WIP: NSS trust store integration for path builder.

net/cert/internal/path_builder.h

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_INTERNAL_PATH_BUILDER_H_
 #define NET_CERT_INTERNAL_PATH_BUILDER_H_
 
 #include <memory>
 #include <string>
 #include <vector>
@@ skipping 80 matching lines @@
   // TODO(mattm): allow caller specified hook/callback to extend path
   // verification.
   //
   // Creates a CertPathBuilder that attempts to find a path from |cert| to a
   // trust anchor in |trust_store|, which satisfies |signature_policy| and is
   // valid at |time|.  Details of attempted path(s) are stored in |*result|.
   //
   // The caller must keep |trust_store|, |signature_policy|, and |*result| valid
   // for the lifetime of the CertPathBuilder.
   CertPathBuilder(scoped_refptr<ParsedCertificate> cert,
-                  const TrustStore* trust_store,
                   const SignaturePolicy* signature_policy,
                   const der::GeneralizedTime& time,
                   Result* result);
   ~CertPathBuilder();
 
+  // Adds a TrustStore to check if certificates are trust anchors during path
+  // building. Multiple trust stores may be added. Should not be called after
+  // Run is called. The |*trust_store| must remain valid for the lifetime of the
+  // CertPathBuilder.
+  //
+  // (If no trust stores are added, verification will fail.)
+  void AddTrustStore(TrustStore* trust_store);
+
   // Adds a CertIssuerSource to provide intermediates for use in path building.
   // Multiple sources may be added. Must not be called after Run is called.
   // The |*cert_issuer_source| must remain valid for the lifetime of the
   // CertPathBuilder.
   //
   // (If no issuer sources are added, the target certificate will only verify if
-  // it is a trust anchor or is directly signed by a trust anchor.)
+  // it is a trust anchor.)
   void AddCertIssuerSource(CertIssuerSource* cert_issuer_source);
 
   // Begins verification of the target certificate.
   //
   // If the return value is SYNC then the verification is complete and the
   // |result| value can be inspected for the status, and |callback| will not be
   // called.
   // If the return value is ASYNC, the |callback| will be called asynchronously
   // once the verification is complete. |result| should not be examined or
   // modified until the |callback| is run.
@@ skipping 19 matching lines @@
 
   CompletionStatus DoGetNextPath(bool allow_async);
   void HandleGotNextPath();
   CompletionStatus DoGetNextPathComplete();
 
   void AddResultPath(const ParsedCertificateList& path, bool is_success);
 
   base::Closure callback_;
 
   std::unique_ptr<CertPathIter> cert_path_iter_;
-  const TrustStore* trust_store_;
   const SignaturePolicy* signature_policy_;
   const der::GeneralizedTime time_;
 
   // Stores the next complete path to attempt verification on. This is filled in
   // by |cert_path_iter_| during the STATE_GET_NEXT_PATH step, and thus should
   // only be accessed during the STATE_GET_NEXT_PATH_COMPLETE step.
   // (Will be empty if all paths have been tried, otherwise will be a candidate
   // path starting with the target cert and ending with a trust anchor.)
   ParsedCertificateList next_path_;
   State next_state_;
 
   Result* out_result_;
 
   DISALLOW_COPY_AND_ASSIGN(CertPathBuilder);
 };
 
 }  // namespace net
 
 #endif  // NET_CERT_INTERNAL_PATH_BUILDER_H_