authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-04-12 16:26:26 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-04-12 16:26:26 +0000
commit2a89c4c490dc98307f502d698d7d738371a1b5c6 (patch)
tree865a7fd7300fa5b7eadba519c36357f576f8baa7 /net/base/cert_verify_result.h
parent60f36f9c86ca3e2203eadaf0db2dc4f3d7382c6b (diff)
net: add support for checking if a known public key is in a chain.
This is intended for use with future support for HSTS or CAA pinning of certificate chains. Since we build certificate chains from a pool of certificates, and certificates get reissued with updated expiries etc, only the public keys in the chain will always match. Thus we match on SHA1 hashes of SubjectPublicKeyInfos. BUG=none TEST=net_unittests Review URL: http://codereview.chromium.org/6821010 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@81259 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/cert_verify_result.h')
-rw-r--r--net/base/cert_verify_result.h10
1 files changed, 10 insertions, 0 deletions
diff --git a/net/base/cert_verify_result.h b/net/base/cert_verify_result.h
index 2939c3a..96b50e2 100644
--- a/net/base/cert_verify_result.h
+++ b/net/base/cert_verify_result.h
@@ -6,6 +6,10 @@
#define NET_BASE_CERT_VERIFY_RESULT_H_
#pragma once
+#include <vector>
+
+#include "net/base/x509_cert_types.h"
+
namespace net {
// The result of certificate verification. Eventually this may contain the
@@ -22,6 +26,7 @@ class CertVerifyResult {
has_md5_ca = false;
has_md2_ca = false;
is_issued_by_known_root = false;
+ public_key_hashes.clear();
}
// Bitmask of CERT_STATUS_* from net/base/cert_status_flags.h
@@ -34,6 +39,11 @@ class CertVerifyResult {
bool has_md5_ca;
bool has_md2_ca;
+ // If the certificate was successfully verified then this contains the SHA1
+ // fingerprints of the SubjectPublicKeyInfos of the chain. The fingerprint
+ // from the leaf certificate will be the first element of the vector.
+ std::vector<SHA1Fingerprint> public_key_hashes;
+
// is_issued_by_known_root is true if we recognise the root CA as a standard
// root. If it isn't then it's probably the case that this certificate was
// generated by a MITM proxy whose root has been installed locally. This is
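Review bot: The new comment on `public_key_hashes` describes the vector only for a successful verification and leaves the failure case unspecified, which matters because the commit message says the field is meant to back pinning decisions. A caller that reads the vector without first checking the verification outcome could match a pin against hashes from a chain that was never validated, and whether the platform verifiers leave it empty or partly filled on failure is not visible in this file. I would extend the comment with something like `// On failure the contents are unspecified and must not be used for pin matching; an empty vector never satisfies a pin.` It would also help to state whether the root's SubjectPublicKeyInfo is included and whether the order after the leaf is guaranteed. The class body continues outside this hunk.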