Implement SHA-256 fingerprint support

net/base/cert_verify_proc_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/cert_verify_proc_nss.h"
 
+#include <string>
+#include <vector>
+
 #include <cert.h>
 #include <nss.h>
 #include <prerror.h>
 #include <secerr.h>
 #include <sechash.h>
 #include <sslerr.h>
 
 #include "base/logging.h"
 #include "crypto/nss_util.h"
 #include "crypto/scoped_nss_types.h"
@@ skipping 542 matching lines @@
   od.offset = SEC_OID_UNKNOWN;
   // NSS doesn't allow us to pass an empty description, so I use a hardcoded,
   // default description here.  The description doesn't need to be unique for
   // each OID.
   od.desc = "a certificate policy";
   od.mechanism = CKM_INVALID_MECHANISM;
   od.supportedExtension = INVALID_CERT_EXTENSION;
   return SECOID_AddEntry(&od);
 }
 
-SHA1Fingerprint CertPublicKeyHash(CERTCertificate* cert) {
-  SHA1Fingerprint hash;
-  SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, hash.data,
+HashValue CertPublicKeyHashSHA1(CERTCertificate* cert) {
+  HashValue hash(HASH_VALUE_SHA1);
+  SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, hash.data(),
+                              cert->derPublicKey.data, cert->derPublicKey.len);
+  DCHECK_EQ(rv, SECSuccess);
+  return hash;
+}
+
+HashValue CertPublicKeyHashSHA256(CERTCertificate* cert) {
+  HashValue hash(HASH_VALUE_SHA256);
+  SECStatus rv = HASH_HashBuf(HASH_AlgSHA256, hash.data(),
                               cert->derPublicKey.data, cert->derPublicKey.len);
   DCHECK_EQ(rv, SECSuccess);
   return hash;
 }
 
 void AppendPublicKeyHashes(CERTCertList* cert_list,
                            CERTCertificate* root_cert,
-                           std::vector<SHA1Fingerprint>* hashes) {
+                           HashValueVector* hashes) {
   for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
        !CERT_LIST_END(node, cert_list);
        node = CERT_LIST_NEXT(node)) {
-    hashes->push_back(CertPublicKeyHash(node->cert));
+    hashes->push_back(CertPublicKeyHashSHA1(node->cert));
+    hashes->push_back(CertPublicKeyHashSHA256(node->cert));
   }
-  if (root_cert)
-    hashes->push_back(CertPublicKeyHash(root_cert));
+  if (root_cert) {
+    hashes->push_back(CertPublicKeyHashSHA1(root_cert));
+    hashes->push_back(CertPublicKeyHashSHA256(root_cert));
+  }
 }
 
 // Returns true if |cert_handle| contains a policy OID that is an EV policy
 // OID according to |metadata|, storing the resulting policy OID in
 // |*ev_policy_oid|. A true return is not sufficient to establish that a
 // certificate is EV, but a false return is sufficient to establish the
 // certificate cannot be EV.
 bool IsEVCandidate(EVRootCAMetadata* metadata,
                    CERTCertificate* cert_handle,
                    SECOidTag* ev_policy_oid) {
@@ skipping 67 matching lines @@
   // the old path, might have been revoked.
   if (crl_set) {
     CRLSetResult crl_set_result = CheckRevocationWithCRLSet(
         cvout[cvout_cert_list_index].value.pointer.chain,
         cvout[cvout_trust_anchor_index].value.pointer.cert,
         crl_set);
     if (crl_set_result == kCRLSetRevoked)
       return false;
   }
 
-  SHA1Fingerprint fingerprint =
+  SHA1HashValue fingerprint =
       X509Certificate::CalculateFingerprint(root_ca);
   return metadata->HasEVPolicyOID(fingerprint, ev_policy_oid);
 }
 
 }  // namespace
 
 CertVerifyProcNSS::CertVerifyProcNSS() {}
 
 CertVerifyProcNSS::~CertVerifyProcNSS() {}
 
@@ skipping 88 matching lines @@
 
   if ((flags & X509Certificate::VERIFY_EV_CERT) && is_ev_candidate &&
       VerifyEV(cert_handle, flags, crl_set, metadata, ev_policy_oid)) {
     verify_result->cert_status |= CERT_STATUS_IS_EV;
   }
 
   return OK;
 }
 
 }  // namespace net