net: add ability to distinguish user-added root CAs.

net/base/x509_certificate.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_X509_CERTIFICATE_H_
 #define NET_BASE_X509_CERTIFICATE_H_
 #pragma once
 
 #include <string.h>
 
@@ skipping 149 matching lines @@
   // Create a self-signed certificate containing the public key in |key|.
   // Subject, serial number and validity period are given as parameters.
   // The certificate is signed by the private key in |key|. The hashing
   // algorithm for the signature is SHA-1.
   //
   // |subject| is a distinguished name defined in RFC4514.
   //
   // An example:
   // CN=Michael Wong,O=FooBar Corporation,DC=foobar,DC=com
   //
-  // SECURUITY WARNING
+  // SECURITY WARNING
   //
   // Using self-signed certificates has the following security risks:
   // 1. Encryption without authentication and thus vulnerable to
   //    man-in-the-middle attacks.
   // 2. Self-signed certificates cannot be revoked.
   //
   // Use this certificate only after the above risks are acknowledged.
   static X509Certificate* CreateSelfSigned(base::RSAPrivateKey* key,
                                            const std::string& subject,
                                            uint32 serial_number,
@@ skipping 135 matching lines @@
   // specific |format|. Returns an empty collection on failure.
   static OSCertHandles CreateOSCertHandlesFromBytes(
       const char* data, int length, Format format);
 
   // Duplicates (or adds a reference to) an OS certificate handle.
   static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle);
 
   // Frees (or releases a reference to) an OS certificate handle.
   static void FreeOSCertHandle(OSCertHandle cert_handle);
 
+  // IsSHA1HashInArray returns true iff |hash| is in |array|, a sorted array of
+  // SHA1 hashes.
+  static bool IsSHA1HashInSortedArray(const uint8 hash[20], const uint8* array,
+                                      unsigned array_byte_len);

[wtc, 2011/04/06 04:28:38]

This method should be private.

You may be able to use the SHA1Fingerprint type, at least
for the first argument.  The static method CalculateFingerprint
should be useful.

Declare array_byte_len as size_t.  (Only NSS uses unsigned int
for lengths, but we're not dealing with NSS here.)

[agl, 2011/04/06 19:02:02]

Done, although this means that the IsIssuedByKnownRoot have to be members of
X509Certificate too.
Done.

+
  private:
   friend class base::RefCountedThreadSafe<X509Certificate>;
   friend class TestRootCerts;  // For unit tests
   FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, Cache);
   FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, IntermediateCertificates);
   FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, SerialNumbers);
   FRIEND_TEST_ALL_PREFIXES(X509CertificateNameVerifyTest, VerifyHostname);
 
   // Construct an X509Certificate from a handle to the certificate object
   // in the underlying crypto library.
@@ skipping 75 matching lines @@
 
   // Where the certificate comes from.
   Source source_;
 
   DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_X509_CERTIFICATE_H_