net: retain leading zero bytes in X.509 serial numbers.

net/base/x509_certificate.h

Index: net/base/x509_certificate.h
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h
index 94a6f4a93f5b9b4fa821744b3871c8c5bbddf13b..7c0ceb782846d0e336758c6ad0b7f46e7bc2c353 100644
--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
@@ -418,12 +418,8 @@ class NET_EXPORT X509Certificate
                      int flags,
                      CertVerifyResult* verify_result) const;
 
-  // The serial number, DER encoded.
-  // NOTE: keep this method private, used by IsBlacklisted only.  To simplify
-  // IsBlacklisted, we strip the leading 0 byte of a serial number, used to
-  // encode a positive DER INTEGER (a signed type) with a most significant bit
-  // of 1.  Other code must not use this method for general purpose until this
-  // is fixed.
+  // The serial number, DER encoded, possibly including leading 00 bytes.

[wtc, 2011/10/25 21:14:44]

Nit: "a leading 00 byte" might be better because one leading
zero byte is enough to make the INTEGER positive.

[agl, 2011/10/28 20:29:07]

Done.

+  // NOTE: keep this method private, used by IsBlacklisted only.

[wtc, 2011/10/25 21:14:44]

We can remove this NOTE now (i.e., this method can become
public if necessary) because it preserves the leading 0 bytes
required for DER encoding of ASN.1 INTEGER.

[agl, 2011/10/28 20:29:07]

Done.

   const std::string& serial_number() const { return serial_number_; }
 
   // IsBlacklisted returns true if this certificate is explicitly blacklisted.