Limit lifetime of self-signed certificate used for TLS on Cast channel

extensions/browser/api/cast_channel/cast_socket.cc

Index: extensions/browser/api/cast_channel/cast_socket.cc
diff --git a/extensions/browser/api/cast_channel/cast_socket.cc b/extensions/browser/api/cast_channel/cast_socket.cc
index 83994df6b1c413a28d43401689a4db0c8b973224..fc72453e51dbcf2b730c840f363a28e80721c093 100644
--- a/extensions/browser/api/cast_channel/cast_socket.cc
+++ b/extensions/browser/api/cast_channel/cast_socket.cc
@@ -163,6 +163,15 @@ bool CastSocket::ExtractPeerCert(std::string* cert) {
 
   logger_->LogSocketEvent(channel_id_, proto::SSL_INFO_OBTAINED);
 
+  // we need to ensure that the peer cert (which is self-signed) doesn't have an

[mark a. foltz, 2014/11/21 00:14:53]

Nit: Start sentence with "Ensure"

+  // excessive life-time (i.e. no more than 2 days).
+  base::Time expiry = ssl_info.cert->valid_expiry();
+  if (expiry.is_null() ||
+      expiry > base::Time::Now() + base::TimeDelta::FromDays(2)) {

[mark a. foltz, 2014/11/21 00:14:53]

Please declare a constant for "2" for the maximum lifetime in days.

+    LOG(ERROR) << "Peer cert has excessive lifetime. expiry=" << expiry;

[mark a. foltz, 2014/11/21 00:14:53]

We'll want to log a socket event for an expired cert.

- Add an enum value SSL_CERT_EXPIRED to the proto here:
https://code.google.com/p/chromium/codesearch#chromium/src/extensions/common/...

- Call logger_->LogSocketEventWithDetails(channel_id_, SSL_CERT_EXPIRED, ...)
with the expiry time as the detail message

[Kevin Marshall, 2014/11/21 00:41:13]

Also log the IP endpoint.

+    return false;
+  }
+
   bool result = net::X509Certificate::GetDEREncoded(
      ssl_info.cert->os_cert_handle(), cert);
   if (result) {