Switch //net to the new SPKI and PKCS#8 APIs.

net/base/keygen_handler_mac.cc

Index: net/base/keygen_handler_mac.cc
diff --git a/net/base/keygen_handler_mac.cc b/net/base/keygen_handler_mac.cc
index 63ea84751aa1d926cc7fb215edf03d5431567204..ed0439c53f0f3746d2ca72dd156600563d73fe99 100644
--- a/net/base/keygen_handler_mac.cc
+++ b/net/base/keygen_handler_mac.cc
@@ -148,10 +148,15 @@ std::string KeygenHandler::GenKeyAndSignChallenge() {
       goto failure;
     }
 
+    // The DER encoding of a NULL.
+    static const uint8_t kNullDer[] = {0x05, 0x00};
+
     // Fill in and DER-encode the PublicKeyAndChallenge:
     SignedPublicKeyAndChallenge spkac;
     memset(&spkac, 0, sizeof(spkac));
     spkac.pkac.spki.algorithm.algorithm = CSSMOID_RSA;
+    spkac.pkac.spki.algorithm.parameters.Data = const_cast<uint8_t*>(kNullDer);
+    spkac.pkac.spki.algorithm.parameters.Length = sizeof(kNullDer);

[davidben, 2016/03/03 16:22:31]

(We could also reimplement this whole thing in CBB in code shared with
keygen_handler_openssl.cc, but the fix was easy so it didn't seem worth
bothering.)

     spkac.pkac.spki.subjectPublicKey.Length =
         CFDataGetLength(key_data) * 8;  // interpreted as a _bit_ count
     spkac.pkac.spki.subjectPublicKey.Data =
@@ -175,6 +180,8 @@ std::string KeygenHandler::GenKeyAndSignChallenge() {
     spkac.signature.Data = signature.Data;
     spkac.signature.Length = signature.Length * 8;  // a _bit_ count
     spkac.signature_algorithm.algorithm = CSSMOID_MD5WithRSA;
+    spkac.signature_algorithm.parameters.Data = const_cast<uint8_t*>(kNullDer);
+    spkac.signature_algorithm.parameters.Length = sizeof(kNullDer);
     // TODO(snej): MD5 is weak. Can we use SHA1 instead?
     // See <https://bugzilla.mozilla.org/show_bug.cgi?id=549460>