authorpalmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-08-08 06:32:23 +0000
committerpalmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-08-08 06:32:23 +0000
commitbc0d7b86f1bb6ed7a4e0374a2c1a4c8182de307c (patch)
tree6f86b2850f0763210ab249fceafbfb28a6013ead /net/base/cert_verify_proc_nss.cc
parent77d555c7a0984ab10edc3d05016246d932cef2e1 (diff)
Revert 150375 - Implement SHA-256 fingerprint support
The HTTP-based Public Key Pinning Internet Draft (tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this. Per wtc, give the *Fingerprint* types more meaningful *HashValue* names. Cleaning up lint along the way. BUG=117914 TEST=net_unittests, unit_tests TransportSecurityPersisterTest Review URL: https://chromiumcodereview.appspot.com/10825211 TBR=palmer@chromium.org Review URL: https://chromiumcodereview.appspot.com/10836150 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@150507 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/cert_verify_proc_nss.cc')
-rw-r--r--net/base/cert_verify_proc_nss.cc33
1 files changed, 8 insertions, 25 deletions
diff --git a/net/base/cert_verify_proc_nss.cc b/net/base/cert_verify_proc_nss.cc
index db9b34a..3108555 100644
--- a/net/base/cert_verify_proc_nss.cc
+++ b/net/base/cert_verify_proc_nss.cc
@@ -4,9 +4,6 @@
#include "net/base/cert_verify_proc_nss.h"
-#include <string>
-#include <vector>
-
#include <cert.h>
#include <nss.h>
#include <prerror.h>
@@ -600,19 +597,9 @@ bool CheckCertPolicies(X509Certificate::OSCertHandle cert_handle,
return false;
}
-HashValue CertPublicKeyHashSHA1(CERTCertificate* cert) {
- HashValue hash;
- hash.tag = HASH_VALUE_SHA1;
- SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, hash.data(),
- cert->derPublicKey.data, cert->derPublicKey.len);
- DCHECK_EQ(rv, SECSuccess);
- return hash;
-}
-
-HashValue CertPublicKeyHashSHA256(CERTCertificate* cert) {
- HashValue hash;
- hash.tag = HASH_VALUE_SHA256;
- SECStatus rv = HASH_HashBuf(HASH_AlgSHA256, hash.data(),
+SHA1Fingerprint CertPublicKeyHash(CERTCertificate* cert) {
+ SHA1Fingerprint hash;
+ SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, hash.data,
cert->derPublicKey.data, cert->derPublicKey.len);
DCHECK_EQ(rv, SECSuccess);
return hash;
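Review bot: `CertPublicKeyHash` declares `SHA1Fingerprint hash;` without initialising it and checks the `HASH_HashBuf` result only with `DCHECK_EQ`, so in a build where DCHECKs are compiled out a failed hash call would return whatever bytes were on the stack. `AppendPublicKeyHashes` then pushes that value into the public-key hash list, which (judging by the commit message) feeds key-pinning comparisons. Zeroing the buffer before the call makes the failure case deterministic: `memset(hash.data, 0, sizeof(hash.data));`. The function also dereferences `cert` unconditionally, so a one-line comment such as `// |cert| must be non-NULL.` above the definition would state the contract. The function's closing brace lies just outside this hunk.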
@@ -620,18 +607,14 @@ HashValue CertPublicKeyHashSHA256(CERTCertificate* cert) {
void AppendPublicKeyHashes(CERTCertList* cert_list,
CERTCertificate* root_cert,
- std::vector<HashValueVector>* hashes) {
- // TODO(palmer): Generalize this to handle any and all HashValueTags.
+ std::vector<SHA1Fingerprint>* hashes) {
for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
!CERT_LIST_END(node, cert_list);
node = CERT_LIST_NEXT(node)) {
- (*hashes)[HASH_VALUE_SHA1].push_back(CertPublicKeyHashSHA1(node->cert));
- (*hashes)[HASH_VALUE_SHA256].push_back(CertPublicKeyHashSHA256(node->cert));
- }
- if (root_cert) {
- (*hashes)[HASH_VALUE_SHA1].push_back(CertPublicKeyHashSHA1(root_cert));
- (*hashes)[HASH_VALUE_SHA256].push_back(CertPublicKeyHashSHA256(root_cert));
+ hashes->push_back(CertPublicKeyHash(node->cert));
}
+ if (root_cert)
+ hashes->push_back(CertPublicKeyHash(root_cert));
}
// Studied Mozilla's code (esp. security/manager/ssl/src/nsIdentityChecking.cpp
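Review bot: `AppendPublicKeyHashes` has no comment describing its contract, and with the TODO removed nothing explains why `root_cert` is handled separately from `cert_list`. I would add above the definition: `// Appends the SHA-1 hash of the DER public key of each certificate in |cert_list|, followed by that of |root_cert| if it is non-NULL, to |hashes|.` It is also worth stating there that `cert_list` and `hashes` must be non-NULL, since both are dereferenced without a check.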
@@ -684,7 +667,7 @@ bool VerifyEV(CERTCertificate* cert_handle, int flags, CRLSet* crl_set) {
return false;
}
- SHA1HashValue fingerprint =
+ SHA1Fingerprint fingerprint =
X509Certificate::CalculateFingerprint(root_ca);
std::vector<SECOidTag> ev_policy_tags;
if (!metadata->GetPolicyOIDsForCA(fingerprint, &ev_policy_tags))