Certificate Transparency: Code for unpacking EV cert hashes whitelist

net/cert/x509_certificate_win.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/x509_certificate.h"
 
 #include <blapi.h>  // Implement CalculateChainFingerprint() with NSS.
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/pickle.h"
 #include "base/sha1.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "crypto/capi_util.h"
 #include "crypto/scoped_capi_types.h"
+#include "crypto/sha2.h"
 #include "net/base/net_errors.h"
 
 #pragma comment(lib, "crypt32.lib")
 
 using base::Time;
 
 namespace net {
 
 namespace {
 
@@ skipping 279 matching lines @@
   SHA1HashValue sha1;
   DWORD sha1_size = sizeof(sha1.data);
   rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded,
                             cert->cbCertEncoded, sha1.data, &sha1_size);
   DCHECK(rv && sha1_size == sizeof(sha1.data));
   if (!rv)
     memset(sha1.data, 0, sizeof(sha1.data));
   return sha1;
 }
 
+// static
+SHA256HashValue X509Certificate::CalculateFingerprint256(OSCertHandle cert) {
+  DCHECK(NULL != cert->pbCertEncoded);
+  DCHECK_NE(static_cast<DWORD>(0), cert->cbCertEncoded);
+
+  SHA256HashValue sha256;
+  DWORD sha256_size = sizeof(sha256.data);
+
+  // The reason crypto::SHA256HashString is used here rather than
+  // CryptHashCertificate (which is used for SHA1) is that:
+  // * On Windows XP there is no CSP that supports SHA-256.
+  // * On Windows Vista it is necessary to acquire a non-default CSP
+  //   to get SHA-256 capabilities, which introduces significant overhead.

[Ryan Sleevi, 2014/09/11 23:44:39]

So, I should have been clearer on the comment. The reason why
CryptHashCertificate is used above is that it's just a shim for
CertGetCertificateContextProperty(), but in a foward-compatible way.

That is, Windows maintains a SHA-1 hash for all certificates, always,
internally, but they reserve the right to change that (but largely, wont)

I'd simply update this comment
// Use crypto::SHA256HashString for two reasons:
// * < Windows Vista does not have universal SHA-256 support
// * It's more efficient for > Windows Vista (less overhead)

[Eran Messeri, 2014/10/01 16:08:36]

Done, thanks for the explanation.

+  base::StringPiece der_cert(reinterpret_cast<const char*>(cert->pbCertEncoded),
+                             cert->cbCertEncoded);
+  crypto::SHA256HashString(der_cert, sha256.data, sha256_size);
+  return sha256;
+}
+
 // TODO(wtc): This function is implemented with NSS low-level hash
 // functions to ensure it is fast.  Reimplement this function with
 // CryptoAPI.  May need to cache the HCRYPTPROV to reduce the overhead.
 // static
 SHA1HashValue X509Certificate::CalculateCAFingerprint(
     const OSCertHandles& intermediates) {
   SHA1HashValue sha1;
   memset(sha1.data, 0, sizeof(sha1.data));
 
   SHA1Context* sha1_ctx = SHA1_NewContext();
@@ skipping 119 matching lines @@
     if (IsCertNameBlobInIssuerList(&(*it)->pCertInfo->Issuer,
                                    valid_issuers)) {
       return true;
     }
   }
 
   return false;
 }
 
 }  // namespace net