Introduce USE_OPENSSL_CERTS for certificate handling.

build/common.gypi

Index: build/common.gypi
diff --git a/build/common.gypi b/build/common.gypi
index dbfd8243fe7f52f8174d6529da5ac955e2ed5d16..2ac3679fc932425b2707b995d6e582b271afc06d 100644
--- a/build/common.gypi
+++ b/build/common.gypi
@@ -50,6 +50,9 @@
           # Use OpenSSL instead of NSS. Under development: see http://crbug.com/62803

[wtc, 2014/03/20 21:14:56]

Please update this comment. At least, the "Under development: see
http://crbug.com/ 62803" part should be removed. It would be good to describe
the new, narrower meaning of use_openssl and the relation to use_openssl_certs.

[haavardm, 2014/03/24 18:48:52]

Done.

           'use_openssl%': 0,
 
+         # Use OpenSSL for certificate handling.

[Ryan Sleevi, 2014/03/21 19:47:51]

I'm a little confused here, when reading both this code and the later code for
CertVerifier.

When use_openssl_certs:1, X509Certificate::OSCertHandle will always be an X509*,
right?
When use_openssl_certs:1, certificate verification MAY happen with OpenSSL - or
it may not (eg: Android), right?

Perhaps there's a better way to express that here than just saying "certificate
handling".

[haavardm, 2014/03/24 18:48:52]

The way it is currently implemented, use_openssl_certs means "use openssl for
certificate verification", and is only on for linux.

The naming is confusing, so it should either be renamed to something along
"use_openssl_verification", or I should follow wtc's suggestion and let
use_openssl_certs mean "X509Certificate::OSCertHandle is typedef'd as an X509*".

I think I agree with WTC on this.

+          'use_openssl_certs%': 0,
+
           # Disable viewport meta tag by default.
           'enable_viewport%': 0,
 
@@ -124,6 +127,7 @@
         'use_ozone%': '<(use_ozone)',
         'embedded%': '<(embedded)',
         'use_openssl%': '<(use_openssl)',
+        'use_openssl_certs%': '<(use_openssl_certs)',
         'use_system_fontconfig%': '<(use_system_fontconfig)',
         'enable_viewport%': '<(enable_viewport)',
         'enable_hidpi%': '<(enable_hidpi)',
@@ -247,6 +251,7 @@
       'use_clipboard_aurax11%': '<(use_clipboard_aurax11)',
       'embedded%': '<(embedded)',
       'use_openssl%': '<(use_openssl)',
+      'use_openssl_certs%': '<(use_openssl_certs)',
       'use_system_fontconfig%': '<(use_system_fontconfig)',
       'enable_viewport%': '<(enable_viewport)',
       'enable_hidpi%': '<(enable_hidpi)',
@@ -540,6 +545,11 @@
           'use_nss%': 0,
         }],
 
+        # When OpenSSL is used for SSL on unix like systems, turn on OpenSSL

[wtc, 2014/03/20 21:14:56]

This should be "for SSL and crypto".

+        # certificate handling for now.
+        ['(OS=="linux" or OS=="freebsd" or OS=="openbsd" or OS=="solaris") and use_openssl==1', {
+          'use_openssl_certs%': 1,

[wtc, 2014/03/20 21:14:56]

Should we also add an "else" block that set use_openssl_certs to 0? All the
neighboring code does that, so it would be good to be consistent even if it's
not necessary.

[Ryan Sleevi, 2014/03/21 19:47:51]

+1 for consistency.

[haavardm, 2014/03/24 18:48:52]

Done.

+        }],
         # libudev usage.  This currently only affects the content layer.
         ['OS=="linux" and embedded==0', {
           'use_udev%': 1,
@@ -897,6 +907,7 @@
     'use_ash%': '<(use_ash)',
     'use_cras%': '<(use_cras)',
     'use_openssl%': '<(use_openssl)',
+    'use_openssl_certs%': '<(use_openssl_certs)',
     'use_nss%': '<(use_nss)',
     'use_udev%': '<(use_udev)',
     'os_bsd%': '<(os_bsd)',
@@ -2519,6 +2530,9 @@
       ['<(use_openssl)==1 or >(nacl_untrusted_build)==1', {
         'defines': ['USE_OPENSSL=1'],
       }],
+      ['<(use_openssl_certs)==1 or >(nacl_untrusted_build)==1', {
+        'defines': ['USE_OPENSSL_CERTS=1'],
+      }],
       ['<(use_nss)==1 and >(nacl_untrusted_build)==0', {
         'defines': ['USE_NSS=1'],
       }],