Allow the TrustStore interface to return matching intermediates, and identify distrusted certs.

net/cert/internal/trust_store.h

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_INTERNAL_TRUST_STORE_H_
 #define NET_CERT_INTERNAL_TRUST_STORE_H_
 
 #include <vector>
 
 #include "base/memory/ref_counted.h"
@@ skipping 99 matching lines @@
 };
 
 using TrustAnchors = std::vector<scoped_refptr<TrustAnchor>>;
 
 // Interface for finding trust anchors.
 class NET_EXPORT TrustStore {
  public:
   TrustStore();
   virtual ~TrustStore();
 
-  // Appends the trust anchors that match |cert|'s issuer name to |*matches|.
-  // |cert| and |matches| must not be null.
-  virtual void FindTrustAnchorsForCert(
-      const scoped_refptr<ParsedCertificate>& cert,
-      TrustAnchors* matches) const = 0;
+  // Looks up candidate [1] issuers for |cert| in the trust store and appends
+  // them to the provided out-parameters.
+  //
+  // [1] The identified trust anchors and itermediates are merely "candidates"

[mattm, 2017/04/20 03:19:07]

intermediates

+  // in that they may not pass certificate validation. However by some heuristic
+  // (issuer key ID, issuer name) they look like matches.
+  virtual void FindIssuers(const scoped_refptr<ParsedCertificate>& cert,
+                           TrustAnchors* trust_anchors,
+                           ParsedCertificateList* intermediates) const = 0;
+
+  // Returns true if |cert| is actively distrusted by this trust store.
+  virtual bool IsBlacklisted(const scoped_refptr<ParsedCertificate>& cert) const

[mattm, 2017/04/20 03:19:07]

If we still need to do a separate trust store check for each cert to check
blacklisting, I wonder if it makes sense to have FindIssuers only return certs
(not even do the trust tests, basically just making it another CertIssuerSource)
and then have a GetTrustStatus or something instead of IsBlacklisted. Then we
wouldn't end up doing the trust status check on each cert twice.

I guess that would complicate path builder a bit to prioritize trying the paths
with trust anchors first, we'd have to GetTrustStatus on all the intermediates
we had, and sort them based on the trust value..

[eroman, 2017/04/20 18:20:11]

I generally like that, however if we go that route, I will need to revisit yet
again the TrustAnchor abstraction -- since we would always need a Certificate
per TrustAnchor. Maybe I should just give up on that abstraction, since
CertVerifyProc requires a Certificate anyways and all our trust stores represent
anchors by certificates...

Another idea for efficiency (although harmful for code readability) would be to
have TrustStore::FindIssuers() return a list of (cert, trust_level). In this
manner the trust lookups are not lost and can be batched internally while having
the OS cert handle. PathBuilder would however still need to query trustedness
for the target certificate, as well as intermediates obtained from locations
other than TrustStore, so this approach is kind of meh.

I can experiment with the first option.

+      WARN_UNUSED_RESULT = 0;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(TrustStore);
 };
 
 }  // namespace net
 
 #endif  // NET_CERT_INTERNAL_TRUST_STORE_H_