Allow the TrustStore interface to return matching intermediates, and identify distrusted certs.

net/cert/internal/system_trust_store.h

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_INTERNAL_SYSTEM_TRUST_STORE_H_
 #define NET_CERT_INTERNAL_SYSTEM_TRUST_STORE_H_
 
 #include <vector>
 
 #include "base/memory/ref_counted.h"
 #include "net/base/net_export.h"
 #include "net/cert/internal/parsed_certificate.h"
 
 namespace net {
 
 class TrustStore;
-class CertIssuerSource;
-class TrustAnchor;
 
 // The SystemTrustStore interface is used to encapsulate a TrustStore for the
 // current platform, with some extra bells and whistles.
 //
 // This is primarily used to abstract out the platform-specific bits that
 // relate to configuring the TrustStore needed for path building.
 //
 // Implementations of SystemTrustStore create an effective trust
 // store that is the composition of:
 //
@@ skipping 10 matching lines @@
   // valid only for the lifetime of |this|.
   virtual TrustStore* GetTrustStore() = 0;
 
   // Returns false if the implementation of SystemTrustStore doesn't actually
   // make use of the system's trust store. This might be the case for
   // unsupported platforms. In the case where this returns false, the trust
   // store returned by GetTrustStore() is made up solely of the manually added
   // trust anchors (via AddTrustAnchor()).
   virtual bool UsesSystemTrustStore() const = 0;
 
-  // TODO(eroman): Expose this through the TrustStore interface instead?
-  //
-  // Returns a CertIssuerSource that finds any intermediates that are present in
-  // the system trust store. These intermediates are not necessarily trusted,
-  // however may be used during path building as another means of finding
-  // certificates. If the implementation of SystemTrustStore doesn't support
-  // this feature may return nullptr.
-  virtual CertIssuerSource* GetCertIssuerSource() = 0;
-
-  // IsKnownRoot() returns true if the given trust anchor originated from the
+  // IsKnownRoot() returns true if the given certificate originated from the
   // system trust store and is a "standard" one. The meaning of "standard" is
   // that it is one of default trust anchors for the system, as opposed to a
-  // user-installed one. IsKnownRoot() is only guaranteed to work for
-  // TrustAnchors returned by GetTrustStore().
-  virtual bool IsKnownRoot(
-      const scoped_refptr<TrustAnchor>& trust_anchor) const = 0;
+  // user-installed one.
+  virtual bool IsKnownRoot(const ParsedCertificate* cert) const = 0;
 
-  // Adds a trust anchor to this particular instance of SystemTrustStore, and
-  // not globally for the system.
-  virtual void AddTrustAnchor(
-      const scoped_refptr<TrustAnchor>& trust_anchor) = 0;
+  // Adds a trust anchor to this particular instance of SystemTrustStore,
+  // and not globally for the system.
+  virtual void AddTrustAnchor(const scoped_refptr<ParsedCertificate>& cert) = 0;
 
-  // Returns true if |trust_anchor| was one added via |AddTrustAnchor()|. This
-  // is only guaranteed to work if |trust_anchor| was one returned by
-  // GetTrustStore(), as it may be implemented by pointer comparison rather than
-  // SPKI comparison.
-  virtual bool IsAdditionalTrustAnchor(
-      const scoped_refptr<TrustAnchor>& trust_anchor) const = 0;
+  // Returns true if |trust_anchor| was one added via |AddTrustAnchor()|.
+  virtual bool IsAdditionalTrustAnchor(const ParsedCertificate* cert) const = 0;
 };
 
 // Creates an instance of SystemTrustStore that wraps the current platform's SSL
 // trust store. This canno return nullptr, even in the case where system trust
 // store integration is not supported. In this latter case, the SystemTrustStore
 // will only give access to the manually added trust anchors. This can be
 // inspected by testing whether UsesSystemTrustStore() returns false.
 NET_EXPORT std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore();
 
 }  // namespace net
 
 #endif  // NET_CERT_INTERNAL_SYSTEM_TRUST_STORE_H_