Initial support for HSTS certificate locking. This isn't a finished work, but

net/base/x509_certificate.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_X509_CERTIFICATE_H_
 #define NET_BASE_X509_CERTIFICATE_H_
 #pragma once
 
 #include <string.h>
 
@@ skipping 305 matching lines @@
   // specific |format|. Returns an empty collection on failure.
   static OSCertHandles CreateOSCertHandlesFromBytes(
       const char* data, int length, Format format);
 
   // Duplicates (or adds a reference to) an OS certificate handle.
   static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle);
 
   // Frees (or releases a reference to) an OS certificate handle.
   static void FreeOSCertHandle(OSCertHandle cert_handle);
 
+  // Gets the complete cert chain (including root and intermediaries).
+  // The returned chain must be freed with DestroyCertChain.
+  static void GetCertChainFromCert(OSCertHandle cert_handle,
+                                   OSCertHandles* cert_handles);
+
+  // Frees a cert chain.
+  static void DestroyCertChain(OSCertHandles* cert_handles);

[abarth-chromium, 2011/04/04 22:49:36]

We should probably have a stack-allocated, scoped object to manage the lifetime
of these objects.

+
+  // Calculates the SHA-1 fingerprint of the certificate.  Returns an empty
+  // (all zero) fingerprint on failure.
+  static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle);
+
  private:
   friend class base::RefCountedThreadSafe<X509Certificate>;
   friend class TestRootCerts;  // For unit tests
   FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, Cache);
   FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, IntermediateCertificates);
   FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, SerialNumbers);
   FRIEND_TEST_ALL_PREFIXES(X509CertificateNameVerifyTest, VerifyHostname);
 
   // Construct an X509Certificate from a handle to the certificate object
   // in the underlying crypto library.
@@ skipping 10 matching lines @@
                const char* policy_oid) const;
 #endif
   bool VerifyEV() const;
 
 #if defined(USE_OPENSSL)
   // Resets the store returned by cert_store() to default state. Used by
   // TestRootCerts to undo modifications.
   static void ResetCertStore();
 #endif
 
-  // Calculates the SHA-1 fingerprint of the certificate.  Returns an empty
-  // (all zero) fingerprint on failure.
-  static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle);
-
   // Verifies that |hostname| matches one of the names in |cert_names|, based on
   // TLS name matching rules, specifically following http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-09#section-4.4.3
   // The members of |cert_names| must have been extracted from the Subject CN or
   // SAN fields of a certificate.
   // WARNING:  This function may return false negatives (for example, if
   //           |hostname| is an IP address literal) on some platforms.  Only
   //           use in cases where some false-positives are acceptible.
   static bool VerifyHostname(const std::string& hostname,
                              const std::vector<std::string>& cert_names);
 
@@ skipping 41 matching lines @@
 
   // Where the certificate comes from.
   Source source_;
 
   DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_X509_CERTIFICATE_H_