authorwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-10-29 23:45:39 +0000
committerwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-10-29 23:45:39 +0000
commitde614d301995efdb349e998cea13c316ae3add7d (patch)
treeb9b3fff405b79a94031214f0561ca3c0933120b1 /net/base/cert_verifier.cc
parentb49cc1f6b42aec81e0b0e83f78dd92576853fa1a (diff)
Fix the "certificate is not yet valid" error for server certificates
issued by a VeriSign intermediate CA. Change the CertVerifier cache to identify a certificate chain by the hash of the entire chain rather than just the server certificate. This requires adding X509Certificate::chain_fingerprint(), and the X509Certificate::CalculateChainFingerprint() method to compute the chain fingerprint. R=agl@chromium.org,rsleevi@chromium.org BUG=101555 TEST=X509CertificateTest.ChainFingerprints and CertVerifierTest.DifferentCACerts in net_unittests Review URL: http://codereview.chromium.org/8400075 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@107888 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/cert_verifier.cc')
-rw-r--r--net/base/cert_verifier.cc4
1 files changed, 2 insertions, 2 deletions
diff --git a/net/base/cert_verifier.cc b/net/base/cert_verifier.cc
index 90a728c..1a80b40 100644
--- a/net/base/cert_verifier.cc
+++ b/net/base/cert_verifier.cc
@@ -364,7 +364,7 @@ int CertVerifier::Verify(X509Certificate* cert,
requests_++;
- const RequestParams key = {cert->fingerprint(), hostname, flags};
+ const RequestParams key = {cert->chain_fingerprint(), hostname, flags};
// First check the cache.
std::map<RequestParams, CachedCertVerifyResult>::iterator i;
i = cache_.find(key);
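Review bot: The key expression `{cert->chain_fingerprint(), hostname, flags}` is written out by hand in Verify() here and again in HandleResult() in the second hunk. If the two copies ever diverge, results are stored under keys that lookups never hit, so a single private helper that builds the RequestParams would be safer. A cache hit returns an earlier verification result without re-verifying, so the cache also depends on chain_fingerprint() being populated on every X509Certificate construction path and covering every intermediate in order. That is not visible in these hunks and is worth confirming, because an unset value would let distinct chains with the same hostname and flags share one entry. A comment above the key, such as `// Key on the full chain: the verify result depends on the intermediates, not only the leaf.`, would record why the leaf fingerprint is not enough. Both function bodies extend beyond the hunks shown.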
@@ -449,7 +449,7 @@ void CertVerifier::HandleResult(X509Certificate* cert,
uint32 ttl = kTTLSecs;
cached_result.expiry = current_time + base::TimeDelta::FromSeconds(ttl);
- const RequestParams key = {cert->fingerprint(), hostname, flags};
+ const RequestParams key = {cert->chain_fingerprint(), hostname, flags};
DCHECK_GE(max_cache_entries_, 1u);
DCHECK_LE(cache_.size(), max_cache_entries_);