PKI library Mac trust store integration

net/cert/internal/trust_store_mac.h

Index: net/cert/internal/trust_store_mac.h
diff --git a/net/cert/internal/trust_store_mac.h b/net/cert/internal/trust_store_mac.h
new file mode 100644
index 0000000000000000000000000000000000000000..3bd8aebf578603a242a00426bb6ad8bcf2bab450
--- /dev/null
+++ b/net/cert/internal/trust_store_mac.h
@@ -0,0 +1,59 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_CERT_INTERNAL_TRUST_STORE_MAC_H_
+#define NET_CERT_INTERNAL_TRUST_STORE_MAC_H_
+
+#include <CoreFoundation/CFString.h>

[Ryan Sleevi, 2017/02/06 23:59:05]

AIUI, the 'Apple supported way' is CoreFoundation/CoreFoundation.h

(that is, I don't believe we're supposed to go straight to CFString.h, but I
could be wrong)

[mattm, 2017/02/09 23:40:17]

Done.

+
+#include "base/mac/scoped_cftyperef.h"
+#include "base/memory/ref_counted.h"
+#include "net/base/net_export.h"
+#include "net/cert/internal/trust_store.h"
+
+namespace net {
+
+// TrustStoreMac is an implementation of TrustStore which uses Mac OS keychain

[Ryan Sleevi, 2017/02/06 23:59:05]

s/Mac OS/macOS/ to match Apple's naming?

[mattm, 2017/02/09 23:40:17]

Done.

+// to find trust anchors for path building.
+class NET_EXPORT TrustStoreMac : public TrustStore {
+ public:
+  // Creates a TrustStoreMac which will find anchors that are trusted for
+  // |policy_oid|. For list of possible policy values, see:
+  // https://developer.apple.com/reference/security/1667150-certificate_key_and_trust_servic/1670151-standard_policies_for_specific_c?language=objc
+  explicit TrustStoreMac(const void* policy_oid);
+  ~TrustStoreMac() override;
+
+  // Finds certificates in the OS keychains whose Subject matches |name_data|.
+  // The result is an array of SecCertificateRef.
+  static base::ScopedCFTypeRef<CFArrayRef>
+  FindMatchingCertificatesForMacNormalizedSubject(CFDataRef name_data);
+
+  // Filters an array of SecCertificateRef by trust for |policy_oid|, returning
+  // the results as TrustAnchors in |out_anchors|.
+  static void FilterTrustedCertificates(CFArrayRef matching_items,
+                                        const CFStringRef policy_oid,
+                                        TrustAnchors* out_anchors);

[Ryan Sleevi, 2017/02/06 23:59:05]

On first read, I was surprised to see public class statics. Can/Should these be
private implementation details?

[mattm, 2017/02/09 23:40:17]

Done.

+
+  // Gets the Issuer name of |cert|, as normalized by the OS.
+  static base::ScopedCFTypeRef<CFDataRef> GetMacNormalizedIssuer(
+      const scoped_refptr<ParsedCertificate>& cert);
+
+  // Finds trust anchors with the Subject |name_data|, which should be
+  // normalized as by the OS.
+  void FindTrustAnchorsByMacNormalizedSubject(CFDataRef name_data,
+                                              TrustAnchors* matches) const;
+
+  // TrustStore implementation:
+  void FindTrustAnchorsForCert(const scoped_refptr<ParsedCertificate>& cert,
+                               TrustAnchors* matches) const override;

[Ryan Sleevi, 2017/02/06 23:59:05]

Suggestion: Order by "interface implementation first", then internal
implementation.

[mattm, 2017/02/09 23:40:17]

Done.

+
+ private:
+  const CFStringRef policy_oid_;
+
+  DISALLOW_COPY_AND_ASSIGN(TrustStoreMac);
+};
+
+}  // namespace net
+
+#endif  // NET_CERT_INTERNAL_TRUST_STORE_MAC_H_