Use NSS to generate Origin-Bound Certs on Win and Mac.

net/base/origin_bound_cert_service.cc

Index: net/base/origin_bound_cert_service.cc
diff --git a/net/base/origin_bound_cert_service.cc b/net/base/origin_bound_cert_service.cc
index 4b48e6192ac8a2e0127b8739983e5cd9ba6aff19..e5c1e9d8e644d8db6624e2bee4df227b26a4640f 100644
--- a/net/base/origin_bound_cert_service.cc
+++ b/net/base/origin_bound_cert_service.cc
@@ -19,6 +19,7 @@
 #include "net/base/net_errors.h"
 #include "net/base/origin_bound_cert_store.h"
 #include "net/base/x509_certificate.h"
+#include "net/base/x509_util.h"
 
 #if defined(USE_NSS)
 #include <private/pprthred.h>  // PR_DetachThread
@@ -324,20 +325,13 @@ int OriginBoundCertService::GenerateCert(const std::string& origin,
     LOG(WARNING) << "Unable to create key pair for client";
     return ERR_KEY_GENERATION_FAILED;
   }
-#if defined(USE_NSS)
-  scoped_refptr<X509Certificate> x509_cert = X509Certificate::CreateOriginBound(
+  std::string der_cert;
+  if (!x509_util::CreateOriginBoundCert(
       key.get(),
       origin,
       serial_number,
-      base::TimeDelta::FromDays(kValidityPeriodInDays));
-#else
-  scoped_refptr<X509Certificate> x509_cert = X509Certificate::CreateSelfSigned(
-      key.get(),
-      "CN=anonymous.invalid",
-      serial_number,
-      base::TimeDelta::FromDays(kValidityPeriodInDays));
-#endif
-  if (!x509_cert) {
+      base::TimeDelta::FromDays(kValidityPeriodInDays),
+      &der_cert)) {
     LOG(WARNING) << "Unable to create x509 cert for client";
     return ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED;
   }
@@ -351,12 +345,6 @@ int OriginBoundCertService::GenerateCert(const std::string& origin,
   // std::string* to prevent this copying.
   std::string key_out(private_key_info.begin(), private_key_info.end());
 
-  std::string der_cert;
-  if (!x509_cert->GetDEREncoded(&der_cert)) {
-    LOG(WARNING) << "Unable to get DER-encoded cert";
-    return ERR_GET_CERT_BYTES_FAILED;
-  }
-
   private_key->swap(key_out);
   cert->swap(der_cert);
   return OK;