This applies GUIDs to certificate and key nicknames when

net/base/x509_certificate.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_X509_CERTIFICATE_H_
 #define NET_BASE_X509_CERTIFICATE_H_
 #pragma once
 
 #include <string.h>
 
@@ skipping 13 matching lines @@
 #elif defined(OS_MACOSX)
 #include <CoreFoundation/CFArray.h>
 #include <Security/SecBase.h>
 
 #include "base/synchronization/lock.h"
 #elif defined(USE_OPENSSL)
 // Forward declaration; real one in <x509.h>
 typedef struct x509_st X509;
 typedef struct x509_store_st X509_STORE;
 #elif defined(USE_NSS)
+#include <net/base/cert_type.h>

[wtc, 2011/11/29 23:13:57]

This should be
  #include "net/base/cert_type.h"

<foo.h> means foo.h is a system header.

[Greg Spencer (Chromium), 2011/12/02 18:50:07]

Whoops, yeah, I know that. :) Fixed.

 // Forward declaration; real one in <cert.h>
 struct CERTCertificateStr;
 #endif
 
 class Pickle;
 
 namespace crypto {
 class StringPiece;
 class RSAPrivateKey;
 }  // namespace crypto
@@ skipping 77 matching lines @@
     // |intermediate_ca_certificates_| at the time it was serialized.
     PICKLETYPE_CERTIFICATE_CHAIN,
   };
 
   // Creates a X509Certificate from the ground up.  Used by tests that simulate
   // SSL connections.
   X509Certificate(const std::string& subject, const std::string& issuer,
                   base::Time start_date, base::Time expiration_date);
 
   // Create an X509Certificate from a handle to the certificate object in the
-  // underlying crypto library. The returned pointer must be stored in a
+  // underlying crypto library. The returned pointer MUST be stored in a

[wtc, 2011/11/29 23:13:57]

Nit: we don't have a convention of capitalizing MUST for
emphasis in our header file comments.

[Greg Spencer (Chromium), 2011/12/02 18:50:07]

OK, fixed.

   // scoped_refptr<X509Certificate>.
   static X509Certificate* CreateFromHandle(OSCertHandle cert_handle,
                                            const OSCertHandles& intermediates);
 
   // Create an X509Certificate from a chain of DER encoded certificates. The
   // first certificate in the chain is the end-entity certificate to which a
   // handle is returned. The other certificates in the chain are intermediate
-  // certificates. The returned pointer must be stored in a
+  // certificates. The returned pointer MUST be stored in a
   // scoped_refptr<X509Certificate>.
   static X509Certificate* CreateFromDERCertChain(
       const std::vector<base::StringPiece>& der_certs);
 
   // Create an X509Certificate from the DER-encoded representation.
   // Returns NULL on failure.
   //
-  // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
+  // The returned pointer MUST be stored in a scoped_refptr<X509Certificate>.
   static X509Certificate* CreateFromBytes(const char* data, int length);
 
+#if defined(USE_NSS)
+  // Create an X509Certificate from the DER-encoded representation.
+  // |nickname| can be NULL if an auto-generated nickname is desired.
+  // Returns NULL on failure.
+  //
+  // The returned pointer MUST be stored in a scoped_refptr<X509Certificate>.
+  static X509Certificate* CreateFromBytesWithNickname(const char* data,

[wtc, 2011/11/29 23:13:57]

It would be nice to point out the difference between this
method and the CreateFromBytes method above, and to explain
why this method is necessary.

Similarly for the CreateOSCertHandleFromBytesWithNickname
method below.

[Greg Spencer (Chromium), 2011/12/02 18:50:07]

Done.

+                                                      int length,
+                                                      const char* nickname);
+#endif
+
   // Create an X509Certificate from the representation stored in the given
   // pickle.  The data for this object is found relative to the given
   // pickle_iter, which should be passed to the pickle's various Read* methods.
   // Returns NULL on failure.
   //
-  // The returned pointer must be stored in a scoped_refptr<X509Certificate>.
+  // The returned pointer MUST be stored in a scoped_refptr<X509Certificate>.
   static X509Certificate* CreateFromPickle(const Pickle& pickle,
                                            void** pickle_iter,
                                            PickleType type);
 
   // Parses all of the certificates possible from |data|. |format| is a
   // bit-wise OR of Format, indicating the possible formats the
   // certificates may have been serialized as. If an error occurs, an empty
   // collection will be returned.
   static CertificateList CreateCertificateListFromBytes(const char* data,
                                                         int length,
@@ skipping 26 matching lines @@
   void Persist(Pickle* pickle);
 
   // The subject of the certificate.  For HTTPS server certificates, this
   // represents the web server.  The common name of the subject should match
   // the host name of the web server.
   const CertPrincipal& subject() const { return subject_; }
 
   // The issuer of the certificate.
   const CertPrincipal& issuer() const { return issuer_; }
 
+#if defined(USE_NSS)
+  // Set/get the label of this certificate (the equivalent of NSS's

[wtc, 2011/11/29 23:13:57]

Nit: Set/get => Sets/gets
     NSS's => PKCS #11's

[Greg Spencer (Chromium), 2011/12/02 18:50:07]

Done.

+  // CKA_LABEL attribute, which is the nickname or friendly name of
+  // the certificate).
+  bool SetLabel(const std::string& label);
+  std::string GetLabel();

[wtc, 2011/11/29 23:13:57]

I believe GetLabel() can be 'const':
  std::string GetLabel() const;

[Greg Spencer (Chromium), 2011/12/02 18:50:07]

Yes, it should be.  But I've moved these functions into x509_util_nss, so
they're standalone functions now.

+
+  // Gets the type of certificate this is, based on the certificate's
+  // properties.
+  CertType GetCertificateType() const;

[wtc, 2011/11/29 23:13:57]

Nit: GetCertificateType => GetCertType

[Greg Spencer (Chromium), 2011/12/02 18:50:07]

Done.

+#endif  // defined(USE_NSS)
+
   // Time period during which the certificate is valid.  More precisely, this
   // certificate is invalid before the |valid_start| date and invalid after
   // the |valid_expiry| date.
   // If we were unable to parse either date from the certificate (or if the cert
   // lacks either date), the date will be null (i.e., is_null() will be true).
   const base::Time& valid_start() const { return valid_start_; }
   const base::Time& valid_expiry() const { return valid_expiry_; }
 
   // The fingerprint of this certificate.
   const SHA1Fingerprint& fingerprint() const { return fingerprint_; }
@@ skipping 195 matching lines @@
   // Returns the OSCertHandle of this object. Because of caching, this may
   // differ from the OSCertHandle originally supplied during initialization.
   // Note: On Windows, CryptoAPI may return unexpected results if this handle
   // is used across multiple threads. For more details, see
   // CreateOSCertChainForCert().
   OSCertHandle os_cert_handle() const { return cert_handle_; }
 
   // Returns true if two OSCertHandles refer to identical certificates.
   static bool IsSameOSCert(OSCertHandle a, OSCertHandle b);
 
-  // Creates an OS certificate handle from the BER-encoded representation.
+  // Creates an OS certificate handle from the DER-encoded representation.
   // Returns NULL on failure.
   static OSCertHandle CreateOSCertHandleFromBytes(const char* data,
                                                   int length);
 
+#if defined(USE_NSS)
+  // Creates an OS certificate handle from the DER-encoded representation,
+  // with the given nickname.  NULL nickname will do the same thing as
+  // CreateOSCertHandleFromBytes.  Returns NULL on failure.
+  static OSCertHandle CreateOSCertHandleFromBytesWithNickname(
+      const char* data, int length, const char* nickname);

[wtc, 2011/11/29 23:13:57]

Nit: List one parameter on each line.  See
http://www.chromium.org/developers/coding-style#TOC-Code-formatting

Follow the "OK3" example, and note the "BadWrappingStyle"
example.

[Greg Spencer (Chromium), 2011/12/02 18:50:07]

OK, done.  Thanks, I had forgotten that rule, and we have LOTS of counter
examples in the code to help me forget (like CreateOSCertHandlesFromBytes, for
instance.  I fixed that one too). :)

+#endif
+
   // Creates all possible OS certificate handles from |data| encoded in a
   // specific |format|. Returns an empty collection on failure.
   static OSCertHandles CreateOSCertHandlesFromBytes(
       const char* data, int length, Format format);
 
   // Duplicates (or adds a reference to) an OS certificate handle.
   static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle);
 
   // Frees (or releases a reference to) an OS certificate handle.
   static void FreeOSCertHandle(OSCertHandle cert_handle);
@@ skipping 127 matching lines @@
   // (Marked mutable because it's used in a const method.)
   mutable base::Lock verification_lock_;
 #endif
 
   DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_X509_CERTIFICATE_H_