WIP: NSS trust store integration for path builder.

net/cert/internal/trust_store.h

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_INTERNAL_TRUST_STORE_H_
 #define NET_CERT_INTERNAL_TRUST_STORE_H_
 
-#include <unordered_map>
-#include <vector>
-
+#include "base/callback.h"
 #include "base/memory/ref_counted.h"
-#include "base/strings/string_piece.h"
 #include "net/base/net_export.h"
+#include "net/cert/internal/cert_issuer_source.h"
+#include "net/cert/internal/completion_status.h"
 #include "net/cert/internal/parsed_certificate.h"
 
 namespace net {
 
 namespace der {
 class Input;
 }
 
-// A very simple implementation of a TrustStore, which contains a set of
-// trusted certificates.
-// TODO(mattm): convert this into an interface, provide implementations that
-// interface with OS trust store.
-class NET_EXPORT TrustStore {
+// The TrustStore provides an interface for retrieving trusted root certificates
+// and for testing if an arbitrary certificate is trusted.
+//
+// XXX Having TrustStore inherit from CertIssuerSource makes some things cleaner
+// (such as adding a truststore to the pathbuilder instance, but makes some
+// things messier, such as TrustStoreCollection needing to also implement a
+// CertIssuerSourceCollection.. thought that doesn't actually end up being too
+// bad I guess since it can just delegate that to a CertIssuerSourceCollection
+// member..)
+// One alternative would be to have each concrete instance inherit from both
+// TrustStore and CertIssuerSource, but then they need to be added to the
+// pathbuilder twice (once as a TrustStore and once as a CertIssuerSource).
+class NET_EXPORT TrustStore : public CertIssuerSource {
  public:
-  TrustStore();
-  ~TrustStore();
+  using TrustCallback = base::Callback<void(bool)>;
 
-  // Empties the trust store, resetting it to original state.
-  void Clear();
+  class NET_EXPORT Request {
+   public:
+    Request() = default;
+    // Destruction of the Request cancels it.
+    virtual ~Request() = default;
+  };
 
-  // Adds a trusted certificate to the store.
-  void AddTrustedCertificate(scoped_refptr<ParsedCertificate> anchor);
+  ~TrustStore() override = default;
 
-  // Returns the trust anchors that match |name| in |*matches|, if any.
-  void FindTrustAnchorsByNormalizedName(const der::Input& normalized_name,
-                                        ParsedCertificateList* matches) const;
-
-  // Returns true if |cert| matches a certificate in the TrustStore.
-  bool IsTrustedCertificate(const ParsedCertificate* cert) const
-      WARN_UNUSED_RESULT;
-
- private:
-  // Multimap from normalized subject -> ParsedCertificate.
-  std::unordered_multimap<base::StringPiece,
-                          scoped_refptr<ParsedCertificate>,
-                          base::StringPieceHash>
-      anchors_;
-
-  DISALLOW_COPY_AND_ASSIGN(TrustStore);
+  // Checks if |cert| is a trust anchor.
+  // If the check is done synchronously, |*out_req| will be null and
+  // |*out_trusted| will indicate if |cert| is trusted.
+  // Otherwise, |out_req| will be filled with a Request and |callback| will be
+  // called with a bool indicating if |cert| is trusted. If |*out_req| is
+  // destroyed before the |callback| is run, it will cancel the check and
+  // |callback| will not be run.
+  virtual void IsTrustedCertificate(
+      scoped_refptr<ParsedCertificate> cert,
+      const TrustCallback& callback,
+      bool* out_trusted,
+      std::unique_ptr<Request>* out_req) const = 0;
 };
 
 }  // namespace net
 
 #endif  // NET_CERT_INTERNAL_TRUST_STORE_H_