Initial support for HSTS certificate locking. This isn't a finished work, but

net/base/x509_certificate_nss.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <cert.h>
 #include <cryptohi.h>
 #include <keyhi.h>
 #include <nss.h>
@@ skipping 931 matching lines @@
     OSCertHandle cert_handle) {
   return CERT_DupCertificate(cert_handle);
 }
 
 // static
 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {
   CERT_DestroyCertificate(cert_handle);
 }
 
 // static
+void X509Certificate::GetCertChainFromCert(OSCertHandle cert_handle,
+                                           OSCertHandles* cert_handles) {
+  CERTCertList* cert_list =
+      CERT_GetCertChainFromCert(cert_handle, PR_Now(), certUsageSSLServer);

[wtc, 2011/04/07 01:00:29]

The certificate chain is readily available in the Verify()
method.  It is best to get the certificate chain in Verify().

+  CERTCertListNode* node;
+  for (node = CERT_LIST_HEAD(cert_list);
+       !CERT_LIST_END(node, cert_list);
+       node = CERT_LIST_NEXT(node)) {
+    cert_handles->push_back(CERT_DupCertificate(node->cert));
+  }
+  CERT_DestroyCertList(cert_list);
+}
+
+// static
+void X509Certificate::DestroyCertChain(OSCertHandles* cert_handles) {
+  for (OSCertHandles::iterator i(cert_handles->begin());
+       i != cert_handles->end(); ++i)
+    CERT_DestroyCertificate(*i);
+  cert_handles->clear();
+}
+
+// static
 SHA1Fingerprint X509Certificate::CalculateFingerprint(
     OSCertHandle cert) {
   SHA1Fingerprint sha1;
   memset(sha1.data, 0, sizeof(sha1.data));
 
   DCHECK(NULL != cert->derCert.data);
   DCHECK(0 != cert->derCert.len);
 
   SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data,
                               cert->derCert.data, cert->derCert.len);
   DCHECK(rv == SECSuccess);
 
   return sha1;
 }
 
 }  // namespace net