Implement SHA-256 fingerprint support

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 113 matching lines @@
 // set on Windows XP without error. There is some overhead from the server
 // sending the OCSP response if it supports the extension, for the subset of
 // XP clients who will request it but be unable to use it, but this is an
 // acceptable trade-off for simplicity of implementation.
 static bool IsOCSPStaplingSupported() {
   return true;
 }
 #elif defined(USE_NSS)
 typedef SECStatus
 (*CacheOCSPResponseFromSideChannelFunction)(
-    CERTCertDBHandle *handle, CERTCertificate *cert, PRTime time,
-    SECItem *encodedResponse, void *pwArg);
+    CERTCertDBHandle* handle, CERTCertificate* cert, PRTime time,
+    SECItem* encodedResponse, void* pwArg);

[Ryan Sleevi, 2012/08/11 01:39:55]

nit: Not sure this change is necessary. The style violation is in part to match
the NSS function signature, which uses the original style.

[palmer, 2012/08/14 19:40:42]

Ok, in that case I'll change it back.

 
 // On Linux, we dynamically link against the system version of libnss3.so. In
 // order to continue working on systems without up-to-date versions of NSS we
 // lookup CERT_CacheOCSPResponseFromSideChannel with dlsym.
 
 // RuntimeLibNSSFunctionPointers is a singleton which caches the results of any
 // runtime symbol resolution that we need.
 class RuntimeLibNSSFunctionPointers {
  public:
   CacheOCSPResponseFromSideChannelFunction
@@ skipping 2610 matching lines @@
   if (core_->state().server_cert_chain.empty() ||
       !core_->state().server_cert_chain[0]) {
     return false;
   }
 
   ssl_info->cert_status = server_cert_verify_result_.cert_status;
   ssl_info->cert = server_cert_verify_result_.verified_cert;
   ssl_info->connection_status =
       core_->state().ssl_connection_status;
   ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes;
-  for (std::vector<SHA1Fingerprint>::const_iterator
-       i = side_pinned_public_keys_.begin();
-       i != side_pinned_public_keys_.end(); i++) {
-    ssl_info->public_key_hashes.push_back(*i);
+  // TODO(palmer) TODO(agl): Do side pins need to be in both SHA1 and SHA256
+  // forms? If consumers of side pins only care about SHA1, it is OK to put
+  // them only in the HASH_VALUE_SHA1 vector.

[Ryan Sleevi, 2012/08/11 01:39:55]

(file a) BUG or it didn't happen?

[palmer, 2012/08/14 19:40:42]

agl is OK with leaving it as-is, so I'll remove the TODOs but leave the
explanatory comment.

+  HashValueVector& sha1_hashes =
+      ssl_info->public_key_hashes[HASH_VALUE_SHA1];
+  for (HashValueVector::const_iterator i = side_pinned_public_keys_.begin();
+       i != side_pinned_public_keys_.end(); ++i) {
+    sha1_hashes.push_back(*i);
   }
   ssl_info->is_issued_by_known_root =
       server_cert_verify_result_.is_issued_by_known_root;
   ssl_info->client_cert_sent =
       ssl_config_.send_client_cert && ssl_config_.client_cert;
   ssl_info->channel_id_sent = WasChannelIDSent();
 
   PRUint16 cipher_suite = SSLConnectionStatusToCipherSuite(
       core_->state().ssl_connection_status);
   SSLCipherSuiteInfo cipher_info;
@@ skipping 728 matching lines @@
   EnsureThreadIdAssigned();
   base::AutoLock auto_lock(lock_);
   return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
   return server_bound_cert_service_;
 }
 
 }  // namespace net