Add SHA-256 fingerprint functions to x509 certs.

net/cert/x509_certificate.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/x509_certificate.h"
 
 #include <stdlib.h>
 
 #include <algorithm>
 #include <map>
 #include <string>
 #include <vector>
 
 #include "base/base64.h"
 #include "base/lazy_instance.h"
 #include "base/logging.h"
+#include "base/memory/scoped_ptr.h"
 #include "base/memory/singleton.h"
 #include "base/metrics/histogram.h"
 #include "base/pickle.h"
 #include "base/sha1.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/string_util.h"
 #include "base/synchronization/lock.h"
 #include "base/time/time.h"
+#include "crypto/secure_hash.h"
 #include "net/base/net_util.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/cert/pem_tokenizer.h"
 #include "url/url_canon.h"
 
 namespace net {
 
 namespace {
 
 // Indicates the order to use when trying to decode binary data, which is
@@ skipping 663 matching lines @@
   encoded_chain.push_back(pem_data);
   for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) {
     if (!GetPEMEncoded(intermediate_ca_certs_[i], &pem_data))
       return false;
     encoded_chain.push_back(pem_data);
   }
   pem_encoded->swap(encoded_chain);
   return true;
 }
 
+// static
+SHA256HashValue X509Certificate::CalculateCAFingerprint256(

[wtc, 2014/07/26 01:25:12]

You can move the code of this function to your code. Every function you use is
public.

[jww, 2014/07/26 01:30:47]

sleevi suggested that we want this as a generic way, going forward, of having
secure fingerprints for x509 certs. True enough that we can move this to our
specific code for now, but it seems likely that we'll want secure fingerprints
elsewhere in the future, no?

+    const OSCertHandles& intermediates) {
+  SHA256HashValue sha256;
+  memset(sha256.data, 0, sizeof(sha256.data));
+
+  scoped_ptr<crypto::SecureHash> hash(
+      crypto::SecureHash::Create(crypto::SecureHash::Algorithm::SHA256));
+
+  for (size_t i = 0; i < intermediates.size(); ++i) {
+    std::string der_encoded;
+    if (!GetDEREncoded(intermediates[i], &der_encoded))

[Ryan Sleevi, 2014/07/25 00:21:34]

The only benefit to the platform implementation (and I think you'd still call
crypto::SecureHash, FWIW) is that you could avoid the extra copy to get the cert
data.

+      return sha256;
+    hash->Update(der_encoded.c_str(), der_encoded.length());
+  }
+  hash->Finish(sha256.data, sizeof(sha256.data));
+
+  return sha256;
+}
+
+// static
+SHA256HashValue X509Certificate::CalculateFullChainFingerprint256(
+    const OSCertHandle& leaf,
+    const OSCertHandles& intermediates) {
+  OSCertHandles chain;
+  chain.push_back(leaf);
+  chain.insert(chain.end(), intermediates.begin(), intermediates.end());
+
+  return CalculateCAFingerprint256(chain);
+}
+
 X509Certificate::X509Certificate(OSCertHandle cert_handle,
                                  const OSCertHandles& intermediates)
     : cert_handle_(DupOSCertHandle(cert_handle)) {
   InsertOrUpdateCache(&cert_handle_);
   for (size_t i = 0; i < intermediates.size(); ++i) {
     // Duplicate the incoming certificate, as the caller retains ownership
     // of |intermediates|.
     OSCertHandle intermediate = DupOSCertHandle(intermediates[i]);
     // Update the cache, which will assume ownership of the duplicated
     // handle and return a suitable equivalent, potentially from the cache.
     InsertOrUpdateCache(&intermediate);
     intermediate_ca_certs_.push_back(intermediate);
   }
   // Platform-specific initialization.
   Initialize();
 }
 
 X509Certificate::~X509Certificate() {
   if (cert_handle_) {
     RemoveFromCache(cert_handle_);
     FreeOSCertHandle(cert_handle_);
   }
   for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) {
     RemoveFromCache(intermediate_ca_certs_[i]);
     FreeOSCertHandle(intermediate_ca_certs_[i]);
   }
 }
 
 }  // namespace net