Implement SHA-256 fingerprint support

net/base/cert_verify_proc_win.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/cert_verify_proc_win.h"
 
+#include <string>
+#include <vector>
+
 #include "base/memory/scoped_ptr.h"
 #include "base/sha1.h"
 #include "base/string_util.h"
 #include "base/utf_string_conversions.h"
 #include "crypto/capi_util.h"
 #include "crypto/scoped_capi_types.h"
 #include "crypto/sha2.h"
 #include "net/base/asn1_util.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_verify_result.h"
@@ skipping 258 matching lines @@
 // which we recognise as a standard root.
 // static
 bool IsIssuedByKnownRoot(PCCERT_CHAIN_CONTEXT chain_context) {
   PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0];
   int num_elements = first_chain->cElement;
   if (num_elements < 1)
     return false;
   PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement;
   PCCERT_CONTEXT cert = element[num_elements - 1]->pCertContext;
 
-  SHA1Fingerprint hash = X509Certificate::CalculateFingerprint(cert);
+  SHA1HashValue hash = X509Certificate::CalculateFingerprint(cert);
   return IsSHA1HashInSortedArray(
       hash, &kKnownRootCertSHA1Hashes[0][0], sizeof(kKnownRootCertSHA1Hashes));
 }
 
 // Saves some information about the certificate chain |chain_context| in
 // |*verify_result|. The caller MUST initialize |*verify_result| before
 // calling this function.
 void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,
                       CertVerifyResult* verify_result) {
   if (chain_context->cChain == 0)
@@ skipping 138 matching lines @@
       default:
         NOTREACHED();
         continue;
     }
   }
 
   return true;
 }
 
 void AppendPublicKeyHashes(PCCERT_CHAIN_CONTEXT chain,
-                           std::vector<SHA1Fingerprint>* hashes) {
+                           std::vector<HashValueVector>* hashes) {
   if (chain->cChain == 0)
     return;
 
   PCERT_SIMPLE_CHAIN first_chain = chain->rgpChain[0];
   PCERT_CHAIN_ELEMENT* const element = first_chain->rgpElement;
 
   const DWORD num_elements = first_chain->cElement;
   for (DWORD i = 0; i < num_elements; i++) {
     PCCERT_CONTEXT cert = element[i]->pCertContext;
 
     base::StringPiece der_bytes(
         reinterpret_cast<const char*>(cert->pbCertEncoded),
         cert->cbCertEncoded);
     base::StringPiece spki_bytes;
     if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
       continue;
 
-    SHA1Fingerprint hash;
+    HashValue sha1;
+    sha1.tag = HASH_VALUE_SHA1;
     base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()),
-                        spki_bytes.size(), hash.data);
-    hashes->push_back(hash);
+                        spki_bytes.size(), sha1.data());
+    (*hashes)[HASH_VALUE_SHA1].push_back(sha1);
+
+    HashValue sha256;
+    sha256.tag = HASH_VALUE_SHA256;
+    crypto::SHA256HashString(spki_bytes, sha1.data(), crypto::kSHA256Length);
+    (*hashes)[HASH_VALUE_SHA256].push_back(sha256);
   }
 }
 
 // Returns true if the certificate is an extended-validation certificate.
 //
 // This function checks the certificatePolicies extensions of the
 // certificates in the certificate chain according to Section 7 (pp. 11-12)
 // of the EV Certificate Guidelines Version 1.0 at
 // http://cabforum.org/EV_Certificate_Guidelines.pdf.
 bool CheckEV(PCCERT_CHAIN_CONTEXT chain_context,
@@ skipping 20 matching lines @@
   // Check the end certificate simple chain (chain_context->rgpChain[0]).
   // If the end certificate's certificatePolicies extension contains the
   // EV policy OID of the root CA, return true.
   PCERT_CHAIN_ELEMENT* element = chain_context->rgpChain[0]->rgpElement;
   int num_elements = chain_context->rgpChain[0]->cElement;
   if (num_elements < 2)
     return false;
 
   // Look up the EV policy OID of the root CA.
   PCCERT_CONTEXT root_cert = element[num_elements - 1]->pCertContext;
-  SHA1Fingerprint fingerprint =
+  SHA1HashValue fingerprint =
       X509Certificate::CalculateFingerprint(root_cert);
   EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance();
   return metadata->HasEVPolicyOID(fingerprint, policy_oid);
 }
 
 }  // namespace
 
 CertVerifyProcWin::CertVerifyProcWin() {}
 
 CertVerifyProcWin::~CertVerifyProcWin() {}
@@ skipping 216 matching lines @@
   verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(chain_context);
 
   if (ev_policy_oid &&
       CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) {
     verify_result->cert_status |= CERT_STATUS_IS_EV;
   }
   return OK;
 }
 
 }  // namespace net