Added a PolicyCertVerifier that uses the trust anchors from the ONC policies.

chrome/browser/chromeos/policy/network_configuration_updater.h

Index: chrome/browser/chromeos/policy/network_configuration_updater.h
diff --git a/chrome/browser/chromeos/policy/network_configuration_updater.h b/chrome/browser/chromeos/policy/network_configuration_updater.h
index bd0bcd94619a928c0df5c7d04a71b36da042947d..672cdcfb8e5739d296aa26c3b390bb5339f1299d 100644
--- a/chrome/browser/chromeos/policy/network_configuration_updater.h
+++ b/chrome/browser/chromeos/policy/network_configuration_updater.h
@@ -17,6 +17,10 @@ namespace base {
 class Value;
 }
 
+namespace net {
+class CertTrustAnchorProvider;
+}
+
 namespace policy {
 
 class PolicyMap;
@@ -49,7 +53,18 @@ class NetworkConfigurationUpdater
   // request it.
   void set_allow_web_trust(bool allow) { allow_web_trust_ = allow; }
 
+  // Returns a CertTrustAnchorProvider that provides the list of server and
+  // CA certificates with the Web trust flag set that were retrieved from the
+  // last user ONC policy update.
+  // This getter must be used on UI, and the provider must be used on IO. It
+  // is only valid as long as the NetworkConfigurationUpdater is valid; the
+  // NetworkConfigurationUpdater outlives all the profiles, and deletes the
+  // provider on the IO thread.
+  net::CertTrustAnchorProvider* GetCertTrustAnchorProvider();
+
  private:
+  class CertTrustAnchorProviderImpl;
+
   // Callback that's called by |policy_service_| if the respective ONC policy
   // changed.
   void OnPolicyChanged(chromeos::onc::ONCSource onc_source,
@@ -81,6 +96,10 @@ class NetworkConfigurationUpdater
   // The policy service storing the ONC policies.
   PolicyService* policy_service_;
 
+  // An implementation of CertTrustAnchorProvider. Owned by the updater, but
+  // lives on the IO thread.
+  CertTrustAnchorProviderImpl* cert_trust_provider_;
+
   DISALLOW_COPY_AND_ASSIGN(NetworkConfigurationUpdater);
 };