Reject certificates that are valid for too long.

net/cert/cert_verify_proc.h

Index: net/cert/cert_verify_proc.h
diff --git a/net/cert/cert_verify_proc.h b/net/cert/cert_verify_proc.h
index 95e464e1595b97fe627c33fee9cfa39a095489f8..f60ed6d9232631f1ae2e0fcefb27a373bfe20d08 100644
--- a/net/cert/cert_verify_proc.h
+++ b/net/cert/cert_verify_proc.h
@@ -73,6 +73,7 @@ class NET_EXPORT CertVerifyProc
  private:
   friend class base::RefCountedThreadSafe<CertVerifyProc>;
   FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, DigiNotarCerts);
+  FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, TestHasTooLongValidity);
 
   // Performs the actual verification using the desired underlying
   // cryptographic library.
@@ -99,6 +100,18 @@ class NET_EXPORT CertVerifyProc
       const std::vector<std::string>& dns_names,
       const std::vector<std::string>& ip_addrs);
 
+  // The CA/Browser Forum's Baseline Requirements specify maximum validity
+  // periods (https://cabforum.org/Baseline_Requirements_V1.pdf):
+  //
+  // For certificates issued after 1 July 2012: 60 months.
+  // For certificates issued after 1 April 2015: 39 months.
+  //
+  // For certificates issued before the BRs took effect, there were no
+  // guidelines, but clamp them at a maximum of 10 year validity, with the
+  // requirement they expire within 7 years after the effective date of the BRs
+  // (i.e. by 1 July 2019).
+  static bool HasTooLongValidity(const X509Certificate& cert);
+
   DISALLOW_COPY_AND_ASSIGN(CertVerifyProc);
 };