PKI library Mac trust store integration

net/cert/internal/trust_store_mac.h

Index: net/cert/internal/trust_store_mac.h
diff --git a/net/cert/internal/trust_store_mac.h b/net/cert/internal/trust_store_mac.h
new file mode 100644
index 0000000000000000000000000000000000000000..1c99b9008d815090305ed826f38a1030d4c126e2
--- /dev/null
+++ b/net/cert/internal/trust_store_mac.h
@@ -0,0 +1,65 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_CERT_INTERNAL_TRUST_STORE_MAC_H_
+#define NET_CERT_INTERNAL_TRUST_STORE_MAC_H_
+
+#include <CoreFoundation/CoreFoundation.h>
+
+#include "base/gtest_prod_util.h"
+#include "base/mac/scoped_cftyperef.h"
+#include "base/memory/ref_counted.h"
+#include "net/base/net_export.h"
+#include "net/cert/internal/trust_store.h"
+
+namespace net {
+
+// TrustStoreMac is an implementation of TrustStore which uses macOS keychain
+// to find trust anchors for path building.
+// TODO(mattm): handle distrust of intermediates.
+class NET_EXPORT TrustStoreMac : public TrustStore {
+ public:
+  // Creates a TrustStoreMac which will find anchors that are trusted for
+  // |policy_oid|. For list of possible policy values, see:
+  // https://developer.apple.com/reference/security/1667150-certificate_key_and_trust_servic/1670151-standard_policies_for_specific_c?language=objc
+  // TODO(mattm): policy oids are actually CFStrings, but the constants are
+  // defined as CFTypeRef in older SDK versions. Change |policy_oid| type to
+  // const CFStringRef when Chromium switches to building against the 10.11 SDK
+  // (or newer).
+  explicit TrustStoreMac(CFTypeRef policy_oid);
+  ~TrustStoreMac() override;
+
+  // TrustStore implementation:
+  void FindTrustAnchorsForCert(const scoped_refptr<ParsedCertificate>& cert,
+                               TrustAnchors* matches) const override;
+
+ private:
+  FRIEND_TEST_ALL_PREFIXES(TrustStoreMacTest, MultiRootNotTrusted);
+  FRIEND_TEST_ALL_PREFIXES(TrustStoreMacTest, SystemCerts);
+
+  // Finds certificates in the OS keychains whose Subject matches |name_data|.
+  // The result is an array of SecCertificateRef.
+  static base::ScopedCFTypeRef<CFArrayRef>
+  FindMatchingCertificatesForMacNormalizedSubject(CFDataRef name_data);
+
+  // Returns the OS-normalized issuer of |cert|.
+  // macOS internally uses a normalized form of subject/issuer names for
+  // comparing, roughly similar to RFC3280's normalization scheme. The
+  // normalized form is used for any database lookups and comparisons.
+  static base::ScopedCFTypeRef<CFDataRef> GetMacNormalizedIssuer(
+      const scoped_refptr<ParsedCertificate>& cert);
+
+  // Finds trust anchors with the Subject |name_data|, which should be
+  // normalized as by the OS.
+  void FindTrustAnchorsByMacNormalizedSubject(CFDataRef name_data,
+                                              TrustAnchors* matches) const;
+
+  const CFStringRef policy_oid_;
+
+  DISALLOW_COPY_AND_ASSIGN(TrustStoreMac);
+};
+
+}  // namespace net
+
+#endif  // NET_CERT_INTERNAL_TRUST_STORE_MAC_H_