Add SHA-256 fingerprint functions to x509 certs.

net/cert/x509_certificate.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_X509_CERTIFICATE_H_
 #define NET_CERT_X509_CERTIFICATE_H_
 
 #include <string.h>
 
 #include <string>
@@ skipping 371 matching lines @@
       Format format);
 
   // Duplicates (or adds a reference to) an OS certificate handle.
   static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle);
 
   // Frees (or releases a reference to) an OS certificate handle.
   static void FreeOSCertHandle(OSCertHandle cert_handle);
 
   // Calculates the SHA-1 fingerprint of the certificate.  Returns an empty
   // (all zero) fingerprint on failure.
+  //
+  // For calculating fingerprints, prefer SHA-1 for performance when indexing,
+  // but callers should use IsSameOSCert() before assuming two certificates are
+  // the same.
   static SHA1HashValue CalculateFingerprint(OSCertHandle cert_handle);
 
   // Calculates the SHA-1 fingerprint of the intermediate CA certificates.
   // Returns an empty (all zero) fingerprint on failure.
+  //
+  // See SHA-1 caveat on CalculateFingerprint().
   static SHA1HashValue CalculateCAFingerprint(
       const OSCertHandles& intermediates);
 
+  // Calculates the SHA-256 fingerprint of the intermediate CA certificates.
+  // Returns an empty (all zero) fingerprint on failure.
+  //
+  // The implementation currently relies on the crypto::SecureHash utilities,

[wtc, 2014/07/28 17:29:52]

Nit: it seems that the performance issue is caused by the need to copy the
certificate bytes into local variables, rather than the use of
crypto::SecureHash.

[jww, 2014/07/28 18:36:14]

Done.

+  // which are not as fast as implementing this directly for each platform since
+  // the consumers are not expected to be performance critical. If performance
+  // is a concern going forward, it may be warranted to implement this on a
+  // per-platform basis.
+  static SHA256HashValue CalculateCAFingerprint256(
+      const OSCertHandles& intermediates);
+
+  // Calculates the SHA-256 fingerprint for the complete chain, including the
+  // leaf certificate and all intermediate CA certificates. Returns an empty
+  // (all zero) fingerprint on failure.
+  static SHA256HashValue CalculateChainFingerprint256(

[wtc, 2014/07/28 17:29:52]

For a minimal API, this method can be subsumed by the previous method, and the
previous method can be renamed to avoid reference to CA certificates, for
example,

  static SHA256HashValue CalculateCertArrayFingerprint256(
      const OSCertHandles& cert_handles);

or

  static SHA256HashValue CalculateOSCertListFingerprint256(
      const OSCertHandles& cert_handles);

[jww, 2014/07/28 18:36:13]

This would make it inconsistent with the SHA1 API, so I'll let you and rsleevi
duke it out on the new CL :-)

+      const OSCertHandle& leaf,

[wtc, 2014/07/28 17:29:52]

Please pass a single OSCertHandle by value. It is a (platform-dependent) pointer
type.

[jww, 2014/07/28 18:36:13]

Done.

+      const OSCertHandles& intermediates);
+
  private:
   friend class base::RefCountedThreadSafe<X509Certificate>;
   friend class TestRootCerts;  // For unit tests
 
   FRIEND_TEST_ALL_PREFIXES(X509CertificateNameVerifyTest, VerifyHostname);
   FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, SerialNumbers);
 
   // Construct an X509Certificate from a handle to the certificate object
   // in the underlying crypto library.
   X509Certificate(OSCertHandle cert_handle,
@@ skipping 76 matching lines @@
   // based on the type of the certificate.
   std::string default_nickname_;
 #endif
 
   DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 }  // namespace net
 
 #endif  // NET_CERT_X509_CERTIFICATE_H_