Handle Origin Bound Certificate expiration.

net/base/origin_bound_cert_store.h

Index: net/base/origin_bound_cert_store.h
diff --git a/net/base/origin_bound_cert_store.h b/net/base/origin_bound_cert_store.h
index 094839b1e8f52bac105d8b65698e996b4c350220..bad9f20a200af8c4c1380e018e29db6c08ab442b 100644
--- a/net/base/origin_bound_cert_store.h
+++ b/net/base/origin_bound_cert_store.h
@@ -9,6 +9,7 @@
 #include <string>
 #include <vector>
 
+#include "base/time.h"
 #include "net/base/net_export.h"
 #include "net/base/ssl_client_cert_type.h"
 
@@ -30,6 +31,7 @@ class NET_EXPORT OriginBoundCertStore {
     OriginBoundCert();
     OriginBoundCert(const std::string& origin,
                     SSLClientCertType type,
+                    base::Time expiration_time,
                     const std::string& private_key,
                     const std::string& cert);
     ~OriginBoundCert();
@@ -38,6 +40,8 @@ class NET_EXPORT OriginBoundCertStore {
     const std::string& origin() const { return origin_; }
     // TLS ClientCertificateType.
     SSLClientCertType type() const { return type_; }
+    // The time after which this certificate is no longer valid.
+    base::Time expiration_time() const { return expiration_time_; }
     // The encoding of the private key depends on the type.
     // rsa_sign: DER-encoded PrivateKeyInfo struct.
     // ecdsa_sign: DER-encoded EncryptedPrivateKeyInfo struct.
@@ -48,6 +52,7 @@ class NET_EXPORT OriginBoundCertStore {
    private:
     std::string origin_;
     SSLClientCertType type_;
+    base::Time expiration_time_;
     std::string private_key_;
     std::string cert_;
   };
@@ -57,12 +62,14 @@ class NET_EXPORT OriginBoundCertStore {
   // TODO(rkn): File I/O may be required, so this should have an asynchronous
   // interface.
   // Returns true on success. |private_key_result| stores a DER-encoded
-  // PrivateKeyInfo struct and |cert_result| stores a DER-encoded
-  // certificate. Returns false if no origin bound cert exists for the
-  // specified origin.
+  // PrivateKeyInfo struct, |cert_result| stores a DER-encoded certificate,
+  // |type| is the ClientCertificateType of the returned key, and

[wtc, 2011/12/20 19:46:55]

Nit: returned key => returned certificate

I think you can change "Validity notAfter" to simply
"expiration".

[mattm, 2011/12/20 20:38:55]

Done.

+  // |expiration_time| is the Validity notAfter time of the certificate.
+  // Returns false if no origin bound cert exists for the specified origin.
   virtual bool GetOriginBoundCert(
       const std::string& origin,
       SSLClientCertType* type,
+      base::Time* expiration_time,
       std::string* private_key_result,
       std::string* cert_result) = 0;
 
@@ -70,6 +77,7 @@ class NET_EXPORT OriginBoundCertStore {
   virtual void SetOriginBoundCert(
       const std::string& origin,
       SSLClientCertType type,
+      base::Time expiration_time,
       const std::string& private_key,
       const std::string& cert) = 0;