Only use the platform cert in verification in SSLClientSocketOpenSSL.

net/cert/x509_util_openssl.h

Index: net/cert/x509_util_openssl.h
diff --git a/net/cert/x509_util_openssl.h b/net/cert/x509_util_openssl.h
index 8dc4473514ad1fee613dc4c6891bf0eef07903e9..9db5a56033f43956c4a4fd304adc90d7b57887c8 100644
--- a/net/cert/x509_util_openssl.h
+++ b/net/cert/x509_util_openssl.h
@@ -11,6 +11,7 @@
 #include <string>
 #include <vector>
 
+#include "base/strings/string_piece.h"
 #include "net/base/net_export.h"
 
 namespace base {
@@ -42,6 +43,19 @@ bool NET_EXPORT ParsePrincipalValueByNID(X509_NAME* name,
 
 bool NET_EXPORT ParseDate(ASN1_TIME* x509_time, base::Time* time);
 
+// DER-encodes |x509|. On success, returns true and writes the
+// encoding to |*out_der|.
+bool NET_EXPORT GetDER(X509* x509, std::string* out_der);
+

[Ryan Sleevi, 2014/09/19 15:56:54]

Why does this need to be exported? It is just a wrapper for i2d, which no one
should need, right? Or they can use the X509Certificate method, which this seems
to be redundant with?

That is, why wouldn't you keep this method purely in the .cc, and make
GetDerAndCacheIfNeeded called GetDER. The fact that there is a cache is an
opaque detail, right?

[davidben, 2014/09/19 16:53:40]

Well, that there is a cache isn't entirely opaque for a raw X509 since they're
not necessarily immutable, so I figured it'd be worth exposing both cached and
uncached versions. (GetDER is uncached.) I can unexpose GetDER if you prefer; I
think nothing outside x509_util_openssl.cc is actually using it.

This isn't redundant with the X509Certificate version because that's for the
platform one (which was the whole point of moving it to x509_util).

[Ryan Sleevi, 2014/09/19 17:39:33]

Yeah, I would rather wait until we have a demonstrable need for it.
I was more assuming that the only time you'd want to get the DER for an X509 AND
explicitly not cache it would be on USE_OPENSSL_CERTS, which is why it seemed
redundant/unnecessary, and that everyone else should always be using the
AndCacheIfNeeded version.

[davidben, 2014/09/19 18:10:09]

Done.

+// DER-encodes |x509|, caching the encoding in a structure owned by
+// the X509. On success, returns true, and sets |*out_der| to point to
+// the encoding. The StringPiece is valid as long as |x509| is not
+// freed.
+//
+// Note: this caches the encoding, so |x509| must not be modified
+// after the first call to this function.
+bool NET_EXPORT GetDERAndCacheIfNeeded(X509* x509, base::StringPiece* out_der);
+
 } // namespace x509_util
 
 } // namespace net