net/cert/x509_util.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/cert/x509_util.h"
   6
   7 #include "base/time.h"
   8 #include "net/cert/x509_certificate.h"
   9
  10 namespace net {
  11
  12 namespace x509_util {
  13
  14 ClientCertSorter::ClientCertSorter() : now_(base::Time::Now()) {}
  15
  16 bool ClientCertSorter::operator()(
  17     const scoped_refptr<X509Certificate>& a,
  18     const scoped_refptr<X509Certificate>& b) const {
  19   // Certificates that are null are sorted last.
  20   if (!a.get() || !b.get())
  21     return a.get() && !b.get();
  22
  23   // Certificates that are expired/not-yet-valid are sorted last.
  24   bool a_is_valid = now_ >= a->valid_start() && now_ <= a->valid_expiry();
  25   bool b_is_valid = now_ >= b->valid_start() && now_ <= b->valid_expiry();
  26   if (a_is_valid != b_is_valid)
  27     return a_is_valid && !b_is_valid;
  28
  29   // Certificates with longer expirations appear as higher priority (less
  30   // than) certificates with shorter expirations.
  31   if (a->valid_expiry() != b->valid_expiry())
  32     return a->valid_expiry() > b->valid_expiry();
  33
  34   // If the expiration dates are equivalent, certificates that were issued
  35   // more recently should be prioritized over older certificates.
  36   if (a->valid_start() != b->valid_start())
  37     return a->valid_start() > b->valid_start();
  38
  39   // Otherwise, prefer client certificates with shorter chains.
  40   const X509Certificate::OSCertHandles& a_intermediates =
  41       a->GetIntermediateCertificates();
  42   const X509Certificate::OSCertHandles& b_intermediates =
  43       b->GetIntermediateCertificates();
  44   return a_intermediates.size() < b_intermediates.size();
  45 }
  46
  47 }  // namespace x509_util
  48
  49 }  // namespace net