Implement SHA-256 fingerprint support

net/base/x509_cert_types.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_X509_CERT_TYPES_H_
 #define NET_BASE_X509_CERT_TYPES_H_
 
 #include <string.h>
 
+#include <algorithm>
 #include <set>
 #include <string>
 #include <vector>
 
+#include "base/logging.h"
 #include "base/string_piece.h"
 #include "build/build_config.h"
 #include "net/base/net_export.h"
 
 #if defined(OS_MACOSX) && !defined(OS_IOS)
 #include <Security/x509defs.h>
 #endif
 
 namespace base {
 class Time;
 }  // namespace base
 
 namespace net {
 
 class X509Certificate;
 
 // SHA-1 fingerprint (160 bits) of a certificate.
-struct NET_EXPORT SHA1Fingerprint {
-  bool Equals(const SHA1Fingerprint& other) const {
+struct NET_EXPORT SHA1HashValue {
+  bool Equals(const SHA1HashValue& other) const {
     return memcmp(data, other.data, sizeof(data)) == 0;
   }
 
   unsigned char data[20];
 };
 
-// In the future there will be a generic Fingerprint type, with at least two
-// implementations: SHA1 and SHA256. See http://crbug.com/117914. Until that
-// work is done (in a separate patch) this typedef bridges the gap.
-typedef SHA1Fingerprint Fingerprint;
-
-typedef std::vector<Fingerprint> FingerprintVector;
-
-class NET_EXPORT SHA1FingerprintLessThan {
+class NET_EXPORT SHA1HashValueLessThan {
  public:
-  bool operator() (const SHA1Fingerprint& lhs,
-                   const SHA1Fingerprint& rhs) const {
+  bool operator() (const SHA1HashValue& lhs,

[Ryan Sleevi, 2012/08/23 22:48:20]

nit: "operator() (" -> "operator()("

See also line 95

[palmer, 2012/08/29 00:01:24]

Done.

+                   const SHA1HashValue& rhs) const {
     return memcmp(lhs.data, rhs.data, sizeof(lhs.data)) < 0;
   }
 };
 
+struct NET_EXPORT SHA256HashValue {
+  bool Equals(const SHA256HashValue& other) const {
+    return memcmp(data, other.data, sizeof(data)) == 0;
+  }
+
+  unsigned char data[32];
+};
+
+class NET_EXPORT SHA256HashValueLessThan {
+ public:
+  bool operator() (const SHA256HashValue& lhs,
+                   const SHA256HashValue& rhs) const {
+    return memcmp(lhs.data, rhs.data, sizeof(lhs.data)) < 0;
+  }
+};
+
+enum HashValueTag {
+  HASH_VALUE_SHA1,
+  HASH_VALUE_SHA256,
+
+  // This must always be last.
+  HASH_VALUE_TAGS_COUNT
+};
+
+class NET_EXPORT HashValue {
+ public:
+  explicit HashValue(HashValueTag tag) : tag(tag) {}
+  HashValue() : tag(HASH_VALUE_SHA1) {}
+
+  bool Equals(const HashValue& other) const;
+  size_t size() const;
+  unsigned char* data();
+  const unsigned char* data() const;
+  const char* label() const;
+
+  HashValueTag tag;
+
+ private:
+  union {
+    SHA1HashValue sha1;
+    SHA256HashValue sha256;
+  } fingerprint;
+};
+
+class NET_EXPORT HashValueLessThan {
+ public:
+  bool operator() (const HashValue& lhs,
+                   const HashValue& rhs) const {
+    size_t lhs_size = lhs.size();
+    size_t rhs_size = rhs.size();
+
+    if (lhs_size != rhs_size)
+      return lhs_size < rhs_size;
+
+    return memcmp(lhs.data(), rhs.data(), std::min(lhs_size, rhs_size)) < 0;

[Ryan Sleevi, 2012/08/23 22:48:20]

nit: remove use of std::min, you've already guaranteed they're equal (line 100).
Just use lhs_size

[palmer, 2012/08/29 00:01:24]

Done.

+  }
+};
+
+typedef std::vector<HashValue> HashValueVector;
+
 // IsSHA1HashInSortedArray returns true iff |hash| is in |array|, a sorted
 // array of SHA1 hashes.
-bool NET_EXPORT IsSHA1HashInSortedArray(const SHA1Fingerprint& hash,
+bool NET_EXPORT IsSHA1HashInSortedArray(const SHA1HashValue& hash,
                                         const uint8* array,
                                         size_t array_byte_len);
 
 // CertPrincipal represents the issuer or subject field of an X.509 certificate.
 struct NET_EXPORT CertPrincipal {
   CertPrincipal();
   explicit CertPrincipal(const std::string& name);
   ~CertPrincipal();
 
 #if (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_WIN)
@@ skipping 56 matching lines @@
   void Deny(X509Certificate* cert);
 
   // Returns true if this policy has allowed at least one certificate.
   bool HasAllowedCert() const;
 
   // Returns true if this policy has denied at least one certificate.
   bool HasDeniedCert() const;
 
  private:
   // The set of fingerprints of allowed certificates.
-  std::set<SHA1Fingerprint, SHA1FingerprintLessThan> allowed_;
+  std::set<SHA1HashValue, SHA1HashValueLessThan> allowed_;
 
   // The set of fingerprints of denied certificates.
-  std::set<SHA1Fingerprint, SHA1FingerprintLessThan> denied_;
+  std::set<SHA1HashValue, SHA1HashValueLessThan> denied_;
 };
 
 #if defined(OS_MACOSX) && !defined(OS_IOS)
 // Compares two OIDs by value.
 inline bool CSSMOIDEqual(const CSSM_OID* oid1, const CSSM_OID* oid2) {
   return oid1->Length == oid2->Length &&
   (memcmp(oid1->Data, oid2->Data, oid1->Length) == 0);
 }
 #endif
 
@@ skipping 10 matching lines @@
 // Attempts to parse |raw_date|, an ASN.1 date/time string encoded as
 // |format|, and writes the result into |*time|. If an invalid date is
 // specified, or if parsing fails, returns false, and |*time| will not be
 // updated.
 bool ParseCertificateDate(const base::StringPiece& raw_date,
                           CertDateFormat format,
                           base::Time* time);
 }  // namespace net
 
 #endif  // NET_BASE_X509_CERT_TYPES_H_