Initial support for HSTS certificate locking. This isn't a finished work, but

net/base/transport_security_state.h

Index: net/base/transport_security_state.h
===================================================================
--- net/base/transport_security_state.h	(revision 80114)
+++ net/base/transport_security_state.h	(working copy)
@@ -8,6 +8,7 @@
 
 #include <map>
 #include <string>
+#include <vector>
 
 #include "base/basictypes.h"
 #include "base/gtest_prod_util.h"
@@ -16,6 +17,8 @@
 
 namespace net {
 
+class X509Certificate;
+
 // TransportSecurityState
 //
 // Tracks which hosts have enabled *-Transport-Security. This object manages
@@ -54,6 +57,7 @@
     base::Time created;  // when this host entry was first created
     base::Time expiry;  // the absolute time (UTC) when this record expires
     bool include_subdomains;  // subdomains included?
+    std::vector<std::string> cert_locks;  // optional: fingerprint locking

[abarth-chromium, 2011/04/04 22:49:36]

People seem to like the name "pinning" better than locking.

 
     // The follow members are not valid when stored in |enabled_hosts_|.
     bool preloaded;  // is this a preloaded entry?
@@ -71,6 +75,10 @@
   // *result is filled out.
   bool IsEnabledForHost(DomainState* result, const std::string& host);
 
+  // Returns true if our (optional) stronger certificate authority checks
+  // will accept this signature chain for this domain.
+  bool IsAcceptableCertificate(const std::string& host, X509Certificate* cert);
+
   // Deletes all records created since a given time.
   void DeleteSince(const base::Time& time);