
Introduce USE_OPENSSL_CERTS for certificate handling.

See discussion at chromium issue 338885.

When USE_OPENSSL_CERTS is defined, X509::OSCertHandle is now
typedef'ed to struct X509*. 
 
When USE_OPENSSL is defined, USE_OPENSSL_CERTS will now be
defined for linux and Android, while being off for Mac and 
Windows. This allows OpenSSL to be used while leaving
certificate handling to the OS.
 
OpenSSL cert verifying code will only be used on Linux.

This patch does not change any default behavior.

Bug=none
Test=none

Review URL: https://codereview.chromium.org/206453002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@260152 0039d316-1c4b-4281-b951-d872f2087c98
haavardm@opera.com
2014-03-28 16:20:32 +00:00
parent 6241d536a5
commit e1b2d73a2e
13 changed files with 102 additions and 68 deletions

@ -57,9 +57,15 @@
# Whether we are using Views Toolkit # Whether we are using Views Toolkit
'toolkit_views%': 0, 'toolkit_views%': 0,
# Use OpenSSL instead of NSS. Under development: see http://crbug.com/62803 # Use OpenSSL instead of NSS as the underlying SSL and crypto
# implementation. Certificate verification will in most cases be
# handled by the OS. If OpenSSL's struct X509 is used to represent
# certificates, use_openssl_certs must be set.
'use_openssl%': 0, 'use_openssl%': 0,
# Typedef X509Certificate::OSCertHandle to OpenSSL's struct X509*.
'use_openssl_certs%': 0,
# Disable viewport meta tag by default. # Disable viewport meta tag by default.
'enable_viewport%': 0, 'enable_viewport%': 0,
@ -135,6 +141,7 @@
'use_ozone%': '<(use_ozone)', 'use_ozone%': '<(use_ozone)',
'embedded%': '<(embedded)', 'embedded%': '<(embedded)',
'use_openssl%': '<(use_openssl)', 'use_openssl%': '<(use_openssl)',
'use_openssl_certs%': '<(use_openssl_certs)',
'use_system_fontconfig%': '<(use_system_fontconfig)', 'use_system_fontconfig%': '<(use_system_fontconfig)',
'enable_viewport%': '<(enable_viewport)', 'enable_viewport%': '<(enable_viewport)',
'enable_hidpi%': '<(enable_hidpi)', 'enable_hidpi%': '<(enable_hidpi)',
@ -256,6 +263,7 @@
'use_clipboard_aurax11%': '<(use_clipboard_aurax11)', 'use_clipboard_aurax11%': '<(use_clipboard_aurax11)',
'embedded%': '<(embedded)', 'embedded%': '<(embedded)',
'use_openssl%': '<(use_openssl)', 'use_openssl%': '<(use_openssl)',
'use_openssl_certs%': '<(use_openssl_certs)',
'use_system_fontconfig%': '<(use_system_fontconfig)', 'use_system_fontconfig%': '<(use_system_fontconfig)',
'enable_viewport%': '<(enable_viewport)', 'enable_viewport%': '<(enable_viewport)',
'enable_hidpi%': '<(enable_hidpi)', 'enable_hidpi%': '<(enable_hidpi)',
@ -568,6 +576,14 @@
'use_nss%': 0, 'use_nss%': 0,
}], }],
# When OpenSSL is used for SSL and crypto on Unix-like systems, use
# OpenSSL's certificate definition.
['(OS=="linux" or OS=="freebsd" or OS=="openbsd" or OS=="solaris") and use_openssl==1', {
'use_openssl_certs%': 1,
}, {
'use_openssl_certs%': 0,
}],
# libudev usage. This currently only affects the content layer. # libudev usage. This currently only affects the content layer.
['OS=="linux" and embedded==0', { ['OS=="linux" and embedded==0', {
'use_udev%': 1, 'use_udev%': 1,
@ -932,6 +948,7 @@
'use_cras%': '<(use_cras)', 'use_cras%': '<(use_cras)',
'use_mojo%': '<(use_mojo)', 'use_mojo%': '<(use_mojo)',
'use_openssl%': '<(use_openssl)', 'use_openssl%': '<(use_openssl)',
'use_openssl_certs%': '<(use_openssl_certs)',
'use_nss%': '<(use_nss)', 'use_nss%': '<(use_nss)',
'use_udev%': '<(use_udev)', 'use_udev%': '<(use_udev)',
'os_bsd%': '<(os_bsd)', 'os_bsd%': '<(os_bsd)',
@ -1556,6 +1573,7 @@
# Always uses openssl. # Always uses openssl.
'use_openssl%': 1, 'use_openssl%': 1,
'use_openssl_certs%': 1,
'proprietary_codecs%': '<(proprietary_codecs)', 'proprietary_codecs%': '<(proprietary_codecs)',
'safe_browsing%': 2, 'safe_browsing%': 2,
@ -2588,9 +2606,18 @@
}], }],
], # conditions for 'target_defaults' ], # conditions for 'target_defaults'
'target_conditions': [ 'target_conditions': [
['<(use_openssl)==1 or >(nacl_untrusted_build)==1', { ['<(use_openssl)==1', {
'defines': ['USE_OPENSSL=1'], 'defines': ['USE_OPENSSL=1'],
}], }],
['<(use_openssl_certs)==1', {
'defines': ['USE_OPENSSL_CERTS=1'],
}],
['>(nacl_untrusted_build)==1', {
'defines': [
'USE_OPENSSL=1',
'USE_OPENSSL_CERTS=1',
],
}],
['<(use_nss)==1 and >(nacl_untrusted_build)==0', { ['<(use_nss)==1 and >(nacl_untrusted_build)==0', {
'defines': ['USE_NSS=1'], 'defines': ['USE_NSS=1'],
}], }],
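Review bot: The new `['<(use_openssl_certs)==1', {` target_condition at the end of this section emits USE_OPENSSL_CERTS=1 from use_openssl_certs alone, with no check that use_openssl is also 1, and because the auto-selection earlier in the section uses `%` defaults it is bypassed by an explicit override; a build that sets use_openssl_certs=1 on an NSS configuration would therefore likely get both USE_NSS=1 and USE_OPENSSL_CERTS=1, and x509_certificate.h's typedef chain would pick the X509* OSCertHandle while the NSS stack is linked. Either tighten the define to `['<(use_openssl_certs)==1 and <(use_openssl)==1', {` or state the dependency in the new variable comment, e.g. `# Typedef X509Certificate::OSCertHandle to OpenSSL's struct X509*. Requires use_openssl==1.` The same independence of the two flags is visible in net.gyp's `use_openssl_certs == 0` exclusion lists further down this page.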

@ -80,7 +80,7 @@
'mac_security_services_lock.h', 'mac_security_services_lock.h',
], ],
}], }],
[ 'OS == "mac" or OS == "ios" or OS == "win"', { [ 'use_openssl == 0 and (OS == "mac" or OS == "ios" or OS == "win")', {
'dependencies': [ 'dependencies': [
'../third_party/nss/nss.gyp:nspr', '../third_party/nss/nss.gyp:nspr',
'../third_party/nss/nss.gyp:nss', '../third_party/nss/nss.gyp:nss',
@ -201,12 +201,7 @@
'openpgp_symmetric_encryption_unittest.cc', 'openpgp_symmetric_encryption_unittest.cc',
] ]
}], }],
[ 'OS == "mac" or OS == "ios" or OS == "win"', { [ 'use_openssl == 0 and (OS == "mac" or OS == "ios" or OS == "win")', {
'dependencies': [
'../third_party/nss/nss.gyp:nss',
],
}],
[ 'OS == "mac"', {
'dependencies': [ 'dependencies': [
'../third_party/nss/nss.gyp:nspr', '../third_party/nss/nss.gyp:nspr',
], ],

@ -13,7 +13,8 @@
#include "build/build_config.h" #include "build/build_config.h"
#include "crypto/crypto_export.h" #include "crypto/crypto_export.h"
#if defined(USE_NSS) || defined(OS_WIN) || defined(OS_MACOSX) #if defined(USE_NSS) || \
(!defined(USE_OPENSSL) && (defined(OS_WIN) || defined(OS_MACOSX)))
#include "crypto/scoped_nss_types.h" #include "crypto/scoped_nss_types.h"
#endif #endif
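Review bot: The reworked guard `#if defined(USE_NSS) || (!defined(USE_OPENSSL) && (defined(OS_WIN) || defined(OS_MACOSX)))` has no comment saying why Windows and Mac still need scoped_nss_types.h when OpenSSL is not selected, and the identical expression is duplicated verbatim in the next header's `#elif` on this page. A one-line comment would spare the next person from re-deriving it, e.g. `// Windows and Mac builds keep NSS unless OpenSSL replaces it; this mirrors the NSS dependency condition in crypto.gyp.` If the rule is extended again, consider expressing it once in the build configuration rather than copying it into each header.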

@ -14,7 +14,8 @@
// See comments for crypto_nacl_win64 in crypto.gyp. // See comments for crypto_nacl_win64 in crypto.gyp.
// Must test for NACL_WIN64 before OS_WIN since former is a subset of latter. // Must test for NACL_WIN64 before OS_WIN since former is a subset of latter.
#include "crypto/scoped_capi_types.h" #include "crypto/scoped_capi_types.h"
#elif defined(USE_NSS) || defined(OS_WIN) || defined(OS_MACOSX) #elif defined(USE_NSS) || \
(!defined(USE_OPENSSL) && (defined(OS_WIN) || defined(OS_MACOSX)))
#include "crypto/scoped_nss_types.h" #include "crypto/scoped_nss_types.h"
#endif #endif

@ -20,7 +20,7 @@
#if defined(USE_NSS) || defined(OS_IOS) #if defined(USE_NSS) || defined(OS_IOS)
#include "net/cert/cert_verify_proc_nss.h" #include "net/cert/cert_verify_proc_nss.h"
#elif defined(USE_OPENSSL) && !defined(OS_ANDROID) #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
#include "net/cert/cert_verify_proc_openssl.h" #include "net/cert/cert_verify_proc_openssl.h"
#elif defined(OS_ANDROID) #elif defined(OS_ANDROID)
#include "net/cert/cert_verify_proc_android.h" #include "net/cert/cert_verify_proc_android.h"
@ -167,7 +167,7 @@ bool ExaminePublicKeys(const scoped_refptr<X509Certificate>& cert,
CertVerifyProc* CertVerifyProc::CreateDefault() { CertVerifyProc* CertVerifyProc::CreateDefault() {
#if defined(USE_NSS) || defined(OS_IOS) #if defined(USE_NSS) || defined(OS_IOS)
return new CertVerifyProcNSS(); return new CertVerifyProcNSS();
#elif defined(USE_OPENSSL) && !defined(OS_ANDROID) #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
return new CertVerifyProcOpenSSL(); return new CertVerifyProcOpenSSL();
#elif defined(OS_ANDROID) #elif defined(OS_ANDROID)
return new CertVerifyProcAndroid(); return new CertVerifyProcAndroid();
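Review bot: The selector `#elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)` spells out "the OpenSSL verifier is the one in use" by hand, and the same Android carve-out is repeated in cert_verify_proc_unittest.cc, test_root_certs.h, test_root_certs_unittest.cc and url_request_unittest.cc on this page, while net.gyp appears to keep compiling cert_verify_proc_openssl.cc on Android (it is only excluded when use_openssl_certs == 0). Those sites stay in agreement by convention only; if Android ever stops setting use_openssl_certs, or another OS-backed verifier is added, every one of them has to be edited. Consider letting the build choose the verifier backend with a single define, or at least add a comment here such as `// Android sets USE_OPENSSL_CERTS for the X509 handle but verifies through the platform (CertVerifyProcAndroid), so it is excluded from the OpenSSL branch.` CreateDefault continues past the end of the hunk.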

@ -157,7 +157,7 @@ TEST_F(CertVerifyProcTest, DISABLED_WithoutRevocationChecking) {
&verify_result)); &verify_result));
} }
#if defined(OS_ANDROID) || defined(USE_OPENSSL) #if defined(OS_ANDROID) || defined(USE_OPENSSL_CERTS)
// TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported. // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported.
#define MAYBE_EVVerification DISABLED_EVVerification #define MAYBE_EVVerification DISABLED_EVVerification
#else #else
@ -724,7 +724,7 @@ TEST_F(CertVerifyProcTest, InvalidKeyUsage) {
NULL, NULL,
empty_cert_list_, empty_cert_list_,
&verify_result); &verify_result);
#if defined(USE_OPENSSL) && !defined(OS_ANDROID) #if defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
// This certificate has two errors: "invalid key usage" and "untrusted CA". // This certificate has two errors: "invalid key usage" and "untrusted CA".
// However, OpenSSL returns only one (the latter), and we can't detect // However, OpenSSL returns only one (the latter), and we can't detect
// the other errors. // the other errors.
@ -1407,7 +1407,7 @@ TEST_P(CertVerifyProcWeakDigestTest, Verify) {
const WeakDigestTestData kVerifyRootCATestData[] = { const WeakDigestTestData kVerifyRootCATestData[] = {
{ "weak_digest_md5_root.pem", "weak_digest_sha1_intermediate.pem", { "weak_digest_md5_root.pem", "weak_digest_sha1_intermediate.pem",
"weak_digest_sha1_ee.pem", false, false, false }, "weak_digest_sha1_ee.pem", false, false, false },
#if defined(USE_OPENSSL) || defined(OS_WIN) #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
// MD4 is not supported by OS X / NSS // MD4 is not supported by OS X / NSS
{ "weak_digest_md4_root.pem", "weak_digest_sha1_intermediate.pem", { "weak_digest_md4_root.pem", "weak_digest_sha1_intermediate.pem",
"weak_digest_sha1_ee.pem", false, false, false }, "weak_digest_sha1_ee.pem", false, false, false },
@ -1422,7 +1422,7 @@ INSTANTIATE_TEST_CASE_P(VerifyRoot, CertVerifyProcWeakDigestTest,
const WeakDigestTestData kVerifyIntermediateCATestData[] = { const WeakDigestTestData kVerifyIntermediateCATestData[] = {
{ "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem", { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
"weak_digest_sha1_ee.pem", true, false, false }, "weak_digest_sha1_ee.pem", true, false, false },
#if defined(USE_OPENSSL) || defined(OS_WIN) #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
// MD4 is not supported by OS X / NSS // MD4 is not supported by OS X / NSS
{ "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem", { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
"weak_digest_sha1_ee.pem", false, true, false }, "weak_digest_sha1_ee.pem", false, true, false },
@ -1445,7 +1445,7 @@ WRAPPED_INSTANTIATE_TEST_CASE_P(
const WeakDigestTestData kVerifyEndEntityTestData[] = { const WeakDigestTestData kVerifyEndEntityTestData[] = {
{ "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem", { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
"weak_digest_md5_ee.pem", true, false, false }, "weak_digest_md5_ee.pem", true, false, false },
#if defined(USE_OPENSSL) || defined(OS_WIN) #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
// MD4 is not supported by OS X / NSS // MD4 is not supported by OS X / NSS
{ "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem", { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
"weak_digest_md4_ee.pem", false, true, false }, "weak_digest_md4_ee.pem", false, true, false },
@ -1469,7 +1469,7 @@ WRAPPED_INSTANTIATE_TEST_CASE_P(MAYBE_VerifyEndEntity,
const WeakDigestTestData kVerifyIncompleteIntermediateTestData[] = { const WeakDigestTestData kVerifyIncompleteIntermediateTestData[] = {
{ NULL, "weak_digest_md5_intermediate.pem", "weak_digest_sha1_ee.pem", { NULL, "weak_digest_md5_intermediate.pem", "weak_digest_sha1_ee.pem",
true, false, false }, true, false, false },
#if defined(USE_OPENSSL) || defined(OS_WIN) #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
// MD4 is not supported by OS X / NSS // MD4 is not supported by OS X / NSS
{ NULL, "weak_digest_md4_intermediate.pem", "weak_digest_sha1_ee.pem", { NULL, "weak_digest_md4_intermediate.pem", "weak_digest_sha1_ee.pem",
false, true, false }, false, true, false },
@ -1494,7 +1494,7 @@ WRAPPED_INSTANTIATE_TEST_CASE_P(
const WeakDigestTestData kVerifyIncompleteEETestData[] = { const WeakDigestTestData kVerifyIncompleteEETestData[] = {
{ NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md5_ee.pem", { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md5_ee.pem",
true, false, false }, true, false, false },
#if defined(USE_OPENSSL) || defined(OS_WIN) #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
// MD4 is not supported by OS X / NSS // MD4 is not supported by OS X / NSS
{ NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md4_ee.pem", { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md4_ee.pem",
false, true, false }, false, true, false },
@ -1521,7 +1521,7 @@ const WeakDigestTestData kVerifyMixedTestData[] = {
"weak_digest_md2_ee.pem", true, false, true }, "weak_digest_md2_ee.pem", true, false, true },
{ "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem", { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
"weak_digest_md5_ee.pem", true, false, true }, "weak_digest_md5_ee.pem", true, false, true },
#if defined(USE_OPENSSL) || defined(OS_WIN) #if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
// MD4 is not supported by OS X / NSS // MD4 is not supported by OS X / NSS
{ "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem", { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
"weak_digest_md2_ee.pem", false, true, true }, "weak_digest_md2_ee.pem", false, true, true },
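Review bot: Each `#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)` block in the weak-digest tables is still introduced by `// MD4 is not supported by OS X / NSS`, which names the excluded backends rather than what the condition now selects; with Android also defining USE_OPENSSL_CERTS but verifying through CertVerifyProcAndroid, a reader cannot tell from the comment whether the platform verifier is expected to treat these MD4 chains like the OpenSSL one. Behaviour here is unchanged, since USE_OPENSSL was already defined on Android before this commit, but the comment should describe the selection, e.g. `// MD4 cases are only run where USE_OPENSSL_CERTS or Windows is in use; OS X and NSS do not support MD4.` Whether the Android verifier genuinely shares the OpenSSL expectations is not visible on this page and is worth confirming against the Android bots.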

@ -12,7 +12,7 @@
#if defined(USE_NSS) || defined(OS_IOS) #if defined(USE_NSS) || defined(OS_IOS)
#include <list> #include <list>
#elif defined(USE_OPENSSL) && !defined(OS_ANDROID) #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
#include <vector> #include <vector>
#elif defined(OS_WIN) #elif defined(OS_WIN)
#include <windows.h> #include <windows.h>
@ -25,7 +25,7 @@
#if defined(USE_NSS) #if defined(USE_NSS)
typedef struct CERTCertificateStr CERTCertificate; typedef struct CERTCertificateStr CERTCertificate;
#elif defined(USE_OPENSSL) && !defined(OS_ANDROID) #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
typedef struct x509_st X509; typedef struct x509_st X509;
#endif #endif
@ -78,7 +78,7 @@ class NET_EXPORT TestRootCerts {
// be trusted. By default, this is true, indicating that the TestRootCerts // be trusted. By default, this is true, indicating that the TestRootCerts
// are used in addition to OS trust store. // are used in addition to OS trust store.
void SetAllowSystemTrust(bool allow_system_trust); void SetAllowSystemTrust(bool allow_system_trust);
#elif defined(USE_OPENSSL) && !defined(OS_ANDROID) #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
const std::vector<scoped_refptr<X509Certificate> >& const std::vector<scoped_refptr<X509Certificate> >&
temporary_roots() const { return temporary_roots_; } temporary_roots() const { return temporary_roots_; }
bool Contains(X509* cert) const; bool Contains(X509* cert) const;
@ -106,7 +106,7 @@ class NET_EXPORT TestRootCerts {
// settings, in order to restore them when Clear() is called. // settings, in order to restore them when Clear() is called.
class TrustEntry; class TrustEntry;
std::list<TrustEntry*> trust_cache_; std::list<TrustEntry*> trust_cache_;
#elif defined(USE_OPENSSL) && !defined(OS_ANDROID) #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
std::vector<scoped_refptr<X509Certificate> > temporary_roots_; std::vector<scoped_refptr<X509Certificate> > temporary_roots_;
#elif defined(OS_WIN) #elif defined(OS_WIN)
HCERTSTORE temporary_roots_; HCERTSTORE temporary_roots_;

@ -135,7 +135,7 @@ TEST(TestRootCertsTest, OverrideTrust) {
EXPECT_EQ(bad_verify_result.cert_status, restored_verify_result.cert_status); EXPECT_EQ(bad_verify_result.cert_status, restored_verify_result.cert_status);
} }
#if defined(USE_NSS) || (defined(USE_OPENSSL) && !defined(OS_ANDROID)) #if defined(USE_NSS) || (defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID))
TEST(TestRootCertsTest, Contains) { TEST(TestRootCertsTest, Contains) {
// Another test root certificate. // Another test root certificate.
const char kRootCertificateFile2[] = "2048-rsa-root.pem"; const char kRootCertificateFile2[] = "2048-rsa-root.pem";

@ -25,7 +25,7 @@
#include <CoreFoundation/CFArray.h> #include <CoreFoundation/CFArray.h>
#include <Security/SecBase.h> #include <Security/SecBase.h>
#elif defined(USE_OPENSSL) #elif defined(USE_OPENSSL_CERTS)
// Forward declaration; real one in <x509.h> // Forward declaration; real one in <x509.h>
typedef struct x509_st X509; typedef struct x509_st X509;
typedef struct x509_store_st X509_STORE; typedef struct x509_store_st X509_STORE;
@ -58,7 +58,7 @@ class NET_EXPORT X509Certificate
typedef PCCERT_CONTEXT OSCertHandle; typedef PCCERT_CONTEXT OSCertHandle;
#elif defined(OS_MACOSX) #elif defined(OS_MACOSX)
typedef SecCertificateRef OSCertHandle; typedef SecCertificateRef OSCertHandle;
#elif defined(USE_OPENSSL) #elif defined(USE_OPENSSL_CERTS)
typedef X509* OSCertHandle; typedef X509* OSCertHandle;
#elif defined(USE_NSS) #elif defined(USE_NSS)
typedef struct CERTCertificateStr* OSCertHandle; typedef struct CERTCertificateStr* OSCertHandle;
@ -304,7 +304,7 @@ class NET_EXPORT X509Certificate
PCCERT_CONTEXT CreateOSCertChainForCert() const; PCCERT_CONTEXT CreateOSCertChainForCert() const;
#endif #endif
#if defined(USE_OPENSSL) #if defined(USE_OPENSSL_CERTS)
// Returns a handle to a global, in-memory certificate store. We // Returns a handle to a global, in-memory certificate store. We
// use it for test code, e.g. importing the test server's certificate. // use it for test code, e.g. importing the test server's certificate.
static X509_STORE* cert_store(); static X509_STORE* cert_store();
@ -413,7 +413,7 @@ class NET_EXPORT X509Certificate
// Common object initialization code. Called by the constructors only. // Common object initialization code. Called by the constructors only.
void Initialize(); void Initialize();
#if defined(USE_OPENSSL) #if defined(USE_OPENSSL_CERTS)
// Resets the store returned by cert_store() to default state. Used by // Resets the store returned by cert_store() to default state. Used by
// TestRootCerts to undo modifications. // TestRootCerts to undo modifications.
static void ResetCertStore(); static void ResetCertStore();
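Review bot: The OSCertHandle chain places `#elif defined(USE_OPENSSL_CERTS)` after the OS_WIN and OS_MACOSX branches, so if USE_OPENSSL_CERTS is ever defined on Windows or Mac the OS handle type silently wins while the `cert_store()`/`ResetCertStore()` declarations below and x509_certificate_openssl.cc (compiled whenever use_openssl_certs is 1 per net.gyp on this page) still assume X509*. Nothing in the build forbids that combination; common.gypi only defaults use_openssl_certs to 0 there. A guard near the top of the chain makes the contract explicit: `#if defined(USE_OPENSSL_CERTS) && (defined(OS_WIN) || defined(OS_MACOSX))` / `#error "USE_OPENSSL_CERTS requires OSCertHandle to be X509*, which the Windows and Mac backends do not provide"` / `#endif`. The class body continues outside this hunk.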

@ -1415,22 +1415,17 @@
'third_party/mozilla_security_manager/nsPKCS12Blob.cpp', 'third_party/mozilla_security_manager/nsPKCS12Blob.cpp',
'third_party/mozilla_security_manager/nsPKCS12Blob.h', 'third_party/mozilla_security_manager/nsPKCS12Blob.h',
], ],
'dependencies': [
'../third_party/openssl/openssl.gyp:openssl',
],
}, },
{ # else !use_openssl: remove the unneeded files { # else !use_openssl: remove the unneeded files
'sources!': [ 'sources!': [
'base/crypto_module_openssl.cc', 'base/crypto_module_openssl.cc',
'base/keygen_handler_openssl.cc', 'base/keygen_handler_openssl.cc',
'base/openssl_private_key_store.h',
'base/openssl_private_key_store_android.cc',
'base/openssl_private_key_store_memory.cc',
'cert/cert_database_openssl.cc',
'cert/cert_verify_proc_openssl.cc',
'cert/cert_verify_proc_openssl.h',
'cert/ct_log_verifier_openssl.cc', 'cert/ct_log_verifier_openssl.cc',
'cert/ct_objects_extractor_openssl.cc', 'cert/ct_objects_extractor_openssl.cc',
'cert/jwk_serializer_openssl.cc', 'cert/jwk_serializer_openssl.cc',
'cert/test_root_certs_openssl.cc',
'cert/x509_certificate_openssl.cc',
'cert/x509_util_openssl.cc', 'cert/x509_util_openssl.cc',
'cert/x509_util_openssl.h', 'cert/x509_util_openssl.h',
'quic/crypto/aead_base_decrypter_openssl.cc', 'quic/crypto/aead_base_decrypter_openssl.cc',
@ -1448,11 +1443,23 @@
'socket/ssl_server_socket_openssl.cc', 'socket/ssl_server_socket_openssl.cc',
'socket/ssl_session_cache_openssl.cc', 'socket/ssl_session_cache_openssl.cc',
'socket/ssl_session_cache_openssl.h', 'socket/ssl_session_cache_openssl.h',
'ssl/openssl_client_key_store.cc',
'ssl/openssl_client_key_store.h',
], ],
}, },
], ],
[ 'use_openssl_certs == 0', {
'sources!': [
'base/openssl_private_key_store.h',
'base/openssl_private_key_store_android.cc',
'base/openssl_private_key_store_memory.cc',
'cert/cert_database_openssl.cc',
'cert/cert_verify_proc_openssl.cc',
'cert/cert_verify_proc_openssl.h',
'cert/test_root_certs_openssl.cc',
'cert/x509_certificate_openssl.cc',
'ssl/openssl_client_key_store.cc',
'ssl/openssl_client_key_store.h',
],
}],
[ 'use_glib == 1', { [ 'use_glib == 1', {
'dependencies': [ 'dependencies': [
'../build/linux/system.gyp:gconf', '../build/linux/system.gyp:gconf',
@ -1461,12 +1468,8 @@
}], }],
[ 'desktop_linux == 1 or chromeos == 1', { [ 'desktop_linux == 1 or chromeos == 1', {
'conditions': [ 'conditions': [
['use_openssl==1', { ['use_openssl == 0', {
'dependencies': [ # use NSS
'../third_party/openssl/openssl.gyp:openssl',
],
},
{ # else use_openssl==0, use NSS
'dependencies': [ 'dependencies': [
'../build/linux/system.gyp:ssl', '../build/linux/system.gyp:ssl',
], ],
@ -1575,10 +1578,15 @@
}, },
], ],
[ 'OS == "mac"', { [ 'OS == "mac"', {
'dependencies': [ 'conditions': [
'../third_party/nss/nss.gyp:nspr', [ 'use_openssl == 0', {
'../third_party/nss/nss.gyp:nss', 'dependencies': [
'third_party/nss/ssl.gyp:libssl', # defaults to nss
'../third_party/nss/nss.gyp:nspr',
'../third_party/nss/nss.gyp:nss',
'third_party/nss/ssl.gyp:libssl',
],
}],
], ],
'link_settings': { 'link_settings': {
'libraries': [ 'libraries': [
@ -2268,10 +2276,14 @@
'quic/test_tools/crypto_test_utils_openssl.cc', 'quic/test_tools/crypto_test_utils_openssl.cc',
'socket/ssl_client_socket_openssl_unittest.cc', 'socket/ssl_client_socket_openssl_unittest.cc',
'socket/ssl_session_cache_openssl_unittest.cc', 'socket/ssl_session_cache_openssl_unittest.cc',
'ssl/openssl_client_key_store_unittest.cc',
], ],
}, },
], ],
[ 'use_openssl_certs == 0', {
'sources!': [
'ssl/openssl_client_key_store_unittest.cc',
],
}],
[ 'enable_websockets != 1', { [ 'enable_websockets != 1', {
'sources/': [ 'sources/': [
['exclude', '^socket_stream/'], ['exclude', '^socket_stream/'],
@ -2339,7 +2351,7 @@
'msvs_disabled_warnings': [4267, ], 'msvs_disabled_warnings': [4267, ],
}, },
], ],
[ 'OS == "mac"', { [ 'OS == "mac" and use_openssl == 0', {
'dependencies': [ 'dependencies': [
'../third_party/nss/nss.gyp:nspr', '../third_party/nss/nss.gyp:nspr',
'../third_party/nss/nss.gyp:nss', '../third_party/nss/nss.gyp:nss',
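Review bot: Two hunks in this section drop the explicit `'../third_party/openssl/openssl.gyp:openssl'` dependency (the removed block after the mozilla_security_manager sources and the removed `use_openssl==1` branch under `desktop_linux == 1 or chromeos == 1`), but no hunk on this page adds it back elsewhere in net.gyp; unless net already receives it transitively, for example through crypto.gyp, the OpenSSL-backed sources that remain under use_openssl==1 lose their direct link dependency, which is worth confirming on a use_openssl=1 Linux build. Separately, the new `use_openssl_certs == 0` exclusion lists are evaluated independently of use_openssl, so a comment explaining why they are split out of the `!use_openssl` list above would help, e.g. `# Sources that require OSCertHandle to be OpenSSL's X509* (use_openssl_certs); see common.gypi.`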

@ -389,7 +389,7 @@ SSLClientSocketOpenSSL::PeerCertificateChain::operator=(
return *this; return *this;
} }
#if defined(USE_OPENSSL) #if defined(USE_OPENSSL_CERTS)
// When OSCertHandle is typedef'ed to X509, this implementation does a short cut // When OSCertHandle is typedef'ed to X509, this implementation does a short cut
// to avoid converting back and forth between der and X509 struct. // to avoid converting back and forth between der and X509 struct.
void SSLClientSocketOpenSSL::PeerCertificateChain::Reset( void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(
@ -417,7 +417,7 @@ void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(
CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
} }
} }
#else // !defined(USE_OPENSSL) #else // !defined(USE_OPENSSL_CERTS)
void SSLClientSocketOpenSSL::PeerCertificateChain::Reset( void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(
STACK_OF(X509)* chain) { STACK_OF(X509)* chain) {
openssl_chain_.reset(NULL); openssl_chain_.reset(NULL);
@ -455,7 +455,7 @@ void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(
os_chain_ = NULL; os_chain_ = NULL;
} }
} }
#endif // USE_OPENSSL #endif // defined(USE_OPENSSL_CERTS)
// static // static
SSLSessionCacheOpenSSL::Config SSLSessionCacheOpenSSL::Config
@ -471,7 +471,9 @@ void SSLClientSocket::ClearSessionCache() {
SSLClientSocketOpenSSL::SSLContext* context = SSLClientSocketOpenSSL::SSLContext* context =
SSLClientSocketOpenSSL::SSLContext::GetInstance(); SSLClientSocketOpenSSL::SSLContext::GetInstance();
context->session_cache()->Flush(); context->session_cache()->Flush();
#if defined(USE_OPENSSL_CERTS)
OpenSSLClientKeyStore::GetInstance()->Flush(); OpenSSLClientKeyStore::GetInstance()->Flush();
#endif
} }
SSLClientSocketOpenSSL::SSLClientSocketOpenSSL( SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
@ -1419,7 +1421,7 @@ int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl,
DCHECK(ssl == ssl_); DCHECK(ssl == ssl_);
DCHECK(*x509 == NULL); DCHECK(*x509 == NULL);
DCHECK(*pkey == NULL); DCHECK(*pkey == NULL);
#if defined(USE_OPENSSL_CERTS)
if (!ssl_config_.send_client_cert) { if (!ssl_config_.send_client_cert) {
// First pass: we know that a client certificate is needed, but we do not // First pass: we know that a client certificate is needed, but we do not
// have one at hand. // have one at hand.
@ -1456,6 +1458,10 @@ int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl,
} }
LOG(WARNING) << "Client cert found without private key"; LOG(WARNING) << "Client cert found without private key";
} }
#else // !defined(USE_OPENSSL_CERTS)
// OS handling of client certificates is not yet implemented.
NOTIMPLEMENTED();
#endif // defined(USE_OPENSSL_CERTS)
// Send no client certificate. // Send no client certificate.
return 0; return 0;
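Review bot: In the new `#else // !defined(USE_OPENSSL_CERTS)` branch of ClientCertRequestCallback the code logs NOTIMPLEMENTED() and falls through to `return 0;`, so on an OpenSSL build without OpenSSL certs a connection whose `ssl_config_.send_client_cert` is set with a selected certificate proceeds with no client certificate and only a log line to explain it; the server then sees an unauthenticated handshake instead of a failure the user can act on. Until OS-backed client certificates are implemented it would be clearer to name the dropped configuration, e.g. `LOG(WARNING) << "Client certificate requested but not supported without USE_OPENSSL_CERTS";` ahead of the NOTIMPLEMENTED(), or to reject `send_client_cert` earlier where ssl_config_ is applied (outside this hunk). ClientCertRequestCallback starts before the hunk and its remaining lines lie outside it; the `#if defined(USE_OPENSSL_CERTS)` guard around the Flush() call in ClearSessionCache matches the source exclusion in net.gyp.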

@ -24,7 +24,6 @@ namespace net {
namespace { namespace {
#if !defined(USE_OPENSSL)
void FailTest(int /* result */) { void FailTest(int /* result */) {
FAIL(); FAIL();
} }
@ -117,8 +116,6 @@ MockServerBoundCertStoreWithAsyncGet::CallGetServerBoundCertCallbackWithResult(
cert)); cert));
} }
#endif // !defined(USE_OPENSSL)
class ServerBoundCertServiceTest : public testing::Test { class ServerBoundCertServiceTest : public testing::Test {
public: public:
ServerBoundCertServiceTest() ServerBoundCertServiceTest()
@ -150,9 +147,6 @@ TEST_F(ServerBoundCertServiceTest, GetDomainForHost) {
ServerBoundCertService::GetDomainForHost("127.0.0.1")); ServerBoundCertService::GetDomainForHost("127.0.0.1"));
} }
// See http://crbug.com/91512 - implement OpenSSL version of CreateSelfSigned.
#if !defined(USE_OPENSSL)
TEST_F(ServerBoundCertServiceTest, GetCacheMiss) { TEST_F(ServerBoundCertServiceTest, GetCacheMiss) {
std::string host("encrypted.google.com"); std::string host("encrypted.google.com");
@ -775,8 +769,6 @@ TEST_F(ServerBoundCertServiceTest, AsyncStoreGetThenCreateNoCertsInStore) {
EXPECT_FALSE(request_handle2.is_active()); EXPECT_FALSE(request_handle2.is_active());
} }
#endif // !defined(USE_OPENSSL)
} // namespace } // namespace
} // namespace net } // namespace net
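Review bot: Removing the `#if !defined(USE_OPENSSL)` guards, together with the `// See http://crbug.com/91512 - implement OpenSSL version of CreateSelfSigned.` pointer, enables GetCacheMiss through AsyncStoreGetThenCreateNoCertsInStore on every OpenSSL build including Android, yet no hunk on this page shows an OpenSSL CreateSelfSigned landing, and the description says default behaviour is unchanged. If the implementation arrived in an earlier change, a one-line comment at the top of the test fixture (for instance noting that the OpenSSL backend now supports CreateSelfSigned, with the bug reference) would preserve the reason these tests run under OpenSSL; if it has not, the guard should stay. Either way this is worth confirming with a use_openssl=1 run of the suite.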

@ -7193,12 +7193,12 @@ static bool SystemSupportsHardFailRevocationChecking() {
// several tests are effected because our testing EV certificate won't be // several tests are effected because our testing EV certificate won't be
// recognised as EV. // recognised as EV.
static bool SystemUsesChromiumEVMetadata() { static bool SystemUsesChromiumEVMetadata() {
#if defined(USE_OPENSSL) #if defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
// http://crbug.com/117478 - OpenSSL does not support EV validation. // http://crbug.com/117478 - OpenSSL does not support EV validation.
return false; return false;
#elif defined(OS_MACOSX) && !defined(OS_IOS) #elif (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_ANDROID)
// On OS X, we use the system to tell us whether a certificate is EV or not // On OS X and Android, we use the system to tell us whether a certificate is
// and the system won't recognise our testing root. // EV or not and the system won't recognise our testing root.
return false; return false;
#else #else
return true; return true;
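Review bot: Both of the first two branches of SystemUsesChromiumEVMetadata now return false, and the `!defined(OS_ANDROID)` carve-out in the first only reroutes Android to a branch with the same result, so the preprocessor logic is more complex than the behaviour it selects. A single `#if defined(USE_OPENSSL_CERTS) || defined(OS_ANDROID) || (defined(OS_MACOSX) && !defined(OS_IOS))` returning false, with a comment giving both reasons (OpenSSL has no EV validation, crbug.com/117478; OS X and Android ask the system, which does not know the test root), is exactly equivalent to the current chain and has one fewer USE_OPENSSL_CERTS/Android pairing to keep in sync with the other sites on this page.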