net: add ability to distinguish user-added root CAs.

net/base/cert_verify_result.h

Index: net/base/cert_verify_result.h
diff --git a/net/base/cert_verify_result.h b/net/base/cert_verify_result.h
index faac17a88b77f12da09994266ac6861a1804bfb1..419a1511fae128d46f91b4eca3b184e034a29e9d 100644
--- a/net/base/cert_verify_result.h
+++ b/net/base/cert_verify_result.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -21,6 +21,7 @@ class CertVerifyResult {
     has_md4 = false;
     has_md5_ca = false;
     has_md2_ca = false;
+    is_probably_mitm_cert = true;

[wtc, 2011/04/06 04:28:38]

Why does is_probably_mitm_cert default to true?  I guess
we have to presume a cert is probably a MITM cert.

You can define this member as is_issued_by_known_root.
Then it can default to false.  (The IsRootedAtKnownRoot
functions in x509_certificate_{mac,win}.cc can be renamed
IsIssuedByKnownRoot.)

[agl, 2011/04/06 19:02:02]

Done.

   }
 
   // Bitmask of CERT_STATUS_* from net/base/cert_status_flags.h
@@ -32,6 +33,14 @@ class CertVerifyResult {
   bool has_md4;
   bool has_md5_ca;
   bool has_md2_ca;
+
+  // is_probably_mitm_cert is true if we believe that the certificate is a MITM
+  // certificate. This is determined by checking to see if the root of the
+  // certificate chain is a well known root. If it isn't then it's probably the
+  // case that this certificate was generated by a MITM proxy who's root has

[wtc, 2011/04/06 04:28:38]

Typo: who's => whose

[agl, 2011/04/06 19:02:02]

Done.

+  // been installed locally. This is meaningless if the certificate was not
+  // trusted.
+  bool is_probably_mitm_cert;
 };
 
 }  // namespace net