Don't expire certs used as channel IDs.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 980 matching lines @@
   if (rv != SECSuccess) {
     LogFailedNSSFunction(*weak_net_log_, "SSL_GetClientAuthDataHook", "");
     return false;
   }
 
   if (ssl_config_.channel_id_enabled) {
     if (!server_bound_cert_service_) {
       DVLOG(1) << "NULL server_bound_cert_service_, not enabling channel ID.";
     } else if (!crypto::ECPrivateKey::IsSupported()) {
       DVLOG(1) << "Elliptic Curve not supported, not enabling channel ID.";
-    } else if (!server_bound_cert_service_->IsSystemTimeValid()) {
-      DVLOG(1) << "System time is weird, not enabling channel ID.";

[mattm, 2013/03/29 02:59:48]

Can not remove this (and associated stuff), since the code still uses the system
time when creating the cert in server_bound_cert_service.cc:GenerateCert.

[thaidn_google, 2013/03/29 18:48:01]

Done.

     } else {
       rv = SSL_SetClientChannelIDCallback(
           nss_fd_, SSLClientSocketNSS::Core::ClientChannelIDHandler, this);
       if (rv != SECSuccess)
         LogFailedNSSFunction(*weak_net_log_, "SSL_SetClientChannelIDCallback",
                              "");
     }
   }
 
   rv = SSL_HandshakeCallback(
@@ skipping 1523 matching lines @@
 void SSLClientSocketNSS::Core::RecordChannelIDSupport() const {
   if (nss_handshake_state_.resumed_handshake)
     return;
 
   // Since this enum is used for a histogram, do not change or re-use values.
   enum {
     DISABLED = 0,
     CLIENT_ONLY = 1,
     CLIENT_AND_SERVER = 2,
     CLIENT_NO_ECC = 3,
-    CLIENT_BAD_SYSTEM_TIME = 4,
-    CLIENT_NO_SERVER_BOUND_CERT_SERVICE = 5,
+    CLIENT_NO_SERVER_BOUND_CERT_SERVICE = 4,

[mattm, 2013/03/29 02:59:48]

see comment above ("Since this enum is used for a histogram, do not change or
re-use values.")

[thaidn_google, 2013/03/29 18:48:01]

Done.

     DOMAIN_BOUND_CERT_USAGE_MAX
   } supported = DISABLED;
   if (channel_id_xtn_negotiated_) {
     supported = CLIENT_AND_SERVER;
   } else if (ssl_config_.channel_id_enabled) {
     if (!server_bound_cert_service_)
       supported = CLIENT_NO_SERVER_BOUND_CERT_SERVICE;
     else if (!crypto::ECPrivateKey::IsSupported())
       supported = CLIENT_NO_ECC;
-    else if (!server_bound_cert_service_->IsSystemTimeValid())
-      supported = CLIENT_BAD_SYSTEM_TIME;
     else
       supported = CLIENT_ONLY;
   }
   UMA_HISTOGRAM_ENUMERATION("DomainBoundCerts.Support", supported,
                             DOMAIN_BOUND_CERT_USAGE_MAX);
 }
 
 int SSLClientSocketNSS::Core::DoBufferRecv(IOBuffer* read_buffer, int len) {
   DCHECK(OnNetworkTaskRunner());
   DCHECK_GT(len, 0);
@@ skipping 961 matching lines @@
   EnsureThreadIdAssigned();
   base::AutoLock auto_lock(lock_);
   return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
   return server_bound_cert_service_;
 }
 
 }  // namespace net