Chromium Code Reviews

Unified Diff: net/base/multi_threaded_cert_verifier.h

Issue 10556022: Consider the verification time as well as the expiration time when caching certificate verification… (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Now with less const Created 8 years, 6 months ago
Index: net/base/multi_threaded_cert_verifier.h
diff --git a/net/base/multi_threaded_cert_verifier.h b/net/base/multi_threaded_cert_verifier.h
index 632ae443370f5a3fa1180dd830db63518f284ab4..d901bfcbcfb042dd6cd5a2fe569b5b7a4be0454f 100644
--- a/net/base/multi_threaded_cert_verifier.h
+++ b/net/base/multi_threaded_cert_verifier.h
@@ -108,6 +108,31 @@ class NET_EXPORT_PRIVATE MultiThreadedCertVerifier
CertVerifyResult result; // The output of CertVerifier::Verify.
};
+ // Rather than having a single validity point along a monotonically increasing
+ // timeline, certificate verification is based on falling within a range of
+ // the certificate's NotBefore and NotAfter and based on what the current
+ // system clock says (which may advance forwards or backwards as users correct
+ // clock skew). CacheValidityPeriod and CacheExpirationFunctor are helpers to
+ // ensure that expiration is measured both by the 'general' case (now + cache
+ // TTL) and by whether or not significant enough clock skew was introduced
+ // since the last verification.
+ struct CacheValidityPeriod {
+ explicit CacheValidityPeriod(const base::Time& now);
+ CacheValidityPeriod(const base::Time& now, const base::Time& expiration);
+
+ base::Time verification_time;
+ base::Time expiration_time;
+ };
+
+ struct CacheExpirationFunctor {
+ // Returns true iff |now| is within the validity period of |expiration|.
+ bool operator()(const CacheValidityPeriod& now,
+ const CacheValidityPeriod& expiration) const;
+ };
+
+ typedef ExpiringCache<RequestParams, CachedResult, CacheValidityPeriod,
+ CacheExpirationFunctor> CertVerifierCache;
+
void HandleResult(X509Certificate* cert,
const std::string& hostname,
int flags,
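Review bot: The header leaves the semantics of CacheValidityPeriod and CacheExpirationFunctor underspecified, which matters because the clock-skew handling described in the block comment is the whole point of the change. The single-argument constructor `explicit CacheValidityPeriod(const base::Time& now);` does not say what `expiration_time` is left as (null base::Time?) or how the functor treats such an entry, and the functor's comment "Returns true iff |now| is within the validity period of |expiration|" should spell out the actual condition it implements (presumably that |expiration|'s verification_time is not after |now|'s verification_time and that |now| is before |expiration|'s expiration_time), since ExpiringCache callers can only reason about the skew behaviour from this header. As a style point, base::Time is a small value type, so passing it as `const base::Time&` in both constructors is unusual for Chromium code; by value would be more idiomatic.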
@@ -126,7 +151,6 @@ class NET_EXPORT_PRIVATE MultiThreadedCertVerifier
void SetCertVerifyProc(CertVerifyProc* verify_proc);
// cache_ maps from a request to a cached result.
- typedef ExpiringCache<RequestParams, CachedResult> CertVerifierCache;
CertVerifierCache cache_;
// inflight_ maps from a request to an active verification which is taking
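Review bot: The removed typedef had two template arguments, while its replacement earlier in the header instantiates `ExpiringCache<RequestParams, CachedResult, CacheValidityPeriod, CacheExpirationFunctor>` with four, so this file depends on the expiration-type and functor parameters being added to ExpiringCache in the same change; please confirm net/base/expiring_cache.h in this CL provides that signature (with defaults if other users still rely on the two-argument form). The comment `// cache_ maps from a request to a cached result.` now sits several lines away from the typedef it used to describe; consider noting here that entries carry a CacheValidityPeriod so the key/value relationship stays clear at the point of use.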
