Index: net/cert/x509_certificate_win.cc |
diff --git a/net/cert/x509_certificate_win.cc b/net/cert/x509_certificate_win.cc |
index c679107371a8594e8202b725bf4078d46f7b8074..6b7a6d2bf1e1c75d4fdba3753b19becc9a0257eb 100644 |
--- a/net/cert/x509_certificate_win.cc |
+++ b/net/cert/x509_certificate_win.cc |
@@ -14,6 +14,7 @@ |
#include "base/strings/utf_string_conversions.h" |
#include "crypto/capi_util.h" |
#include "crypto/scoped_capi_types.h" |
+#include "crypto/sha2.h" |
#include "net/base/net_errors.h" |
#pragma comment(lib, "crypt32.lib") |
@@ -313,6 +314,25 @@ SHA1HashValue X509Certificate::CalculateFingerprint( |
return sha1; |
} |
+// static |
+SHA256HashValue X509Certificate::CalculateFingerprint256(OSCertHandle cert) { |
+ DCHECK(NULL != cert->pbCertEncoded); |
+ DCHECK_NE(static_cast<DWORD>(0), cert->cbCertEncoded); |
+ |
+ SHA256HashValue sha256; |
+ DWORD sha256_size = sizeof(sha256.data); |
+ |
+ // The reason crypto::SHA256HashString is used here rather than |
+ // CryptHashCertificate (which is used for SHA1) is that: |
+ // * On Windows XP there is no CSP that supports SHA-256. |
+ // * On Windows Vista it is necessary to acquire a non-default CSP |
+ // to get SHA-256 capabilities, which introduces significant overhead. |
Ryan Sleevi
2014/09/11 23:44:39
So, I should have been clearer on the comment. The
Eran Messeri
2014/10/01 16:08:36
Done, thanks for the explanation.
|
+ base::StringPiece der_cert(reinterpret_cast<const char*>(cert->pbCertEncoded), |
+ cert->cbCertEncoded); |
+ crypto::SHA256HashString(der_cert, sha256.data, sha256_size); |
+ return sha256; |
+} |
+ |
// TODO(wtc): This function is implemented with NSS low-level hash |
// functions to ensure it is fast. Reimplement this function with |
// CryptoAPI. May need to cache the HCRYPTPROV to reduce the overhead. |