diff options
| author | digit@chromium.org <digit@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-11-22 17:04:21 +0000 |
|---|---|---|
| committer | digit@chromium.org <digit@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-11-22 17:04:21 +0000 |
| commit | 3d41975570b7c46049ef9e3e2c22bef5727e62ea (patch) | |
| tree | bf202ff97a7da5bc5346b16389dc3c850d401570 | |
| parent | 7f828fd2440991e4b28b7ed60a75d294a81d64ff (diff) | |
| download | chromium_src-3d41975570b7c46049ef9e3e2c22bef5727e62ea.zip chromium_src-3d41975570b7c46049ef9e3e2c22bef5727e62ea.tar.gz chromium_src-3d41975570b7c46049ef9e3e2c22bef5727e62ea.tar.bz2 | |
Implement x509_util::IsSupportedValidityRange() for Android / openssl.
The previous UNIMPLEMENTED() appears a lot is warnings/errors during
net_unittests otherwise.
BUG=
Review URL: https://chromiumcodereview.appspot.com/11348128
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@169279 0039d316-1c4b-4281-b951-d872f2087c98
| -rw-r--r-- | net/base/x509_util_openssl.cc | 31 | ||||
| -rw-r--r-- | net/base/x509_util_openssl_unittest.cc | 25 |
2 files changed, 53 insertions, 3 deletions
diff --git a/net/base/x509_util_openssl.cc b/net/base/x509_util_openssl.cc index 8e84985..142bf77 100644 --- a/net/base/x509_util_openssl.cc +++ b/net/base/x509_util_openssl.cc @@ -17,9 +17,34 @@ namespace x509_util { bool IsSupportedValidityRange(base::Time not_valid_before, base::Time not_valid_after) { - // TODO(mattm): The validity field of a certificate can only encode years - // 1-9999. - NOTIMPLEMENTED(); + if (not_valid_before > not_valid_after) + return false; + + // The validity field of a certificate can only encode years 1-9999. + + // Compute the base::Time values corresponding to Jan 1st,0001 and + // Jan 1st, 10000 respectively. Done by using the pre-computed numbers + // of days between these dates and the Unix epoch, i.e. Jan 1st, 1970, + // using the following Python script: + // + // from datetime import date as D + // print (D(1970,1,1)-D(1,1,1)) # -> 719162 days + // print (D(9999,12,31)-D(1970,1,1)) # -> 2932896 days + // + // Note: This ignores leap seconds, but should be enough in practice. + // + const int64 kDaysFromYear0001ToUnixEpoch = 719162; + const int64 kDaysFromUnixEpochToYear10000 = 2932896 + 1; + const base::Time kEpoch = base::Time::UnixEpoch(); + const base::Time kYear0001 = kEpoch - + base::TimeDelta::FromDays(kDaysFromYear0001ToUnixEpoch); + const base::Time kYear10000 = kEpoch + + base::TimeDelta::FromDays(kDaysFromUnixEpochToYear10000); + + if (not_valid_before < kYear0001 || not_valid_before >= kYear10000 || + not_valid_after < kYear0001 || not_valid_after >= kYear10000) + return false; + return true; } diff --git a/net/base/x509_util_openssl_unittest.cc b/net/base/x509_util_openssl_unittest.cc index 2067505..eea3984 100644 --- a/net/base/x509_util_openssl_unittest.cc +++ b/net/base/x509_util_openssl_unittest.cc @@ -10,6 +10,31 @@ namespace net { +TEST(X509UtilOpenSSLTest, IsSupportedValidityRange) { + base::Time now = base::Time::Now(); + EXPECT_TRUE(x509_util::IsSupportedValidityRange(now, now)); + EXPECT_FALSE(x509_util::IsSupportedValidityRange( + now, now - base::TimeDelta::FromSeconds(1))); + + // See x509_util_openssl.cc to see how these were computed. + const int64 kDaysFromYear0001ToUnixEpoch = 719162; + const int64 kDaysFromUnixEpochToYear10000 = 2932896 + 1; + + // When computing too_old / too_late, add one day to account for + // possible leap seconds. + base::Time too_old = base::Time::UnixEpoch() - + base::TimeDelta::FromDays(kDaysFromYear0001ToUnixEpoch + 1); + + base::Time too_late = base::Time::UnixEpoch() + + base::TimeDelta::FromDays(kDaysFromUnixEpochToYear10000 + 1); + + EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_old, too_old)); + EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_old, now)); + + EXPECT_FALSE(x509_util::IsSupportedValidityRange(now, too_late)); + EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_late, too_late)); +} + // For OpenSSL, x509_util::CreateDomainBoundCertEC() is not yet implemented // and should return false. This unit test ensures that a stub implementation // is present. |