FYI: I'm brooding on a modified proposal in which the devtools agent in the browser process would manage the certificates that the security panel needs to know about. Kinda like CertStore, except tying the certificate lifetime only to the devtools renderer processes that might actually need to pass back references to certificates, not to the page renderer processes. (Except for devtools, renderer processes shouldn't need to know or care about certificates.) In that world, an optimized equality test would probably still come in handy, but only when devtools is enabled. (So it might make sense to optimize for memory savings in the non-devtools-enabled case instead of fast equality testing in the devtools-enabled case.)

Yeah, my current thinking is the one case that cares about fast equality (CertStore - although some iOS code may care, TBD), we optimize by wrapping the object (e.g. instead of an X509Certificate, an X509CertificateAndFingerprints) - so that way we don't pay the memory overhead and parse overhead for every X509Certificate, just the indexed ones, and only while they're indexed.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/de70f5cff2a6e16cda89b15fadd75cba11694fc3

commit de70f5cff2a6e16cda89b15fadd75cba11694fc3
Author: rsleevi <rsleevi@chromium.org>
Date: Tue Jun 21 06:00:23 2016

Remove the fingerprint and ca_fingerprint from X509Certificate

X509Certificate provided a function to get the SHA-1 hash of
the certificate data and the SHA-1 hash of the intermediates.
This was largely for sorting optimizations, but was never
intended to be a substitute for true equality checks (namely,
IsSameOSCert()). However, because X509Certificate::LessThan
used these, the comparison of two X509Certificates was less
secure than desired.

This removes the fingerprint members and the ability to
publicly compute the SHA-1 hash of the certificate/intermediates.
Callers can instead compute the SHA-256 fingerprint using
X509Certificate::Calculate[CA]Fingerprint256 to obtain the
equivalent SHA256HashValue fingerprint.

This also optimizes CalculateCAFingerprint256 to avoid
additional copies, by moving it to the platform-native
implementation.

BUG= 613460 

Review-Url: https://codereview.chromium.org/2000503002
Cr-Commit-Position: refs/heads/master@{#400904}

[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/blimp/net/exact_match_cert_verifier.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/chrome/browser/safe_browsing/download_protection_service.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/chrome/browser/safe_browsing/download_protection_service_unittest.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/chrome/browser/ssl/ssl_browser_tests.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/chromeos/network/onc/onc_certificate_importer_impl_unittest.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/content/browser/cert_store_impl.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/content/browser/cert_store_impl.h
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/ios/web/navigation/crw_session_certificate_policy_manager.mm
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/ios/web/net/cert_host_pair.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/ios/web/net/cert_host_pair.h
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/ios/web/net/cert_host_pair_unittest.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/ios/web/net/cert_policy.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/ios/web/net/cert_store_impl.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/ios/web/net/cert_store_impl.h
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/ios/web/net/request_tracker_impl_unittest.mm
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/ios/web/public/cert_policy.h
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/net/cert/cert_verify_proc_nss.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/net/cert/cert_verify_proc_unittest.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/net/cert/cert_verify_proc_win.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/net/cert/nss_cert_database_unittest.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/net/cert/nss_profile_filter_chromeos_unittest.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/net/cert/x509_certificate.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/net/cert/x509_certificate.h
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/net/cert/x509_certificate_ios.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/net/cert/x509_certificate_mac.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/net/cert/x509_certificate_nss.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/net/cert/x509_certificate_openssl.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/net/cert/x509_certificate_unittest.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/net/cert/x509_certificate_win.cc
[modify] https://crrev.com/de70f5cff2a6e16cda89b15fadd75cba11694fc3/net/ssl/client_cert_store_mac.cc