Implement x509_util::IsSupportedValidityRange() for Android / openssl.

The previous UNIMPLEMENTED() appears a lot is warnings/errors during
net_unittests otherwise.

BUG=


Review URL: https://chromiumcodereview.appspot.com/11348128

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@169279 0039d316-1c4b-4281-b951-d872f2087c98

2 files changed, 53 insertions, 3 deletions

diff --git a/net/base/x509_util_openssl.cc b/net/base/x509_util_openssl.cc
index 8e84985..142bf77 100644
--- a/net/base/x509_util_openssl.cc
+++ b/net/base/x509_util_openssl.cc
@@ -17,9 +17,34 @@ namespace x509_util {
 
 bool IsSupportedValidityRange(base::Time not_valid_before,
                               base::Time not_valid_after) {
-  // TODO(mattm): The validity field of a certificate can only encode years
-  // 1-9999.
-  NOTIMPLEMENTED();
+  if (not_valid_before > not_valid_after)
+    return false;
+
+  // The validity field of a certificate can only encode years 1-9999.
+
+  // Compute the base::Time values corresponding to Jan 1st,0001 and
+  // Jan 1st, 10000 respectively. Done by using the pre-computed numbers
+  // of days between these dates and the Unix epoch, i.e. Jan 1st, 1970,
+  // using the following Python script:
+  //
+  //     from datetime import date as D
+  //     print (D(1970,1,1)-D(1,1,1))        # -> 719162 days
+  //     print (D(9999,12,31)-D(1970,1,1))   # -> 2932896 days
+  //
+  // Note: This ignores leap seconds, but should be enough in practice.
+  //
+  const int64 kDaysFromYear0001ToUnixEpoch = 719162;
+  const int64 kDaysFromUnixEpochToYear10000 = 2932896 + 1;
+  const base::Time kEpoch = base::Time::UnixEpoch();
+  const base::Time kYear0001 = kEpoch -
+      base::TimeDelta::FromDays(kDaysFromYear0001ToUnixEpoch);
+  const base::Time kYear10000 = kEpoch +
+      base::TimeDelta::FromDays(kDaysFromUnixEpochToYear10000);
+
+  if (not_valid_before < kYear0001 || not_valid_before >= kYear10000 ||
+      not_valid_after < kYear0001 || not_valid_after >= kYear10000)
+    return false;
+
   return true;
 }
 
diff --git a/net/base/x509_util_openssl_unittest.cc b/net/base/x509_util_openssl_unittest.cc
index 2067505..eea3984 100644
--- a/net/base/x509_util_openssl_unittest.cc
+++ b/net/base/x509_util_openssl_unittest.cc
@@ -10,6 +10,31 @@
 
 namespace net {
 
+TEST(X509UtilOpenSSLTest, IsSupportedValidityRange) {
+  base::Time now = base::Time::Now();
+  EXPECT_TRUE(x509_util::IsSupportedValidityRange(now, now));
+  EXPECT_FALSE(x509_util::IsSupportedValidityRange(
+      now, now - base::TimeDelta::FromSeconds(1)));
+
+  // See x509_util_openssl.cc to see how these were computed.
+  const int64 kDaysFromYear0001ToUnixEpoch = 719162;
+  const int64 kDaysFromUnixEpochToYear10000 = 2932896 + 1;
+
+  // When computing too_old / too_late, add one day to account for
+  // possible leap seconds.
+  base::Time too_old = base::Time::UnixEpoch() -
+      base::TimeDelta::FromDays(kDaysFromYear0001ToUnixEpoch + 1);
+
+  base::Time too_late = base::Time::UnixEpoch() +
+      base::TimeDelta::FromDays(kDaysFromUnixEpochToYear10000 + 1);
+
+  EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_old, too_old));
+  EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_old, now));
+
+  EXPECT_FALSE(x509_util::IsSupportedValidityRange(now, too_late));
+  EXPECT_FALSE(x509_util::IsSupportedValidityRange(too_late, too_late));
+}
+
 // For OpenSSL, x509_util::CreateDomainBoundCertEC() is not yet implemented
 // and should return false.  This unit test ensures that a stub implementation
 // is present.