Remove SupportsOCSPStapling from CertVerifier and CertVerifyProc

In the long-ago times, OCSP stapling at the TLS layer was only enabled
if the certificate verification layer would be able to use these OCSP
responses as part of verification - which was true on Windows > XP and
'bleeding edge' versions of NSS at the time. However, this conditional
enabling at the TLS layer has been long replaced with unconditional
enabling, to support both Certificate Transparency (~2015) and
Expect-Staple experiments.

As a result, it's no longer necessary to report the platform
capabilities to enable this optimization.

BUG=none
TBR=mmenke@chromium.org, bartfab@chromium.org

Change-Id: Ia3c0d4cb161da47738ccb287a8286d6ce6248162
Reviewed-on: https://chromium-review.googlesource.com/1117034
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Eric Roman <eroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#570862}

chrome/browser/chromeos/policy/policy_cert_verifier.cc

@@ -94,9 +94,4 @@ int PolicyCertVerifier::Verify(
   return error;
 }
 
-bool PolicyCertVerifier::SupportsOCSPStapling() {
-  DCHECK_CURRENTLY_ON(content::BrowserThread::IO);
-  return delegate_->SupportsOCSPStapling();
-}
-
 }  // namespace policy

chrome/browser/chromeos/policy/policy_cert_verifier.h

@@ -52,8 +52,6 @@ class PolicyCertVerifier : public net::CertVerifier {
              std::unique_ptr<Request>* out_req,
              const net::NetLogWithSource& net_log) override;
 
-  bool SupportsOCSPStapling() override;
-
  private:
   net::CertificateList trust_anchors_;
   base::Closure anchor_used_callback_;

chrome/browser/io_thread.cc

@@ -140,11 +140,6 @@ class WrappedCertVerifierForIOThreadTesting : public net::CertVerifier {
     return g_cert_verifier_for_io_thread_testing->Verify(
         params, crl_set, verify_result, callback, out_req, net_log);
   }
-  bool SupportsOCSPStapling() override {
-    if (!g_cert_verifier_for_io_thread_testing)
-      return false;
-    return g_cert_verifier_for_io_thread_testing->SupportsOCSPStapling();
-  }
 };
 
 #if defined(OS_MACOSX)

chrome/browser/net/trial_comparison_cert_verifier.cc

@@ -504,10 +504,6 @@ int TrialComparisonCertVerifier::Verify(const RequestParams& params,
                                    out_req, net_log);
 }
 
-bool TrialComparisonCertVerifier::SupportsOCSPStapling() {
-  return primary_verifier_->SupportsOCSPStapling();
-}
-
 void TrialComparisonCertVerifier::OnPrimaryVerifierComplete(
     const RequestParams& params,
     scoped_refptr<net::CRLSet> crl_set,

chrome/browser/net/trial_comparison_cert_verifier.h

@@ -54,8 +54,6 @@ class TrialComparisonCertVerifier : public net::CertVerifier {
              std::unique_ptr<Request>* out_req,
              const net::NetLogWithSource& net_log) override;
 
-  bool SupportsOCSPStapling() override;
-
   // Returns a CertVerifier using the primary CertVerifyProc, which will not
   // cause OnPrimaryVerifierComplete to be called. This can be used to
   // attempt to re-verify a cert with different chain or flags without

chrome/browser/net/trial_comparison_cert_verifier_unittest.cc

@@ -91,7 +91,6 @@ class FakeCertVerifyProc : public net::CertVerifyProc {
 
   // CertVerifyProc implementation:
   bool SupportsAdditionalTrustAnchors() const override { return false; }
-  bool SupportsOCSPStapling() const override { return false; }
 
  protected:
   ~FakeCertVerifyProc() override = default;
@@ -133,7 +132,6 @@ class NotCalledCertVerifyProc : public net::CertVerifyProc {
 
   // CertVerifyProc implementation:
   bool SupportsAdditionalTrustAnchors() const override { return false; }
-  bool SupportsOCSPStapling() const override { return false; }
 
  protected:
   ~NotCalledCertVerifyProc() override = default;
@@ -171,7 +169,6 @@ class MockCertVerifyProc : public net::CertVerifyProc {
   MockCertVerifyProc() = default;
   // CertVerifyProc implementation:
   bool SupportsAdditionalTrustAnchors() const override { return false; }
-  bool SupportsOCSPStapling() const override { return false; }
   MOCK_METHOD7(VerifyInternal,
                int(net::X509Certificate* cert,
                    const std::string& hostname,

chrome/browser/profiles/profile_io_data.cc

@@ -200,11 +200,6 @@ class WrappedCertVerifierForProfileIODataTesting : public net::CertVerifier {
     return g_cert_verifier_for_profile_io_data_testing->Verify(
         params, crl_set, verify_result, callback, out_req, net_log);
   }
-  bool SupportsOCSPStapling() override {
-    if (!g_cert_verifier_for_profile_io_data_testing)
-      return false;
-    return g_cert_verifier_for_profile_io_data_testing->SupportsOCSPStapling();
-  }
 };
 
 #if BUILDFLAG(DEBUG_DEVTOOLS)

net/cert/caching_cert_verifier.cc

@@ -63,10 +63,6 @@ int CachingCertVerifier::Verify(const CertVerifier::RequestParams& params,
   return result;
 }
 
-bool CachingCertVerifier::SupportsOCSPStapling() {
-  return verifier_->SupportsOCSPStapling();
-}
-
 bool CachingCertVerifier::AddEntry(const RequestParams& params,
                                    int error,
                                    const CertVerifyResult& verify_result,

net/cert/caching_cert_verifier.h

@@ -63,7 +63,6 @@ class NET_EXPORT CachingCertVerifier : public CertVerifier,
              const CompletionCallback& callback,
              std::unique_ptr<Request>* out_req,
              const NetLogWithSource& net_log) override;
-  bool SupportsOCSPStapling() override;
 
   // Opportunistically attempts to add |error| and |verify_result| as the
   // result for |params|, which was obtained at |verification_time| and

net/cert/cert_verifier.cc

@@ -70,10 +70,6 @@ bool CertVerifier::RequestParams::operator<(
   return key_ < other.key_;
 }
 
-bool CertVerifier::SupportsOCSPStapling() {
-  return false;
-}
-
 std::unique_ptr<CertVerifier> CertVerifier::CreateDefault() {
 #if defined(OS_NACL)
   NOTIMPLEMENTED();

net/cert/cert_verifier.h

@@ -158,9 +158,6 @@ class NET_EXPORT CertVerifier {
                      std::unique_ptr<Request>* out_req,
                      const NetLogWithSource& net_log) = 0;
 
-  // Returns true if this CertVerifier supports stapled OCSP responses.
-  virtual bool SupportsOCSPStapling();
-
   // Creates a CertVerifier implementation that verifies certificates using
   // the preferred underlying cryptographic libraries.
   static std::unique_ptr<CertVerifier> CreateDefault();

net/cert/cert_verify_proc.h

@@ -71,11 +71,6 @@ class NET_EXPORT CertVerifyProc
   // passed to Verify() is ignored when this returns false.
   virtual bool SupportsAdditionalTrustAnchors() const = 0;
 
-  // Returns true if the implementation supports passing a stapled OCSP response
-  // to the Verify() call. The |ocsp_response| parameter passed to Verify() is
-  // ignored when this returns false.
-  virtual bool SupportsOCSPStapling() const = 0;
-
  protected:
   CertVerifyProc();
   virtual ~CertVerifyProc();

net/cert/cert_verify_proc_android.cc

@@ -349,10 +349,6 @@ bool CertVerifyProcAndroid::SupportsAdditionalTrustAnchors() const {
   return false;
 }
 
-bool CertVerifyProcAndroid::SupportsOCSPStapling() const {
-  return false;
-}
-
 int CertVerifyProcAndroid::VerifyInternal(
     X509Certificate* cert,
     const std::string& hostname,

net/cert/cert_verify_proc_android.h

@@ -18,7 +18,6 @@ class NET_EXPORT CertVerifyProcAndroid : public CertVerifyProc {
   CertVerifyProcAndroid();
 
   bool SupportsAdditionalTrustAnchors() const override;
-  bool SupportsOCSPStapling() const override;
 
  protected:
   ~CertVerifyProcAndroid() override;

net/cert/cert_verify_proc_builtin.cc

@@ -262,7 +262,6 @@ class CertVerifyProcBuiltin : public CertVerifyProc {
   CertVerifyProcBuiltin();
 
   bool SupportsAdditionalTrustAnchors() const override;
-  bool SupportsOCSPStapling() const override;
 
  protected:
   ~CertVerifyProcBuiltin() override;
@@ -285,10 +284,6 @@ bool CertVerifyProcBuiltin::SupportsAdditionalTrustAnchors() const {
   return true;
 }
 
-bool CertVerifyProcBuiltin::SupportsOCSPStapling() const {
-  return true;
-}
-
 scoped_refptr<ParsedCertificate> ParseCertificateFromBuffer(
     CRYPTO_BUFFER* cert_handle,
     CertErrors* errors) {

net/cert/cert_verify_proc_ios.cc

@@ -248,10 +248,6 @@ bool CertVerifyProcIOS::SupportsAdditionalTrustAnchors() const {
   return false;
 }
 
-bool CertVerifyProcIOS::SupportsOCSPStapling() const {
-  return false;
-}
-
 CertVerifyProcIOS::~CertVerifyProcIOS() = default;
 
 int CertVerifyProcIOS::VerifyInternal(

net/cert/cert_verify_proc_ios.h

@@ -22,7 +22,6 @@ class CertVerifyProcIOS : public CertVerifyProc {
   static CertStatus GetCertFailureStatusFromTrust(SecTrustRef trust);
 
   bool SupportsAdditionalTrustAnchors() const override;
-  bool SupportsOCSPStapling() const override;
 
  protected:
   ~CertVerifyProcIOS() override;

net/cert/cert_verify_proc_mac.cc

@@ -985,12 +985,6 @@ bool CertVerifyProcMac::SupportsAdditionalTrustAnchors() const {
   return false;
 }
 
-bool CertVerifyProcMac::SupportsOCSPStapling() const {
-  // TODO(rsleevi): Plumb an OCSP response into the Mac system library.
-  // https://crbug.com/430714
-  return false;
-}
-
 int CertVerifyProcMac::VerifyInternal(
     X509Certificate* cert,
     const std::string& hostname,

net/cert/cert_verify_proc_mac.h

@@ -17,7 +17,6 @@ class NET_EXPORT_PRIVATE CertVerifyProcMac : public CertVerifyProc {
   CertVerifyProcMac();
 
   bool SupportsAdditionalTrustAnchors() const override;
-  bool SupportsOCSPStapling() const override;
 
  protected:
   ~CertVerifyProcMac() override;

net/cert/cert_verify_proc_nss.cc

@@ -814,10 +814,6 @@ bool CertVerifyProcNSS::SupportsAdditionalTrustAnchors() const {
   return true;
 }
 
-bool CertVerifyProcNSS::SupportsOCSPStapling() const {
-  return *ResolveCacheOCSPResponse() != nullptr;
-}
-
 int CertVerifyProcNSS::VerifyInternalImpl(
     X509Certificate* cert,
     const std::string& hostname,
@@ -843,7 +839,7 @@ int CertVerifyProcNSS::VerifyInternalImpl(
   }
   CERTCertificate* cert_handle = input_chain[0].get();
 
-  if (!ocsp_response.empty() && SupportsOCSPStapling()) {
+  if (!ocsp_response.empty() && *ResolveCacheOCSPResponse() != nullptr) {
     // Note: NSS uses a thread-safe global hash table, so this call will
     // affect any concurrent verification operations on |cert| or copies of
     // the same certificate. This is an unavoidable limitation of NSS's OCSP

net/cert/cert_verify_proc_nss.h

@@ -18,7 +18,6 @@ class NET_EXPORT_PRIVATE CertVerifyProcNSS : public CertVerifyProc {
   CertVerifyProcNSS();
 
   bool SupportsAdditionalTrustAnchors() const override;
-  bool SupportsOCSPStapling() const override;
 
  protected:
   ~CertVerifyProcNSS() override;

net/cert/cert_verify_proc_unittest.cc

@@ -79,7 +79,6 @@ class MockCertVerifyProc : public CertVerifyProc {
       : result_(result) {}
   // CertVerifyProc implementation:
   bool SupportsAdditionalTrustAnchors() const override { return false; }
-  bool SupportsOCSPStapling() const override { return false; }
 
  protected:
   ~MockCertVerifyProc() override = default;

net/cert/cert_verify_proc_win.cc

@@ -843,15 +843,6 @@ bool CertVerifyProcWin::SupportsAdditionalTrustAnchors() const {
   return false;
 }
 
-bool CertVerifyProcWin::SupportsOCSPStapling() const {
-  // CERT_OCSP_RESPONSE_PROP_ID is only implemented on Vista+, but it can be
-  // set on Windows XP without error. There is some overhead from the server
-  // sending the OCSP response if it supports the extension, for the subset of
-  // XP clients who will request it but be unable to use it, but this is an
-  // acceptable trade-off for simplicity of implementation.
-  return true;
-}
-
 int CertVerifyProcWin::VerifyInternal(
     X509Certificate* cert,
     const std::string& hostname,

net/cert/cert_verify_proc_win.h

@@ -16,7 +16,6 @@ class CertVerifyProcWin : public CertVerifyProc {
   CertVerifyProcWin();
 
   bool SupportsAdditionalTrustAnchors() const override;
-  bool SupportsOCSPStapling() const override;
 
  protected:
   ~CertVerifyProcWin() override;

net/cert/multi_threaded_cert_verifier.cc

@@ -389,10 +389,6 @@ int MultiThreadedCertVerifier::Verify(const RequestParams& params,
   return ERR_IO_PENDING;
 }
 
-bool MultiThreadedCertVerifier::SupportsOCSPStapling() {
-  return verify_proc_->SupportsOCSPStapling();
-}
-
 bool MultiThreadedCertVerifier::JobComparator::operator()(
     const CertVerifierJob* job1,
     const CertVerifierJob* job2) const {

net/cert/multi_threaded_cert_verifier.h

@@ -68,8 +68,6 @@ class NET_EXPORT_PRIVATE MultiThreadedCertVerifier : public CertVerifier {
              std::unique_ptr<Request>* out_req,
              const NetLogWithSource& net_log) override;
 
-  bool SupportsOCSPStapling() override;
-
  private:
   struct JobToRequestParamsComparator;
   friend class CertVerifierRequest;

net/cert/multi_threaded_cert_verifier_unittest.cc

@@ -43,7 +43,6 @@ class MockCertVerifyProc : public CertVerifyProc {
 
   // CertVerifyProc implementation
   bool SupportsAdditionalTrustAnchors() const override { return false; }
-  bool SupportsOCSPStapling() const override { return false; }
 
   int VerifyInternal(X509Certificate* cert,
                      const std::string& hostname,

net/socket/ssl_client_socket_impl.cc

@@ -934,9 +934,6 @@ int SSLClientSocketImpl::Init() {
   SSL_enable_signed_cert_timestamps(ssl_.get());
   SSL_enable_ocsp_stapling(ssl_.get());
 
-  if (cert_verifier_->SupportsOCSPStapling())
-    SSL_enable_ocsp_stapling(ssl_.get());
-
   // Configure BoringSSL to allow renegotiations. Once the initial handshake
   // completes, if renegotiations are not allowed, the default reject value will
   // be restored. This is done in this order to permit a BoringSSL