Cert store had cert of wrong type " << *type << " for "
|
| + << origin;
|
| + } else {
|
| cert_store_hits_++;
|
| *out_req = NULL;
|
| return OK;
|
| }
|
| - DVLOG(1) << "Cert store had cert of wrong type " << *type << " for "
|
| - << origin;
|
| }
|
|
|
| // |origin_bound_cert_store_| has no cert for this origin. See if an
|
| @@ -363,8 +371,10 @@ int OriginBoundCertService::GetOriginBoundCert(
|
| inflight_joins_++;
|
| } else {
|
| // Need to make a new request.
|
| - OriginBoundCertServiceWorker* worker =
|
| - new OriginBoundCertServiceWorker(origin, preferred_type, this);
|
| + OriginBoundCertServiceWorker* worker = new OriginBoundCertServiceWorker(
|
| + origin,
|
| + preferred_type,
|
| + this);
|
| job = new OriginBoundCertServiceJob(worker, preferred_type);
|
| if (!worker->Start()) {
|
| delete job;
|
| @@ -388,8 +398,12 @@ int OriginBoundCertService::GetOriginBoundCert(
|
| int OriginBoundCertService::GenerateCert(const std::string& origin,
|
| SSLClientCertType type,
|
| uint32 serial_number,
|
| + base::Time* expiration_time,
|
| std::string* private_key,
|
| std::string* cert) {
|
| + base::Time now = base::Time::Now();
|
| + base::Time not_valid_after =
|
| + now + base::TimeDelta::FromDays(kValidityPeriodInDays);
|
| std::string der_cert;
|
| std::vector<uint8> private_key_info;
|
| switch (type) {
|
| @@ -404,7 +418,8 @@ int OriginBoundCertService::GenerateCert(const std::string& origin,
|
| key.get(),
|
| origin,
|
| serial_number,
|
| - base::TimeDelta::FromDays(kValidityPeriodInDays),
|
| + now,
|
| + not_valid_after,
|
| &der_cert)) {
|
| DLOG(ERROR) << "Unable to create x509 cert for client";
|
| return ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED;
|
| @@ -426,7 +441,8 @@ int OriginBoundCertService::GenerateCert(const std::string& origin,
|
| key.get(),
|
| origin,
|
| serial_number,
|
| - base::TimeDelta::FromDays(kValidityPeriodInDays),
|
| + now,
|
| + not_valid_after,
|
| &der_cert)) {
|
| DLOG(ERROR) << "Unable to create x509 cert for client";
|
| return ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED;
|
| @@ -450,6 +466,7 @@ int OriginBoundCertService::GenerateCert(const std::string& origin,
|
|
|
| private_key->swap(key_out);
|
| cert->swap(der_cert);
|
| + *expiration_time = not_valid_after;
|
| return OK;
|
| }
|
|
|
| @@ -465,11 +482,13 @@ void OriginBoundCertService::CancelRequest(RequestHandle req) {
|
| void OriginBoundCertService::HandleResult(const std::string& origin,
|
| int error,
|
| SSLClientCertType type,
|
| + base::Time expiration_time,
|
| const std::string& private_key,
|
| const std::string& cert) {
|
| DCHECK(CalledOnValidThread());
|
|
|
| - origin_bound_cert_store_->SetOriginBoundCert(origin, type, private_key, cert);
|
| + origin_bound_cert_store_->SetOriginBoundCert(
|
| + origin, type, expiration_time, private_key, cert);
|
|
|
| std::map<std::string, OriginBoundCertServiceJob*>::iterator j;
|
| j = inflight_.find(origin);
|
|
|
Chromium Code Reviews
Issue 8890073:
Handle Origin Bound Certificate expiration. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src