Remove the fingerprint and ca_fingerprint from X509Certificate

net/cert/cert_verify_proc_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc_nss.h"
 
 #include <cert.h>
 #include <nss.h>
 #include <prerror.h>
 #include <secerr.h>
 #include <sechash.h>
 #include <sslerr.h>
 
 #include <memory>
 #include <string>
 #include <vector>
 
 #include "base/logging.h"
 #include "base/macros.h"
+#include "base/sha1.h"
 #include "build/build_config.h"
 #include "crypto/nss_util.h"
 #include "crypto/scoped_nss_types.h"
 #include "crypto/sha2.h"
 #include "net/base/net_errors.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/crl_set.h"
 #include "net/cert/ev_root_ca_metadata.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util_nss.h"
 
-#if defined(OS_IOS)
-#include <CommonCrypto/CommonDigest.h>
-#include "net/cert/x509_util_ios.h"
-#endif  // defined(OS_IOS)
-
-#if defined(USE_NSS_CERTS)
 #include <dlfcn.h>
-#else
-#include <ocsp.h>
-#endif
 
 namespace net {
 
 namespace {
 
 typedef std::unique_ptr<
     CERTCertificatePolicies,
     crypto::NSSDestroyer<CERTCertificatePolicies,
                          CERT_DestroyCertificatePoliciesExtension>>
     ScopedCERTCertificatePolicies;
@@ skipping 166 matching lines @@
         if (i == 0)
           verify_result->has_sha1_leaf = true;
         break;
       default:
         break;
     }
   }
 
   if (root_cert)
     verified_chain.push_back(root_cert);
-#if defined(OS_IOS)
-  verify_result->verified_cert =
-      x509_util_ios::CreateCertFromNSSHandles(verified_cert, verified_chain);
-#else
   verify_result->verified_cert =
       X509Certificate::CreateFromHandle(verified_cert, verified_chain);
-#endif  // defined(OS_IOS)
 }
 
 // IsKnownRoot returns true if the given certificate is one that we believe
 // is a standard (as opposed to user-installed) root.
 bool IsKnownRoot(CERTCertificate* root) {
   if (!root || !root->slot)
     return false;
 
   // This magic name is taken from
   // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/builtins/constants.c&rev=1.13&mark=86,89#79
@@ skipping 406 matching lines @@
   // default description here.  The description doesn't need to be unique for
   // each OID.
   od.desc = "a certificate policy";
   od.mechanism = CKM_INVALID_MECHANISM;
   od.supportedExtension = INVALID_CERT_EXTENSION;
   return SECOID_AddEntry(&od);
 }
 
 HashValue CertPublicKeyHashSHA1(CERTCertificate* cert) {
   HashValue hash(HASH_VALUE_SHA1);
-#if defined(OS_IOS)
-  CC_SHA1(cert->derPublicKey.data, cert->derPublicKey.len, hash.data());
-#else
   SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, hash.data(),
                               cert->derPublicKey.data, cert->derPublicKey.len);
   DCHECK_EQ(SECSuccess, rv);
-#endif
   return hash;
 }
 
 HashValue CertPublicKeyHashSHA256(CERTCertificate* cert) {
   HashValue hash(HASH_VALUE_SHA256);
-#if defined(OS_IOS)
-  CC_SHA256(cert->derPublicKey.data, cert->derPublicKey.len, hash.data());
-#else
   SECStatus rv = HASH_HashBuf(HASH_AlgSHA256, hash.data(),
                               cert->derPublicKey.data, cert->derPublicKey.len);
   DCHECK_EQ(rv, SECSuccess);
-#endif
   return hash;
 }
 
 void AppendPublicKeyHashes(CERTCertList* cert_list,
                            CERTCertificate* root_cert,
                            HashValueVector* hashes) {
   for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
        !CERT_LIST_END(node, cert_list);
        node = CERT_LIST_NEXT(node)) {
     hashes->push_back(CertPublicKeyHashSHA1(node->cert));
@@ skipping 85 matching lines @@
   // the old path, might have been revoked.
   if (crl_set) {
     CRLSetResult crl_set_result = CheckRevocationWithCRLSet(
         cvout[cvout_cert_list_index].value.pointer.chain,
         cvout[cvout_trust_anchor_index].value.pointer.cert,
         crl_set);
     if (crl_set_result == kCRLSetRevoked)
       return false;
   }
 
-#if defined(OS_IOS)
-  SHA1HashValue fingerprint = x509_util_ios::CalculateFingerprintNSS(root_ca);
-#else
-  SHA1HashValue fingerprint =
-      X509Certificate::CalculateFingerprint(root_ca);
-#endif
-  return metadata->HasEVPolicyOID(fingerprint, ev_policy_oid);
+  SHA1HashValue weak_fingerprint;
+  base::SHA1HashBytes(root_ca->derCert.data, root_ca->derCert.len,
+                      weak_fingerprint.data);
+  return metadata->HasEVPolicyOID(weak_fingerprint, ev_policy_oid);
 }
 
 CERTCertList* CertificateListToCERTCertList(const CertificateList& list) {
   CERTCertList* result = CERT_NewCertList();
   for (size_t i = 0; i < list.size(); ++i) {
-#if defined(OS_IOS)
-    // X509Certificate::os_cert_handle() on iOS is a SecCertificateRef; convert
-    // it to an NSS CERTCertificate.
-    CERTCertificate* cert = x509_util_ios::CreateNSSCertHandleFromOSHandle(
-        list[i]->os_cert_handle());
-#else
     CERTCertificate* cert = list[i]->os_cert_handle();
-#endif
     CERT_AddCertToListTail(result, CERT_DupCertificate(cert));
   }
   return result;
 }
 
 }  // namespace
 
 CertVerifyProcNSS::CertVerifyProcNSS()
-#if defined(USE_NSS_CERTS)
     : cache_ocsp_response_from_side_channel_(
           reinterpret_cast<CacheOCSPResponseFromSideChannelFunction>(
               dlsym(RTLD_DEFAULT, "CERT_CacheOCSPResponseFromSideChannel")))
-#else
-    : cache_ocsp_response_from_side_channel_(
-          &CERT_CacheOCSPResponseFromSideChannel)
-#endif
 {
 }
 
 CertVerifyProcNSS::~CertVerifyProcNSS() {}
 
 bool CertVerifyProcNSS::SupportsAdditionalTrustAnchors() const {
   return true;
 }
 
 bool CertVerifyProcNSS::SupportsOCSPStapling() const {
   return cache_ocsp_response_from_side_channel_;
 }
 
 int CertVerifyProcNSS::VerifyInternalImpl(
     X509Certificate* cert,
     const std::string& hostname,
     const std::string& ocsp_response,
     int flags,
     CRLSet* crl_set,
     const CertificateList& additional_trust_anchors,
     CERTChainVerifyCallback* chain_verify_callback,
     CertVerifyResult* verify_result) {
-#if defined(OS_IOS)
-  // For iOS, the entire chain must be loaded into NSS's in-memory certificate
-  // store.
-  x509_util_ios::NSSCertChain scoped_chain(cert);
-  CERTCertificate* cert_handle = scoped_chain.cert_handle();
-#else
   CERTCertificate* cert_handle = cert->os_cert_handle();
-#endif  // defined(OS_IOS)
 
   if (!ocsp_response.empty() && cache_ocsp_response_from_side_channel_) {
     // Note: NSS uses a thread-safe global hash table, so this call will
     // affect any concurrent verification operations on |cert| or copies of
     // the same certificate. This is an unavoidable limitation of NSS's OCSP
     // API.
     SECItem ocsp_response_item;
     ocsp_response_item.data = reinterpret_cast<unsigned char*>(
         const_cast<char*>(ocsp_response.data()));
     ocsp_response_item.len = ocsp_response.size();
@@ skipping 163 matching lines @@
     CRLSet* crl_set,
     const CertificateList& additional_trust_anchors,
     CertVerifyResult* verify_result) {
   return VerifyInternalImpl(cert, hostname, ocsp_response, flags, crl_set,
                             additional_trust_anchors,
                             NULL,  // chain_verify_callback
                             verify_result);
 }
 
 }  // namespace net