Initial support for HSTS certificate locking. This isn't a finished work, but

net/base/x509_certificate_openssl.cc

Index: net/base/x509_certificate_openssl.cc
===================================================================
--- net/base/x509_certificate_openssl.cc	(revision 80507)
+++ net/base/x509_certificate_openssl.cc	(working copy)
@@ -332,6 +332,21 @@
   X509InitSingleton::GetInstance()->ResetCertStore();
 }
 
+// static
+void X509Certificate::GetCertChainFromCert(OSCertHandle cert_handle,
+                                           OSCertHandles* cert_handles) {
+  // TODO(bulach): how to get the chain out of a certificate?

[wtc, 2011/04/07 01:00:29]

I don't know.  Usually a certificate chain is a byproduct
of certificate verification.  But my quick search on this
topic didn't find anything.  Sorry.

+  cert_handles->push_back(net::X509Certificate::DupOSCertHandle(cert_handle));
+}
+
+// static
+void X509Certificate::DestroyCertChain(OSCertHandles* cert_handles) {
+  for (OSCertHandles::iterator i = cert_handles->begin();
+       i != cert_handles->end(); ++i)
+    X509_free(*i);
+  cert_handles->clear();
+}
+
 SHA1Fingerprint X509Certificate::CalculateFingerprint(OSCertHandle cert) {
   SHA1Fingerprint sha1;
   unsigned int sha1_size = static_cast<unsigned int>(sizeof(sha1.data));