
Unified Diff: net/cert/internal/trust_store_in_memory.h

Issue 2832703002: Allow the TrustStore interface to return matching intermediates, and identify distrusted certs. (Closed)
Patch Set: fix cert_verify_tool Created 3 years, 8 months ago
Index: net/cert/internal/trust_store_in_memory.h
diff --git a/net/cert/internal/trust_store_in_memory.h b/net/cert/internal/trust_store_in_memory.h
index 214d73e7a149c09bf58671bf59203e6f162f2aab..a0f77b1e06e04f67f7eccc27a8665286c3e177df 100644
--- a/net/cert/internal/trust_store_in_memory.h
+++ b/net/cert/internal/trust_store_in_memory.h
@@ -15,7 +15,7 @@
namespace net {
// A very simple implementation of a TrustStore, which contains a set of
-// trust anchors.
+// certificates and their trustedness.
class NET_EXPORT TrustStoreInMemory : public TrustStore {
public:
TrustStoreInMemory();
@@ -24,23 +24,41 @@ class NET_EXPORT TrustStoreInMemory : public TrustStore {
// Empties the trust store, resetting it to original state.
void Clear();
- void AddTrustAnchor(scoped_refptr<TrustAnchor> anchor);
+ // Adds a certificate as a trust anchor (only the SPKI and subject will be
+ // used during verification).
+ void AddTrustAnchor(scoped_refptr<ParsedCertificate> cert);
+
+ // Adds a certificate as a trust achor and extracts anchor constraints from
+ // the certificate. See VerifyCertificateChain for details.
+ void AddTrustAnchorWithConstraints(scoped_refptr<ParsedCertificate> cert);
+
+ // Adds a certificate with the specified trust settings.
+ void AddCertificate(scoped_refptr<ParsedCertificate> cert,
+ const CertificateTrust& trust);
// TrustStore implementation:
- void FindTrustAnchorsForCert(const scoped_refptr<ParsedCertificate>& cert,
- TrustAnchors* matches) const override;
+ void SyncGetIssuersOf(const ParsedCertificate* cert,
+ ParsedCertificateList* issuers) override;
+ void GetTrust(const scoped_refptr<ParsedCertificate>& cert,
+ CertificateTrust* trust) const override;
- // Returns true if the trust store contains the given TrustAnchor instance.
- // Note that this considers only pointer equality and not a more
- // broad notion of equivalence based on the object's content.
- bool Contains(const TrustAnchor* anchor) const;
+ // Returns true if the trust store contains the given ParsedCertificate
+ // (matches by DER).
+ bool Contains(const ParsedCertificate* cert) const;
private:
- // Multimap from normalized subject -> TrustAnchor.
- std::unordered_multimap<base::StringPiece,
- scoped_refptr<TrustAnchor>,
- base::StringPieceHash>
- anchors_;
+ struct Entry {
+ Entry();
+ Entry(const Entry& other);
+ ~Entry();
+
+ scoped_refptr<ParsedCertificate> cert;
+ CertificateTrust trust;
+ };
+
+ // Multimap from normalized subject -> Entry.
+ std::unordered_multimap<base::StringPiece, Entry, base::StringPieceHash>
+ entries_;
DISALLOW_COPY_AND_ASSIGN(TrustStoreInMemory);
};
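Review bot: The comment on `AddCertificate` does not say what happens when the same certificate (same DER) is added more than once with different trust settings; `entries_` is a multimap, so both entries can presumably coexist, and which one `GetTrust` reports is decided in the .cc file, which is not visible here. Since the store now also records distrust, the header should state that precedence, for example `// If |cert| was already added, <rule the implementation applies> decides which trust setting GetTrust() reports.`, so that a caller cannot wrongly assume a later distrusted entry overrides an earlier trust anchor. The `entries_` comment could also note that the `base::StringPiece` key presumably points into data owned by `Entry::cert`, so a key is valid only as long as its entry. In the `AddTrustAnchorWithConstraints` comment, `achor` should read `anchor`. The class declaration itself starts in the previous hunk.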
