net::CertVerifyProcBuiltin: do AIA fetching (if requested by VERIFY_CERT_IO_ENABLED)

Also call SetGlobalCertNetFetcher on OS_FUCHSIA (where CertVerifyProcBuiltin is the default).

Bug: 649017,762380
Change-Id: I39ee5de34dd96914189f323ecbaffabfc645b642
Reviewed-on: https://chromium-review.googlesource.com/884841Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Eric Roman <eroman@chromium.org>
Commit-Queue: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#532227}

chrome/browser/io_thread.cc

@@ -114,9 +114,7 @@
 #include "chrome/browser/android/data_usage/external_data_use_observer.h"
 #include "chrome/browser/android/net/external_estimate_provider_android.h"
 #include "components/data_usage/android/traffic_stats_amortizer.h"
-#include "net/cert/cert_net_fetcher.h"
 #include "net/cert/cert_verify_proc_android.h"
-#include "net/cert_net/cert_net_fetcher_impl.h"
 #endif  // defined(OS_ANDROID)
 
 #if defined(OS_CHROMEOS)
@@ -131,6 +129,11 @@
 #include "third_party/boringssl/src/include/openssl/cpu.h"
 #endif
 
+#if defined(OS_ANDROID) || defined(OS_FUCHSIA)
+#include "net/cert/cert_net_fetcher.h"
+#include "net/cert_net/cert_net_fetcher_impl.h"
+#endif
+
 using content::BrowserThread;
 
 class SafeBrowsingURLRequestContext;
@@ -588,7 +591,7 @@ void IOThread::CleanUp() {
   net::SetURLRequestContextForNSSHttpIO(nullptr);
 #endif
 
-#if defined(OS_ANDROID)
+#if defined(OS_ANDROID) || defined(OS_FUCHSIA)
   net::ShutdownGlobalCertNetFetcher();
 #endif
 
@@ -831,7 +834,7 @@ void IOThread::ConstructSystemRequestContext() {
 #if defined(USE_NSS_CERTS)
   net::SetURLRequestContextForNSSHttpIO(globals_->system_request_context);
 #endif
-#if defined(OS_ANDROID)
+#if defined(OS_ANDROID) || defined(OS_FUCHSIA)
   net::SetGlobalCertNetFetcher(
       net::CreateCertNetFetcher(globals_->system_request_context));
 #endif

net/cert/cert_verify_proc_builtin.cc

@@ -20,6 +20,7 @@
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/ev_root_ca_metadata.h"
 #include "net/cert/internal/cert_errors.h"
+#include "net/cert/internal/cert_issuer_source_aia.h"
 #include "net/cert/internal/cert_issuer_source_static.h"
 #include "net/cert/internal/common_cert_errors.h"
 #include "net/cert/internal/parsed_certificate.h"
@@ -443,8 +444,17 @@ void TryBuildPath(const scoped_refptr<ParsedCertificate>& target,
   // |input_cert|.
   path_builder.AddCertIssuerSource(intermediates);
 
-  // TODO(crbug.com/649017): Allow the path builder to discover intermediates
-  // through AIA fetching.
+  // Allow the path builder to discover intermediates through AIA fetching.
+  std::unique_ptr<CertIssuerSourceAia> aia_cert_issuer_source;
+  if (flags & CertVerifier::VERIFY_CERT_IO_ENABLED) {
+    if (net_fetcher) {
+      aia_cert_issuer_source =
+          std::make_unique<CertIssuerSourceAia>(net_fetcher);
+      path_builder.AddCertIssuerSource(aia_cert_issuer_source.get());
+    } else {
+      LOG(ERROR) << "VERIFY_CERT_IO_ENABLED specified but no net_fetcher";
+    }
+  }
 
   path_builder.Run();
 }

net/url_request/url_request_unittest.cc

@@ -11201,8 +11201,7 @@ INSTANTIATE_TEST_CASE_P(OCSPVerify,
                         testing::ValuesIn(kOCSPVerifyData));
 
 static bool SystemSupportsAIA() {
-#if defined(OS_ANDROID) || defined(USE_BUILTIN_CERT_VERIFIER)
-  // TODO(crbug.com/762380): Enable on Fuchsia once it's implemented.
+#if defined(OS_ANDROID)
   return false;
 #else
   return true;