Remove the fingerprint and ca_fingerprint from X509Certificate

net/cert/x509_certificate.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_X509_CERTIFICATE_H_
 #define NET_CERT_X509_CERTIFICATE_H_
 
 #include <stddef.h>
 #include <string.h>
 
@@ skipping 63 matching lines @@
 
   enum PublicKeyType {
     kPublicKeyTypeUnknown,
     kPublicKeyTypeRSA,
     kPublicKeyTypeDSA,
     kPublicKeyTypeECDSA,
     kPublicKeyTypeDH,
     kPublicKeyTypeECDH
   };
 
-  // Predicate functor used in maps when X509Certificate is used as the key.
+  // Predicate functor used to sort X509Certificates.
   class NET_EXPORT LessThan {
    public:
     bool operator()(const scoped_refptr<X509Certificate>& lhs,
                     const scoped_refptr<X509Certificate>& rhs) const;
   };
 
   enum Format {
     // The data contains a single DER-encoded certificate, or a PEM-encoded
     // DER certificate with the PEM encoding block name of "CERTIFICATE".
     // Any subsequent blocks will be ignored.
@@ skipping 111 matching lines @@
   const CertPrincipal& issuer() const { return issuer_; }
 
   // Time period during which the certificate is valid.  More precisely, this
   // certificate is invalid before the |valid_start| date and invalid after
   // the |valid_expiry| date.
   // If we were unable to parse either date from the certificate (or if the cert
   // lacks either date), the date will be null (i.e., is_null() will be true).
   const base::Time& valid_start() const { return valid_start_; }
   const base::Time& valid_expiry() const { return valid_expiry_; }
 
-  // The fingerprint of this certificate.
-  const SHA1HashValue& fingerprint() const { return fingerprint_; }
-
-  // The fingerprint of the intermediate CA certificates.
-  const SHA1HashValue& ca_fingerprint() const {
-    return ca_fingerprint_;
-  }
-
   // Gets the DNS names in the certificate.  Pursuant to RFC 2818, Section 3.1
   // Server Identity, if the certificate has a subjectAltName extension of
   // type dNSName, this method gets the DNS names in that extension.
   // Otherwise, it gets the common name in the subject field.
   void GetDNSNames(std::vector<std::string>* dns_names) const;
 
   // Gets the subjectAltName extension field from the certificate, if any.
   // For future extension; currently this only returns those name types that
   // are required for HTTP certificate name verification - see VerifyHostname.
   // Unrequired parameters may be passed as NULL.
@@ skipping 144 matching lines @@
   static OSCertHandles CreateOSCertHandlesFromBytes(const char* data,
                                                     size_t length,
                                                     Format format);
 
   // Duplicates (or adds a reference to) an OS certificate handle.
   static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle);
 
   // Frees (or releases a reference to) an OS certificate handle.
   static void FreeOSCertHandle(OSCertHandle cert_handle);
 
-  // Calculates the SHA-1 fingerprint of the certificate.  Returns an empty
-  // (all zero) fingerprint on failure.
-  //
-  // For calculating fingerprints, prefer SHA-1 for performance when indexing,
-  // but callers should use IsSameOSCert() before assuming two certificates are

[eroman, 2016/05/30 20:20:30]

Do you want to provide similar guidance for CalculateFingerprint256 ? Or rename
it to CalculateStrongFingerprint() and make SHA256 an internal detail?

[Ryan Sleevi, 2016/05/31 15:40:13]

The SHA-256 is an external detail - we need it exposed because PKP relies on
SHA-256.

I suppose I didn't explain my concerns well for the disconnect between "Why do
we use SHA-256 for PKP, but not use it internally" - my goal is to try to
minimize the surface area of SHA-[1/256] between internal and external.

That is, it's easy to remember to fix SHA exposure in public API surfaces (e.g.
certificates, PKP), but easy to miss the internal surfaces. External surfaces
people file bugs about and yell about - internal surfaces no one thinks about.
We need to expose some of this for external, but I want to discourage its use
internal.

To that end, adding the comment would be consistent, yes.

-  // the same.
-  static SHA1HashValue CalculateFingerprint(OSCertHandle cert_handle);
-
   // Calculates the SHA-256 fingerprint of the certificate.  Returns an empty
   // (all zero) fingerprint on failure.
   static SHA256HashValue CalculateFingerprint256(OSCertHandle cert_handle);
 
-  // Calculates the SHA-1 fingerprint of the intermediate CA certificates.
-  // Returns an empty (all zero) fingerprint on failure.
-  //
-  // See SHA-1 caveat on CalculateFingerprint().
-  static SHA1HashValue CalculateCAFingerprint(
-      const OSCertHandles& intermediates);
-
   // Calculates the SHA-256 fingerprint of the intermediate CA certificates.
   // Returns an empty (all zero) fingerprint on failure.
   //
   // As part of the cross-platform implementation of this function, it currently
   // copies the certificate bytes into local variables which makes it
   // potentially slower than implementing it directly for each platform. For
   // now, the expected consumers are not performance critical, but if
   // performance is a concern going forward, it may warrant implementing this on
   // a per-platform basis.
   static SHA256HashValue CalculateCAFingerprint256(
@@ skipping 70 matching lines @@
 
   // The issuer of the certificate.
   CertPrincipal issuer_;
 
   // This certificate is not valid before |valid_start_|
   base::Time valid_start_;
 
   // This certificate is not valid after |valid_expiry_|
   base::Time valid_expiry_;
 
-  // The fingerprint of this certificate.
-  SHA1HashValue fingerprint_;
-
-  // The fingerprint of the intermediate CA certificates.
-  SHA1HashValue ca_fingerprint_;
-
   // The serial number of this certificate, DER encoded.
   std::string serial_number_;
 
   // A handle to the certificate object in the underlying crypto library.
   OSCertHandle cert_handle_;
 
   // Untrusted intermediate certificates associated with this certificate
   // that may be needed for chain building.
   OSCertHandles intermediate_ca_certs_;
 
 #if defined(USE_NSS_CERTS)
   // This stores any default nickname that has been set on the certificate
   // at creation time with CreateFromBytesWithNickname.
   // If this is empty, then GetDefaultNickname will return a generated name
   // based on the type of the certificate.
   std::string default_nickname_;
 #endif
 
   DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 }  // namespace net
 
 #endif  // NET_CERT_X509_CERTIFICATE_H_