This applies GUIDs to certificate and key nicknames when

net/base/cert_database.h

Index: net/base/cert_database.h
diff --git a/net/base/cert_database.h b/net/base/cert_database.h
index a735e6937c9c97ab77abfe931d462e6ade6be9e0..aaebdfe20a2e59dc507762b0b20337ae132c2828 100644
--- a/net/base/cert_database.h
+++ b/net/base/cert_database.h
@@ -99,8 +99,8 @@ class NET_EXPORT CertDatabase {
   int AddUserCert(X509Certificate* cert);
 
 #if defined(USE_NSS) || defined(USE_OPENSSL)
-  // Get a list of unique certificates in the certificate database.  (One
-  // instance of all certificates.)
+  // Get a list of unique certificates in the certificate database (one
+  // instance of all certificates).
   void ListCerts(CertificateList* certs);
 
   // Get the default module for public key data.
@@ -123,7 +123,8 @@ class NET_EXPORT CertDatabase {
   int ImportFromPKCS12(CryptoModule* module,
                        const std::string& data,
                        const string16& password,
-                       bool is_extractable);
+                       bool is_extractable,
+                       CertificateList* imported_certs);

[wtc, 2011/11/29 23:13:57]

Please document the new imported_certs output parameter.
You can copy your comment from
net/third_party/mozilla_security_manager/nsPKCS12Blob.h.

[Greg Spencer (Chromium), 2011/12/02 18:50:07]

Done.

 
   // Export the given certificates and private keys into a PKCS #12 blob,
   // storing into |output|.
@@ -178,14 +179,23 @@ class NET_EXPORT CertDatabase {
   // success.
   bool DeleteCertAndKey(const X509Certificate* cert);
 
+  // Check whether cert is stored in a readonly slot.
+  bool IsReadOnly(const X509Certificate* cert) const;
+#endif
+
+#if defined(USE_NSS)
   // Delete the certificate and associated public and private key (if
   // one exists) with the given label from the database.  Returns true
-  // on success.  ("label" here refers to the NSS Attribute CKA_LABEL,
+  // on success.  ("label" here refers to the NSS attribute CKA_LABEL,

[wtc, 2011/11/29 23:13:57]

Nit: NSS attribute => PKCS #11 attribute

[Greg Spencer (Chromium), 2011/12/02 18:50:07]

Done.  I've also moved these functions into the onc parser because it's the only
client at the moment, and it keeps NSS specific code out of this header.

   // also referred to as a nickname or friendly name).
   bool DeleteCertAndKeyByLabel(const std::string& label);
 
-  // Check whether cert is stored in a readonly slot.
-  bool IsReadOnly(const X509Certificate* cert) const;
+  // Get a list of certificates in the certificate database that
+  // contain the given string in their label (one instance of all
+  // certificates that match).  This is a substring match, so if the

[wtc, 2011/11/29 23:13:57]

Doing an exact match in DeleteCertAndKeyByLabel but a substring
match in ListCertsWithLabel is a non-obvious inconsistency.

It seems that this class just needs to provide ListCerts(),
and you can do the substring match of labels in Chrome OS
ONC code.

[Greg Spencer (Chromium), 2011/12/02 18:50:07]

I've moved these into OncNetworkParser, since it keeps NSS specific calls out of
this API, and they both do substring matches now.

+  // requested label is "a", then all certs with an "a" in their label
+  // will be returned.
+  void ListCertsWithLabel(const std::string& label, CertificateList* certs);
 #endif
 
   // Registers |observer| to receive notifications of certificate changes.  The