Support building BoringSSL with NSS certificates.

crypto/BUILD.gn

Index: crypto/BUILD.gn
diff --git a/crypto/BUILD.gn b/crypto/BUILD.gn
index d71719702139107d369e950dfbce78823a242882..2c0b1b27f9ab1b10036fc45d10a8a07329e8b9de 100644
--- a/crypto/BUILD.gn
+++ b/crypto/BUILD.gn
@@ -136,9 +136,6 @@ component("crypto") {
       "ec_signature_creator_nss.cc",
       "encryptor_nss.cc",
       "hmac_nss.cc",
-      "nss_util.cc",
-      "nss_util.h",
-      "nss_util_internal.h",
       "rsa_private_key_nss.cc",
       "secure_hash_default.cc",
       "signature_creator_nss.cc",
@@ -170,6 +167,16 @@ component("crypto") {
     ]
   }
 
+  # NSS is used for neither the internal crypto library nor the platform
+  # certificate library.
+  if (use_openssl && !use_nss_certs) {
+    sources -= [
+      "nss_util.cc",
+      "nss_util.h",
+      "nss_util_internal.h",
+    ]
+  }
+
   defines = [ "CRYPTO_IMPLEMENTATION" ]
 }
 
@@ -231,12 +238,14 @@ if (!is_win) {
       "symmetric_key_unittest.cc",
     ]
 
-    if (use_openssl || !is_linux) {
-      sources -= [ "rsa_private_key_nss_unittest.cc" ]
+    if (use_openssl && !use_nss_certs) {
+      # nss_util is built if NSS is used for either the internal crypto library
+      # or the platform certificate library.
+      sources -= [ "nss_util_unittest.cc" ]
     }
 
     if (use_openssl) {
-      sources -= [ "nss_util_unittest.cc" ]
+      sources -= [ "rsa_private_key_nss_unittest.cc" ]
     } else {
       sources -= [ "openssl_bio_string_unittest.cc" ]
     }
@@ -298,6 +307,11 @@ group("platform") {
     deps = [
       "//net/third_party/nss/ssl:libssl",
     ]
+  }
+
+  # Link in NSS if it is used for either the internal crypto library
+  # (use_openssl==0) or platform certificate library (use_nss==1).
+  if (use_nss_certs || !use_openssl) {
     if (is_linux) {
       # On Linux, we use the system NSS (excepting SSL where we always use our
       # own).