NSS Cros multiprofile: trust roots added by a profile shouldn't apply to other profiles.

net/cert/cert_verify_proc_nss.h

Index: net/cert/cert_verify_proc_nss.h
diff --git a/net/cert/cert_verify_proc_nss.h b/net/cert/cert_verify_proc_nss.h
index f8bb853544e0817200fde60d5ebaacb6cdf5e2b7..f03c5f85004d8841e82145c5a442cae8551874e7 100644
--- a/net/cert/cert_verify_proc_nss.h
+++ b/net/cert/cert_verify_proc_nss.h
@@ -5,6 +5,8 @@
 #ifndef NET_CERT_CERT_VERIFY_PROC_NSS_H_
 #define NET_CERT_CERT_VERIFY_PROC_NSS_H_
 
+#include <certt.h>

[Ryan Sleevi, 2014/01/25 01:50:17]

forward declare, you're only using pointer types

[mattm, 2014/01/28 04:36:44]

CERTChainVerifyCallback is an typedef of an unnamed struct, can't forward
declare.

+
 #include "net/base/net_export.h"
 #include "net/cert/cert_verify_proc.h"
 
@@ -15,6 +17,13 @@ class NET_EXPORT_PRIVATE CertVerifyProcNSS : public CertVerifyProc {
  public:
   CertVerifyProcNSS();
 
+  // Create a verifier that will allow the specified callback to override
+  // trust decisions. The |chain_verify_callback| must exist for the lifetime of
+  // the CertVerifyProcNSS object.
+  // See the documentation for CERTChainVerifyCallback and
+  // CERTChainVerifyCallbackFunc in NSS's lib/certdb/certt.h.
+  explicit CertVerifyProcNSS(CERTChainVerifyCallback* chain_verify_callback);
+
   virtual bool SupportsAdditionalTrustAnchors() const OVERRIDE;
 
  protected:
@@ -27,6 +36,8 @@ class NET_EXPORT_PRIVATE CertVerifyProcNSS : public CertVerifyProc {
                              CRLSet* crl_set,
                              const CertificateList& additional_trust_anchors,
                              CertVerifyResult* verify_result) OVERRIDE;
+
+  CERTChainVerifyCallback* chain_verify_callback_;
 };
 
 }  // namespace net