Allow the TrustStore interface to return matching intermediates, and identify distrusted certs.

net/cert/internal/path_builder.h

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_INTERNAL_PATH_BUILDER_H_
 #define NET_CERT_INTERNAL_PATH_BUILDER_H_
 
 #include <memory>
 #include <string>
 #include <vector>
@@ skipping 14 matching lines @@
 
 class CertPathIter;
 class CertIssuerSource;
 class SignaturePolicy;
 
 // CertPath describes a chain of certificates in the "forward" direction.
 //
 // By convention:
 //   certs[0] is the target certificate
 //   certs[i] was issued by certs[i+1]
-//   certs.back() was issued by trust_anchor
+//   certs.back() is the root certificate.
 //
-// TODO(eroman): The current code doesn't allow for the target certificate to
-//               be the trust anchor. Should it?
+// Note that the final certificate may or may not be a trust achor -- inspect
+// |last_cert_trust| to determine it (or use GetTrustedCert())
 struct NET_EXPORT CertPath {
   CertPath();
   ~CertPath();
 
-  scoped_refptr<TrustAnchor> trust_anchor;
+  // Contains information on whether certs.back() is trusted.
+  CertificateTrust last_cert_trust;
 
-  // Path in the forward direction (path[0] is the target cert).
+  // Path in the forward direction (see class description).
   ParsedCertificateList certs;
 
   // Resets the path to empty path (same as if default constructed).
   void Clear();
 
   // TODO(eroman): Can we remove this? Unclear on how this relates to validity.
   bool IsEmpty() const;
+
+  // Returns the chain's root certificate or nullptr if the chain doesn't chain
+  // to a trust anchor.
+  const ParsedCertificate* GetTrustedCert() const;
 };
 
 // Checks whether a certificate is trusted by building candidate paths to trust
 // anchors and verifying those paths according to RFC 5280. Each instance of
 // CertPathBuilder is used for a single verification.
 //
 // WARNING: This implementation is currently experimental.  Consult an OWNER
 // before using it.
 class NET_EXPORT CertPathBuilder {
  public:
@@ skipping 46 matching lines @@
   // TODO(eroman): The assumption is that |result| is default initialized. Can
   // probably just internalize |result| into CertPathBuilder.
   //
   // Creates a CertPathBuilder that attempts to find a path from |cert| to a
   // trust anchor in |trust_store|, which satisfies |signature_policy| and is
   // valid at |time|.  Details of attempted path(s) are stored in |*result|.
   //
   // The caller must keep |trust_store|, |signature_policy|, and |*result| valid
   // for the lifetime of the CertPathBuilder.
   CertPathBuilder(scoped_refptr<ParsedCertificate> cert,
-                  const TrustStore* trust_store,
+                  TrustStore* trust_store,
                   const SignaturePolicy* signature_policy,
                   const der::GeneralizedTime& time,
                   KeyPurpose key_purpose,
                   Result* result);
   ~CertPathBuilder();
 
   // Adds a CertIssuerSource to provide intermediates for use in path building.
   // Multiple sources may be added. Must not be called after Run is called.
   // The |*cert_issuer_source| must remain valid for the lifetime of the
   // CertPathBuilder.
@@ skipping 36 matching lines @@
   State next_state_;
 
   Result* out_result_;
 
   DISALLOW_COPY_AND_ASSIGN(CertPathBuilder);
 };
 
 }  // namespace net
 
 #endif  // NET_CERT_INTERNAL_PATH_BUILDER_H_