Allow the TrustStore interface to return matching intermediates, and identify distrusted certs.

net/cert/internal/trust_store_collection.cc

Index: net/cert/internal/trust_store_collection.cc
diff --git a/net/cert/internal/trust_store_collection.cc b/net/cert/internal/trust_store_collection.cc
index 7e004ae1b726b195f7b0012cfba7ccf25c197dc6..3687081632cc7f913c2075cef9ad26ce133a9f59 100644
--- a/net/cert/internal/trust_store_collection.cc
+++ b/net/cert/internal/trust_store_collection.cc
@@ -14,12 +14,34 @@ void TrustStoreCollection::AddTrustStore(TrustStore* store) {
   stores_.push_back(store);
 }
 
-void TrustStoreCollection::FindTrustAnchorsForCert(
+void TrustStoreCollection::SyncGetIssuersOf(const ParsedCertificate* cert,
+                                            ParsedCertificateList* issuers) {
+  for (auto* store : stores_) {
+    store->SyncGetIssuersOf(cert, issuers);
+  }
+}
+
+void TrustStoreCollection::GetTrust(
     const scoped_refptr<ParsedCertificate>& cert,
-    TrustAnchors* matches) const {
+    CertificateTrust* out_trust) const {
+  // The current aggregate result.
+  CertificateTrust result = CertificateTrust::Unspecified();
+
   for (auto* store : stores_) {
-    store->FindTrustAnchorsForCert(cert, matches);
+    CertificateTrust cur_trust;
+    store->GetTrust(cert, &cur_trust);
+
+    // * If any stores distrust the certificate, consider it untrusted.
+    // * If multiple stores consider it trusted, use the trust result from first

[mattm, 2017/04/28 20:26:47]

doesn't it use the result from the last one?

[eroman, 2017/04/28 21:48:03]

You are correct. Updated the comment.

+    //   one.
+    if (!cur_trust.HasUnspecifiedTrust()) {
+      result = cur_trust;
+      if (result.IsDistrusted())
+        break;
+    }
   }
+
+  *out_trust = result;
 }
 
 }  // namespace net