net: add ability to distinguish user-added root CAs.

net/base/x509_certificate.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_X509_CERTIFICATE_H_
 #define NET_BASE_X509_CERTIFICATE_H_
 #pragma once
 
 #include <string.h>
 
@@ skipping 149 matching lines @@
   // Create a self-signed certificate containing the public key in |key|.
   // Subject, serial number and validity period are given as parameters.
   // The certificate is signed by the private key in |key|. The hashing
   // algorithm for the signature is SHA-1.
   //
   // |subject| is a distinguished name defined in RFC4514.
   //
   // An example:
   // CN=Michael Wong,O=FooBar Corporation,DC=foobar,DC=com
   //
-  // SECURUITY WARNING
+  // SECURITY WARNING
   //
   // Using self-signed certificates has the following security risks:
   // 1. Encryption without authentication and thus vulnerable to
   //    man-in-the-middle attacks.
   // 2. Self-signed certificates cannot be revoked.
   //
   // Use this certificate only after the above risks are acknowledged.
   static X509Certificate* CreateSelfSigned(base::RSAPrivateKey* key,
                                            const std::string& subject,
                                            uint32 serial_number,
@@ skipping 156 matching lines @@
                   const OSCertHandles& intermediates);
 
   ~X509Certificate();
 
   // Common object initialization code.  Called by the constructors only.
   void Initialize();
 
 #if defined(OS_WIN)
   bool CheckEV(PCCERT_CHAIN_CONTEXT chain_context,
                const char* policy_oid) const;
+  bool IsIssuedByKnownRoot(PCCERT_CHAIN_CONTEXT chain_context);
+#endif
+#if defined(OS_MACOSX)
+  bool IsIssuedByKnownRoot(CFArrayRef chain);

[wtc, 2011/04/07 05:01:54]

IsIssuedByKnownRoot can be a *static* method.

[agl, 2011/04/07 15:02:49]

Done.

 #endif
   bool VerifyEV() const;
 
 #if defined(USE_OPENSSL)
   // Resets the store returned by cert_store() to default state. Used by
   // TestRootCerts to undo modifications.
   static void ResetCertStore();
 #endif
 
   // Calculates the SHA-1 fingerprint of the certificate.  Returns an empty
@@ skipping 14 matching lines @@
   // NOTE: keep this method private, used by IsBlacklisted only.  To simplify
   // IsBlacklisted, we strip the leading 0 byte of a serial number, used to
   // encode a positive DER INTEGER (a signed type) with a most significant bit
   // of 1.  Other code must not use this method for general purpose until this
   // is fixed.
   const std::string& serial_number() const { return serial_number_; }
 
   // IsBlacklisted returns true if this certificate is explicitly blacklisted.
   bool IsBlacklisted() const;
 
+  // IsSHA1HashInSortedArray returns true iff |hash| is in |array|, a sorted
+  // array of SHA1 hashes.
+  static bool IsSHA1HashInSortedArray(const SHA1Fingerprint& hash,
+                                      const uint8* array,
+                                      size_t array_byte_len);
+
   // The subject of the certificate.
   CertPrincipal subject_;
 
   // The issuer of the certificate.
   CertPrincipal issuer_;
 
   // This certificate is not valid before |valid_start_|
   base::Time valid_start_;
 
   // This certificate is not valid after |valid_expiry_|
@@ skipping 20 matching lines @@
 
   // Where the certificate comes from.
   Source source_;
 
   DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_X509_CERTIFICATE_H_