Certificate Transparency: Code for unpacking EV cert hashes whitelist

net/cert/x509_certificate_win.cc

Index: net/cert/x509_certificate_win.cc
diff --git a/net/cert/x509_certificate_win.cc b/net/cert/x509_certificate_win.cc
index c679107371a8594e8202b725bf4078d46f7b8074..7927fb6123218c810daedbf4a6e0f0b11662fb14 100644
--- a/net/cert/x509_certificate_win.cc
+++ b/net/cert/x509_certificate_win.cc
@@ -14,6 +14,7 @@
 #include "base/strings/utf_string_conversions.h"
 #include "crypto/capi_util.h"
 #include "crypto/scoped_capi_types.h"
+#include "crypto/sha2.h"
 #include "net/base/net_errors.h"
 
 #pragma comment(lib, "crypt32.lib")
@@ -313,6 +314,47 @@ SHA1HashValue X509Certificate::CalculateFingerprint(
   return sha1;
 }
 
+// static
+SHA256HashValue X509Certificate::CalculateFingerprint256(OSCertHandle cert) {
+  DCHECK(NULL != cert->pbCertEncoded);
+  DCHECK_NE(static_cast<DWORD>(0), cert->cbCertEncoded);
+
+  HCRYPTPROV csp_provider;
+  SHA256HashValue sha256;
+  DWORD sha256_size = sizeof(sha256.data);
+
+  if (!CryptAcquireContext(&csp_provider,

[Ryan Sleevi, 2014/09/08 19:48:00]

1) Not LGTM.

There's zero reason to go through a CSP for this, and significant overhead.

2) The code is bugged for XP SP3
3) Don't remark about the library in use (NSS or BoringSSL is opaque to you
here)

TL;DR:

return crytpo::SHA256HashString(der_cert);

[Eran Messeri, 2014/09/10 12:42:25]

Done, I'm happy to get rid of this CryptAcquireContext shenanigans.
Is there *any* benefit to using CryptHashCertificate over
crypto::SHA256HashString? Not that I want to use it, I'm just curious why the
SHA-1 fingerprinting is done that way.

+                           NULL,
+                           MS_ENH_RSA_AES_PROV,
+                           PROV_RSA_AES,
+                           CRYPT_VERIFYCONTEXT)) {
+    // Fall back to third-party NSS code for SHA-256 calculation if the desired
+    // CSP is not available (Happens on Windows XP).
+    base::StringPiece der_cert(
+        reinterpret_cast<const char*>(cert->pbCertEncoded),
+        cert->cbCertEncoded);
+    crypto::SHA256HashString(der_cert, sha256.data, sha256_size);
+    return sha256;
+  }
+
+  BOOL rv;
+  rv = CryptHashCertificate(csp_provider,
+                            CALG_SHA_256,
+                            0,
+                            cert->pbCertEncoded,
+                            cert->cbCertEncoded,
+                            sha256.data,
+                            &sha256_size);
+
+  DCHECK(rv && sha256_size == sizeof(sha256.data));
+  if (!rv)
+    memset(sha256.data, 0, sizeof(sha256.data));
+
+  if (csp_provider)
+    CryptReleaseContext(csp_provider, 0);
+  return sha256;
+}
+
 // TODO(wtc): This function is implemented with NSS low-level hash
 // functions to ensure it is fast.  Reimplement this function with
 // CryptoAPI.  May need to cache the HCRYPTPROV to reduce the overhead.