Don't use X509Certificate in SSLConfig.

net/base/ssl_config_service.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_SSL_CONFIG_SERVICE_H_
 #define NET_BASE_SSL_CONFIG_SERVICE_H_
 #pragma once
 
 #include <vector>
 
 #include "base/basictypes.h"
 #include "base/memory/ref_counted.h"
 #include "base/observer_list.h"
 #include "net/base/net_api.h"
 #include "net/base/x509_certificate.h"
 
 namespace net {
 
 // A collection of SSL-related configuration settings.
 struct NET_API SSLConfig {
   // Default to revocation checking.
   // Default to SSL 3.0 on and TLS 1.0 on.
   SSLConfig();
   ~SSLConfig();
 
   // Returns true if |cert| is one of the certs in |allowed_bad_certs|.
   // The expected cert status is written to |cert_status|. |*cert_status| can
   // be NULL if user doesn't care about the cert status.
   bool IsAllowedBadCert(X509Certificate* cert, int* cert_status) const;
+  bool IsAllowedBadCert(const std::string& cert_der, int* cert_status) const;

[wtc, 2011/07/19 21:57:01]

Please document the new IsAllowedBadCert variant.

It may be better to use const StringPiece& instead of
const std::string&.  This may allow us to avoid copying
in some cases.

I assume it is fine to use function overloading here even
though the Style Guide recommends against it in general:
http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml#Function_Overl...

Nit: please name the argument "der_cert".  The full
description is "DER encoded certificate", so "der_cert" is
closer to that than "cert_der".  Please do this renaming
throughout the CL, at least in the files under src/net.

If the renaming requires changing too many files, don't do
it.

[Sergey Ulanov, 2011/07/19 23:50:21]

Done.

 
   bool rev_checking_enabled;  // True if server certificate revocation
                               // checking is enabled.
   // SSL 2.0 is not supported.
   bool ssl3_enabled;  // True if SSL 3.0 is enabled.
   bool tls1_enabled;  // True if TLS 1.0 is enabled.
   // True if we'll do async checks for certificate provenance using DNS.
   bool dns_cert_provenance_checking_enabled;
 
   // Cipher suites which should be explicitly prevented from being used in
@@ skipping 20 matching lines @@
   bool cached_info_enabled;  // True if TLS cached info extension is enabled.
   bool false_start_enabled;  // True if we'll use TLS False Start.
 
   // TODO(wtc): move the following members to a new SSLParams structure.  They
   // are not SSL configuration settings.
 
   struct NET_API CertAndStatus {
     CertAndStatus();
     ~CertAndStatus();
 
-    scoped_refptr<X509Certificate> cert;
+    std::string cert_der;
     int cert_status;
   };
 
   // Add any known-bad SSL certificate (with its cert status) to
   // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when
   // calling SSLClientSocket::Connect.  This would normally be done in
   // response to the user explicitly accepting the bad certificate.
   std::vector<CertAndStatus> allowed_bad_certs;
 
   // True if we should send client_cert to the server.
@@ skipping 88 matching lines @@
   void ProcessConfigUpdate(const SSLConfig& orig_config,
                            const SSLConfig& new_config);
 
  private:
   ObserverList<Observer> observer_list_;
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_SSL_CONFIG_SERVICE_H_