The net::CertTrustAnchorProvider is an abstraction to support ChromeOS trust anchor providers. However, if net::CertVerifier took an input of trust anchors (e.g. as part of a CertVerifier::RequestParams), we could remove that interface and leave it entirely up to the higher //chrome code to compose, by supplying the trust anchor certs in the Verify() call.
e.g.

PolicyCertVerifier::Verify(const CertVerifier::RequestParams& params, ...) {
  CertVerifier::RequestParams local_request(params);
  local_request.SetTrustAnchors(GetAdditionalTrustAnchors());
  verifier_->Verify(local_request, ...);
}

PolicyCertVerifier::GetAdditionalTrustAnchors() {
  // ... What it does today
}

Basically, get rid of the entire concept of net::CertTrustAnchorProvider, which is weird.
Comment 1 by eroman@chromium.org, Jun 21 2016