Add SHA-256 fingerprint functions to x509 certs.

net/cert/x509_certificate.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/x509_certificate.h"
 
 #include <stdlib.h>
 
 #include <algorithm>
 #include <map>
 #include <string>
 #include <vector>
 
 #include "base/base64.h"
 #include "base/lazy_instance.h"
 #include "base/logging.h"
+#include "base/memory/scoped_ptr.h"
 #include "base/memory/singleton.h"
 #include "base/metrics/histogram.h"
 #include "base/pickle.h"
 #include "base/sha1.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/string_util.h"
 #include "base/synchronization/lock.h"
 #include "base/time/time.h"
+#include "crypto/secure_hash.h"
 #include "net/base/net_util.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/cert/pem_tokenizer.h"
 #include "url/url_canon.h"
 
 namespace net {
 
 namespace {
 
 // Indicates the order to use when trying to decode binary data, which is
@@ skipping 663 matching lines @@
   encoded_chain.push_back(pem_data);
   for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) {
     if (!GetPEMEncoded(intermediate_ca_certs_[i], &pem_data))
       return false;
     encoded_chain.push_back(pem_data);
   }
   pem_encoded->swap(encoded_chain);
   return true;
 }
 
+// static
+SHA256HashValue X509Certificate::CalculateCAFingerprint256(
+    const OSCertHandles& intermediates) {
+  SHA256HashValue sha256;
+  memset(sha256.data, 0, sizeof(sha256.data));
+
+  scoped_ptr<crypto::SecureHash> hash(
+      crypto::SecureHash::Create(crypto::SecureHash::SHA256));
+
+  for (size_t i = 0; i < intermediates.size(); ++i) {
+    std::string der_encoded;
+    if (!GetDEREncoded(intermediates[i], &der_encoded))
+      return sha256;
+    hash->Update(der_encoded.c_str(), der_encoded.length());

[wtc, 2014/07/28 17:29:52]

Nit: use data() instead of c_str() because we don't need a C string here.

[jww, 2014/07/28 18:36:13]

Done.

+  }
+  hash->Finish(sha256.data, sizeof(sha256.data));
+
+  return sha256;
+}
+
+// static
+SHA256HashValue X509Certificate::CalculateChainFingerprint256(
+    const OSCertHandle& leaf,
+    const OSCertHandles& intermediates) {
+  OSCertHandles chain;
+  chain.push_back(leaf);
+  chain.insert(chain.end(), intermediates.begin(), intermediates.end());
+
+  return CalculateCAFingerprint256(chain);
+}
+
 X509Certificate::X509Certificate(OSCertHandle cert_handle,
                                  const OSCertHandles& intermediates)
     : cert_handle_(DupOSCertHandle(cert_handle)) {
   InsertOrUpdateCache(&cert_handle_);
   for (size_t i = 0; i < intermediates.size(); ++i) {
     // Duplicate the incoming certificate, as the caller retains ownership
     // of |intermediates|.
     OSCertHandle intermediate = DupOSCertHandle(intermediates[i]);
     // Update the cache, which will assume ownership of the duplicated
     // handle and return a suitable equivalent, potentially from the cache.
     InsertOrUpdateCache(&intermediate);
     intermediate_ca_certs_.push_back(intermediate);
   }
   // Platform-specific initialization.
   Initialize();
 }
 
 X509Certificate::~X509Certificate() {
   if (cert_handle_) {
     RemoveFromCache(cert_handle_);
     FreeOSCertHandle(cert_handle_);
   }
   for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) {
     RemoveFromCache(intermediate_ca_certs_[i]);
     FreeOSCertHandle(intermediate_ca_certs_[i]);
   }
 }
 
 }  // namespace net