Initial support for HSTS certificate locking. This isn't a finished work, but

net/base/x509_certificate.h

Index: net/base/x509_certificate.h
===================================================================
--- net/base/x509_certificate.h	(revision 80114)
+++ net/base/x509_certificate.h	(working copy)
@@ -323,6 +323,18 @@
   // Frees (or releases a reference to) an OS certificate handle.
   static void FreeOSCertHandle(OSCertHandle cert_handle);
 
+  // Gets the complete cert chain (including root and intermediaries).
+  // The returned chain must be freed with DestroyCertChain.
+  static void GetCertChainFromCert(OSCertHandle cert_handle,
+                                   OSCertHandles* cert_handles);
+
+  // Frees a cert chain.
+  static void DestroyCertChain(OSCertHandles* cert_handles);

[abarth-chromium, 2011/04/04 22:49:36]

We should probably have a stack-allocated, scoped object to manage the lifetime
of these objects.

+
+  // Calculates the SHA-1 fingerprint of the certificate.  Returns an empty
+  // (all zero) fingerprint on failure.
+  static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle);
+
  private:
   friend class base::RefCountedThreadSafe<X509Certificate>;
   friend class TestRootCerts;  // For unit tests
@@ -353,10 +365,6 @@
   static void ResetCertStore();
 #endif
 
-  // Calculates the SHA-1 fingerprint of the certificate.  Returns an empty
-  // (all zero) fingerprint on failure.
-  static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle);
-
   // Verifies that |hostname| matches one of the names in |cert_names|, based on
   // TLS name matching rules, specifically following http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-09#section-4.4.3
   // The members of |cert_names| must have been extracted from the Subject CN or