Add cmd line switch to force CertVerifierBuiltin

This can be used in testing so it's easy to test with
CertVerifierBuiltin without setting up a local finch instances.

Also promote logging of chosen cert verifier to VLOG(0) so it's visibe
in test logs and potentially also if a user reports cert verification
errors,

                    --force-cert-verifier-builtin
      (watch log output for chosen cert verifier)

Bug: 978069
Test: browser_tests --gtest_filter=*SSLUITest* \
Change-Id: I74981fa0a2aecb94b7eab129ab5da155f18847a8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1715348Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Commit-Queue: Pavol Marko <pmarko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#680164}

chrome/browser/net/profile_network_context_service.cc

@@ -55,6 +55,7 @@
 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/policy/profile_policy_connector.h"
+#include "chromeos/constants/chromeos_switches.h"
 #include "components/user_manager/user.h"
 #include "components/user_manager/user_manager.h"
 #endif
@@ -101,6 +102,10 @@ Profile* GetPrimaryProfile() {
 }
 
 bool ShouldUseBuiltinCertVerifier(Profile* profile) {
+  base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
+  if (command_line->HasSwitch(chromeos::switches::kForceCertVerifierBuiltin))
+    return true;
+
   if (chromeos::ProfileHelper::Get()->IsSigninProfile(profile) ||
       chromeos::ProfileHelper::Get()->IsLockScreenAppProfile(profile)) {
     // No need to override the feature-set setting through policy for sign-in
@@ -181,8 +186,8 @@ ProfileNetworkContextService::ProfileNetworkContextService(Profile* profile)
 
 #if defined(OS_CHROMEOS)
   using_builtin_cert_verifier_ = ShouldUseBuiltinCertVerifier(profile_);
-  DVLOG(1) << "Using " << (using_builtin_cert_verifier_ ? "built-in" : "legacy")
-           << " cert verifier.";
+  VLOG(0) << "Using " << (using_builtin_cert_verifier_ ? "built-in" : "legacy")
+          << " cert verifier.";
 #endif
   // When any of the following CT preferences change, we schedule an update
   // to aggregate the actual update using a |ct_policy_update_timer_|.

chromeos/constants/chromeos_switches.cc

@@ -345,6 +345,11 @@ const char kFakeDriveFsLauncherChrootPath[] =
 const char kFakeDriveFsLauncherSocketPath[] =
     "fake-drivefs-launcher-socket-path";
 
+// Forces Chrome to use CertVerifyProcBuiltin for verification of server
+// certificates, ignoring the status of
+// net::features::kCertVerifierBuiltinFeature.
+const char kForceCertVerifierBuiltin[] = "force-cert-verifier-builtin";
+
 // Passed to Chrome the first time that it's run after the system boots.
 // Not passed on restart after sign out.
 const char kFirstExecAfterBoot[] = "first-exec-after-boot";

chromeos/constants/chromeos_switches.h

@@ -136,6 +136,8 @@ extern const char kFakeDriveFsLauncherChrootPath[];
 COMPONENT_EXPORT(CHROMEOS_CONSTANTS)
 extern const char kFakeDriveFsLauncherSocketPath[];
 COMPONENT_EXPORT(CHROMEOS_CONSTANTS)
+extern const char kForceCertVerifierBuiltin[];
+COMPONENT_EXPORT(CHROMEOS_CONSTANTS)
 extern const char kForceDevToolsAvailable[];
 COMPONENT_EXPORT(CHROMEOS_CONSTANTS) extern const char kForceFirstRunUI[];
 COMPONENT_EXPORT(CHROMEOS_CONSTANTS)