Wire up certificate policies support in PathBuilder.

net/cert/internal/path_builder.h

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_INTERNAL_PATH_BUILDER_H_
 #define NET_CERT_INTERNAL_PATH_BUILDER_H_
 
 #include <memory>
 #include <string>
 #include <vector>
@@ skipping 60 matching lines @@
     ~ResultPath();
 
     // Returns true if the candidate path is valid, false otherwise.
     bool IsValid() const;
 
     // The (possibly partial) certificate path. Consumers must always test
     // |errors.IsValid()| before using |path|. When invalid,
     // |path.trust_anchor| may be null, and the path may be incomplete.
     CertPath path;
 
+    // The set of policies that the certificate is valid for (of the
+    // subset of policies user requested during verification).
+    std::set<der::Input> user_constrained_policy_set;
+
     // The errors/warnings from this path. Use |IsValid()| to determine if the
     // path is valid.
     CertPathErrors errors;
   };
 
   // Provides the overall result of path building. This includes the paths that
   // were attempted.
   struct NET_EXPORT Result {
     Result();
     ~Result();
@@ skipping 22 matching lines @@
 
   // TODO(mattm): allow caller specified hook/callback to extend path
   // verification.
   //
   // Creates a CertPathBuilder that attempts to find a path from |cert| to a
   // trust anchor in |trust_store|, which satisfies |signature_policy| and is
   // valid at |time|.  Details of attempted path(s) are stored in |*result|.
   //
   // The caller must keep |trust_store|, |signature_policy|, and |*result| valid
   // for the lifetime of the CertPathBuilder.
+  //
+  // See VerifyCertificateChain() for a more detailed explanation of the
+  // same-named parameters.
   CertPathBuilder(scoped_refptr<ParsedCertificate> cert,
                   TrustStore* trust_store,
                   const SignaturePolicy* signature_policy,
                   const der::GeneralizedTime& time,
                   KeyPurpose key_purpose,
+                  InitialExplicitPolicy initial_explicit_policy,
+                  const std::set<der::Input>& user_initial_policy_set,
+                  InitialPolicyMappingInhibit initial_policy_mapping_inhibit,
+                  InitialAnyPolicyInhibit initial_any_policy_inhibit,
                   Result* result);
   ~CertPathBuilder();
 
   // Adds a CertIssuerSource to provide intermediates for use in path building.
   // Multiple sources may be added. Must not be called after Run is called.
   // The |*cert_issuer_source| must remain valid for the lifetime of the
   // CertPathBuilder.
   //
   // (If no issuer sources are added, the target certificate will only verify if
   // it is a trust anchor or is directly signed by a trust anchor.)
@@ skipping 15 matching lines @@
 
   void DoGetNextPath();
   void DoGetNextPathComplete();
 
   void AddResultPath(std::unique_ptr<ResultPath> result_path);
 
   std::unique_ptr<CertPathIter> cert_path_iter_;
   const SignaturePolicy* signature_policy_;
   const der::GeneralizedTime time_;
   const KeyPurpose key_purpose_;
+  const InitialExplicitPolicy initial_explicit_policy_;
+  const std::set<der::Input> user_initial_policy_set_;
+  const InitialPolicyMappingInhibit initial_policy_mapping_inhibit_;
+  const InitialAnyPolicyInhibit initial_any_policy_inhibit_;
 
   // Stores the next complete path to attempt verification on. This is filled in
   // by |cert_path_iter_| during the STATE_GET_NEXT_PATH step, and thus should
   // only be accessed during the STATE_GET_NEXT_PATH_COMPLETE step.
   // (Will be empty if all paths have been tried, otherwise will be a candidate
   // path starting with the target cert and ending with a
   // certificate issued by trust anchor.)
   CertPath next_path_;
   State next_state_;
 
   Result* out_result_;
 
   DISALLOW_COPY_AND_ASSIGN(CertPathBuilder);
 };
 
 }  // namespace net
 
 #endif  // NET_CERT_INTERNAL_PATH_BUILDER_H_