Switch SHA256HashValue to a std::array.

It used to contain a fixed-length C-style array. Using a std::array is
safer.

Bug: 390223051
Change-Id: I33b1b207b1fde986a185c9d53fda3a7f61a05196
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6382619
Reviewed-by: Nico Weber <thakis@chromium.org>
Owners-Override: Nico Weber <thakis@chromium.org>
Commit-Queue: mmenke <mmenke@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1437923}

chrome/browser/certificate_provider/thread_safe_certificate_map.h

@@ -12,10 +12,10 @@
 #include "base/containers/flat_map.h"
 #include "base/synchronization/lock.h"
 #include "chromeos/components/certificate_provider/certificate_info.h"
+#include "net/base/hash_value.h"
 
 namespace net {
 class X509Certificate;
-struct SHA256HashValue;
 }  // namespace net
 
 namespace chromeos {

chrome/browser/ui/webui/certificate_manager/client_cert_sources.cc

@@ -279,7 +279,7 @@ net::X509Certificate* FindCertificateFromCertificateList(
     std::string_view sha256_hex_hash,
     const net::CertificateList& certs) {
   net::SHA256HashValue hash;
-  if (!base::HexStringToSpan(sha256_hex_hash, hash.data)) {
+  if (!base::HexStringToSpan(sha256_hex_hash, hash)) {
     return nullptr;
   }
 
@@ -414,7 +414,7 @@ class WritableCertLoader : public CertificateManagerPageHandler::CertSource {
     }
 
     net::SHA256HashValue hash;
-    if (!base::HexStringToSpan(sha256_hex_hash, hash.data)) {
+    if (!base::HexStringToSpan(sha256_hex_hash, hash)) {
       return nullptr;
     }
 

chrome/browser/ui/webui/certificate_manager/client_cert_sources_writable_unittest.cc

@@ -71,7 +71,7 @@ bool SlotContainsCertWithHash(PK11SlotInfo* slot, std::string_view hash_hex) {
     return false;
   }
   net::SHA256HashValue hash;
-  if (!base::HexStringToSpan(hash_hex, hash.data)) {
+  if (!base::HexStringToSpan(hash_hex, hash)) {
     return false;
   }
   for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);

chrome/browser/ui/webui/certificate_manager/user_cert_sources_unittest.cc

@@ -139,13 +139,11 @@ TEST_F(UserCertSourcesUnitTest, TestGetCertificateInfos) {
   EXPECT_EQ(infos[0]->sha256hash_hex,
             base::ToLowerASCII(
                 base::HexEncode(net::X509Certificate::CalculateFingerprint256(
-                                    test_cert_1->cert_buffer())
+                    test_cert_1->cert_buffer()))));
-                                    .data)));
   EXPECT_EQ(infos[1]->sha256hash_hex,
             base::ToLowerASCII(
                 base::HexEncode(net::X509Certificate::CalculateFingerprint256(
-                                    test_cert_2->cert_buffer())
+                    test_cert_2->cert_buffer()))));
-                                    .data)));
 }
 
 TEST_F(UserCertSourcesUnitTest, TestImportCertificate) {
@@ -332,8 +330,7 @@ TEST_F(UserCertSourcesUnitTest, TestDeleteCertificate) {
   source.DeleteCertificate("",
                            base::ToLowerASCII(base::HexEncode(
                                net::X509Certificate::CalculateFingerprint256(
-                                   test_cert_1->cert_buffer())
+                                   test_cert_1->cert_buffer()))),
-                                   .data)),
                            delete_future.GetCallback());
   certificate_manager_v2::mojom::ActionResultPtr delete_result =
       delete_future.Take();
@@ -346,8 +343,7 @@ TEST_F(UserCertSourcesUnitTest, TestDeleteCertificate) {
   EXPECT_EQ(remaining_certs[0].sha256hash_hex,
             base::ToLowerASCII(
                 base::HexEncode(net::X509Certificate::CalculateFingerprint256(
-                                    test_cert_2->cert_buffer())
+                    test_cert_2->cert_buffer()))));
-                                    .data)));
   EXPECT_TRUE(fake_page->metadata_update_called());
 }
 
@@ -380,8 +376,7 @@ TEST_F(UserCertSourcesUnitTest, TestDeleteCertificateConfirmationRejected) {
   source.DeleteCertificate("",
                            base::ToLowerASCII(base::HexEncode(
                                net::X509Certificate::CalculateFingerprint256(
-                                   test_cert_1->cert_buffer())
+                                   test_cert_1->cert_buffer()))),
-                                   .data)),
                            delete_future.GetCallback());
   certificate_manager_v2::mojom::ActionResultPtr delete_result =
       delete_future.Take();
@@ -425,8 +420,7 @@ TEST_F(UserCertSourcesUnitTest, TestDeleteCertificateNotAllowedByPref) {
   source.DeleteCertificate("",
                            base::ToLowerASCII(base::HexEncode(
                                net::X509Certificate::CalculateFingerprint256(
-                                   test_cert_1->cert_buffer())
+                                   test_cert_1->cert_buffer()))),
-                                   .data)),
                            delete_future.GetCallback());
   certificate_manager_v2::mojom::ActionResultPtr delete_result =
       delete_future.Take();

chrome/browser/ui/webui/connectors_internals/device_trust_utils.cc

@@ -159,7 +159,7 @@ connectors_internals::mojom::CertificateMetadataPtr ConvertCertificate(
       base::ToLowerASCII(base::HexEncode(certificate->serial_number().data(),
                                          certificate->serial_number().size())),
       base::ToLowerASCII(
-          base::HexEncode(certificate->CalculateChainFingerprint256().data)),
+          base::HexEncode(certificate->CalculateChainFingerprint256())),
       base::UnlocalizedTimeFormatWithPattern(certificate->valid_start(),
                                              "MMM d, yyyy"),
       base::UnlocalizedTimeFormatWithPattern(certificate->valid_expiry(),

chrome/browser/ui/webui/net_internals/net_internals_ui.cc

@@ -518,8 +518,7 @@ void NetInternalsMessageHandler::OnGetSharedDictionaryInfoDone(
     dict.Set("expiration", base::NumberToString(item->expiration.InSeconds()));
     dict.Set("last_used_time", base::TimeFormatHTTP(item->last_used_time));
     dict.Set("size", base::NumberToString(item->size));
-    dict.Set("hash", base::ToLowerASCII(base::HexEncode(
+    dict.Set("hash", base::ToLowerASCII(base::HexEncode(item->hash)));
-                         item->hash.data, sizeof(item->hash.data))));
     dict_list.Append(std::move(dict));
   }
   AllowJavascript();

chrome/browser/ui/webui/net_internals/net_internals_ui_browsertest.cc

@@ -411,7 +411,7 @@ void NetInternalsTest::MessageHandler::RgisterTestSharedDictionary(
   CHECK(dictionary_json_string);
   base::Value::Dict dict = base::test::ParseJsonDict(*dictionary_json_string);
   net::SHA256HashValue hash_value;
-  base::HexStringToSpan(*dict.FindString("hash"), hash_value.data);
+  base::HexStringToSpan(*dict.FindString("hash"), hash_value);
   const std::string* id_string = dict.FindString("id");
   network_context_for_testing_.RegisterTestSharedDictionary(
       net::SharedDictionaryIsolationKey(

components/cronet/android/shared_dictionary_with_byte_buffer.cc

@@ -17,13 +17,13 @@ net::SHA256HashValue ByteArrayToSHA256(
     const base::android::JavaRef<jbyteArray>& jdictionary_sha256_hash) {
   const auto dictionary_sha256_hash_size =
       base::android::SafeGetArrayLength(env, jdictionary_sha256_hash);
-  CHECK_EQ(dictionary_sha256_hash_size, sizeof(net::SHA256HashValue::data));
+  CHECK_EQ(dictionary_sha256_hash_size, sizeof(net::SHA256HashValue));
   net::SHA256HashValue dictionary_sha256_hash;
   void* const bytes = env->GetPrimitiveArrayCritical(
       jdictionary_sha256_hash.obj(), /*isCopy=*/nullptr);
   CHECK(bytes);
-  UNSAFE_TODO(
+  UNSAFE_TODO(memcpy(dictionary_sha256_hash.data(), bytes,
-      memcpy(&dictionary_sha256_hash.data, bytes, dictionary_sha256_hash_size));
+                     dictionary_sha256_hash_size));
   env->ReleasePrimitiveArrayCritical(jdictionary_sha256_hash.obj(), bytes,
                                      JNI_ABORT);
   return dictionary_sha256_hash;

components/security_interstitials/content/stateful_ssl_host_state_delegate.cc

@@ -167,7 +167,7 @@ std::string GetKey(const net::X509Certificate& cert, int error) {
   // Since a security decision will be made based on the fingerprint, Chrome
   // should use the SHA-256 fingerprint for the certificate.
   net::SHA256HashValue fingerprint = cert.CalculateChainFingerprint256();
-  std::string base64_fingerprint = base::Base64Encode(fingerprint.data);
+  std::string base64_fingerprint = base::Base64Encode(fingerprint);
   return base::NumberToString(error) + base64_fingerprint;
 }
 

content/browser/devtools/protocol/network_handler.cc

@@ -2865,7 +2865,7 @@ void NetworkHandler::OnSignedExchangeReceived(
             .SetExpires(sig.expires)
             .Build();
     if (sig.cert_sha256) {
-      signature->SetCertSha256(base::HexEncode(sig.cert_sha256->data));
+      signature->SetCertSha256(base::HexEncode(*sig.cert_sha256));
     }
     if (certificate) {
       auto encoded_certificates = std::make_unique<protocol::Array<String>>();

content/browser/web_package/prefetched_signed_exchange_cache.cc

@@ -337,10 +337,10 @@ bool ExtractSHA256HashValueFromString(std::string_view value,
   const std::string_view base64_str = value.substr(7);
   std::string decoded;
   if (!base::Base64Decode(base64_str, &decoded) ||
-      decoded.size() != sizeof(out->data)) {
+      decoded.size() != out->size()) {
     return false;
   }
-  memcpy(out->data, decoded.data(), sizeof(out->data));
+  memcpy(out->data(), decoded.data(), out->size());
   return true;
 }
 

content/browser/web_package/prefetched_signed_exchange_cache_entry.h

@@ -7,14 +7,11 @@
 
 #include "base/time/time.h"
 #include "content/common/content_export.h"
+#include "net/base/hash_value.h"
 #include "services/network/public/cpp/url_loader_completion_status.h"
 #include "services/network/public/mojom/url_response_head.mojom.h"
 #include "url/gurl.h"
 
-namespace net {
-struct SHA256HashValue;
-}  // namespace net
-
 namespace storage {
 class BlobDataHandle;
 }  // namespace storage

content/browser/web_package/signed_exchange_signature_header_field.cc

@@ -109,7 +109,8 @@ SignedExchangeSignatureHeaderField::ParseSignature(
       return std::nullopt;
     }
     net::SHA256HashValue cert_sha256;
-    memcpy(&cert_sha256.data, cert_sha256_string.data(), crypto::kSHA256Length);
+    memcpy(cert_sha256.data(), cert_sha256_string.data(),
+           crypto::kSHA256Length);
     sig.cert_sha256 = std::move(cert_sha256);
 
     // TODO(crbug.com/40565993): Support ed25519key.

content/browser/web_package/signed_exchange_signature_verifier.cc

@@ -154,8 +154,7 @@ std::vector<uint8_t> GenerateSignedMessage(
   // format.
   message.push_back(32);
   const auto& cert_sha256 = envelope.signature().cert_sha256.value();
-  message.insert(message.end(), std::begin(cert_sha256.data),
+  message.insert(message.end(), cert_sha256.begin(), cert_sha256.end());
-                 std::end(cert_sha256.data));
 
   // Step 5.5. "The 8-byte big-endian encoding of the length in bytes of
   // validity-url, followed by the bytes of validity-url." [spec text]

content/browser/web_package/signed_exchange_signature_verifier_unittest.cc

@@ -189,7 +189,7 @@ class SignedExchangeSignatureVerifierTest
     SignedExchangeEnvelope badsigsha256_envelope(envelope);
     SignedExchangeSignatureHeaderField::Signature badsigsha256 =
         envelope.signature();
-    badsigsha256.cert_sha256->data[0]++;
+    (*badsigsha256.cert_sha256)[0]++;
     badsigsha256_envelope.SetSignatureForTesting(badsigsha256);
     EXPECT_EQ(
         SignedExchangeSignatureVerifier::Result::kErrCertificateSHA256Mismatch,

content/common/web_package/signed_exchange_utils.cc

@@ -7,16 +7,14 @@
 #include <string_view>
 
 #include "base/base64.h"
+#include "base/strings/strcat.h"
 
 namespace content {
 namespace signed_exchange_utils {
 
 std::string CreateHeaderIntegrityHashString(
     const net::SHA256HashValue& header_integrity) {
-  std::string header_integrity_base64 = base::Base64Encode(
+  return base::StrCat({"sha256-", base::Base64Encode(header_integrity)});
-      std::string_view(reinterpret_cast<const char*>(header_integrity.data),
-                       sizeof(header_integrity.data)));
-  return std::string("sha256-") + header_integrity_base64;
 }
 
 }  // namespace signed_exchange_utils

ios/web/session/hash_util.h

@@ -9,6 +9,7 @@
 #include <string_view>
 #include <tuple>
 
+#include "base/containers/span.h"
 #include "net/base/hash_value.h"
 #include "net/cert/x509_certificate.h"
 
@@ -28,8 +29,7 @@ struct Hasher<T*> : Hasher<const T*> {};
 template <>
 struct Hasher<net::SHA256HashValue> {
   size_t operator()(const net::SHA256HashValue& value) const {
-    const std::string_view value_string_piece(
+    const std::string_view value_string_piece = base::as_string_view(value);
-        reinterpret_cast<const char*>(&value.data[0]), sizeof(value.data));
     return Hasher<std::string_view>{}(value_string_piece);
   }
 };

net/base/hash_value.cc

@@ -2,11 +2,6 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifdef UNSAFE_BUFFERS_BUILD
-// TODO(crbug.com/390223051): Remove C-library calls to fix the errors.
-#pragma allow_unsafe_libc_calls
-#endif
-
 #include "net/base/hash_value.h"
 
 #include <stdlib.h>
@@ -35,12 +30,12 @@ constexpr std::string_view kSha256Slash = "sha256/";
 struct SHA256ToHashValueComparator {
   bool operator()(const SHA256HashValue& lhs, const HashValue& rhs) const {
     DCHECK_EQ(HASH_VALUE_SHA256, rhs.tag());
-    return memcmp(lhs.data, rhs.data(), rhs.size()) < 0;
+    return lhs < rhs.span();
   }
 
   bool operator()(const HashValue& lhs, const SHA256HashValue& rhs) const {
     DCHECK_EQ(HASH_VALUE_SHA256, lhs.tag());
-    return memcmp(lhs.data(), rhs.data, lhs.size()) < 0;
+    return lhs.span() < rhs;
   }
 };
 
@@ -81,20 +76,33 @@ std::string HashValue::ToString() const {
 size_t HashValue::size() const {
   switch (tag_) {
     case HASH_VALUE_SHA256:
-      return sizeof(fingerprint.sha256.data);
+      return sizeof(fingerprint.sha256);
   }
 
   NOTREACHED();
 }
 
 unsigned char* HashValue::data() {
-  return const_cast<unsigned char*>(const_cast<const HashValue*>(this)->data());
+  return span().data();
 }
 
 const unsigned char* HashValue::data() const {
+  return span().data();
+}
+
+base::span<uint8_t> HashValue::span() {
   switch (tag_) {
     case HASH_VALUE_SHA256:
-      return fingerprint.sha256.data;
+      return fingerprint.sha256;
+  }
+
+  NOTREACHED();
+}
+
+base::span<const uint8_t> HashValue::span() const {
+  switch (tag_) {
+    case HASH_VALUE_SHA256:
+      return fingerprint.sha256;
   }
 
   NOTREACHED();

net/base/hash_value.h

@@ -2,11 +2,6 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifdef UNSAFE_BUFFERS_BUILD
-// TODO(crbug.com/390223051): Remove C-library calls to fix the errors.
-#pragma allow_unsafe_libc_calls
-#endif
-
 #ifndef NET_BASE_HASH_VALUE_H_
 #define NET_BASE_HASH_VALUE_H_
 
@@ -14,6 +9,7 @@
 #include <stdint.h>
 #include <string.h>
 
+#include <array>
 #include <string>
 #include <string_view>
 #include <vector>
@@ -26,33 +22,7 @@
 
 namespace net {
 
-struct NET_EXPORT SHA256HashValue {
+using SHA256HashValue = std::array<uint8_t, 32>;
-  unsigned char data[32];
-};
-
-inline bool operator==(const SHA256HashValue& lhs, const SHA256HashValue& rhs) {
-  return memcmp(lhs.data, rhs.data, sizeof(lhs.data)) == 0;
-}
-
-inline bool operator!=(const SHA256HashValue& lhs, const SHA256HashValue& rhs) {
-  return memcmp(lhs.data, rhs.data, sizeof(lhs.data)) != 0;
-}
-
-inline bool operator<(const SHA256HashValue& lhs, const SHA256HashValue& rhs) {
-  return memcmp(lhs.data, rhs.data, sizeof(lhs.data)) < 0;
-}
-
-inline bool operator>(const SHA256HashValue& lhs, const SHA256HashValue& rhs) {
-  return memcmp(lhs.data, rhs.data, sizeof(lhs.data)) > 0;
-}
-
-inline bool operator<=(const SHA256HashValue& lhs, const SHA256HashValue& rhs) {
-  return memcmp(lhs.data, rhs.data, sizeof(lhs.data)) <= 0;
-}
-
-inline bool operator>=(const SHA256HashValue& lhs, const SHA256HashValue& rhs) {
-  return memcmp(lhs.data, rhs.data, sizeof(lhs.data)) >= 0;
-}
 
 enum HashValueTag {
   HASH_VALUE_SHA256,
@@ -89,6 +59,9 @@ class NET_EXPORT HashValue {
   unsigned char* data();
   const unsigned char* data() const;
 
+  base::span<uint8_t> span();
+  base::span<const uint8_t> span() const;
+
   // Iterate memory as bytes up to the end of its logical size.
   iterator begin() {
     // SAFETY: `data()` points to at least `size()` contiguous elements, so this

net/cert/cert_verify_proc.cc

@@ -772,8 +772,9 @@ bool CertVerifyProc::HasNameConstraintsViolation(
     for (const auto& hash : public_key_hashes) {
       if (hash.tag() != HASH_VALUE_SHA256)
         continue;
-      if (memcmp(hash.data(), limit.public_key_hash.data, hash.size()) != 0)
+      if (hash.span() != limit.public_key_hash) {
         continue;
+      }
       if (dns_names.empty() && ip_addrs.empty()) {
         std::vector<std::string> names;
         names.push_back(common_name);

net/cert/cert_verify_proc_builtin.cc

@@ -17,6 +17,7 @@
 #include "base/time/time.h"
 #include "base/values.h"
 #include "components/network_time/time_tracker/time_tracker.h"
+#include "crypto/hash.h"
 #include "crypto/sha2.h"
 #include "net/base/features.h"
 #include "net/base/ip_address.h"
@@ -689,10 +690,7 @@ class PathBuilderDelegateImpl : public bssl::SimplePathBuilderDelegate {
       return false;
     }
 
-    SHA256HashValue root_fingerprint;
+    SHA256HashValue root_fingerprint = crypto::hash::Sha256(root->der_cert());
-    crypto::SHA256HashString(root->der_cert().AsStringView(),
-                             root_fingerprint.data,
-                             sizeof(root_fingerprint.data));
 
     for (const bssl::der::Input& oid : path->user_constrained_policy_set) {
       if (ev_metadata_->HasEVPolicyOID(root_fingerprint, oid)) {

net/cert/cert_verify_proc_unittest.cc

@@ -25,6 +25,7 @@
 #include "base/threading/thread.h"
 #include "base/time/time.h"
 #include "build/build_config.h"
+#include "crypto/hash.h"
 #include "crypto/sha2.h"
 #include "net/base/cronet_buildflags.h"
 #include "net/base/net_errors.h"
@@ -519,8 +520,7 @@ TEST_P(CertVerifyProcInternalTest, EVVerificationMultipleOID) {
   std::string_view spki;
   ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(
       x509_util::CryptoBufferAsStringPiece(root->GetCertBuffer()), &spki));
-  SHA256HashValue spki_sha256;
+  SHA256HashValue spki_sha256 = crypto::hash::Sha256(base::as_byte_span(spki));
-  crypto::SHA256HashString(spki, spki_sha256.data, sizeof(spki_sha256.data));
   SetUpCertVerifyProc(CRLSet::ForTesting(false, &spki_sha256, "", "", {}));
 
   // Consider the root of the test chain a valid EV root for the test policy.

net/cert/crl_set.cc

@@ -434,8 +434,7 @@ scoped_refptr<CRLSet> CRLSet::ForTesting(
     crl_set->not_after_ = 1;
 
   if (issuer_spki) {
-    std::string spki(reinterpret_cast<const char*>(issuer_spki->data),
+    std::string spki(base::as_string_view(*issuer_spki));
-                     sizeof(issuer_spki->data));
     std::vector<std::string> serials;
     if (!serial_number.empty()) {
       serials.push_back(std::string(serial_number));

net/cert/crl_set_unittest.cc

@@ -12,6 +12,7 @@
 #include <string_view>
 
 #include "base/files/file_util.h"
+#include "crypto/hash.h"
 #include "crypto/sha2.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/x509_certificate.h"
@@ -187,8 +188,7 @@ TEST(CRLSetTest, BlockedSubjects) {
 
   std::string_view spki;
   ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(root_der, &spki));
-  SHA256HashValue spki_sha256;
+  SHA256HashValue spki_sha256 = crypto::hash::Sha256(base::as_byte_span(spki));
-  crypto::SHA256HashString(spki, spki_sha256.data, sizeof(spki_sha256.data));
 
   std::string_view subject;
   ASSERT_TRUE(asn1::ExtractSubjectFromDERCert(root_der, &subject));
@@ -206,10 +206,7 @@ TEST(CRLSetTest, BlockedSubjects) {
 
   // When used with the correct hash, that subject should be accepted.
   EXPECT_EQ(CRLSet::GOOD,
-            set->CheckSubject(
+            set->CheckSubject(subject, base::as_string_view(spki_sha256)));
-                subject, std::string_view(
-                             reinterpret_cast<const char*>(spki_sha256.data),
-                             sizeof(spki_sha256.data))));
 }
 
 TEST(CRLSetTest, Expired) {

net/cert/ct_log_verifier_unittest.cc

@@ -595,17 +595,15 @@ namespace rfc6962 {
 std::string HashLeaf(const std::string& leaf) {
   const char kLeafPrefix[] = {'\x00'};
 
-  SHA256HashValue sha256;
+  SHA256HashValue sha256 = {0};
-  memset(sha256.data, 0, sizeof(sha256.data));
 
   std::unique_ptr<crypto::SecureHash> hash(
       crypto::SecureHash::Create(crypto::SecureHash::SHA256));
   hash->Update(kLeafPrefix, 1);
   hash->Update(leaf.data(), leaf.size());
-  hash->Finish(sha256.data, sizeof(sha256.data));
+  hash->Finish(sha256);
 
-  return std::string(reinterpret_cast<const char*>(sha256.data),
+  return std::string(base::as_string_view(sha256));
-                     sizeof(sha256.data));
 }
 
 // Calculates the root hash of a Merkle tree, given its leaf data and size.

net/cert/ct_objects_extractor.cc

@@ -17,6 +17,7 @@
 #include "base/hash/sha1.h"
 #include "base/logging.h"
 #include "base/strings/string_util.h"
+#include "crypto/hash.h"
 #include "crypto/sha2.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/signed_certificate_timestamp.h"
@@ -334,8 +335,8 @@ bool GetPrecertSignedEntry(const CRYPTO_BUFFER* leaf,
   result->type = ct::SignedEntryData::LOG_ENTRY_TYPE_PRECERT;
   result->tbs_certificate.assign(
       reinterpret_cast<const char*>(new_tbs_cert_der), new_tbs_cert_len);
-  crypto::SHA256HashString(issuer_key, result->issuer_key_hash.data,
+  result->issuer_key_hash =
-                           sizeof(result->issuer_key_hash.data));
+      crypto::hash::Sha256(base::as_byte_span(issuer_key));
 
   return true;
 }

net/cert/ct_objects_extractor_unittest.cc

@@ -101,9 +101,8 @@ TEST_F(CTObjectsExtractorTest, ExtractPrecert) {
   // Should have empty leaf cert for this log entry type.
   ASSERT_TRUE(entry.leaf_certificate.empty());
   // Compare hash values of issuer spki.
-  SHA256HashValue expected_issuer_key_hash;
+  ASSERT_EQ(base::as_byte_span(GetDefaultIssuerKeyHash()),
-  memcpy(expected_issuer_key_hash.data, GetDefaultIssuerKeyHash().data(), 32);
+            entry.issuer_key_hash);
-  ASSERT_EQ(expected_issuer_key_hash, entry.issuer_key_hash);
 }
 
 TEST_F(CTObjectsExtractorTest, ExtractOrdinaryX509Cert) {

net/cert/ct_serialization.cc

@@ -114,10 +114,7 @@ bool EncodeAsn1CertSignedEntry(const SignedEntryData& input, CBB* output) {
 // does not exceed kMaxTbsCertificateLength and so can be written to |output|.
 bool EncodePrecertSignedEntry(const SignedEntryData& input, CBB* output) {
   CBB child;
-  return CBB_add_bytes(
+  return CBB_add_bytes(output, input.issuer_key_hash.data(), kLogIdLength) &&
-             output,
-             reinterpret_cast<const uint8_t*>(input.issuer_key_hash.data),
-             kLogIdLength) &&
          CBB_add_u24_length_prefixed(output, &child) &&
          CBB_add_bytes(
              &child,

net/cert/ct_serialization_unittest.cc

@@ -105,8 +105,7 @@ TEST_F(CtSerializationTest, EncodesSignedEntryForPrecert) {
   // First two bytes are the log entry type.
   EXPECT_EQ(std::string("\x00\x01", 2), encoded.substr(0, 2));
   // Next comes the 32-byte issuer key hash
-  EXPECT_THAT(encoded.substr(2, 32),
+  EXPECT_THAT(encoded.substr(2, 32), ElementsAreArray(entry.issuer_key_hash));
-              ElementsAreArray(entry.issuer_key_hash.data));
   // Then the length of the TBS cert (604 bytes = 0x237)
   EXPECT_EQ(std::string("\x00\x02\x37", 3), encoded.substr(34, 3));
   // Then the TBS cert itself
@@ -240,7 +239,7 @@ TEST_F(CtSerializationTest, EncodesMerkleTreeLeafForPrecert) {
   EXPECT_EQ(std::string("\x00\x01", 2), encoded.substr(10, 2)) <<
       "Log entry type encoded incorrectly";
   EXPECT_THAT(encoded.substr(12, 32),
-              ElementsAreArray(tree_leaf.signed_entry.issuer_key_hash.data))
+              ElementsAreArray(tree_leaf.signed_entry.issuer_key_hash))
       << "Issuer key hash encoded incorrectly";
   EXPECT_EQ(std::string("\x00\x02\x37", 3), encoded.substr(44, 3)) <<
       "TBS certificate length encoded incorrectly";

net/cert/internal/trust_store_mac.cc

@@ -456,7 +456,7 @@ class TrustDomainCacheFullCerts {
 
 SHA256HashValue CalculateFingerprint256(const bssl::der::Input& buffer) {
   SHA256HashValue sha256;
-  SHA256(buffer.data(), buffer.size(), sha256.data);
+  SHA256(buffer.data(), buffer.size(), sha256.data());
   return sha256;
 }
 

net/cert/x509_certificate.cc

@@ -666,13 +666,12 @@ SHA256HashValue X509Certificate::CalculateFingerprint256(
     const CRYPTO_BUFFER* cert) {
   SHA256HashValue sha256;
 
-  SHA256(CRYPTO_BUFFER_data(cert), CRYPTO_BUFFER_len(cert), sha256.data);
+  SHA256(CRYPTO_BUFFER_data(cert), CRYPTO_BUFFER_len(cert), sha256.data());
   return sha256;
 }
 
 SHA256HashValue X509Certificate::CalculateChainFingerprint256() const {
-  SHA256HashValue sha256;
+  SHA256HashValue sha256 = {0};
-  memset(sha256.data, 0, sizeof(sha256.data));
 
   SHA256_CTX sha256_ctx;
   SHA256_Init(&sha256_ctx);
@@ -682,7 +681,7 @@ SHA256HashValue X509Certificate::CalculateChainFingerprint256() const {
     SHA256_Update(&sha256_ctx, CRYPTO_BUFFER_data(cert.get()),
                   CRYPTO_BUFFER_len(cert.get()));
   }
-  SHA256_Final(sha256.data, &sha256_ctx);
+  SHA256_Final(sha256.data(), &sha256_ctx);
 
   return sha256;
 }

net/cert/x509_util_apple.cc

@@ -129,8 +129,7 @@ scoped_refptr<X509Certificate> CreateX509CertificateFromSecCertificate(
 }
 
 SHA256HashValue CalculateFingerprint256(SecCertificateRef cert) {
-  SHA256HashValue sha256;
+  SHA256HashValue sha256 = {0};
-  memset(sha256.data, 0, sizeof(sha256.data));
 
   base::apple::ScopedCFTypeRef<CFDataRef> cert_data(
       SecCertificateCopyData(cert));
@@ -142,7 +141,7 @@ SHA256HashValue CalculateFingerprint256(SecCertificateRef cert) {
   DCHECK_NE(CFDataGetLength(cert_data.get()), 0);
 
   CC_SHA256(CFDataGetBytePtr(cert_data.get()), CFDataGetLength(cert_data.get()),
-            sha256.data);
+            sha256.data());
 
   return sha256;
 }

net/cert/x509_util_nss.cc

@@ -438,13 +438,12 @@ bool GetValidityTimes(CERTCertificate* cert,
 }
 
 SHA256HashValue CalculateFingerprint256(CERTCertificate* cert) {
-  SHA256HashValue sha256;
+  SHA256HashValue sha256 = {0};
-  memset(sha256.data, 0, sizeof(sha256.data));
 
   DCHECK(cert->derCert.data);
   DCHECK_NE(0U, cert->derCert.len);
 
-  SECStatus rv = HASH_HashBuf(HASH_AlgSHA256, sha256.data, cert->derCert.data,
+  SECStatus rv = HASH_HashBuf(HASH_AlgSHA256, sha256.data(), cert->derCert.data,
                               cert->derCert.len);
   DCHECK_EQ(SECSuccess, rv);
 

net/cert/x509_util_win.cc

@@ -7,6 +7,7 @@
 #include <string_view>
 
 #include "base/logging.h"
+#include "crypto/hash.h"
 #include "crypto/scoped_capi_types.h"
 #include "crypto/sha2.h"
 #include "net/cert/x509_certificate.h"
@@ -102,15 +103,11 @@ SHA256HashValue CalculateFingerprint256(PCCERT_CONTEXT cert) {
   DCHECK(nullptr != cert->pbCertEncoded);
   DCHECK_NE(0u, cert->cbCertEncoded);
 
-  SHA256HashValue sha256;
+  // Use crypto::SHA256Hash for two reasons:
-
-  // Use crypto::SHA256HashString for two reasons:
   // * < Windows Vista does not have universal SHA-256 support.
   // * More efficient on Windows > Vista (less overhead since non-default CSP
   // is not needed).
-  crypto::SHA256HashString(base::as_string_view(CertContextAsSpan(cert)),
+  return crypto::hash::Sha256(CertContextAsSpan(cert));
-                           sha256.data, sizeof(sha256.data));
-  return sha256;
 }
 
 bool IsSelfSigned(PCCERT_CONTEXT cert_handle) {

net/disk_cache/simple/simple_synchronous_entry.cc

@@ -97,7 +97,7 @@ void CalculateSHA256OfKey(const std::string& key,
   std::unique_ptr<crypto::SecureHash> hash(
       crypto::SecureHash::Create(crypto::SecureHash::SHA256));
   hash->Update(key.data(), key.size());
-  hash->Finish(out_hash_value, sizeof(*out_hash_value));
+  hash->Finish(*out_hash_value);
 }
 
 SimpleFileTracker::SubFile SubFileForFileIndex(int file_index) {
@@ -1102,7 +1102,7 @@ void SimpleSynchronousEntry::Close(
       net::SHA256HashValue hash_value;
       CalculateSHA256OfKey(key, &hash_value);
       if (!file->WriteAndCheck(stream_0_offset + entry_stat.data_size(0),
-                               base::byte_span_from_ref(hash_value))) {
+                               hash_value)) {
         RecordCloseResult(cache_type_, CLOSE_RESULT_WRITE_FAILURE);
         DVLOG(1) << "Could not write stream 0 data.";
         DoomInternal(file_operations.get());

net/extras/sqlite/sqlite_persistent_shared_dictionary_store.cc

@@ -132,10 +132,10 @@ bool CreateV3Schema(sql::Database* db, sql::MetaTable* meta_table) {
 std::optional<SHA256HashValue> ToSHA256HashValue(
     base::span<const uint8_t> sha256_bytes) {
   SHA256HashValue sha256_hash;
-  if (sha256_bytes.size() != sizeof(sha256_hash.data)) {
+  if (sha256_bytes.size() != sha256_hash.size()) {
     return std::nullopt;
   }
-  memcpy(sha256_hash.data, sha256_bytes.data(), sha256_bytes.size());
+  memcpy(sha256_hash.data(), sha256_bytes.data(), sha256_bytes.size());
   return sha256_hash;
 }
 
@@ -570,7 +570,7 @@ SQLitePersistentSharedDictionaryStore::Backend::RegisterDictionaryImpl(
   statement.BindTime(9, dictionary_info.GetExpirationTime());
   statement.BindTime(10, dictionary_info.last_used_time());
   statement.BindInt64(11, dictionary_info.size());
-  statement.BindBlob(12, base::span(dictionary_info.hash().data));
+  statement.BindBlob(12, base::span(dictionary_info.hash()));
   // There is no `sql::Statement::BindUint64()` method. So we cast to int64_t.
   int64_t token_high = static_cast<int64_t>(
       dictionary_info.disk_cache_key_token().GetHighForSerialization());

net/shared_dictionary/shared_dictionary.h

@@ -9,11 +9,11 @@
 
 #include "base/functional/callback.h"
 #include "base/memory/ref_counted.h"
+#include "net/base/hash_value.h"
 #include "net/base/net_export.h"
 
 namespace net {
 class IOBuffer;
-struct SHA256HashValue;
 
 // This class is used to read the binary of the shared dictionary.
 class NET_EXPORT SharedDictionary : public base::RefCounted<SharedDictionary> {

net/shared_dictionary/shared_dictionary_header_checker_source_stream.cc

@@ -145,7 +145,7 @@ bool SharedDictionaryHeaderCheckerSourceStream::CheckHeaderBuffer() const {
   if (GetSignatureInBuffer() != GetExpectedSignature(type_)) {
     return false;
   }
-  if (GetHashInBuffer() != base::span(dictionary_hash_.data)) {
+  if (GetHashInBuffer() != dictionary_hash_) {
     return false;
   }
   return true;

net/shared_dictionary/shared_dictionary_header_checker_source_stream_unittest.cc

@@ -260,7 +260,7 @@ TEST_P(SharedDictionaryHeaderCheckerSourceStreamTest, HeaderSync) {
 
 TEST_P(SharedDictionaryHeaderCheckerSourceStreamTest, HeaderSplittedSync) {
   AddReadResult(GetSignature(), Mode::SYNC);
-  AddReadResult(kTestHash.data, Mode::SYNC);
+  AddReadResult(kTestHash, Mode::SYNC);
   AddReadResult(kTestBodyData, Mode::SYNC);
   AddReadResult(OK, Mode::SYNC);
   CreateHeaderCheckerSourceStream();
@@ -283,7 +283,7 @@ TEST_P(SharedDictionaryHeaderCheckerSourceStreamTest, HeaderAsync) {
 
 TEST_P(SharedDictionaryHeaderCheckerSourceStreamTest, HeaderSplittedAsync) {
   AddReadResult(GetSignature(), Mode::ASYNC);
-  AddReadResult(kTestHash.data, Mode::ASYNC);
+  AddReadResult(kTestHash, Mode::ASYNC);
   AddReadResult(kTestBodyData, Mode::ASYNC);
   AddReadResult(OK, Mode::ASYNC);
   CreateHeaderCheckerSourceStream();
@@ -295,14 +295,14 @@ TEST_P(SharedDictionaryHeaderCheckerSourceStreamTest, HeaderSplittedAsync) {
 
 TEST_P(SharedDictionaryHeaderCheckerSourceStreamTest, WrongSinatureSync) {
   AddReadResult(GetWrongSignature(), Mode::SYNC);
-  AddReadResult(kTestHash.data, Mode::SYNC);
+  AddReadResult(kTestHash, Mode::SYNC);
   CreateHeaderCheckerSourceStream();
   CheckSyncRead(ERR_UNEXPECTED_CONTENT_DICTIONARY_HEADER);
 }
 
 TEST_P(SharedDictionaryHeaderCheckerSourceStreamTest, WrongSinatureAsync) {
   AddReadResult(GetWrongSignature(), Mode::ASYNC);
-  AddReadResult(kTestHash.data, Mode::ASYNC);
+  AddReadResult(kTestHash, Mode::ASYNC);
   CreateHeaderCheckerSourceStream();
   CheckAsyncRead(ERR_UNEXPECTED_CONTENT_DICTIONARY_HEADER, 2);
 }
@@ -310,7 +310,7 @@ TEST_P(SharedDictionaryHeaderCheckerSourceStreamTest, WrongSinatureAsync) {
 TEST_P(SharedDictionaryHeaderCheckerSourceStreamTest, WrongHashSync) {
   const SHA256HashValue kWrongHash = {{0x01}};
   AddReadResult(GetSignature(), Mode::SYNC);
-  AddReadResult(kWrongHash.data, Mode::SYNC);
+  AddReadResult(kWrongHash, Mode::SYNC);
   CreateHeaderCheckerSourceStream();
   CheckSyncRead(ERR_UNEXPECTED_CONTENT_DICTIONARY_HEADER);
 }
@@ -318,7 +318,7 @@ TEST_P(SharedDictionaryHeaderCheckerSourceStreamTest, WrongHashSync) {
 TEST_P(SharedDictionaryHeaderCheckerSourceStreamTest, WrongHashAsync) {
   const SHA256HashValue kWrongHash = {{0x01}};
   AddReadResult(GetSignature(), Mode::ASYNC);
-  AddReadResult(kWrongHash.data, Mode::ASYNC);
+  AddReadResult(kWrongHash, Mode::ASYNC);
   CreateHeaderCheckerSourceStream();
   CheckAsyncRead(ERR_UNEXPECTED_CONTENT_DICTIONARY_HEADER, 2);
 }

net/shared_dictionary/shared_dictionary_network_transaction.cc

@@ -222,8 +222,8 @@ void SharedDictionaryNetworkTransaction::ModifyRequestHeaders(
     shared_dictionary_.reset();
     return;
   }
-  dictionary_hash_base64_ = base::StrCat(
+  dictionary_hash_base64_ =
-      {":", base::Base64Encode(shared_dictionary_->hash().data), ":"});
+      base::StrCat({":", base::Base64Encode(shared_dictionary_->hash()), ":"});
   request_headers->SetHeader(shared_dictionary::kAvailableDictionaryHeaderName,
                              dictionary_hash_base64_);
   if (enable_shared_zstd_) {

net/shared_dictionary/shared_dictionary_network_transaction_unittest.cc

@@ -94,7 +94,7 @@ class DummySyncDictionary : public SharedDictionary {
     std::unique_ptr<crypto::SecureHash> secure_hash =
         crypto::SecureHash::Create(crypto::SecureHash::SHA256);
     secure_hash->Update(data_->data(), size_);
-    secure_hash->Finish(hash_.data, sizeof(hash_.data));
+    secure_hash->Finish(hash_);
   }
 
   // SharedDictionary

net/test/cert_builder.cc

@@ -27,6 +27,7 @@
 #include "base/strings/string_util.h"
 #include "base/time/time.h"
 #include "crypto/ec_private_key.h"
+#include "crypto/hash.h"
 #include "crypto/rsa_private_key.h"
 #include "crypto/sha2.h"
 #include "net/cert/asn1_util.h"
@@ -1416,9 +1417,8 @@ void CertBuilder::BuildSctListExtension(const std::string& pre_tbs_certificate,
     ASSERT_TRUE(CBB_init(issuer_spki_cbb.get(), 32));
     ASSERT_TRUE(
         EVP_marshal_public_key(issuer_spki_cbb.get(), issuer_->GetKey()));
-    crypto::SHA256HashString(FinishCBB(issuer_spki_cbb.get()),
+    entry.issuer_key_hash = crypto::hash::Sha256(
-                             entry.issuer_key_hash.data,
+        base::as_byte_span(FinishCBB(issuer_spki_cbb.get())));
-                             sizeof(entry.issuer_key_hash.data));
     entry.tbs_certificate = pre_tbs_certificate;
 
     std::string serialized_log_entry;

net/test/ct_test_util.cc

@@ -187,8 +187,8 @@ std::string GetDerEncodedX509Cert() {
 
 void GetPrecertSignedEntry(SignedEntryData* entry) {
   entry->type = ct::SignedEntryData::LOG_ENTRY_TYPE_PRECERT;
-  std::string issuer_hash(HexDecode(kDefaultIssuerKeyHash));
+  base::span(entry->issuer_key_hash)
-  memcpy(entry->issuer_key_hash.data, issuer_hash.data(), issuer_hash.size());
+      .copy_from(base::as_byte_span(HexDecode(kDefaultIssuerKeyHash)));
   entry->tbs_certificate = HexDecode(kDefaultDerTbsCert);
 }
 

net/tools/cert_verify_tool/cert_verify_tool_util.cc

@@ -122,7 +122,7 @@ void PrintCertError(const std::string& error, const CertInput& cert) {
 std::string FingerPrintCryptoBuffer(const CRYPTO_BUFFER* cert_handle) {
   net::SHA256HashValue hash =
       net::X509Certificate::CalculateFingerprint256(cert_handle);
-  return base::HexEncode(hash.data);
+  return base::HexEncode(hash);
 }
 
 std::string SubjectFromX509Certificate(const net::X509Certificate* cert) {

services/cert_verifier/cert_verifier_service_factory.cc

@@ -112,7 +112,7 @@ internal::CertVerifierServiceImpl* GetNewCertVerifierImpl(
 std::string GetHash(const bssl::ParsedCertificate& cert) {
   net::SHA256HashValue hash =
       net::X509Certificate::CalculateFingerprint256(cert.cert_buffer());
-  return base::HexEncode(hash.data);
+  return base::HexEncode(hash);
 }
 
 bool IsVersionConstraintSatisified(

services/cert_verifier/cert_verifier_service_factory_unittest.cc

@@ -482,7 +482,7 @@ TEST(CertVerifierServiceFactoryTest, RootStoreInfoWithUpdatedRootStore) {
   net::SHA256HashValue root_hash =
       net::X509Certificate::CalculateFingerprint256(root->GetCertBuffer());
   EXPECT_EQ(info_ptr->root_cert_info[0]->sha256hash_hex,
-            base::HexEncode(root_hash.data));
+            base::HexEncode(root_hash));
   EXPECT_TRUE(net::x509_util::CryptoBufferEqual(
       net::x509_util::CreateCryptoBuffer(info_ptr->root_cert_info[0]->cert)
           .get(),

services/network/ignore_errors_cert_verifier_unittest.cc

@@ -59,7 +59,7 @@ static std::vector<std::string> MakeAllowlist() {
       &cert_spki);
 
   crypto::SHA256HashString(cert_spki, &hash, sizeof(SHA256HashValue));
-  std::string hash_base64 = base::Base64Encode(hash.data);
+  std::string hash_base64 = base::Base64Encode(hash);
   return {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "foobar", hash_base64,
           "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="};
 }

services/network/public/cpp/hash_value_mojom_traits.cc

@@ -7,9 +7,11 @@
 #pragma allow_unsafe_libc_calls
 #endif
 
+#include "services/network/public/cpp/hash_value_mojom_traits.h"
+
 #include <string.h>
 
-#include "services/network/public/cpp/hash_value_mojom_traits.h"
+#include "base/containers/span.h"
 
 namespace mojo {
 
@@ -25,7 +27,7 @@ bool StructTraits<
     // CHECK it instead when it does.
     return false;
   }
-  memcpy(out->data, bytes.data(), bytes.size());
+  base::span(*out).copy_from(base::as_byte_span(bytes));
   return true;
 }
 

services/network/public/cpp/hash_value_mojom_traits.h

@@ -15,7 +15,7 @@ template <>
 struct StructTraits<network::mojom::SHA256HashValueDataView,
                     net::SHA256HashValue> {
   static base::span<const uint8_t, 32> data(const net::SHA256HashValue& value) {
-    return value.data;
+    return value;
   }
 
   static bool Read(network::mojom::SHA256HashValueDataView in,

services/network/public/cpp/spki_hash_set.h

@@ -7,10 +7,7 @@
 
 #include "base/component_export.h"
 #include "base/containers/flat_set.h"
-
+#include "net/base/hash_value.h"
-namespace net {
-struct SHA256HashValue;
-}  // namespace net
 
 namespace network {
 

services/network/shared_dictionary/shared_dictionary_manager_unittest.cc

@@ -1112,7 +1112,7 @@ TEST_P(SharedDictionaryManagerTest, WriteAndReadDictionary) {
   secure_hash->Update(data1.c_str(), data1.size());
   secure_hash->Update(data2.c_str(), data2.size());
   net::SHA256HashValue sha256;
-  secure_hash->Finish(sha256.data, sizeof(sha256.data));
+  secure_hash->Finish(sha256);
 
   if (GetManagerType() == TestManagerType::kOnDisk) {
     FlushCacheTasks();

services/network/shared_dictionary/shared_dictionary_writer_in_memory.cc

@@ -58,7 +58,7 @@ void SharedDictionaryWriterInMemory::Finish() {
   }
 
   net::SHA256HashValue sha256;
-  secure_hash_->Finish(sha256.data, sizeof(sha256.data));
+  secure_hash_->Finish(sha256);
 
   if (total_size_ == 0) {
     std::move(finish_callback_)

services/network/shared_dictionary/shared_dictionary_writer_in_memory.h

@@ -12,11 +12,11 @@
 #include "base/component_export.h"
 #include "base/functional/callback.h"
 #include "crypto/secure_hash.h"
+#include "net/base/hash_value.h"
 #include "services/network/shared_dictionary/shared_dictionary_writer.h"
 
 namespace net {
 class IOBuffer;
-struct SHA256HashValue;
 }  // namespace net
 
 namespace network {

services/network/shared_dictionary/shared_dictionary_writer_in_memory_unittest.cc

@@ -25,7 +25,7 @@ net::SHA256HashValue GetHash(const std::string& data) {
       crypto::SecureHash::Create(crypto::SecureHash::SHA256);
   secure_hash->Update(data.c_str(), data.size());
   net::SHA256HashValue sha256;
-  secure_hash->Finish(sha256.data, sizeof(sha256.data));
+  secure_hash->Finish(sha256);
   return sha256;
 }
 

services/network/shared_dictionary/shared_dictionary_writer_on_disk.cc

@@ -174,7 +174,7 @@ void SharedDictionaryWriterOnDisk::MaybeFinish() {
   entry_.reset();
   DCHECK_EQ(written_size_, total_size_);
   net::SHA256HashValue sha256;
-  secure_hash_->Finish(sha256.data, sizeof(sha256.data));
+  secure_hash_->Finish(sha256);
   std::move(callback_).Run(Result::kSuccess, total_size_, sha256);
 }
 

services/network/shared_dictionary/shared_dictionary_writer_on_disk_unittest.cc

@@ -41,7 +41,7 @@ net::SHA256HashValue GetHash(const std::string& data) {
       crypto::SecureHash::Create(crypto::SecureHash::SHA256);
   secure_hash->Update(data.c_str(), data.size());
   net::SHA256HashValue sha256;
-  secure_hash->Finish(sha256.data, sizeof(sha256.data));
+  secure_hash->Finish(sha256);
   return sha256;
 }
 

third_party/blink/common/navigation/prefetched_signed_exchange_info_mojom_traits.cc

@@ -9,6 +9,7 @@
 
 #include "third_party/blink/public/common/navigation/prefetched_signed_exchange_info_mojom_traits.h"
 
+#include "base/containers/span.h"
 #include "base/notreached.h"
 
 namespace mojo {
@@ -20,11 +21,11 @@ bool StructTraits<blink::mojom::SHA256HashValueDataView, net::SHA256HashValue>::
   if (!input.ReadData(&data))
     return false;
 
-  if (data.size() != sizeof(out->data)) {
+  if (data.size() != out->size()) {
     NOTREACHED();
   }
 
-  memcpy(out->data, data.c_str(), sizeof(out->data));
+  base::span(*out).copy_from(base::as_byte_span(data));
   return true;
 }
 

third_party/blink/public/common/navigation/prefetched_signed_exchange_info_mojom_traits.h

@@ -7,6 +7,7 @@
 
 #include <string>
 
+#include "base/containers/span.h"
 #include "mojo/public/cpp/base/byte_string_mojom_traits.h"
 #include "mojo/public/cpp/bindings/struct_traits.h"
 #include "net/base/hash_value.h"
@@ -19,8 +20,7 @@ template <>
 struct BLINK_COMMON_EXPORT
     StructTraits<blink::mojom::SHA256HashValueDataView, net::SHA256HashValue> {
   static const std::string data(const net::SHA256HashValue& value) {
-    return std::string(reinterpret_cast<const char*>(value.data),
+    return std::string(base::as_string_view(value));
-                       sizeof(value.data));
   }
 
   static bool Read(blink::mojom::SHA256HashValueDataView input,