Chromium Code Reviews

Unified Diff: net/tools/cert_verify_tool/cert_verify_tool.cc

Issue 2130453003: cert_verify_tool: Verify using the new pathbuilder too. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@cert-parsing-path-building
Patch Set: Created 4 years, 5 months ago
Index: net/tools/cert_verify_tool/cert_verify_tool.cc
diff --git a/net/tools/cert_verify_tool/cert_verify_tool.cc b/net/tools/cert_verify_tool/cert_verify_tool.cc
index 794fb5e2a3c4ed96bd8a05f4687ba5b3ab96e6a7..53de7622fdc6b65d7ba7507350063533b8a33729 100644
--- a/net/tools/cert_verify_tool/cert_verify_tool.cc
+++ b/net/tools/cert_verify_tool/cert_verify_tool.cc
@@ -11,6 +11,7 @@
#include "base/time/time.h"
#include "net/tools/cert_verify_tool/cert_verify_tool_util.h"
#include "net/tools/cert_verify_tool/verify_using_cert_verify_proc.h"
+#include "net/tools/cert_verify_tool/verify_using_path_builder.h"
namespace {
@@ -24,6 +25,10 @@ void PrintUsage(const char* argv0) {
std::cerr << " --intermediates=<certs path>\n";
std::cerr << " <certs path> should be a file containing a single DER cert or "
"one or more PEM CERTIFICATE blocks.\n";
+ std::cerr << " --time=<localtime>\n";
+ std::cerr << " Use <localtime> instead of the current system time.\n";
eroman 2016/07/07 00:07:19 can you add an explanation of what the format is?
mattm 2016/07/07 00:49:55 Done.
+ std::cerr << " --utctime=<utctime>\n";
+ std::cerr << " Use <utctime> instead of the current system time.\n";
eroman 2016/07/07 00:07:19 I would say that --time is sufficient, since it ca
mattm 2016/07/07 00:49:55 I switched to just having one flag since it simpli
std::cerr << " --dump=<file prefix>\n";
std::cerr << " Dumps the verified chain to PEM files starting with <file "
"prefix>.\n";
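Review bot: The help text for --time and --utctime does not say that CertVerifyProc is skipped when either flag is given, although the change to main() further down does exactly that. Someone reading only the usage output would expect both verifiers to honor the supplied time. Suggest adding a line under each flag stating that it applies to CertPathBuilder only and that CertVerifyProc is skipped.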
@@ -59,6 +64,27 @@ int main(int argc, char** argv) {
return 1;
}
+ base::Time verify_time;
+ std::string time_flag = command_line.GetSwitchValueASCII("time");
+ std::string utctime_flag = command_line.GetSwitchValueASCII("utctime");
+ if (!time_flag.empty() && !utctime_flag.empty()) {
+ std::cerr << "ERROR: Only one of --time and --utctime may be specified.\n";
+ return 1;
+ }
+ if (!time_flag.empty()) {
+ if (!base::Time::FromString(time_flag.c_str(), &verify_time)) {
+ std::cerr << "Error parsing --time flag\n";
+ return 1;
+ }
+ } else if (!utctime_flag.empty()) {
+ if (!base::Time::FromUTCString(utctime_flag.c_str(), &verify_time)) {
+ std::cerr << "Error parsing --utctime flag\n";
+ return 1;
+ }
+ } else {
+ verify_time = base::Time::Now();
+ }
+
base::FilePath roots_path = command_line.GetSwitchValuePath("roots");
base::FilePath intermediates_path =
command_line.GetSwitchValuePath("intermediates");
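Review bot: The presence checks `if (!time_flag.empty())` and `else if (!utctime_flag.empty())` treat a flag passed with an empty value (--time=) the same as an absent flag, so the run silently falls through to `verify_time = base::Time::Now();` and reports a verdict for the current time instead of rejecting the input. For a tool whose result depends on the verification time, that should be a hard error: test command_line.HasSwitch("time") and HasSwitch("utctime") for presence, and fail when the switch is present but its value is empty. Minor: the parse-failure messages start with "Error parsing" while the conflict message starts with "ERROR:"; pick one prefix, and echo the rejected string so the user can see what failed to parse.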
@@ -82,9 +108,20 @@ int main(int argc, char** argv) {
}
std::cout << "CertVerifyProc:\n";
- bool verify_ok = VerifyUsingCertVerifyProc(target_der_cert, hostname,
- intermediate_der_certs,
- root_der_certs, dump_prefix_path);
+ bool cert_verify_proc_ok = true;
+ if (!time_flag.empty() || !utctime_flag.empty()) {
eroman 2016/07/07 00:07:19 nit: would !verify_time.is_null() be more concise?
mattm 2016/07/07 00:49:55 If the flags aren't present, verify_time is still
eroman 2016/07/07 01:21:44 acknowledged
+ std::cerr << "ERROR: --time/--utctime is not supported with "
+ "CertVerifyProc, skipping.\n";
+ } else {
+ cert_verify_proc_ok = VerifyUsingCertVerifyProc(
+ target_der_cert, hostname, intermediate_der_certs, root_der_certs,
+ dump_prefix_path);
+ }
+
+ std::cout << "\nCertPathBuilder:\n";
+ bool path_builder_ok =
+ VerifyUsingPathBuilder(target_der_cert, intermediate_der_certs,
+ root_der_certs, verify_time, dump_prefix_path);
- return verify_ok ? 0 : 1;
+ return (cert_verify_proc_ok && path_builder_ok) ? 0 : 1;
}
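Review bot: In the `if (!time_flag.empty() || !utctime_flag.empty())` branch, cert_verify_proc_ok keeps its initial value of true, so a run in which CertVerifyProc was skipped exits 0 on the strength of CertPathBuilder alone, even though the message printed is labelled "ERROR:". A script that checks the exit status cannot tell "both verifiers passed" from "one passed, one never ran". Suggest either relabelling the message as a warning and documenting that the exit code covers only the verifiers that ran, or tracking the skip in its own flag and reporting it alongside the results. The condition also repeats the flag test from the parsing block; a single bool set there would keep the two in sync.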
