Reject certificates that are valid for too long.

net/cert/cert_verify_proc.h

Index: net/cert/cert_verify_proc.h
diff --git a/net/cert/cert_verify_proc.h b/net/cert/cert_verify_proc.h
index 4feae19182551e01de6c6e1d22e7e78e50a758f6..371cd10ef08307d5941a5487b92df56adc2bc988 100644
--- a/net/cert/cert_verify_proc.h
+++ b/net/cert/cert_verify_proc.h
@@ -102,6 +102,17 @@ class NET_EXPORT CertVerifyProc
   // ranges.
   static bool IsHostnameNonUnique(const std::string& hostname);
 
+  // The CA/Browser Forum's Baseline Requirements specify maximum validity
+  // periods (https://cabforum.org/Baseline_Requirements_V1.pdf):
+  //
+  // For certificates issued after 1 July 2012: 60 months.
+  // For certificates issued after 1 April 2015: 39 months.

[Ryan Sleevi, 2013/08/19 17:57:50]

This is not correct. After 1 April 2015, it IS permissible to be > 39 months,
but <= 60 months, provided you meet the criteria.

While I support this change in spirit, I'm not sure what ill-effects will be
seen from the 39-month (if any), so I think we need to be careful.

[palmer, 2013/08/21 01:26:25]

Shall we just go with 60 months then?

[Ryan Sleevi, 2013/08/21 20:07:41]

I'm fine landing this as the plan of record, and going back on that if
necessary.

I don't think we can safely histogram this either. We can just work to publicize
it as "It's acceptable for CAs to do so for legacy hardware/clients, but if
you're wanting to talk to Chrome, 39 months". This doesn't mean CAs are
violating the BRs though - just that Chrome's policy is security.

May affect the interstitial warnings.

[palmer, 2013/08/21 22:24:15]

Can you suggest accurate wording for the comment?

+  //
+  // There are no guidelines for certificates issued before the BRs were
+  // set, but we clamp them at 120 months, and they must expire within 7
+  // years after the BRs (i.e. by July 2019).

[Ryan Sleevi, 2013/08/19 17:57:50]

comment nit: rephrase this part without the pronouns, as "we" is unclear here.

// For certificates issued before the BRs took effect, there were no
// guidelines, but clamp them at a maximum of 10 year validity, with
// the requirement they expire within 7 years after the effective
// date of the BRs (i.e. by 1 July 2019).

[palmer, 2013/08/21 01:26:25]

Done. Your fixation is odd. :)

+  static bool HasTooLongValidity(const X509Certificate& cert);

[Ryan Sleevi, 2013/08/19 17:57:50]

There's no need to make this a static function, as opposed to within an unnamed
namespace, since this is used (internally) by the CertVerifyProc, and isn't
being unittested.

[palmer, 2013/08/21 01:26:25]

I see it as being like |IsHostnameNonUnique| and so on, and perhaps should be
unit-tested?

[Ryan Sleevi, 2013/08/21 20:07:41]

Glad you just volunteered to write unit tests ;) That was the goal :)

[palmer, 2013/08/21 22:24:15]

Done.

+
   DISALLOW_COPY_AND_ASSIGN(CertVerifyProc);
 };