Remove the fingerprint and ca_fingerprint from X509Certificate

net/cert/x509_certificate.h

Index: net/cert/x509_certificate.h
diff --git a/net/cert/x509_certificate.h b/net/cert/x509_certificate.h
index d70e62922580189fad99733ee6f3c89f88809c4c..14828b92a6425a9736912c43cafdb8cd2dbc4024 100644
--- a/net/cert/x509_certificate.h
+++ b/net/cert/x509_certificate.h
@@ -81,7 +81,7 @@ class NET_EXPORT X509Certificate
     kPublicKeyTypeECDH
   };
 
-  // Predicate functor used in maps when X509Certificate is used as the key.
+  // Predicate functor used to sort X509Certificates.
   class NET_EXPORT LessThan {
    public:
     bool operator()(const scoped_refptr<X509Certificate>& lhs,
@@ -213,14 +213,6 @@ class NET_EXPORT X509Certificate
   const base::Time& valid_start() const { return valid_start_; }
   const base::Time& valid_expiry() const { return valid_expiry_; }
 
-  // The fingerprint of this certificate.
-  const SHA1HashValue& fingerprint() const { return fingerprint_; }
-
-  // The fingerprint of the intermediate CA certificates.
-  const SHA1HashValue& ca_fingerprint() const {
-    return ca_fingerprint_;
-  }
-
   // Gets the DNS names in the certificate.  Pursuant to RFC 2818, Section 3.1
   // Server Identity, if the certificate has a subjectAltName extension of
   // type dNSName, this method gets the DNS names in that extension.
@@ -385,25 +377,10 @@ class NET_EXPORT X509Certificate
   // Frees (or releases a reference to) an OS certificate handle.
   static void FreeOSCertHandle(OSCertHandle cert_handle);
 
-  // Calculates the SHA-1 fingerprint of the certificate.  Returns an empty
-  // (all zero) fingerprint on failure.
-  //
-  // For calculating fingerprints, prefer SHA-1 for performance when indexing,
-  // but callers should use IsSameOSCert() before assuming two certificates are

[eroman, 2016/05/30 20:20:30]

Do you want to provide similar guidance for CalculateFingerprint256 ? Or rename
it to CalculateStrongFingerprint() and make SHA256 an internal detail?

[Ryan Sleevi, 2016/05/31 15:40:13]

The SHA-256 is an external detail - we need it exposed because PKP relies on
SHA-256.

I suppose I didn't explain my concerns well for the disconnect between "Why do
we use SHA-256 for PKP, but not use it internally" - my goal is to try to
minimize the surface area of SHA-[1/256] between internal and external.

That is, it's easy to remember to fix SHA exposure in public API surfaces (e.g.
certificates, PKP), but easy to miss the internal surfaces. External surfaces
people file bugs about and yell about - internal surfaces no one thinks about.
We need to expose some of this for external, but I want to discourage its use
internal.

To that end, adding the comment would be consistent, yes.

-  // the same.
-  static SHA1HashValue CalculateFingerprint(OSCertHandle cert_handle);
-
   // Calculates the SHA-256 fingerprint of the certificate.  Returns an empty
   // (all zero) fingerprint on failure.
   static SHA256HashValue CalculateFingerprint256(OSCertHandle cert_handle);
 
-  // Calculates the SHA-1 fingerprint of the intermediate CA certificates.
-  // Returns an empty (all zero) fingerprint on failure.
-  //
-  // See SHA-1 caveat on CalculateFingerprint().
-  static SHA1HashValue CalculateCAFingerprint(
-      const OSCertHandles& intermediates);
-
   // Calculates the SHA-256 fingerprint of the intermediate CA certificates.
   // Returns an empty (all zero) fingerprint on failure.
   //
@@ -494,12 +471,6 @@ class NET_EXPORT X509Certificate
   // This certificate is not valid after |valid_expiry_|
   base::Time valid_expiry_;
 
-  // The fingerprint of this certificate.
-  SHA1HashValue fingerprint_;
-
-  // The fingerprint of the intermediate CA certificates.
-  SHA1HashValue ca_fingerprint_;
-
   // The serial number of this certificate, DER encoded.
   std::string serial_number_;