Add distrust by SPKI to TrustStoreInMemory

Change-Id: I9dcb1ef1218ece2678688abe7459fb2d1dcb8854
Bug: chromium:1477317
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64308
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
diff --git a/pki/trust_store_in_memory.h b/pki/trust_store_in_memory.h
index 4fea8d1..59ae3a4 100644
--- a/pki/trust_store_in_memory.h
+++ b/pki/trust_store_in_memory.h
@@ -6,6 +6,7 @@
 #define BSSL_PKI_TRUST_STORE_IN_MEMORY_H_
 
 #include <unordered_map>
+#include <set>
 
 #include <openssl/base.h>
 
@@ -55,6 +56,12 @@
   void AddDistrustedCertificateForTest(
       std::shared_ptr<const ParsedCertificate> cert);
 
+  // Distrusts the provided SPKI. This will override any other trust (e.g. if a
+  // certificate is passed into AddTrustAnchor() and the certificate's SPKI is
+  // passed into AddDistrustedCertificateBySPKI(), GetTrust() will return
+  // CertificateTrust::ForDistrusted()).
+  void AddDistrustedCertificateBySPKI(std::string spki);
+
   // Adds a certificate to the store, that is neither trusted nor untrusted.
   void AddCertificateWithUnspecifiedTrust(
       std::shared_ptr<const ParsedCertificate> cert);
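Review bot: The comment on `AddDistrustedCertificateBySPKI` does not say what form `spki` takes — the raw DER-encoded SubjectPublicKeyInfo bytes, or a digest of them — and unlike the neighbouring `AddDistrustedCertificateForTest` this method carries no `ForTest` suffix, so presumably production callers will use it; a caller that passes the wrong representation would silently distrust nothing, which fails open. The implementation is not in this diff, so the exact matching rule is inferred, but the header should state it, e.g. `// |spki| is the DER-encoded SubjectPublicKeyInfo (the full TLV, not a hash or a base64 string); it is matched against the certificate's SPKI bytes, so the encoding must be identical.` The enclosing `class TrustStoreInMemory` begins before this hunk.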
@@ -81,6 +88,9 @@
   // Multimap from normalized subject -> Entry.
   std::unordered_multimap<std::string_view, Entry> entries_;
 
+  // Set of distrusted SPKIs.
+  std::set<std::string> distrusted_spkis_;
+
   // Returns the `Entry` matching `cert`, or `nullptr` if not in the trust
   // store.
   const Entry *GetEntry(const ParsedCertificate *cert) const;
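Review bot: `distrusted_spkis_` is declared as `std::set<std::string>` with the default comparator, so the lookup that `GetTrust()` will need (not shown in this diff) cannot be done with a `std::string_view` or other non-owning view of the certificate's SPKI without first copying it into a temporary `std::string`. If the implementation does compare against a view, declaring it as `std::set<std::string, std::less<>> distrusted_spkis_;` enables heterogeneous lookup and avoids that copy per certificate considered; this is a style/performance point, not a correctness one. The comment `// Set of distrusted SPKIs.` would also benefit from naming the encoding stored, e.g. `// DER-encoded SubjectPublicKeyInfo values that are distrusted regardless of other entries.`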