Implement SHA-256 fingerprint support.

The HTTP-based Public Key Pinning Internet Draft
(tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this.

Per wtc, give the *Fingeprint* types more meaningful *HashValue* names.

Cleaning up lint along the way.

This CL reverts 149268, which reverted 149261 the previous version of this
CL. It includes a fix to the compile problem that necessitated 149268.

BUG=117914
TEST=net_unittests, unit_tests TransportSecurityPersisterTest
Review URL: https://chromiumcodereview.appspot.com/10836062

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@150124 0039d316-1c4b-4281-b951-d872f2087c98

3 files changed, 71 insertions, 30 deletions

diff --git a/chrome/browser/net/transport_security_persister.cc b/chrome/browser/net/transport_security_persister.cc
index 76bc514..c6a27d2 100644
--- a/chrome/browser/net/transport_security_persister.cc
+++ b/chrome/browser/net/transport_security_persister.cc
@@ -20,32 +20,46 @@
 #include "net/base/x509_certificate.h"
 
 using content::BrowserThread;
-using net::Fingerprint;
-using net::FingerprintVector;
+using net::HashValue;
+using net::HashValueTag;
+using net::HashValueVector;
 using net::TransportSecurityState;
 
 namespace {
 
-ListValue* SPKIHashesToListValue(const FingerprintVector& hashes) {
+ListValue* SPKIHashesToListValue(const HashValueVector& hashes) {
   ListValue* pins = new ListValue;
 
-  for (FingerprintVector::const_iterator i = hashes.begin();
+  for (HashValueVector::const_iterator i = hashes.begin();
        i != hashes.end(); ++i) {
-    std::string hash_str(reinterpret_cast<const char*>(i->data),
-                         sizeof(i->data));
+    std::string label;
+    switch (i->tag) {
+      case net::HASH_VALUE_SHA1:
+        label = "sha1/";
+        break;
+      case net::HASH_VALUE_SHA256:
+        label = "sha256/";
+        break;
+      default:
+        LOG(WARNING) << "Skipping invalid fingerprint with unknown type "
+                     << i->tag;
+        continue;
+    }
+
+    std::string hash_str(reinterpret_cast<const char*>(i->data()), i->size());
     std::string b64;
     base::Base64Encode(hash_str, &b64);
-    pins->Append(new StringValue("sha1/" + b64));
+    pins->Append(new StringValue(label + b64));
   }
 
   return pins;
 }
 
-void SPKIHashesFromListValue(const ListValue& pins, FingerprintVector* hashes) {
+void SPKIHashesFromListValue(const ListValue& pins, HashValueVector* hashes) {
   size_t num_pins = pins.GetSize();
   for (size_t i = 0; i < num_pins; ++i) {
     std::string type_and_base64;
-    Fingerprint fingerprint;
+    HashValue fingerprint;
     if (pins.GetString(i, &type_and_base64) &&
         TransportSecurityState::ParsePin(type_and_base64, &fingerprint)) {
       hashes->push_back(fingerprint);
diff --git a/chrome/browser/net/transport_security_persister_unittest.cc b/chrome/browser/net/transport_security_persister_unittest.cc
index 2607a09..fcde3f8 100644
--- a/chrome/browser/net/transport_security_persister_unittest.cc
+++ b/chrome/browser/net/transport_security_persister_unittest.cc
@@ -6,6 +6,7 @@
 
 #include <map>
 #include <string>
+#include <vector>
 
 #include "base/file_path.h"
 #include "base/file_util.h"
@@ -96,10 +97,12 @@ TEST_F(TransportSecurityPersisterTest, SerializeData2) {
 
 TEST_F(TransportSecurityPersisterTest, SerializeData3) {
   // Add an entry.
-  net::SHA1Fingerprint fp1;
-  memset(fp1.data, 0, sizeof(fp1.data));
-  net::SHA1Fingerprint fp2;
-  memset(fp2.data, 1, sizeof(fp2.data));
+  net::HashValue fp1;
+  fp1.tag = net::HASH_VALUE_SHA1;
+  memset(fp1.data(), 0, fp1.size());
+  net::HashValue fp2;
+  fp2.tag = net::HASH_VALUE_SHA1;
+  memset(fp2.data(), 1, fp2.size());
   TransportSecurityState::DomainState example_state;
   example_state.upgrade_expiry =
       base::Time::Now() + base::TimeDelta::FromSeconds(1000);
@@ -111,8 +114,8 @@ TEST_F(TransportSecurityPersisterTest, SerializeData3) {
   state_.EnableHost("www.example.com", example_state);
 
   // Add another entry.
-  memset(fp1.data, 2, sizeof(fp1.data));
-  memset(fp2.data, 3, sizeof(fp2.data));
+  memset(fp1.data(), 2, fp1.size());
+  memset(fp2.data(), 3, fp2.size());
   example_state.upgrade_expiry =
       base::Time::Now() + base::TimeDelta::FromSeconds(3000);
   example_state.upgrade_mode =
@@ -181,17 +184,26 @@ TEST_F(TransportSecurityPersisterTest, PublicKeyHashes) {
   TransportSecurityState::DomainState domain_state;
   static const char kTestDomain[] = "example.com";
   EXPECT_FALSE(state_.GetDomainState(kTestDomain, false, &domain_state));
-  net::FingerprintVector hashes;
-  EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(hashes));
+  std::vector<net::HashValueVector> hashes;
+  for (size_t i = 0; i < net::HASH_VALUE_TAGS_COUNT; ++i) {
+    net::HashValueVector v;
+    hashes.push_back(v);
+  }
+  EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes));
 
-  net::SHA1Fingerprint hash;
-  memset(hash.data, '1', sizeof(hash.data));
-  domain_state.static_spki_hashes.push_back(hash);
+  net::HashValue sha1;
+  sha1.tag = net::HASH_VALUE_SHA1;
+  memset(sha1.data(), '1', sha1.size());
+  domain_state.static_spki_hashes.push_back(sha1);
 
   EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes));
-  hashes.push_back(hash);
+
+DLOG(WARNING) << hashes[net::HASH_VALUE_SHA1].size();
+  hashes[net::HASH_VALUE_SHA1].push_back(sha1);
+DLOG(WARNING) << hashes[net::HASH_VALUE_SHA1].size();
   EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(hashes));
-  hashes[0].data[0] = '2';
+
+  hashes[net::HASH_VALUE_SHA1][0].data()[0] = '2';
   EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes));
 
   const base::Time current_time(base::Time::Now());
@@ -204,8 +216,9 @@ TEST_F(TransportSecurityPersisterTest, PublicKeyHashes) {
   EXPECT_TRUE(persister_->LoadEntries(ser, &dirty));
   EXPECT_TRUE(state_.GetDomainState(kTestDomain, false, &domain_state));
   EXPECT_EQ(1u, domain_state.static_spki_hashes.size());
-  EXPECT_EQ(0, memcmp(domain_state.static_spki_hashes[0].data, hash.data,
-                      sizeof(hash.data)));
+  EXPECT_EQ(sha1.tag, domain_state.static_spki_hashes[0].tag);
+  EXPECT_EQ(0, memcmp(domain_state.static_spki_hashes[0].data(), sha1.data(),
+                      sha1.size()));
 }
 
 TEST_F(TransportSecurityPersisterTest, ForcePreloads) {
diff --git a/chrome/browser/ui/webui/net_internals/net_internals_ui.cc b/chrome/browser/ui/webui/net_internals/net_internals_ui.cc
index 397d9e9..a413e5f 100644
--- a/chrome/browser/ui/webui/net_internals/net_internals_ui.cc
+++ b/chrome/browser/ui/webui/net_internals/net_internals_ui.cc
@@ -1084,18 +1084,32 @@ void NetInternalsMessageHandler::IOThreadImpl::OnStartConnectionTests(
   connection_tester_->RunAllTests(url);
 }
 
-void SPKIHashesToString(const net::FingerprintVector& hashes,
+void SPKIHashesToString(const net::HashValueVector& hashes,
                         std::string* string) {
-  for (net::FingerprintVector::const_iterator
+  for (net::HashValueVector::const_iterator
        i = hashes.begin(); i != hashes.end(); ++i) {
-    base::StringPiece hash_str(reinterpret_cast<const char*>(i->data),
-                               arraysize(i->data));
+    std::string label;
+    switch (i->tag) {
+      case net::HASH_VALUE_SHA1:
+        label = "sha1/";
+        break;
+      case net::HASH_VALUE_SHA256:
+        label = "sha256/";
+        break;
+      default:
+        NOTREACHED();
+        LOG(WARNING) << "Invalid fingerprint of unknown type " << i->tag;
+        label = "unknown/";
+    }
+
+    base::StringPiece hash_str(reinterpret_cast<const char*>(i->data()),
+                               i->size());
     std::string encoded;
     base::Base64Encode(hash_str, &encoded);
 
     if (i != hashes.begin())
       *string += ",";
-    *string += "sha1/" + encoded;
+    *string += label + encoded;
   }
 }
 
@@ -1171,7 +1185,7 @@ void NetInternalsMessageHandler::IOThreadImpl::OnHSTSAdd(
          i = type_and_b64s.begin(); i != type_and_b64s.end(); ++i) {
       std::string type_and_b64;
       RemoveChars(*i, " \t\r\n", &type_and_b64);
-      net::SHA1Fingerprint hash;
+      net::HashValue hash;
       if (!net::TransportSecurityState::ParsePin(type_and_b64, &hash))
         continue;