This applies GUIDs to certificate and key nicknames when

net/base/cert_database.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_CERT_DATABASE_H_
 #define NET_BASE_CERT_DATABASE_H_
 #pragma once
 
 #include <string>
 #include <vector>
@@ skipping 81 matching lines @@
   // Check whether this is a valid user cert that we have the private key for.
   // Returns OK or a network error code such as ERR_CERT_CONTAINS_ERRORS.
   int CheckUserCert(X509Certificate* cert);
 
   // Store user (client) certificate. Assumes CheckUserCert has already passed.
   // Returns OK, or ERR_ADD_USER_CERT_FAILED if there was a problem saving to
   // the platform cert database, or possibly other network error codes.
   int AddUserCert(X509Certificate* cert);
 
 #if defined(USE_NSS) || defined(USE_OPENSSL)
-  // Get a list of unique certificates in the certificate database.  (One
-  // instance of all certificates.)
+  // Get a list of unique certificates in the certificate database (one
+  // instance of all certificates).
   void ListCerts(CertificateList* certs);
 
   // Get the default module for public key data.
   // The returned pointer must be stored in a scoped_refptr<CryptoModule>.
   CryptoModule* GetPublicModule() const;
 
   // Get the default module for private key or mixed private/public key data.
   // The returned pointer must be stored in a scoped_refptr<CryptoModule>.
   CryptoModule* GetPrivateModule() const;
 
   // Get all modules.
   // If |need_rw| is true, only writable modules will be returned.
   void ListModules(CryptoModuleList* modules, bool need_rw) const;
 
   // Import certificates and private keys from PKCS #12 blob into the module.
   // If |is_extractable| is false, mark the private key as being unextractable
   // from the module.
   // Returns OK or a network error code such as ERR_PKCS12_IMPORT_BAD_PASSWORD
   // or ERR_PKCS12_IMPORT_ERROR.
   int ImportFromPKCS12(CryptoModule* module,
                        const std::string& data,
                        const string16& password,
-                       bool is_extractable);
+                       bool is_extractable,
+                       CertificateList* imported_certs);

[wtc, 2011/11/29 23:13:57]

Please document the new imported_certs output parameter.
You can copy your comment from
net/third_party/mozilla_security_manager/nsPKCS12Blob.h.

[Greg Spencer (Chromium), 2011/12/02 18:50:07]

Done.

 
   // Export the given certificates and private keys into a PKCS #12 blob,
   // storing into |output|.
   // Returns the number of certificates successfully exported.
   int ExportToPKCS12(const CertificateList& certs, const string16& password,
                      std::string* output) const;
 
   // Uses similar logic to nsNSSCertificateDB::handleCACertDownload to find the
   // root.  Assumes the list is an ordered hierarchy with the root being either
   // the first or last element.
@@ skipping 34 matching lines @@
   // Returns true on success or false on failure.
   bool SetCertTrust(const X509Certificate* cert,
                     CertType type,
                     TrustBits trust_bits);
 
   // Delete certificate and associated private key (if one exists).
   // |cert| is still valid when this function returns. Returns true on
   // success.
   bool DeleteCertAndKey(const X509Certificate* cert);
 
-  // Delete the certificate and associated public and private key (if
-  // one exists) with the given label from the database.  Returns true
-  // on success.  ("label" here refers to the NSS Attribute CKA_LABEL,
-  // also referred to as a nickname or friendly name).
-  bool DeleteCertAndKeyByLabel(const std::string& label);
-
   // Check whether cert is stored in a readonly slot.
   bool IsReadOnly(const X509Certificate* cert) const;
 #endif
 
+#if defined(USE_NSS)
+  // Delete the certificate and associated public and private key (if
+  // one exists) with the given label from the database.  Returns true
+  // on success.  ("label" here refers to the NSS attribute CKA_LABEL,

[wtc, 2011/11/29 23:13:57]

Nit: NSS attribute => PKCS #11 attribute

[Greg Spencer (Chromium), 2011/12/02 18:50:07]

Done.  I've also moved these functions into the onc parser because it's the only
client at the moment, and it keeps NSS specific code out of this header.

+  // also referred to as a nickname or friendly name).
+  bool DeleteCertAndKeyByLabel(const std::string& label);
+
+  // Get a list of certificates in the certificate database that
+  // contain the given string in their label (one instance of all
+  // certificates that match).  This is a substring match, so if the

[wtc, 2011/11/29 23:13:57]

Doing an exact match in DeleteCertAndKeyByLabel but a substring
match in ListCertsWithLabel is a non-obvious inconsistency.

It seems that this class just needs to provide ListCerts(),
and you can do the substring match of labels in Chrome OS
ONC code.

[Greg Spencer (Chromium), 2011/12/02 18:50:07]

I've moved these into OncNetworkParser, since it keeps NSS specific calls out of
this API, and they both do substring matches now.

+  // requested label is "a", then all certs with an "a" in their label
+  // will be returned.
+  void ListCertsWithLabel(const std::string& label, CertificateList* certs);
+#endif
+
   // Registers |observer| to receive notifications of certificate changes.  The
   // thread on which this is called is the thread on which |observer| will be
   // called back with notifications.
   static void AddObserver(Observer* observer);
 
   // Unregisters |observer| from receiving notifications.  This must be called
   // on the same thread on which AddObserver() was called.
   static void RemoveObserver(Observer* observer);
 
  private:
   // Broadcasts notifications to all registered observers.
   static void NotifyObserversOfUserCertAdded(const X509Certificate* cert);
   static void NotifyObserversOfCertTrustChanged(const X509Certificate* cert);
 
   DISALLOW_COPY_AND_ASSIGN(CertDatabase);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_CERT_DATABASE_H_