Implement certificate lifetime parameter as required by WebRTC RFC.

webrtc/base/opensslidentity.cc

Index: webrtc/base/opensslidentity.cc
diff --git a/webrtc/base/opensslidentity.cc b/webrtc/base/opensslidentity.cc
index 7185571102d9341d201cfb768c1b280b691f4475..ba8b125ffbe8a0d937cb8ad3a5f4a9bd6140971d 100644
--- a/webrtc/base/opensslidentity.cc
+++ b/webrtc/base/opensslidentity.cc
@@ -36,12 +36,6 @@ namespace rtc {
 // Random bits for certificate serial number
 static const int SERIAL_RAND_BITS = 64;
 
-// Certificate validity lifetime
-static const int CERTIFICATE_LIFETIME = 60*60*24*30;  // 30 days, arbitrarily
-// Certificate validity window.
-// This is to compensate for slightly incorrect system clocks.
-static const int CERTIFICATE_WINDOW = -60*60*24;
-
 // Generate a key pair. Caller is responsible for freeing the returned object.
 static EVP_PKEY* MakeKey(const KeyParams& key_params) {
   LOG(LS_INFO) << "Making key pair";
@@ -414,13 +408,15 @@ OpenSSLIdentity* OpenSSLIdentity::GenerateInternal(
 }
 
 OpenSSLIdentity* OpenSSLIdentity::Generate(const std::string& common_name,
-                                           const KeyParams& key_params) {
+                                           const KeyParams& key_params,
+                                           time_t certificate_lifetime) {

[tommi, 2016/02/11 16:59:30]

does it make sense to DCHECK the validity of the certificate_lifetime value?

[torbjorng (webrtc), 2016/02/12 10:54:32]

Reply below.

   SSLIdentityParams params;
   params.key_params = key_params;
   params.common_name = common_name;
   time_t now = time(NULL);
   params.not_before = now + CERTIFICATE_WINDOW;
-  params.not_after = now + CERTIFICATE_LIFETIME;
+  params.not_after = now + certificate_lifetime;
+  RTC_DCHECK(params.not_before < params.not_after);

[tommi, 2016/02/11 16:59:30]

ah, perhaps this is enough... unless now is bogus.

[torbjorng (webrtc), 2016/02/12 10:54:32]

This is an intentionally somewhat week assertion, intended to avoid problems in
the low-level crypto library.

We set the not_before field (which is part of every certificate) to now - 1 day,
a behaviour which might be debatable but I retain. This CL allows explicit
setting of not_after (but not not_before), supplanting the previously hardwired
30 days.

Setting not_after to a (relative to now) negative value makes little sense
except for testing some predicate functions. It will cause peer rejection, which
is a benign failure.

   return GenerateInternal(params);
 }