Added a PolicyCertVerifier that uses the trust anchors from the ONC policies.

chrome/browser/policy/browser_policy_connector.h

Index: chrome/browser/policy/browser_policy_connector.h
diff --git a/chrome/browser/policy/browser_policy_connector.h b/chrome/browser/policy/browser_policy_connector.h
index 3774422070b650bda0f98c99f2e8629db0d1fc47..3752b84605af6071dbd0446c334ccf8dbb5ba8a1 100644
--- a/chrome/browser/policy/browser_policy_connector.h
+++ b/chrome/browser/policy/browser_policy_connector.h
@@ -19,10 +19,12 @@
 #endif
 
 class PrefRegistrySimple;
+class PrefRegistrySyncable;
 class PrefService;
 class Profile;
 
 namespace net {
+class CertTrustAnchorProvider;
 class URLRequestContextGetter;
 }
 
@@ -119,6 +121,8 @@ class BrowserPolicyConnector {
 
   NetworkConfigurationUpdater* GetNetworkConfigurationUpdater();
 
+  net::CertTrustAnchorProvider* GetCertTrustAnchorProvider();
+
   DeviceCloudPolicyManagerChromeOS* GetDeviceCloudPolicyManager() {
     return device_cloud_policy_manager_.get();
   }
@@ -156,9 +160,17 @@ class BrowserPolicyConnector {
   // false if the username is empty.
   static bool IsNonEnterpriseUser(const std::string& username);
 
+  // Returns true if |profile| has used certificates installed via policy
+  // to establish a secure connection before. This means that it may have
+  // cached content from an untrusted source.
+  static bool UsedPolicyCertificates(Profile* profile);
+
   // Registers refresh rate prefs.
   static void RegisterPrefs(PrefRegistrySimple* registry);
 
+  // Registers Profile prefs related to policy features.
+  static void RegisterUserPrefs(PrefRegistrySyncable* registry);
+
  private:
   // Set the timezone as soon as the policies are available.
   void SetTimezoneIfPolicyAvailable();