Handle Origin Bound Certificate expiration.

net/base/x509_util_nss.cc

Index: net/base/x509_util_nss.cc
diff --git a/net/base/x509_util_nss.cc b/net/base/x509_util_nss.cc
index 61126af6a1fbc68f65e5f664fc17103a33505b94..4ec0401d8e369b0b5c998ce6126cfbe6f1a80006 100644
--- a/net/base/x509_util_nss.cc
+++ b/net/base/x509_util_nss.cc
@@ -78,7 +78,8 @@ CERTCertificate* CreateCertificate(
     SECKEYPublicKey* public_key,
     const std::string& subject,
     uint32 serial_number,
-    base::TimeDelta valid_duration) {
+    base::Time not_valid_before,
+    base::Time not_valid_after) {
   // Create info about public key.
   CERTSubjectPublicKeyInfo* spki =
       SECKEY_CreateSubjectPublicKeyInfo(public_key);
@@ -99,11 +100,9 @@ CERTCertificate* CreateCertificate(
     return NULL;
   }
 
-  PRTime now = PR_Now();
-  PRTime not_after = now + valid_duration.InMicroseconds();
-
-  // Note that the time is now in micro-second unit.
-  CERTValidity* validity = CERT_CreateValidity(now, not_after);
+  CERTValidity* validity = CERT_CreateValidity(
+      crypto::BaseTimeToPRTime(not_valid_before),
+      crypto::BaseTimeToPRTime(not_valid_after));
   CERTCertificate* cert = CERT_CreateCertificate(serial_number, subject_name,
                                                  validity, cert_request);
   if (!cert) {
@@ -176,13 +175,15 @@ bool CreateOriginBoundCertInternal(
     SECKEYPrivateKey* private_key,
     const std::string& origin,
     uint32 serial_number,
-    base::TimeDelta valid_duration,
+    base::Time not_valid_before,
+    base::Time not_valid_after,
     std::string* der_cert) {
 
   CERTCertificate* cert = CreateCertificate(public_key,
                                             "CN=anonymous.invalid",
                                             serial_number,
-                                            valid_duration);
+                                            not_valid_before,
+                                            not_valid_after);
 
   if (!cert)
     return false;
@@ -255,10 +256,13 @@ CERTCertificate* CreateSelfSignedCert(
     const std::string& subject,
     uint32 serial_number,
     base::TimeDelta valid_duration) {

[wtc, 2011/12/20 19:46:55]

Is it more convenient for the CreateSelfSignedCert method
to take a valid_duration parameter?

For API consistency, it looks bad for one function to take
valid_duration and two functions to take not_valid_before and
not_valid_after.  Ideally we should fix this.  You can handle
this as a TODO.

[mattm, 2011/12/20 20:38:55]

Yeah, I was initially looking at updating this all the way up to the
X509Certificate API, but the mac API that's used for generated the self signed
certs actually takes the param as a delta.  (Could just calculate back from the
absolute times, but it would be weird if you ask for one time and the returned
cert has a slightly different time than you asked for.)  So then I gave up, but
really I could just change the x509_util api and keep the X509Certificate API. 

done.

+  base::Time not_valid_before = base::Time::Now();
+  base::Time not_valid_after = not_valid_before + valid_duration;
   CERTCertificate* cert = CreateCertificate(public_key,
                                             subject,
                                             serial_number,
-                                            valid_duration);
+                                            not_valid_before,
+                                            not_valid_after);
   if (!cert)
     return NULL;
 
@@ -274,7 +278,8 @@ bool CreateOriginBoundCertRSA(
     crypto::RSAPrivateKey* key,
     const std::string& origin,
     uint32 serial_number,
-    base::TimeDelta valid_duration,
+    base::Time not_valid_before,
+    base::Time not_valid_after,
     std::string* der_cert) {
   DCHECK(key);
 
@@ -329,7 +334,8 @@ bool CreateOriginBoundCertRSA(
                                        private_key,
                                        origin,
                                        serial_number,
-                                       valid_duration,
+                                       not_valid_before,
+                                       not_valid_after,
                                        der_cert);
 }
 
@@ -337,14 +343,16 @@ bool CreateOriginBoundCertEC(
     crypto::ECPrivateKey* key,
     const std::string& origin,
     uint32 serial_number,
-    base::TimeDelta valid_duration,
+    base::Time not_valid_before,
+    base::Time not_valid_after,
     std::string* der_cert) {
   DCHECK(key);
   return CreateOriginBoundCertInternal(key->public_key(),
                                        key->key(),
                                        origin,
                                        serial_number,
-                                       valid_duration,
+                                       not_valid_before,
+                                       not_valid_after,
                                        der_cert);
 }