PKI library Mac trust store integration

net/cert/internal/trust_store_mac.h

Index: net/cert/internal/trust_store_mac.h
diff --git a/net/cert/internal/trust_store_mac.h b/net/cert/internal/trust_store_mac.h
new file mode 100644
index 0000000000000000000000000000000000000000..ec0b39f3b703ec9a7c4b01e19098374b00eb5367
--- /dev/null
+++ b/net/cert/internal/trust_store_mac.h
@@ -0,0 +1,63 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_CERT_INTERNAL_TRUST_STORE_MAC_H_
+#define NET_CERT_INTERNAL_TRUST_STORE_MAC_H_
+
+#include <CoreFoundation/CoreFoundation.h>
+
+#include "base/gtest_prod_util.h"
+#include "base/mac/scoped_cftyperef.h"
+#include "base/memory/ref_counted.h"
+#include "net/base/net_export.h"
+#include "net/cert/internal/trust_store.h"
+
+namespace net {
+
+// TrustStoreMac is an implementation of TrustStore which uses macOS keychain
+// to find trust anchors for path building.
+class NET_EXPORT TrustStoreMac : public TrustStore {
+ public:
+  // Creates a TrustStoreMac which will find anchors that are trusted for
+  // |policy_oid|. For list of possible policy values, see:
+  // https://developer.apple.com/reference/security/1667150-certificate_key_and_trust_servic/1670151-standard_policies_for_specific_c?language=objc
+  explicit TrustStoreMac(const void* policy_oid);

[Ryan Sleevi, 2017/02/14 19:26:17]

Given that Line 56 stores this as a CFStringRef, is there any reason not to make
the API contract a CFStringRef here as well? I'm just uncertain why the void-ing
of it

[mattm, 2017/02/16 22:06:09]

It should be a CFStringRef, but in older versions of the SDK the constants are
defined as CFTypeRefs instead. I had void* due to too-hasty fixing of compiler
errors, I changed to CFTypeRef for now and added a TODO.

+  ~TrustStoreMac() override;
+
+  // TrustStore implementation:
+  void FindTrustAnchorsForCert(const scoped_refptr<ParsedCertificate>& cert,
+                               TrustAnchors* matches) const override;
+
+ private:
+  FRIEND_TEST_ALL_PREFIXES(TrustStoreMacTest, MultiRootNotTrusted);
+  FRIEND_TEST_ALL_PREFIXES(TrustStoreMacTest, SystemCerts);
+
+  // Finds certificates in the OS keychains whose Subject matches |name_data|.
+  // The result is an array of SecCertificateRef.
+  static base::ScopedCFTypeRef<CFArrayRef>
+  FindMatchingCertificatesForMacNormalizedSubject(CFDataRef name_data);
+
+  // Filters an array of SecCertificateRef by trust for |policy_oid|, returning
+  // the results as TrustAnchors in |out_anchors|.
+  static void FilterTrustedCertificates(CFArrayRef matching_items,
+                                        const CFStringRef policy_oid,
+                                        TrustAnchors* out_anchors);

[Ryan Sleevi, 2017/02/14 19:26:17]

This doesn't seem to be used in the unittest - move to .cc?

[mattm, 2017/02/16 22:06:09]

Done.

+
+  // Gets the Issuer name of |cert|, as normalized by the OS.

[Ryan Sleevi, 2017/02/14 19:26:17]

Perhaps we should expand on this documentation.

// Returns the OS-normalized issuer of |cert|.
// macOS internally uses a normalized form of subject/issuer names for
// comparing, roughly similar to RFC3280's normalization scheme. The
// normalized form is used for any database lookups and comparisons.

[mattm, 2017/02/16 22:06:09]

Done.

+  static base::ScopedCFTypeRef<CFDataRef> GetMacNormalizedIssuer(
+      const scoped_refptr<ParsedCertificate>& cert);
+
+  // Finds trust anchors with the Subject |name_data|, which should be
+  // normalized as by the OS.
+  void FindTrustAnchorsByMacNormalizedSubject(CFDataRef name_data,
+                                              TrustAnchors* matches) const;
+
+  const CFStringRef policy_oid_;
+
+  DISALLOW_COPY_AND_ASSIGN(TrustStoreMac);
+};
+
+}  // namespace net
+
+#endif  // NET_CERT_INTERNAL_TRUST_STORE_MAC_H_