authorrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-11-08 02:35:29 +0000
committerrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-11-08 02:35:29 +0000
commit03422afd28870f309b2d5fde6bd5eb9e03aac70c (patch)
treecd15a7cc59206eda2ec6bfc47b9e1938422bfce6 /net/base/x509_util.cc
parent049e74be6a2f1aa5370b4cb6f15ae918647661ce (diff)
When ordering client certificates, use a constant time for determining validity.
This avoids possible strict weak ordering issues if a certificate expires while being evaluated for expiration. The effect of such a violation would be that an expired certificate might be sorted as more preferable than a valid certificate, but only if it just expired, and dependent on the number of certs being compared. BUG=89267 Review URL: https://chromiumcodereview.appspot.com/11388004 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@166588 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/x509_util.cc')
-rw-r--r--net/base/x509_util.cc7
1 files changed, 4 insertions, 3 deletions
diff --git a/net/base/x509_util.cc b/net/base/x509_util.cc
index a272470..2e09a0f 100644
--- a/net/base/x509_util.cc
+++ b/net/base/x509_util.cc
@@ -11,6 +11,8 @@ namespace net {
namespace x509_util {
+ClientCertSorter::ClientCertSorter() : now_(base::Time::Now()) {}
+
bool ClientCertSorter::operator()(
const scoped_refptr<X509Certificate>& a,
const scoped_refptr<X509Certificate>& b) const {
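Review bot: The added constructor fixes `now_` when the sorter is built, so validity is only as fresh as the object. A `ClientCertSorter` that is stored and reused for a later sort would judge certificates against a stale instant and could rank a since-expired client certificate ahead of a valid one. The header is not part of this diff, so whether the class already documents this is not visible here. If it does not, a comment on the constructor would help, e.g. `// Snapshots the current time once so every comparison in one sort uses the same instant; construct a new sorter for each sort.` The `a_is_valid`/`b_is_valid` lines in the second hunk read `now_` and rely on the same assumption, and the body of `operator()` continues outside this hunk.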
@@ -19,9 +21,8 @@ bool ClientCertSorter::operator()(
return a.get() && !b.get();
// Certificates that are expired/not-yet-valid are sorted last.
- base::Time now = base::Time::Now();
- bool a_is_valid = now >= a->valid_start() && now <= a->valid_expiry();
- bool b_is_valid = now >= b->valid_start() && now <= b->valid_expiry();
+ bool a_is_valid = now_ >= a->valid_start() && now_ <= a->valid_expiry();
+ bool b_is_valid = now_ >= b->valid_start() && now_ <= b->valid_expiry();
if (a_is_valid != b_is_valid)
return a_is_valid && !b_is_valid;