Chromium Code Reviews

Unified Diff: net/base/x509_chain.h

Issue 3112013: Move chain building/verification out of X509Certificate (Closed)
Patch Set: Rebase to trunk - Without OpenSSL fixes Created 10 years, 2 months ago
Index: net/base/x509_chain.h
diff --git a/net/base/x509_chain.h b/net/base/x509_chain.h
new file mode 100644
index 0000000000000000000000000000000000000000..f391bb60990321cc23ad977e3a9e2ca9ba6a1896
--- /dev/null
+++ b/net/base/x509_chain.h
@@ -0,0 +1,45 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_X509_CHAIN_H_
+#define NET_BASE_X509_CHAIN_H_
+#pragma once
+
+#include <string>
+
+namespace net {
+
+class CertVerifyResult;
+class X509Certificate;
+
+// Functions related to X.509 certificate chain building and verification.
+namespace x509_chain {
+
+enum VerifyFlags {
+ VERIFY_REV_CHECKING_ENABLED = 1 << 0,
+ VERIFY_EV_CERT = 1 << 1,
+};
+
+// Verifies that |certificate| is a valid SSL server certificate for the
+// given |hostname|. against the given hostname. Returns OK if successful
bulach 2010/10/21 10:21:33 s/against the given hostname.//
+// or an error code upon failure.
+//
+// The |*verify_result| structure, including the |verify_result->cert_status|
+// bitmask, is always filled out regardless of the return value. If the
+// certificate has multiple errors, the corresponding status flags are set in
+// |verify_result->cert_status|, and the error code for the most serious
+// error is returned.
+//
+// |flags| is bitwise OR'd of VerifyFlags.
+// If VERIFY_REV_CHECKING_ENABLED is set in |flags|, certificate revocation
+// checking is performed. If VERIFY_EV_CERT is set in |flags| too,
+// EV certificate verification is performed.
+int VerifySSLServer(X509Certificate* certificate, const std::string& hostname,
+ int flags, CertVerifyResult* verify_result);
+
+} // namespace x509_chain
+
+} // namespace net
+
+#endif // NET_BASE_X509_CHAIN_H_
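Review bot: The |flags| comment above VerifySSLServer says EV verification is performed "If VERIFY_EV_CERT is set in |flags| too", which leaves the case of VERIFY_EV_CERT set without VERIFY_REV_CHECKING_ENABLED undefined. Please state in the comment whether the EV bit is ignored in that case or treated as an error, so a caller cannot assume EV verification ran when revocation checking was off. While editing that comment, "|flags| is bitwise OR'd of VerifyFlags" would read better as "|flags| is a bitwise OR of VerifyFlags", and it would help to say whether |certificate| and |verify_result| may be NULL, since both are raw pointers and |verify_result| is documented as always filled out.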
