Remove the fingerprint and ca_fingerprint from X509Certificate

ios/web/navigation/crw_session_certificate_policy_manager.mm

 // Copyright 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #import "ios/web/navigation/crw_session_certificate_policy_manager.h"
 
 #include <map>
 #include <set>
 
 #include "base/bind.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/strings/sys_string_conversions.h"
 #include "ios/web/public/certificate_policy_cache.h"
 #include "ios/web/public/web_thread.h"
+#include "net/base/hash_value.h"
 #include "net/cert/x509_certificate.h"
 
 // Break if we detect that CertStatus values changed, because we persist them on
 // disk and thus require them to be consistent.
 static_assert(net::CERT_STATUS_ALL_ERRORS == 0xFFFF,
               "The value of CERT_STATUS_ALL_ERRORS changed!");
 static_assert(net::CERT_STATUS_COMMON_NAME_INVALID == 1 << 0,
               "The value of CERT_STATUS_COMMON_NAME_INVALID changed!");
 static_assert(net::CERT_STATUS_DATE_INVALID == 1 << 1,
               "The value of CERT_STATUS_DATE_INVALID changed!");
@@ skipping 17 matching lines @@
               "The value of CERT_STATUS_IS_EV changed!");
 static_assert(net::CERT_STATUS_REV_CHECKING_ENABLED == 1 << 17,
               "The value of CERT_STATUS_REV_CHECKING_ENABLED changed!");
 
 namespace {
 
 NSString* const kAllowedCertificatesKey = @"allowedCertificates";
 
 struct AllowedCertificate {
   scoped_refptr<net::X509Certificate> certificate;
+  net::SHA256HashValue certificateHash;
   std::string host;
 };
 
 class LessThan {
  public:
   bool operator() (const AllowedCertificate& lhs,
                    const AllowedCertificate& rhs) const {
     if (lhs.host != rhs.host)
       return lhs.host < rhs.host;
-    return certificateCompare_(lhs.certificate, rhs.certificate);
+    return hashCompare_(lhs.certificateHash, rhs.certificateHash);

[eroman, 2016/06/09 23:16:17]

Why is it that we don't just have an operator<() on SHA256HashValue?

i.e. then we could just one-liner this using std::tie().

   }
  private:
-  net::X509Certificate::LessThan certificateCompare_;
+  const net::SHA256HashValueLessThan hashCompare_;
 };
 
 typedef std::map<AllowedCertificate, net::CertStatus, LessThan>
     AllowedCertificates;
 
 NSData* CertificateToNSData(net::X509Certificate* certificate) {
   std::string s;
   bool success =
       net::X509Certificate::GetDEREncoded(certificate->os_cert_handle(), &s);
   DCHECK(success);
@@ skipping 22 matching lines @@
  @private
   AllowedCertificates allowed_;
 }
 
 - (void)registerAllowedCertificate:
             (const scoped_refptr<net::X509Certificate>)certificate
                            forHost:(const std::string&)host
                             status:(net::CertStatus)status {
   DCHECK([NSThread isMainThread]);
   DCHECK(certificate);
-  AllowedCertificate allowedCertificate = {certificate, host};
+  AllowedCertificate allowedCertificate = {
+      certificate, host, net::X509Certificate::CalculateChainFingerprint256(
+                             certificate->os_cert_handle(),
+                             certificate->GetIntermediateCertificates())};
   allowed_[allowedCertificate] = status;
 }
 
 - (void)clearCertificates {
   DCHECK([NSThread isMainThread]);
   allowed_.clear();
 }
 
 - (void)updateCertificatePolicyCache:
     (const scoped_refptr<web::CertificatePolicyCache>&)cache {
@@ skipping 56 matching lines @@
 }
 
 - (id)copyWithZone:(NSZone*)zone {
   DCHECK([NSThread isMainThread]);
   CRWSessionCertificatePolicyManager* copy = [[[self class] alloc] init];
   copy->allowed_ = allowed_;
   return copy;
 }
 
 @end