net: add ability to distinguish user-added root CAs.

net/base/x509_certificate.h

Index: net/base/x509_certificate.h
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h
index 52bb9f1de87f6dccc1abd714b8ab25f973f82a51..9eba028e09b839d5706530a788256413eff2e2e7 100644
--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
@@ -167,7 +167,7 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
   // An example:
   // CN=Michael Wong,O=FooBar Corporation,DC=foobar,DC=com
   //
-  // SECURUITY WARNING
+  // SECURITY WARNING
   //
   // Using self-signed certificates has the following security risks:
   // 1. Encryption without authentication and thus vulnerable to
@@ -344,6 +344,10 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
 #if defined(OS_WIN)
   bool CheckEV(PCCERT_CHAIN_CONTEXT chain_context,
                const char* policy_oid) const;
+  bool IsIssuedByKnownRoot(PCCERT_CHAIN_CONTEXT chain_context);
+#endif
+#if defined(OS_MACOSX)
+  bool IsIssuedByKnownRoot(CFArrayRef chain);

[wtc, 2011/04/07 05:01:54]

IsIssuedByKnownRoot can be a *static* method.

[agl, 2011/04/07 15:02:49]

Done.

 #endif
   bool VerifyEV() const;
 
@@ -378,6 +382,12 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
   // IsBlacklisted returns true if this certificate is explicitly blacklisted.
   bool IsBlacklisted() const;
 
+  // IsSHA1HashInSortedArray returns true iff |hash| is in |array|, a sorted
+  // array of SHA1 hashes.
+  static bool IsSHA1HashInSortedArray(const SHA1Fingerprint& hash,
+                                      const uint8* array,
+                                      size_t array_byte_len);
+
   // The subject of the certificate.
   CertPrincipal subject_;