authorhawk@chromium.org <hawk@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-08-27 17:49:41 +0000
committerhawk@chromium.org <hawk@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-08-27 17:49:41 +0000
commit010e27ec98de24f68648b8c3ac68f3408f0578c0 (patch)
tree5d598c11cc366a4dd778f9d5aaed0ab62b082d05 /net/base/x509_certificate.h
parent7cb43d53404c33f90398ba6217dc9645400e9c8e (diff)
Enable SSLClientSocketTest unit tests on Mac OS X by implementing our own certificate validation code. This gives us proper hostname matching, multiple error codes (e.g., previously a certificate could be marked as expired or untrusted, but not both), revocation checking, and EV certificate checking.
BUG=19286,10910,14733 TEST=https://www.paypal.com should work without warning. https://paypal.com should get a warning about a hostname mismatch. https://test-ssev.verisign.com:1443/test-SSEV-expired-verisign.html should give a warning about an expired certificate. Review URL: http://codereview.chromium.org/174102 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@24625 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/x509_certificate.h')
-rw-r--r--net/base/x509_certificate.h12
1 files changed, 12 insertions, 0 deletions
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h
index 1e2419e..4ae6554 100644
--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
@@ -209,6 +209,12 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
// now.
bool HasExpired() const;
+#if defined(OS_MACOSX)
+ // Adds an untrusted intermediate certificate that may be needed for
+ // chain building.
+ void AddIntermediateCertificate(SecCertificateRef cert);
+#endif
+
// Verifies the certificate against the given hostname. Returns OK if
// successful or an error code upon failure.
//
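Review bot: The comment on `AddIntermediateCertificate` does not say who owns `cert` after the call or from which thread the method may be called. The class derives from `base::RefCountedThreadSafe`, so instances are presumably shared across threads, while this method mutates per-object state and Core Foundation mutable arrays are not safe for concurrent mutation. I would extend the comment along the lines of `// Retains |cert|; the caller keeps its own reference. Not thread-safe: call before the object is shared.` and add that `cert` is only a candidate for path building, never a trust anchor. The wording has to be adjusted to what the .cc file actually does, which this page does not show; the class body also starts and ends outside the hunk.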
@@ -299,6 +305,12 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
// A handle to the certificate object in the underlying crypto library.
OSCertHandle cert_handle_;
+#if defined(OS_MACOSX)
+ // Untrusted intermediate certificates associated with this certificate
+ // that may be needed for chain building.
+ CFMutableArrayRef intermediate_ca_certs_;
+#endif
+
// Where the certificate comes from.
Source source_;
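Review bot: `intermediate_ca_certs_` is a raw owning `CFMutableArrayRef`, so every constructor has to initialise it and the destructor has to `CFRelease` it; neither is visible here because the page is limited to the header. If the tree has a scoped Core Foundation wrapper, holding the array in it would remove the risk of a leak or an uninitialised pointer; otherwise the comment should name where the array is created and released. Because the entries come from the peer, the comment should also say whether the array is deduplicated or bounded and that entries stay attached to the object for later verifications, for example `// Owned; created in the constructors, released in the destructor. Entries are peer-supplied and untrusted.`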