Add base::UnguessableToken

base/unguessable_token.cc

Index: base/unguessable_token.cc
diff --git a/base/unguessable_token.cc b/base/unguessable_token.cc
new file mode 100644
index 0000000000000000000000000000000000000000..2073fda53024abb59a84e17a2a5fcb1413c3c521
--- /dev/null
+++ b/base/unguessable_token.cc
@@ -0,0 +1,45 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/unguessable_token.h"
+
+#include "base/format_macros.h"
+#include "base/rand_util.h"
+#include "base/strings/stringprintf.h"
+
+namespace base {
+
+UnguessableToken::UnguessableToken(uint64_t high, uint64_t low)
+    : high_(high), low_(low) {}
+
+std::string UnguessableToken::ToString() const {
+  return base::StringPrintf("(%" PRIu64 ":%" PRIu64 ")", high_, low_);

[sandersd (OOO until July 31), 2016/09/16 22:13:55]

I would suggest 0-padded hex rather than exposing the internal structure.

[tguilbert, 2016/09/16 22:48:14]

Done and added UT.

+}
+
+// static
+UnguessableToken UnguessableToken::Create() {
+  UnguessableToken token;
+  // Use base::RandBytes instead of crypto::RandBytes, because crypto calls the
+  // base version directly, and to prevent the dependency from base/ to crypto/.
+  base::RandBytes(&token, sizeof(token));
+  return token;
+}
+
+void UnguessableToken::Serialize(uint64_t* high_out, uint64_t* low_out) const {
+  // Serializing an uninitialized UnguessableToken is a security issue.
+  // Use base::Optional if there is a valid use for sending "no token".
+  DCHECK(!is_empty());
+  *high_out = high_;
+  *low_out = low_;
+}
+
+// static
+UnguessableToken UnguessableToken::Deserialize(uint64_t high, uint64_t low) {
+  // Receiving a zeroed out UnguessableToken from another process means that it
+  // was never initialized via Create(). Treat this case as a security issue.
+  DCHECK(!(high == 0 && low == 0));
+  return UnguessableToken(high, low);
+}
+
+}  // namespace base