Implement certificate lifetime parameter as required by WebRTC RFC.

webrtc/base/sslidentity_unittest.cc

 /*
  *  Copyright 2011 The WebRTC Project Authors. All rights reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
@@ skipping 369 matching lines @@
       size_t length = strlen(entry.string);
       memcpy(buf, entry.string, length);    // Copy the ASN1 string...
       buf[length] = rtc::CreateRandomId();  // ...and terminate it with junk.
       int64_t res = rtc::ASN1TimeToSec(buf, length - 1, entry.long_format);
       LOG(LS_VERBOSE) << entry.string;
       ASSERT_EQ(-1, res);
     }
   }
 
   void TestExpireTime(int times) {
+    // We test just ECDSA here since what we're out to exercise is the
+    // interfaces for expiration setting and reading.
     for (int i = 0; i < times; i++) {
-      rtc::SSLIdentityParams params;
-      params.common_name = "";
-      params.not_before = 0;
       // We limit the time to < 2^31 here, i.e., we stay before 2038, since else
       // we hit time offset limitations in OpenSSL on some 32-bit systems.
-      params.not_after = rtc::CreateRandomId() % 0x80000000;
-      // We test just ECDSA here since what we're out to exercise here is the
-      // code for expiration setting and reading.
-      params.key_params = rtc::KeyParams::ECDSA(rtc::EC_NIST_P256);
-      SSLIdentity* identity = rtc::SSLIdentity::GenerateForTest(params);

[hbos, 2016/02/11 11:25:17]

Is GenerateForTest still needed after this CL or can we nuke it?

[torbjorng (webrtc), 2016/02/11 13:41:48]

It is still used elsewhere (in sslstreamadapter_unittest.cc and
rtccertificate_unittests.cc).

[hbos, 2016/02/11 14:56:45]

Maybe have a TODO to clean it up some time in the future? :)

[torbjorng (webrtc), 2016/02/11 15:26:00]

Done.

-      EXPECT_EQ(params.not_after,
+      time_t now = time(NULL);
+      time_t lifetime = rtc::CreateRandomId() % (0x80000000 - now);

[hbos, 2016/02/11 11:25:17]

What about negative lifetimes? Generating an already expired certificate.

[torbjorng (webrtc), 2016/02/11 13:41:48]

That's an odd thing to do, and I don't think enforcing any particular behaviour
for that case is important. Note also that the interface will then get notBefore
> notAfter, something which could rightfully upset the low-level code.

[hbos, 2016/02/11 14:56:45]

I think it could be fine to require it to be positive, but right now it is
possible to provide a negative one, and its not clear what happens if notBefore
> notAfter. I think we should either support it or DCHECK.

[torbjorng (webrtc), 2016/02/11 15:26:00]

Done.

+      rtc::KeyParams key_params = rtc::KeyParams::ECDSA(rtc::EC_NIST_P256);
+      SSLIdentity* identity =
+          rtc::SSLIdentity::Generate("", key_params, lifetime);
+      EXPECT_EQ(now + lifetime,
                 identity->certificate().CertificateExpirationTime());
       delete identity;
     }
   }
 };
 
 TEST_F(SSLIdentityExpirationTest, TestASN1TimeToSec) {
   TestASN1TimeToSec();
 }
 
 TEST_F(SSLIdentityExpirationTest, TestExpireTime) {
   TestExpireTime(500);
 }