Allow the TrustStore interface to return matching intermediates, and identify distrusted certs.

net/cert/internal/trust_store_collection.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/trust_store_collection.h"
 
 namespace net {
 
 TrustStoreCollection::TrustStoreCollection() = default;
 TrustStoreCollection::~TrustStoreCollection() = default;
 
 void TrustStoreCollection::AddTrustStore(TrustStore* store) {
   DCHECK(store);
   stores_.push_back(store);
 }
 
-void TrustStoreCollection::FindTrustAnchorsForCert(
-    const scoped_refptr<ParsedCertificate>& cert,
-    TrustAnchors* matches) const {
+void TrustStoreCollection::SyncGetIssuersOf(const ParsedCertificate* cert,
+                                            ParsedCertificateList* issuers) {
   for (auto* store : stores_) {
-    store->FindTrustAnchorsForCert(cert, matches);
+    store->SyncGetIssuersOf(cert, issuers);
   }
 }
 
+void TrustStoreCollection::GetTrust(
+    const scoped_refptr<ParsedCertificate>& cert,
+    CertificateTrust* out_trust) const {
+  // The current aggregate result.
+  CertificateTrust result = CertificateTrust::Unspecified();
+
+  for (auto* store : stores_) {
+    CertificateTrust cur_trust;
+    store->GetTrust(cert, &cur_trust);
+
+    // * If any stores distrust the certificate, consider it untrusted.
+    // * If multiple stores consider it trusted, use the trust result from first

[mattm, 2017/04/28 20:26:47]

doesn't it use the result from the last one?

[eroman, 2017/04/28 21:48:03]

You are correct. Updated the comment.

+    //   one.
+    if (!cur_trust.HasUnspecifiedTrust()) {
+      result = cur_trust;
+      if (result.IsDistrusted())
+        break;
+    }
+  }
+
+  *out_trust = result;
+}
+
 }  // namespace net