Add TrustStoreNSS and TrustStoreCollection

net/cert/internal/trust_store_collection.h

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_CERT_INTERNAL_TRUST_STORE_COLLECTION_H_
+#define NET_CERT_INTERNAL_TRUST_STORE_COLLECTION_H_
+
+#include "base/memory/ref_counted.h"
+#include "net/base/net_export.h"
+#include "net/cert/internal/trust_store.h"
+
+namespace base {
+class TaskRunner;
+}
+
+namespace net {
+
+// TrustStoreCollection is an implementation of TrustStore which combines the
+// results from multiple other TrustStores.
+// Currently only one "primary" store can be added that supports async queries,
+// any number of additional, synchronous-only stores can be used. (The
+// assumption is that async one would be useful for OS integration, while the
+// sync only stores can be used for supplying additional anchors. If multiple
+// async stores are desired, it might be worth changing the
+// FindTrustAnchorsForCert interface so that it can return async results in
+// multiple batches.)

[eroman, 2016/08/23 18:48:54]

Can you mention something about the order of results that this combined store
returns?

[mattm, 2016/08/27 00:37:01]

Done.

+class NET_EXPORT TrustStoreCollection : public TrustStore {
+ public:
+  TrustStoreCollection();
+  ~TrustStoreCollection() override;
+
+  // Include results from |store| in the combined output. Both sync and async

[eroman, 2016/08/23 18:48:54]

Include --> Includes

[mattm, 2016/08/27 00:37:01]

Done.

+  // queries to |store| will be allowed. |store| must outlive the
+  // TrustStoreCollection.
+  void SetPrimaryTrustStore(TrustStore* store);
+
+  // Include results from |store| in the combined output. |store| will only be

[eroman, 2016/08/23 18:48:54]

Includes

[mattm, 2016/08/27 00:37:01]

Done.

+  // queried synchronously. |store| must outlive the TrustStoreCollection.
+  void AddTrustStoreSynchronousOnly(TrustStore* store);
+
+  // TrustStore implementation:
+  void FindTrustAnchorsForCert(

[eroman, 2016/08/23 18:48:54]

Do you think this API will ever need to communicate errors?

[mattm, 2016/08/27 00:37:01]

I think we may need something as far as logging / debugging error reporting. For
example if we can't parse a cert we get out of the OS, would be good to include
that in the debug info about maybe why we couldn't build a chain.

But I don't currently see a need to have a error output that the caller would
actually act on (if there is an error there's not really anything the caller can
do other than continue on and see if other paths succeed. Wouldn't want to fail
completely just because one possible issuer failed to parse or something like
that.)

+      const ParsedCertificate* cert,
+      const TrustAnchorCallback& callback,

[eroman, 2016/08/23 18:48:54]

side-comment (belongs on other CL): "TrustAnchorCallback" is a bit general -- in
my mind that would be a callback that returns a single TrustAnchor. I suggest
exploring other options like:
  * TrustAnchorsCallback
  * FindTrustAnchorsCallback
  * MatchingTrustAnchorsCallback
  * FoundTrustAnchorsCallback

[mattm, 2016/08/27 00:37:01]

Done.

+      TrustAnchors* out_matches,
+      std::unique_ptr<Request>* out_req) const override;
+
+ private:
+  TrustStore* primary_store_ = nullptr;
+  std::vector<TrustStore*> sync_only_stores_;
+
+  DISALLOW_COPY_AND_ASSIGN(TrustStoreCollection);
+};
+
+}  // namespace net
+
+#endif  // NET_CERT_INTERNAL_TRUST_STORE_COLLECTION_H_