| field | value | date |
|---|---|---|
| author | jww@chromium.org <jww@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-07-28 00:27:59 +0000 |
| committer | jww@chromium.org <jww@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-07-28 00:27:59 +0000 |
| commit | 4dbed6db2b694664a9735af9b68c84796f86e445 (patch) | |
| tree | d103f90fbcd4fde91efa4c442aecae1e9de4534d /net/cert/x509_certificate.h | |
| parent | 0681ba03bedbc2e316184bc8dd69db57dbc2a5d0 (diff) | |
Add SHA-256 fingerprint functions to x509 certs.
Previously, the x509 cert implementation only had SHA-1-based fingerprinting for
quickly creating indexing-appropriate hashes. Since SHA-1 is likely
cryptographically broken, these fingerprints should not be used for any security
decisions. This adds slow SHA-256 fingerprint support for when fingerprints are
needed for security decisions.
R=rsleevi@chromium.org
BUG=262615
Review URL: https://codereview.chromium.org/412263003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@285851 0039d316-1c4b-4281-b951-d872f2087c98
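The commit message describes a two-tier design: a fast SHA-1 fingerprint that is only good enough to index certificates, and slower SHA-256 fingerprints (over the intermediates, or over the whole chain) for decisions that actually depend on certificate identity. The following Python model is an added illustration and is not Chromium's code; it uses `hashlib` in place of `crypto::SecureHash`, stands in DER byte strings for `OSCertHandle`, and assumes (the page does not state it) that a CA or chain fingerprint is the hash of the certificates' DER encodings concatenated in order. The `CertIndex` class and `chain_matches_pin` function are hypothetical consumers written for this example; the certificate bytes are constructed placeholders, not real certificates.

```python
"""Model of the SHA-1-for-indexing / SHA-256-for-decisions fingerprint split.

Added example, not Chromium's code. Assumptions: hashlib replaces
crypto::SecureHash; DER byte strings replace OSCertHandle; a CA/chain
fingerprint is SHA-256 over the DER encodings concatenated in order.
"""
import hashlib
import hmac

ZERO_SHA1 = bytes(20)    # "empty (all zero) fingerprint on failure"
ZERO_SHA256 = bytes(32)


def sha1_fingerprint(der: bytes) -> bytes:
    """Fast indexing hash (analogue of CalculateFingerprint).

    Only a lookup key: two different certificates may share it, so it must
    never be the sole basis for a security decision.
    """
    if not der:
        return ZERO_SHA1
    return hashlib.sha1(der).digest()


def _sha256_over(certs) -> bytes:
    """SHA-256 over each DER blob in order; a missing/empty member is a failure."""
    if not certs or any(not c for c in certs):
        return ZERO_SHA256
    h = hashlib.sha256()
    for c in certs:
        h.update(c)
    return h.digest()


def ca_fingerprint256(intermediates) -> bytes:
    """Analogue of CalculateCAFingerprint256: intermediates only (assumed ordering)."""
    return _sha256_over(list(intermediates))


def chain_fingerprint256(leaf: bytes, intermediates) -> bytes:
    """Analogue of CalculateChainFingerprint256: leaf first, then intermediates."""
    return _sha256_over([leaf, *intermediates])


class CertIndex:
    """Hypothetical index keyed by the SHA-1 fingerprint; a key hit is only a candidate."""

    def __init__(self):
        self._buckets = {}

    def add(self, der: bytes) -> None:
        self._buckets.setdefault(sha1_fingerprint(der), []).append(der)

    def find(self, der: bytes):
        # The SHA-1 key narrows the search; the byte-for-byte comparison plays
        # the role of IsSameOSCert() and is what actually decides identity.
        for candidate in self._buckets.get(sha1_fingerprint(der), []):
            if candidate == der:
                return candidate
        return None


def build_index(certs) -> CertIndex:
    index = CertIndex()
    for der in certs:
        index.add(der)
    return index


def chain_matches_pin(leaf: bytes, intermediates, pinned_fp256: bytes) -> bool:
    """A security decision: compare the SHA-256 chain fingerprint against a pin.

    The all-zero failure value never matches, so a chain that could not be
    hashed cannot satisfy a pin that happens to be zeros.
    """
    fp = chain_fingerprint256(leaf, intermediates)
    if fp == ZERO_SHA256:
        return False
    return hmac.compare_digest(fp, pinned_fp256)


# Constructed stand-ins for DER-encoded certificates (not real certificates).
LEAF = b"\x30\x82\x01\x00" + b"leaf:example.test"
INTERMEDIATE_A = b"\x30\x82\x01\x01" + b"ca:intermediate-a"
INTERMEDIATE_B = b"\x30\x82\x01\x02" + b"ca:intermediate-b"
CHAIN = [INTERMEDIATE_A, INTERMEDIATE_B]

if __name__ == "__main__":
    index = build_index([LEAF, INTERMEDIATE_A])
    print("index hit for leaf:", index.find(LEAF) == LEAF)
    pin = chain_fingerprint256(LEAF, CHAIN)
    print("chain fingerprint (SHA-256):", pin.hex())
    print("pin matches same chain:", chain_matches_pin(LEAF, CHAIN, pin))
    print("pin matches reordered chain:", chain_matches_pin(LEAF, CHAIN[::-1], pin))
```

Order matters in the chain hash: swapping two intermediates yields a different SHA-256 fingerprint, which is why the chain variant hashes the leaf first and the intermediates in their given order rather than as a set. The index lookup shows the caveat the header comment attaches to the SHA-1 path: the hash selects a bucket, and only the full comparison confirms the match.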
Diffstat (limited to 'net/cert/x509_certificate.h')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | net/cert/x509_certificate.h | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/net/cert/x509_certificate.h b/net/cert/x509_certificate.h index 7aa48f0..15ef81c 100644 --- a/net/cert/x509_certificate.h +++ b/net/cert/x509_certificate.h @@ -389,13 +389,37 @@ class NET_EXPORT X509Certificate // Calculates the SHA-1 fingerprint of the certificate. Returns an empty // (all zero) fingerprint on failure. + // + // For calculating fingerprints, prefer SHA-1 for performance when indexing, + // but callers should use IsSameOSCert() before assuming two certificates are + // the same. static SHA1HashValue CalculateFingerprint(OSCertHandle cert_handle); // Calculates the SHA-1 fingerprint of the intermediate CA certificates. // Returns an empty (all zero) fingerprint on failure. + // + // See SHA-1 caveat on CalculateFingerprint(). static SHA1HashValue CalculateCAFingerprint( const OSCertHandles& intermediates); + // Calculates the SHA-256 fingerprint of the intermediate CA certificates. + // Returns an empty (all zero) fingerprint on failure. + // + // The implementation currently relies on the crypto::SecureHash utilities, + // which are not as fast as implementing this directly for each platform since + // the consumers are not expected to be performance critical. If performance + // is a concern going forward, it may be warranted to implement this on a + // per-platform basis. + static SHA256HashValue CalculateCAFingerprint256( + const OSCertHandles& intermediates); + + // Calculates the SHA-256 fingerprint for the complete chain, including the + // leaf certificate and all intermediate CA certificates. Returns an empty + // (all zero) fingerprint on failure. + static SHA256HashValue CalculateChainFingerprint256( + const OSCertHandle& leaf, + const OSCertHandles& intermediates); + private: friend class base::RefCountedThreadSafe<X509Certificate>; friend class TestRootCerts; // For unit tests |
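Review bot: `CalculateChainFingerprint256` takes `const OSCertHandle& leaf` while the existing `CalculateFingerprint` in the same hunk takes `OSCertHandle cert_handle` by value; since `OSCertHandle` is a handle type, declaring the new parameter as `OSCertHandle leaf` keeps the two signatures consistent. Two points on the comments: the new text on `CalculateFingerprint()` tells callers to prefer SHA-1 for indexing and to confirm with `IsSameOSCert()`, but it does not carry the commit message's actual warning, that SHA-1 fingerprints must not be used for security decisions and that the SHA-256 variants exist for that purpose; a line such as `// SHA-1 fingerprints must not be used for security decisions; see the SHA-256 variants below.` at the declaration would make that explicit where callers read it. In the `CalculateCAFingerprint256()` comment, "which are not as fast as implementing this directly for each platform since the consumers are not expected to be performance critical" reads as if the consumers cause the slowness; splitting it as "... directly for each platform. This is acceptable because the consumers are not expected to be performance critical." says what is meant. Finally, this header adds only the CA and chain SHA-256 variants, so a caller wanting a SHA-256 fingerprint of a single leaf has no counterpart to `CalculateFingerprint()`; if that is intentional, a sentence saying to use `CalculateChainFingerprint256()` with empty intermediates would save the next reader a search.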