It looks like we can get the creation and expiry times for each certificate. How about we pick the most recently created cert from an acceptable issuer that has not yet expired? That should ignore certs for which a replacement has been issued, but which have not yet expired.

As an aside, does it ever make sense for the issuer policy to be '*'? It seems like that's very fragile and should be called out as an error case.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e4807badb80cef2a24ffd3fdb3b8c28859c65a5c

commit e4807badb80cef2a24ffd3fdb3b8c28859c65a5c
Author: yuweih <yuweih@chromium.org>
Date: Fri Sep 30 00:56:54 2016

[Remoting Host] Select Latest Valid Cert

Currently TokenValidatorBase will always select the first certificate for
third-party authentication that matches the issuer but sometimes an incorrect
certificate will be selected.

This CL tries to improve this by:
* Not selecting certificate that is obviously expired (now > valid_expiry).
* Selecting the certificate with latest |valid_start| time.
* Selecting the certifiacte with latest |valid_expiry| time when |valid_start|
  is the same.

BUG= 646944 

Review-Url: https://codereview.chromium.org/2369193002
Cr-Commit-Position: refs/heads/master@{#422001}

[modify] https://crrev.com/e4807badb80cef2a24ffd3fdb3b8c28859c65a5c/remoting/host/BUILD.gn
[modify] https://crrev.com/e4807badb80cef2a24ffd3fdb3b8c28859c65a5c/remoting/host/token_validator_base.cc
[modify] https://crrev.com/e4807badb80cef2a24ffd3fdb3b8c28859c65a5c/remoting/host/token_validator_base.h
[add] https://crrev.com/e4807badb80cef2a24ffd3fdb3b8c28859c65a5c/remoting/host/token_validator_base_unittest.cc