Add new ParsedCertificate class, move TrustStore to own file.

net/cert/internal/trust_store.h

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_CERT_INTERNAL_TRUST_STORE_H_
+#define NET_CERT_INTERNAL_TRUST_STORE_H_
+
+#include <string>
+#include <unordered_map>
+#include <vector>
+
+#include "base/memory/ref_counted.h"
+#include "base/strings/string_piece.h"
+#include "net/base/net_export.h"
+
+namespace net {
+
+class ParsedCertificate;
+
+// A very simple implementation of a TrustStore, which contains a set of
+// trusted certificates.
+// TODO(mattm): convert this into an interface, provide implementations that
+// interface with OS trust store.
+class NET_EXPORT TrustStore {
+ public:
+  TrustStore();
+  ~TrustStore();
+
+  // Empties the trust store, resetting it to original state.
+  void Clear();
+
+  // Adds a trusted certificate to the store.
+  void AddTrustedCertificate(scoped_refptr<ParsedCertificate> anchor);
+
+  // Returns the trust anchors that match |name| in |*matches|, if any.
+  void FindTrustAnchorsByNormalizedName(
+      const std::string& normalized_name,
+      std::vector<scoped_refptr<ParsedCertificate>>* matches) const;

[eroman, 2016/05/12 18:12:30]

Should we make an alias for this somewhere? (appears in several places).

CertList, CertificateList, ParsedCertificates, etc.

[mattm, 2016/05/13 02:17:37]

I had one at one point, but it means you have to increase the amount of places
that #include that header, or re-alias it in a bunch of different headers..
Maybe we're ok with just including parsed_certificate.h in more of these
headers?

+
+  // Returns true if |cert| matches a certificate in the TrustStore.
+  bool IsTrustedCertificate(const ParsedCertificate* cert) const
+      WARN_UNUSED_RESULT;
+
+ private:
+  // Multimap from normalized subject -> ParsedCertificate.
+  std::unordered_multimap<base::StringPiece,

[eroman, 2016/05/12 18:12:30]

Sounds good, however this may be problematic if we ever support deletion from
the trust store (since key may belong to a removed certificate).

[mattm, 2016/05/13 02:17:37]

Good point, I'll keep that in mind.

+                          scoped_refptr<ParsedCertificate>,
+                          base::StringPieceHash>
+      anchors_;
+
+  DISALLOW_COPY_AND_ASSIGN(TrustStore);
+};
+
+}  // namespace net
+
+#endif  // NET_CERT_INTERNAL_TRUST_STORE_H_