Upstream (most of) ios/web/public

ios/web/net/cert_policy.cc

Index: ios/web/net/cert_policy.cc
diff --git a/ios/web/net/cert_policy.cc b/ios/web/net/cert_policy.cc
new file mode 100644
index 0000000000000000000000000000000000000000..46d5699de3f00d046137741edd53f924d5614ae6
--- /dev/null
+++ b/ios/web/net/cert_policy.cc
@@ -0,0 +1,39 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "ios/web/public/cert_policy.h"
+
+#include "base/logging.h"
+#include "net/cert/x509_certificate.h"
+
+namespace web {
+
+CertPolicy::CertPolicy() {
+}
+
+CertPolicy::~CertPolicy() {
+}
+
+// We consider a given |cert| to be a match to a saved allowed cert if the
+// |error| is an exact match to or subset of the errors in the saved CertStatus.
+CertPolicy::Judgment CertPolicy::Check(net::X509Certificate* cert,
+                                       net::CertStatus error) const {
+  std::map<net::SHA1HashValue,
+           net::CertStatus,
+           net::SHA1HashValueLessThan>::const_iterator allowed_iter =
+      allowed_.find(cert->fingerprint());
+  if ((allowed_iter != allowed_.end()) && (allowed_iter->second & error) &&
+      !(~(allowed_iter->second & error) ^ ~error)) {
+    return ALLOWED;
+  }
+  return UNKNOWN;  // We don't have a policy for this cert.
+}
+
+void CertPolicy::Allow(net::X509Certificate* cert, net::CertStatus error) {
+  // If this same cert had already been saved with a different error status,
+  // this will replace it with the new error status.
+  allowed_[cert->fingerprint()] = error;
+}
+
+}  // namespace web