Implement SHA-256 fingerprint support

net/base/cert_verify_proc_mac.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/cert_verify_proc_mac.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <CoreServices/CoreServices.h>
 #include <Security/Security.h>
 
+#include <string>
+#include <vector>
+
 #include "base/logging.h"
 #include "base/mac/mac_logging.h"
 #include "base/mac/scoped_cftyperef.h"
 #include "base/sha1.h"
 #include "base/string_piece.h"
 #include "crypto/nss_util.h"
 #include "crypto/sha2.h"
 #include "net/base/asn1_util.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_verify_result.h"
@@ skipping 203 matching lines @@
     }
   }
   if (!verified_cert)
     return;
 
   verify_result->verified_cert =
       X509Certificate::CreateFromHandle(verified_cert, verified_chain);
 }
 
 void AppendPublicKeyHashes(CFArrayRef chain,
-                           std::vector<SHA1Fingerprint>* hashes) {
+                           std::vector<HashValueVector>* hashes) {
   const CFIndex n = CFArrayGetCount(chain);
   for (CFIndex i = 0; i < n; i++) {
     SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(
         const_cast<void*>(CFArrayGetValueAtIndex(chain, i)));
 
     CSSM_DATA cert_data;
     OSStatus err = SecCertificateGetData(cert, &cert_data);
     DCHECK_EQ(err, noErr);
     base::StringPiece der_bytes(reinterpret_cast<const char*>(cert_data.Data),
                                cert_data.Length);
     base::StringPiece spki_bytes;
     if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
       continue;
 
-    SHA1Fingerprint hash;
-    CC_SHA1(spki_bytes.data(), spki_bytes.size(), hash.data);
-    hashes->push_back(hash);
+    HashValue sha1;
+    sha1.tag = HASH_VALUE_SHA1;
+    CC_SHA1(spki_bytes.data(), spki_bytes.size(), sha1.data());
+    (*hashes)[HASH_VALUE_SHA1].push_back(sha1);
+
+    HashValue sha256;
+    sha256.tag = HASH_VALUE_SHA256;
+    CC_SHA256(spki_bytes.data(), spki_bytes.size(), sha256.data());
+    (*hashes)[HASH_VALUE_SHA256].push_back(sha256);
   }
 }
 
 bool CheckRevocationWithCRLSet(CFArrayRef chain, CRLSet* crl_set) {
   if (CFArrayGetCount(chain) == 0)
     return true;
 
   // We iterate from the root certificate down to the leaf, keeping track of
   // the issuer's SPKI at each step.
   std::string issuer_spki_hash;
@@ skipping 56 matching lines @@
 
 // IsIssuedByKnownRoot returns true if the given chain is rooted at a root CA
 // that we recognise as a standard root.
 // static
 bool IsIssuedByKnownRoot(CFArrayRef chain) {
   int n = CFArrayGetCount(chain);
   if (n < 1)
     return false;
   SecCertificateRef root_ref = reinterpret_cast<SecCertificateRef>(
       const_cast<void*>(CFArrayGetValueAtIndex(chain, n - 1)));
-  SHA1Fingerprint hash = X509Certificate::CalculateFingerprint(root_ref);
+  SHA1HashValue hash = X509Certificate::CalculateFingerprint(root_ref);
   return IsSHA1HashInSortedArray(
       hash, &kKnownRootCertSHA1Hashes[0][0], sizeof(kKnownRootCertSHA1Hashes));
 }
 
 }  // namespace
 
 CertVerifyProcMac::CertVerifyProcMac() {}
 
 CertVerifyProcMac::~CertVerifyProcMac() {}
 
@@ skipping 231 matching lines @@
     }
   }
 
   AppendPublicKeyHashes(completed_chain, &verify_result->public_key_hashes);
   verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(completed_chain);
 
   return OK;
 }
 
 }  // namespace net