Remove the fingerprint and ca_fingerprint from X509Certificate

net/cert/x509_certificate.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/x509_certificate.h"
 
 #include <limits.h>
 #include <stdlib.h>
 
 #include <algorithm>
 #include <map>
 #include <memory>
 #include <string>
 #include <vector>
 
 #include "base/base64.h"
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/memory/singleton.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/pickle.h"
 #include "base/profiler/scoped_tracker.h"
-#include "base/sha1.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/string_util.h"
 #include "base/synchronization/lock.h"
 #include "base/time/time.h"
 #include "crypto/secure_hash.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/base/url_util.h"
 #include "net/cert/pem_tokenizer.h"
 #include "url/url_canon.h"
 
@@ skipping 41 matching lines @@
   void InsertOrUpdate(X509Certificate::OSCertHandle* cert_handle);
 
   // Decrements the cache reference count for |cert_handle|, a handle that was
   // previously obtained by calling InsertOrUpdate(). If this is the last
   // cached reference held, this will remove the handle from the cache. The
   // caller retains ownership of |cert_handle| and remains responsible for
   // calling FreeOSCertHandle() to release the underlying OS certificate
   void Remove(X509Certificate::OSCertHandle cert_handle);
 
  private:
-  // A single entry in the cache. Certificates will be keyed by their SHA1
+  // A single entry in the cache. Certificates will be keyed by their SHA-256
   // fingerprints, but will not be considered equivalent unless the entire
   // certificate data matches.
   struct Entry {
     Entry() : cert_handle(NULL), ref_count(0) {}
 
     X509Certificate::OSCertHandle cert_handle;
 
     // Increased by each call to InsertOrUpdate(), and balanced by each call
     // to Remove(). When it equals 0, all references created by
     // InsertOrUpdate() have been released, so the cache entry will be removed
     // the cached OS certificate handle will be freed.
     int ref_count;
   };
-  typedef std::map<SHA1HashValue, Entry, SHA1HashValueLessThan> CertMap;
+  typedef std::map<SHA256HashValue, Entry, SHA256HashValueLessThan> CertMap;
 
   // Obtain an instance of X509CertificateCache via a LazyInstance.
   X509CertificateCache() {}
   ~X509CertificateCache() {}
   friend struct base::DefaultLazyInstanceTraits<X509CertificateCache>;
 
   // You must acquire this lock before using any private data of this object
   // You must not block while holding this lock.
   base::Lock lock_;
 
   // The certificate cache.  You must acquire |lock_| before using |cache_|.
   CertMap cache_;
 
   DISALLOW_COPY_AND_ASSIGN(X509CertificateCache);
 };
 
 base::LazyInstance<X509CertificateCache>::Leaky
     g_x509_certificate_cache = LAZY_INSTANCE_INITIALIZER;
 
 void X509CertificateCache::InsertOrUpdate(
     X509Certificate::OSCertHandle* cert_handle) {
   DCHECK(cert_handle);
-  SHA1HashValue fingerprint =
-      X509Certificate::CalculateFingerprint(*cert_handle);
+  SHA256HashValue fingerprint =
+      X509Certificate::CalculateFingerprint256(*cert_handle);
 
   X509Certificate::OSCertHandle old_handle = NULL;
   {
     base::AutoLock lock(lock_);
     CertMap::iterator pos = cache_.find(fingerprint);
     if (pos == cache_.end()) {
       // A cached entry was not found, so initialize a new entry. The entry
       // assumes ownership of the current |*cert_handle|.
       Entry cache_entry;
       cache_entry.cert_handle = *cert_handle;
       cache_entry.ref_count = 0;
       CertMap::value_type cache_value(fingerprint, cache_entry);
       pos = cache_.insert(cache_value).first;
     } else {
       bool is_same_cert =
           X509Certificate::IsSameOSCert(*cert_handle, pos->second.cert_handle);
       if (!is_same_cert) {
-        // Two certificates don't match, due to a SHA1 hash collision. Given
+        // Two certificates don't match, due to a SHA-256 hash collision. Given
         // the low probability, the simplest solution is to not cache the
         // certificate, which should not affect performance too negatively.
         return;
       }
       // A cached entry was found and will be used instead of the caller's
       // handle. Ensure the caller's original handle will be freed, since
       // ownership is assumed.
       old_handle = *cert_handle;
     }
     // Whether an existing cached handle or a new handle, increment the
     // cache's reference count and return a handle that the caller can own.
     ++pos->second.ref_count;
     *cert_handle = X509Certificate::DupOSCertHandle(pos->second.cert_handle);
   }
   // If the caller's handle was replaced with a cached handle, free the
   // original handle now. This is done outside of the lock because
   // |old_handle| may be the only handle for this particular certificate, so
   // freeing it may be complex or resource-intensive and does not need to
   // be guarded by the lock.
   if (old_handle) {
     X509Certificate::FreeOSCertHandle(old_handle);
 #ifndef NDEBUG
     LOCAL_HISTOGRAM_BOOLEAN("X509CertificateReuseCount", true);
 #endif
   }
 }
 
 void X509CertificateCache::Remove(X509Certificate::OSCertHandle cert_handle) {
-  SHA1HashValue fingerprint =
-      X509Certificate::CalculateFingerprint(cert_handle);
+  SHA256HashValue fingerprint =
+      X509Certificate::CalculateFingerprint256(cert_handle);
   base::AutoLock lock(lock_);
 
   CertMap::iterator pos = cache_.find(fingerprint);
   if (pos == cache_.end())
     return;  // A hash collision where the winning cert was already freed.
 
   bool is_same_cert = X509Certificate::IsSameOSCert(cert_handle,
                                                     pos->second.cert_handle);
   if (!is_same_cert)
     return;  // A hash collision where the winning cert is still around.
@@ skipping 35 matching lines @@
     *left = src;
     right->clear();
   } else {
     *left = src.substr(0, pos);
     *right = src.substr(pos);
   }
 }
 
 }  // namespace
 
-bool X509Certificate::LessThan::operator()(
-    const scoped_refptr<X509Certificate>& lhs,
-    const scoped_refptr<X509Certificate>& rhs) const {
-  if (lhs.get() == rhs.get())
-    return false;
-
-  int rv = memcmp(lhs->fingerprint_.data, rhs->fingerprint_.data,
-                  sizeof(lhs->fingerprint_.data));
-  if (rv != 0)
-    return rv < 0;
-
-  rv = memcmp(lhs->ca_fingerprint_.data, rhs->ca_fingerprint_.data,
-              sizeof(lhs->ca_fingerprint_.data));
-  return rv < 0;
-}
-
 X509Certificate::X509Certificate(const std::string& subject,
                                  const std::string& issuer,
                                  base::Time start_date,
                                  base::Time expiration_date)
     : subject_(subject),
       issuer_(issuer),
       valid_start_(start_date),
       valid_expiry_(expiration_date),
       cert_handle_(NULL) {
-  memset(fingerprint_.data, 0, sizeof(fingerprint_.data));
-  memset(ca_fingerprint_.data, 0, sizeof(ca_fingerprint_.data));
 }
 
 // static
 scoped_refptr<X509Certificate> X509Certificate::CreateFromHandle(
     OSCertHandle cert_handle,
     const OSCertHandles& intermediates) {
   DCHECK(cert_handle);
   return new X509Certificate(cert_handle, intermediates);
 }
 
@@ skipping 438 matching lines @@
   for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) {
     if (!GetPEMEncoded(intermediate_ca_certs_[i], &pem_data))
       return false;
     encoded_chain.push_back(pem_data);
   }
   pem_encoded->swap(encoded_chain);
   return true;
 }
 
 // static
-SHA256HashValue X509Certificate::CalculateCAFingerprint256(
-    const OSCertHandles& intermediates) {
-  SHA256HashValue sha256;
-  memset(sha256.data, 0, sizeof(sha256.data));
-
-  std::unique_ptr<crypto::SecureHash> hash(
-      crypto::SecureHash::Create(crypto::SecureHash::SHA256));
-
-  for (size_t i = 0; i < intermediates.size(); ++i) {
-    std::string der_encoded;
-    if (!GetDEREncoded(intermediates[i], &der_encoded))
-      return sha256;
-    hash->Update(der_encoded.data(), der_encoded.length());
-  }
-  hash->Finish(sha256.data, sizeof(sha256.data));
-
-  return sha256;
-}
-
-// static
 SHA256HashValue X509Certificate::CalculateChainFingerprint256(
     OSCertHandle leaf,
     const OSCertHandles& intermediates) {
   OSCertHandles chain;
   chain.push_back(leaf);
   chain.insert(chain.end(), intermediates.begin(), intermediates.end());
 
   return CalculateCAFingerprint256(chain);
 }
 
@@ skipping 19 matching lines @@
     RemoveFromCache(cert_handle_);
     FreeOSCertHandle(cert_handle_);
   }
   for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) {
     RemoveFromCache(intermediate_ca_certs_[i]);
     FreeOSCertHandle(intermediate_ca_certs_[i]);
   }
 }
 
 }  // namespace net