Index: net/cert/x509_certificate_win.cc |
diff --git a/net/cert/x509_certificate_win.cc b/net/cert/x509_certificate_win.cc |
index c679107371a8594e8202b725bf4078d46f7b8074..7927fb6123218c810daedbf4a6e0f0b11662fb14 100644 |
--- a/net/cert/x509_certificate_win.cc |
+++ b/net/cert/x509_certificate_win.cc |
@@ -14,6 +14,7 @@ |
#include "base/strings/utf_string_conversions.h" |
#include "crypto/capi_util.h" |
#include "crypto/scoped_capi_types.h" |
+#include "crypto/sha2.h" |
#include "net/base/net_errors.h" |
#pragma comment(lib, "crypt32.lib") |
@@ -313,6 +314,47 @@ SHA1HashValue X509Certificate::CalculateFingerprint( |
return sha1; |
} |
+// static |
+SHA256HashValue X509Certificate::CalculateFingerprint256(OSCertHandle cert) { |
+ DCHECK(NULL != cert->pbCertEncoded); |
+ DCHECK_NE(static_cast<DWORD>(0), cert->cbCertEncoded); |
+ |
+ HCRYPTPROV csp_provider; |
+ SHA256HashValue sha256; |
+ DWORD sha256_size = sizeof(sha256.data); |
+ |
+ if (!CryptAcquireContext(&csp_provider, |
Ryan Sleevi
2014/09/08 19:48:00
1) Not LGTM.
There's zero reason to go through a
Eran Messeri
2014/09/10 12:42:25
Done, I'm happy to get rid of this CryptAcquireCon
|
+ NULL, |
+ MS_ENH_RSA_AES_PROV, |
+ PROV_RSA_AES, |
+ CRYPT_VERIFYCONTEXT)) { |
+ // Fall back to third-party NSS code for SHA-256 calculation if the desired |
+ // CSP is not available (Happens on Windows XP). |
+ base::StringPiece der_cert( |
+ reinterpret_cast<const char*>(cert->pbCertEncoded), |
+ cert->cbCertEncoded); |
+ crypto::SHA256HashString(der_cert, sha256.data, sha256_size); |
+ return sha256; |
+ } |
+ |
+ BOOL rv; |
+ rv = CryptHashCertificate(csp_provider, |
+ CALG_SHA_256, |
+ 0, |
+ cert->pbCertEncoded, |
+ cert->cbCertEncoded, |
+ sha256.data, |
+ &sha256_size); |
+ |
+ DCHECK(rv && sha256_size == sizeof(sha256.data)); |
+ if (!rv) |
+ memset(sha256.data, 0, sizeof(sha256.data)); |
+ |
+ if (csp_provider) |
+ CryptReleaseContext(csp_provider, 0); |
+ return sha256; |
+} |
+ |
// TODO(wtc): This function is implemented with NSS low-level hash |
// functions to ensure it is fast. Reimplement this function with |
// CryptoAPI. May need to cache the HCRYPTPROV to reduce the overhead. |
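Review bot: The failure handling after `CryptHashCertificate` zeroes the buffer only when `rv` is false, so in a release build (where the `DCHECK` compiles out) a call that succeeds with `sha256_size` smaller than `sizeof(sha256.data)` would return a digest whose trailing bytes were never written. `sha256` is declared without an initializer, and whether `SHA256HashValue` zeroes itself is not visible in this hunk. The guard should cover both conditions: `if (!rv || sha256_size != sizeof(sha256.data)) memset(sha256.data, 0, sizeof(sha256.data));`. Separately, the all-zero value returned on failure looks like an ordinary fingerprint to callers, so code that compares or indexes certificates by this hash would treat every certificate that failed hashing as the same one. A comment on the function such as `// Returns an all-zero value if the hash could not be computed.` would make that contract explicit.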