[refactor] Extract the CertVerifyResult assignment of has_md2, has_md4,

net/cert/x509_certificate.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_X509_CERTIFICATE_H_
 #define NET_CERT_X509_CERTIFICATE_H_
 
 #include <stddef.h>
 #include <string.h>
 
@@ skipping 62 matching lines @@
 
   enum PublicKeyType {
     kPublicKeyTypeUnknown,
     kPublicKeyTypeRSA,
     kPublicKeyTypeDSA,
     kPublicKeyTypeECDSA,
     kPublicKeyTypeDH,
     kPublicKeyTypeECDH
   };
 
+  // Enumeration for weak hashing algorithms.

[Ryan Sleevi, 2017/01/05 22:48:24]

This feels very much like a tighter coupling.

That is, the logical question is "Why should X509Certificate know what's
considered weak or not" - and historically, it hasn't (policy is left to
CertVerifyProc).

Since we're moving this code to X509Certificate, I'm curious whether it makes to
expand this enum (to include the other algorithms), or, simply from a design
standpoint, remove the comments about 'weak' and let it be extended (if needed)

// The digest algorithm used for the certificate's signature.

[eroman, 2017/01/05 23:21:53]

Sure, I will remove the comment about it being "weak" ones.

[eroman, 2017/01/05 23:36:30]

Done.

+  enum SignatureHashAlgorithm {
+    kSignatureHashAlgorithmMd2,
+    kSignatureHashAlgorithmMd4,
+    kSignatureHashAlgorithmMd5,
+    kSignatureHashAlgorithmSha1,
+    kSignatureHashAlgorithmOther,
+  };
+
   enum Format {
     // The data contains a single DER-encoded certificate, or a PEM-encoded
     // DER certificate with the PEM encoding block name of "CERTIFICATE".
     // Any subsequent blocks will be ignored.
     FORMAT_SINGLE_CERTIFICATE = 1 << 0,
 
     // The data contains a sequence of one or more PEM-encoded, DER
     // certificates, with the PEM encoding block name of "CERTIFICATE".
     // All PEM blocks will be parsed, until the first error is encountered.
     FORMAT_PEM_CERT_SEQUENCE = 1 << 1,
@@ skipping 227 matching lines @@
   // the first element.
   bool GetPEMEncodedChain(std::vector<std::string>* pem_encoded) const;
 
   // Sets |*size_bits| to be the length of the public key in bits, and sets
   // |*type| to one of the |PublicKeyType| values. In case of
   // |kPublicKeyTypeUnknown|, |*size_bits| will be set to 0.
   static void GetPublicKeyInfo(OSCertHandle cert_handle,
                                size_t* size_bits,
                                PublicKeyType* type);
 
+  // Returns the hashing algorithm used by |cert_handle|. If the hashing
+  // algorithm is NOT one of the enumerated weak ones, OR the implementation
+  // fails, then will return kSignatureHashAlgorithmOther.

[Ryan Sleevi, 2017/01/05 22:48:24]

// Returns the digest algorithm used in |cert_handle|'s signature.
// If the digest algorithm cannot be determined, or if it is not one
// of the explicitly enumerated values, kSignatureHashAlgorithmOther
// will be returned.
// NOTE: No validation of the signature is performed, and thus invalid
// signatures may result in seemingly meaningful values.

[eroman, 2017/01/05 23:36:30]

Done.

+  static SignatureHashAlgorithm GetSignatureHashAlgorithm(
+      OSCertHandle cert_handle);
+
   // Returns the OSCertHandle of this object. Because of caching, this may
   // differ from the OSCertHandle originally supplied during initialization.
   // Note: On Windows, CryptoAPI may return unexpected results if this handle
   // is used across multiple threads. For more details, see
   // CreateOSCertChainForCert().
   OSCertHandle os_cert_handle() const { return cert_handle_; }
 
   // Returns true if two OSCertHandles refer to identical certificates.
   static bool IsSameOSCert(OSCertHandle a, OSCertHandle b);
 
@@ skipping 128 matching lines @@
   // based on the type of the certificate.
   std::string default_nickname_;
 #endif
 
   DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 }  // namespace net
 
 #endif  // NET_CERT_X509_CERTIFICATE_H_