Support building BoringSSL with NSS certificates.

build/common.gypi

Index: build/common.gypi
diff --git a/build/common.gypi b/build/common.gypi
index 4c2d696830e3163fa5fd812eb42ef8103d4b98b1..80785f03079cd1d50512ded64caba5f32d0a70d3 100644
--- a/build/common.gypi
+++ b/build/common.gypi
@@ -70,7 +70,10 @@
           # certificates, use_openssl_certs must be set.
           'use_openssl%': 0,
 
-          # Typedef X509Certificate::OSCertHandle to OpenSSL's struct X509*.
+          # Use OpenSSL for representing certificates. When targeting Android,
+          # the platform certificate library is used for certificate
+          # verification. On other targets, this flag also enables OpenSSL for
+          # certificate verification, but this configuration is unsupported.
           'use_openssl_certs%': 0,
 
           # Disable viewport meta tag by default.
@@ -651,21 +654,16 @@
           'os_bsd%': 0,
         }],
 
-        # NSS usage.
-        ['(OS=="linux" or OS=="freebsd" or OS=="openbsd" or OS=="solaris") and use_openssl==0', {
+        # NSS usage. This controls whether NSS is used for certificate
+        # validation and storage (like use_openssl_certs). For historical
+        # reasons, this flag is named use_nss rather than use_nss_certs. In

[haavardm, 2015/03/11 14:42:50]

Would probably be some work but I mention it anyway: An alternative approach is
to turn on using NSS for cert verification on linux when use_openssl_certs == 0
and remove use_nss completely.

That would be consistent with how !use_openssl turns on using NSS for crypto and
TLS.

[davidben, 2015/03/11 23:32:42]

Hrm. So we can't easily get rid of USE_NSS the preprocessor flag. I don't have
terribly strong opinions about getting rid of use_nss(_certs) the build flag.
It'd probably make a lot of the conditions messier? Probably not worth all the
churn if NSS is going away.

Really, it doesn't make any sense to keep the USE_OPENSSL_CERTS flag on Linux
anyway. We should probably just drop it and fold it into OS_ANDROID in a
follow-up. That configuration is unsupported and not likely to ever become
supported; we won't be using X509_verify post-NSS, and I'd like to unify the
net::X509Certificate in-memory representation away from OpenSSL's crypto/x509
stack and to the new PKI stack. Both crypto/x509 and crypto/asn1 are
sufficiently decrepit that we're intentionally not touching them in BoringSSL.
We'll migrate away from them altogether.

+        # particular, note it is possible to set both use_openssl and use_nss.
+        ['(OS=="linux" or OS=="freebsd" or OS=="openbsd" or OS=="solaris")', {
           'use_nss%': 1,
         }, {
           'use_nss%': 0,
         }],
 
-        # When OpenSSL is used for SSL and crypto on Unix-like systems, use
-        # OpenSSL's certificate definition.
-        ['(OS=="linux" or OS=="freebsd" or OS=="openbsd" or OS=="solaris") and use_openssl==1', {
-          'use_openssl_certs%': 1,
-        }, {
-          'use_openssl_certs%': 0,
-        }],
-
         # libudev usage.  This currently only affects the content layer.
         ['OS=="linux" and embedded==0', {
           'use_udev%': 1,
@@ -2997,6 +2995,10 @@
         'defines': ['USE_GLIB=1'],
       }],
       ['<(use_nss)==1 and >(nacl_untrusted_build)==0', {
+        # USE_NSS really means NSS is used for certificate validation and
+        # storage (like USE_OPENSSL_CERTS). For historical reasons, this flag is
+        # named USE_NSS rather than USE_NSS_CERTS. In particular, note it is
+        # possible to set both USE_OPENSSL and USE_NSS.
         'defines': ['USE_NSS=1'],
       }],
       ['<(chromeos)==1 and >(nacl_untrusted_build)==0', {