authorrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-11-22 13:35:49 +0000
committerrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-11-22 13:35:49 +0000
commit11f40349ae8b6a644399d7b609a3c702873ddc3b (patch)
tree5143f91c042f713d09c488ce652d16e3625dc32b /net
parentdf89c555395b0f0585dbe56cb6ddbf1029c1e9ab (diff)
Clean-up style issues in net:: related to X.509 data-types, eliminating unnecessary includes and marking platform-specific implementations as such. Also clearly document that CertPrincipal::Matches() is not suitable for security-relevant name checks.
In addition, because x509_cert_types.h no longer includes base/singleton.h, fix all the classes that broke because they weren't including what they used. BUG=none TEST=existing Review URL: http://codereview.chromium.org/5162001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@66941 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/base/cert_database_nss_unittest.cc1
-rw-r--r--net/base/x509_cert_types.cc60
-rw-r--r--net/base/x509_cert_types.h28
-rw-r--r--net/base/x509_cert_types_mac.cc246
-rw-r--r--net/base/x509_cert_types_mac_unittest.cc (renamed from net/base/x509_cert_types_unittest.cc)7
-rw-r--r--net/base/x509_certificate.cc1
-rw-r--r--net/base/x509_certificate.h2
-rw-r--r--net/base/x509_certificate_mac.cc1
-rw-r--r--net/base/x509_certificate_win.cc1
-rw-r--r--net/net.gyp2
-rw-r--r--net/socket/ssl_client_socket_nss.cc18
-rw-r--r--net/socket_stream/socket_stream_job.cc1
-rw-r--r--net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp1
13 files changed, 163 insertions, 206 deletions
diff --git a/net/base/cert_database_nss_unittest.cc b/net/base/cert_database_nss_unittest.cc
index c68b6fd..5056e5d 100644
--- a/net/base/cert_database_nss_unittest.cc
+++ b/net/base/cert_database_nss_unittest.cc
@@ -14,6 +14,7 @@
#include "base/nss_util_internal.h"
#include "base/path_service.h"
#include "base/scoped_temp_dir.h"
+#include "base/singleton.h"
#include "base/string_util.h"
#include "base/utf_string_conversions.h"
#include "net/base/cert_database.h"
diff --git a/net/base/x509_cert_types.cc b/net/base/x509_cert_types.cc
index 5dfc57a..cdfbdaa 100644
--- a/net/base/x509_cert_types.cc
+++ b/net/base/x509_cert_types.cc
@@ -4,38 +4,11 @@
#include "net/base/x509_cert_types.h"
-#include <ostream>
-
#include "net/base/x509_certificate.h"
#include "base/logging.h"
namespace net {
-bool match(const std::string &str, const std::string &against) {
- // TODO(snej): Use the full matching rules specified in RFC 5280 sec. 7.1
- // including trimming and case-folding: <http://www.ietf.org/rfc/rfc5280.txt>.
- return against == str;
-}
-
-bool match(const std::vector<std::string> &rdn1,
- const std::vector<std::string> &rdn2) {
- // "Two relative distinguished names RDN1 and RDN2 match if they have the
- // same number of naming attributes and for each naming attribute in RDN1
- // there is a matching naming attribute in RDN2." --RFC 5280 sec. 7.1.
- if (rdn1.size() != rdn2.size())
- return false;
- for (unsigned i1 = 0; i1 < rdn1.size(); ++i1) {
- unsigned i2;
- for (i2 = 0; i2 < rdn2.size(); ++i2) {
- if (match(rdn1[i1], rdn2[i2]))
- break;
- }
- if (i2 == rdn2.size())
- return false;
- }
- return true;
-}
-
CertPrincipal::CertPrincipal() {
}
@@ -44,18 +17,6 @@ CertPrincipal::CertPrincipal(const std::string& name) : common_name(name) {}
CertPrincipal::~CertPrincipal() {
}
-bool CertPrincipal::Matches(const CertPrincipal& against) const {
- return match(common_name, against.common_name) &&
- match(common_name, against.common_name) &&
- match(locality_name, against.locality_name) &&
- match(state_or_province_name, against.state_or_province_name) &&
- match(country_name, against.country_name) &&
- match(street_addresses, against.street_addresses) &&
- match(organization_names, against.organization_names) &&
- match(organization_unit_names, against.organization_unit_names) &&
- match(domain_components, against.domain_components);
-}
-
std::string CertPrincipal::GetDisplayName() const {
if (!common_name.empty())
return common_name;
@@ -67,27 +28,6 @@ std::string CertPrincipal::GetDisplayName() const {
return std::string();
}
-std::ostream& operator<<(std::ostream& s, const CertPrincipal& p) {
- s << "CertPrincipal[";
- if (!p.common_name.empty())
- s << "cn=\"" << p.common_name << "\" ";
- for (unsigned i = 0; i < p.street_addresses.size(); ++i)
- s << "street=\"" << p.street_addresses[i] << "\" ";
- if (!p.locality_name.empty())
- s << "l=\"" << p.locality_name << "\" ";
- for (unsigned i = 0; i < p.organization_names.size(); ++i)
- s << "o=\"" << p.organization_names[i] << "\" ";
- for (unsigned i = 0; i < p.organization_unit_names.size(); ++i)
- s << "ou=\"" << p.organization_unit_names[i] << "\" ";
- if (!p.state_or_province_name.empty())
- s << "st=\"" << p.state_or_province_name << "\" ";
- if (!p.country_name.empty())
- s << "c=\"" << p.country_name << "\" ";
- for (unsigned i = 0; i < p.domain_components.size(); ++i)
- s << "dc=\"" << p.domain_components[i] << "\" ";
- return s << "]";
-}
-
CertPolicy::CertPolicy() {
}
diff --git a/net/base/x509_cert_types.h b/net/base/x509_cert_types.h
index 7723c22..f762e56 100644
--- a/net/base/x509_cert_types.h
+++ b/net/base/x509_cert_types.h
@@ -8,25 +8,14 @@
#include <string.h>
-#include <functional>
-#include <iosfwd>
#include <set>
#include <string>
#include <vector>
-#include "base/ref_counted.h"
-#include "base/singleton.h"
-#include "base/time.h"
-#include "testing/gtest/include/gtest/gtest_prod.h"
+#include "build/build_config.h"
-#if defined(OS_WIN)
-#include <windows.h>
-#include <wincrypt.h>
-#elif defined(OS_MACOSX)
+#if defined(OS_MACOSX)
#include <Security/x509defs.h>
-#elif defined(USE_NSS)
-// Forward declaration; real one in <cert.h>
-struct CERTCertificateStr;
#endif
namespace net {
@@ -56,17 +45,19 @@ struct CertPrincipal {
explicit CertPrincipal(const std::string& name);
~CertPrincipal();
+#if defined(OS_MACOSX)
// Parses a BER-format DistinguishedName.
bool ParseDistinguishedName(const void* ber_name_data, size_t length);
-#if defined(OS_MACOSX)
// Parses a CSSM_X509_NAME struct.
void Parse(const CSSM_X509_NAME* name);
-#endif
- // Returns true if all attributes of the two objects match,
- // where "match" is defined in RFC 5280 sec. 7.1.
+ // Compare this CertPrincipal with |against|, returning true if they're
+ // equal enough to be a possible match. This should NOT be used for any
+ // security relevant decisions.
+ // TODO(rsleevi): Remove once Mac client auth uses NSS for name comparison.
bool Matches(const CertPrincipal& against) const;
+#endif
// Returns a name that can be used to represent the issuer. It tries in this
// order: CN, O and OU and returns the first non-empty one found.
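Review bot: The new comment on `Matches()` warns against security-relevant use but does not say what the comparison actually is, so a caller cannot tell what "equal enough" means. The string helper it relies on in x509_cert_types_mac.cc compares with plain `==` and still carries a TODO for the RFC 5280 sec. 7.1 rules. I would add `// Attributes are compared by exact, case-sensitive string equality; RFC 5280 sec. 7.1 normalization is not applied.` above the declaration. The enclosing struct starts and ends outside this hunk.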
@@ -86,9 +77,6 @@ struct CertPrincipal {
std::vector<std::string> domain_components;
};
-// Writes a human-readable description of a CertPrincipal, for debugging.
-std::ostream& operator<<(std::ostream& s, const CertPrincipal& p);
-
// This class is useful for maintaining policies about which certificates are
// permitted or forbidden for a particular purpose.
class CertPolicy {
diff --git a/net/base/x509_cert_types_mac.cc b/net/base/x509_cert_types_mac.cc
index 14d5eee..c672863 100644
--- a/net/base/x509_cert_types_mac.cc
+++ b/net/base/x509_cert_types_mac.cc
@@ -14,7 +14,9 @@
namespace net {
-static const CSSM_OID* kOIDs[] = {
+namespace {
+
+const CSSM_OID* kOIDs[] = {
&CSSMOID_CommonName,
&CSSMOID_LocalityName,
&CSSMOID_StateProvinceName,
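Review bot: `kOIDs` is declared as `const CSSM_OID* kOIDs[]`, which makes the pointed-to OIDs const but leaves the array slots themselves writable. The table maps attribute types to `CertPrincipal` fields by index, so it should be immutable: `const CSSM_OID* const kOIDs[] = {`. The initializer list continues past the end of this hunk.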
@@ -25,65 +27,6 @@ static const CSSM_OID* kOIDs[] = {
&CSSMOID_DNQualifier // This should be "DC" but is undoubtedly wrong.
}; // TODO(avi): Find the right OID.
-// Converts raw CSSM_DATA to a std::string. (Char encoding is unaltered.)
-static std::string DataToString(CSSM_DATA data);
-
-// Converts raw CSSM_DATA in ISO-8859-1 to a std::string in UTF-8.
-static std::string Latin1DataToUTF8String(CSSM_DATA data);
-
-// Converts big-endian UTF-16 to UTF-8 in a std::string.
-// Note: The byte-order flipping is done in place on the input buffer!
-static bool UTF16BigEndianToUTF8(char16* chars, size_t length,
- std::string* out_string);
-
-// Converts big-endian UTF-32 to UTF-8 in a std::string.
-// Note: The byte-order flipping is done in place on the input buffer!
-static bool UTF32BigEndianToUTF8(char32* chars, size_t length,
- std::string* out_string);
-
-// Adds a type+value pair to the appropriate vector from a C array.
-// The array is keyed by the matching OIDs from kOIDS[].
- static void AddTypeValuePair(const CSSM_OID type,
- const std::string& value,
- std::vector<std::string>* values[]);
-
-// Stores the first string of the vector, if any, to *single_value.
-static void SetSingle(const std::vector<std::string> &values,
- std::string* single_value);
-
-
-void CertPrincipal::Parse(const CSSM_X509_NAME* name) {
- std::vector<std::string> common_names, locality_names, state_names,
- country_names;
-
- std::vector<std::string>* values[] = {
- &common_names, &locality_names,
- &state_names, &country_names,
- &(this->street_addresses),
- &(this->organization_names),
- &(this->organization_unit_names),
- &(this->domain_components)
- };
- DCHECK(arraysize(kOIDs) == arraysize(values));
-
- for (size_t rdn = 0; rdn < name->numberOfRDNs; ++rdn) {
- CSSM_X509_RDN rdn_struct = name->RelativeDistinguishedName[rdn];
- for (size_t pair = 0; pair < rdn_struct.numberOfPairs; ++pair) {
- CSSM_X509_TYPE_VALUE_PAIR pair_struct =
- rdn_struct.AttributeTypeAndValue[pair];
- AddTypeValuePair(pair_struct.type,
- DataToString(pair_struct.value),
- values);
- }
- }
-
- SetSingle(common_names, &this->common_name);
- SetSingle(locality_names, &this->locality_name);
- SetSingle(state_names, &this->state_or_province_name);
- SetSingle(country_names, &this->country_name);
-}
-
-
// The following structs and templates work with Apple's very arcane and under-
// documented SecAsn1Parser API, which is apparently the same as NSS's ASN.1
// decoder:
@@ -108,7 +51,7 @@ struct KeyValuePair {
};
};
-static const SecAsn1Template kStringValueTemplate[] = {
+const SecAsn1Template kStringValueTemplate[] = {
{ SEC_ASN1_CHOICE, offsetof(KeyValuePair, value_type), },
{ SEC_ASN1_PRINTABLE_STRING,
offsetof(KeyValuePair, value), 0, KeyValuePair::kTypePrintableString },
@@ -125,7 +68,7 @@ static const SecAsn1Template kStringValueTemplate[] = {
{ 0, }
};
-static const SecAsn1Template kKeyValuePairTemplate[] = {
+const SecAsn1Template kKeyValuePairTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KeyValuePair) },
{ SEC_ASN1_OBJECT_ID, offsetof(KeyValuePair, key), },
{ SEC_ASN1_INLINE, 0, &kStringValueTemplate, },
@@ -136,8 +79,8 @@ struct KeyValuePairs {
KeyValuePair* pairs;
};
-static const SecAsn1Template kKeyValuePairSetTemplate[] = {
- { SEC_ASN1_SET_OF, offsetof(KeyValuePairs,pairs),
+const SecAsn1Template kKeyValuePairSetTemplate[] = {
+ { SEC_ASN1_SET_OF, offsetof(KeyValuePairs, pairs),
kKeyValuePairTemplate, sizeof(KeyValuePairs) }
};
@@ -145,11 +88,99 @@ struct X509Name {
KeyValuePairs** pairs_list;
};
-static const SecAsn1Template kNameTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, offsetof(X509Name,pairs_list),
+const SecAsn1Template kNameTemplate[] = {
+ { SEC_ASN1_SEQUENCE_OF, offsetof(X509Name, pairs_list),
kKeyValuePairSetTemplate, sizeof(X509Name) }
};
+// Converts raw CSSM_DATA to a std::string. (Char encoding is unaltered.)
+std::string DataToString(CSSM_DATA data) {
+ return std::string(
+ reinterpret_cast<std::string::value_type*>(data.Data),
+ data.Length);
+}
+
+// Converts raw CSSM_DATA in ISO-8859-1 to a std::string in UTF-8.
+std::string Latin1DataToUTF8String(CSSM_DATA data) {
+ string16 utf16;
+ if (!CodepageToUTF16(DataToString(data), base::kCodepageLatin1,
+ base::OnStringConversionError::FAIL, &utf16))
+ return "";
+ return UTF16ToUTF8(utf16);
+}
+
+// Converts big-endian UTF-16 to UTF-8 in a std::string.
+// Note: The byte-order flipping is done in place on the input buffer!
+bool UTF16BigEndianToUTF8(char16* chars, size_t length,
+ std::string* out_string) {
+ for (size_t i = 0; i < length; i++)
+ chars[i] = EndianU16_BtoN(chars[i]);
+ return UTF16ToUTF8(chars, length, out_string);
+}
+
+// Converts big-endian UTF-32 to UTF-8 in a std::string.
+// Note: The byte-order flipping is done in place on the input buffer!
+bool UTF32BigEndianToUTF8(char32* chars, size_t length,
+ std::string* out_string) {
+ for (size_t i = 0; i < length; ++i)
+ chars[i] = EndianS32_BtoN(chars[i]);
+#if defined(WCHAR_T_IS_UTF32)
+ return WideToUTF8(reinterpret_cast<const wchar_t*>(chars),
+ length, out_string);
+#else
+#error This code doesn't handle 16-bit wchar_t.
+#endif
+}
+
+// Adds a type+value pair to the appropriate vector from a C array.
+// The array is keyed by the matching OIDs from kOIDS[].
+void AddTypeValuePair(const CSSM_OID type,
+ const std::string& value,
+ std::vector<std::string>* values[]) {
+ for (size_t oid = 0; oid < arraysize(kOIDs); ++oid) {
+ if (CSSMOIDEqual(&type, kOIDs[oid])) {
+ values[oid]->push_back(value);
+ break;
+ }
+ }
+}
+
+// Stores the first string of the vector, if any, to *single_value.
+void SetSingle(const std::vector<std::string>& values,
+ std::string* single_value) {
+ // We don't expect to have more than one CN, L, S, and C.
+ LOG_IF(WARNING, values.size() > 1) << "Didn't expect multiple values";
+ if (values.size() > 0)
+ *single_value = values[0];
+}
+
+bool match(const std::string& str, const std::string& against) {
+ // TODO(snej): Use the full matching rules specified in RFC 5280 sec. 7.1
+ // including trimming and case-folding: <http://www.ietf.org/rfc/rfc5280.txt>.
+ return against == str;
+}
+
+bool match(const std::vector<std::string>& rdn1,
+ const std::vector<std::string>& rdn2) {
+ // "Two relative distinguished names RDN1 and RDN2 match if they have the
+ // same number of naming attributes and for each naming attribute in RDN1
+ // there is a matching naming attribute in RDN2." --RFC 5280 sec. 7.1.
+ if (rdn1.size() != rdn2.size())
+ return false;
+ for (unsigned i1 = 0; i1 < rdn1.size(); ++i1) {
+ unsigned i2;
+ for (i2 = 0; i2 < rdn2.size(); ++i2) {
+ if (match(rdn1[i1], rdn2[i2]))
+ break;
+ }
+ if (i2 == rdn2.size())
+ return false;
+ }
+ return true;
+}
+
+} // namespace
+
bool CertPrincipal::ParseDistinguishedName(const void* ber_name_data,
size_t length) {
DCHECK(ber_name_data);
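Review bot: The vector overload of `match()` is not symmetric when a list holds duplicates, because an element of `rdn2` can satisfy more than one element of `rdn1`. With equal sizes, {"a","a"} matches {"a","b"} but the reverse comparison fails, so `Matches()` can return true for principals whose multi-valued attributes differ. The header already rules out security decisions, but a candidate filter should still be order-independent; marking each `rdn2` entry as consumed fixes it and keeps the string comparison routed through the single-string `match()`, where the TODO normalization would go. `ParseDistinguishedName()` begins at the end of this hunk and continues outside it.

```cpp
bool match(const std::vector<std::string>& rdn1,
           const std::vector<std::string>& rdn2) {
  // … unchanged: RFC 5280 quote and size check …
  // Each entry of rdn2 may satisfy at most one entry of rdn1.
  std::vector<bool> used(rdn2.size(), false);
  for (size_t i1 = 0; i1 < rdn1.size(); ++i1) {
    size_t i2 = 0;
    for (; i2 < rdn2.size(); ++i2) {
      if (!used[i2] && match(rdn1[i1], rdn2[i2])) {
        used[i2] = true;
        break;
      }
    }
    if (i2 == rdn2.size())
      return false;
  }
  return true;
}
```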
@@ -182,7 +213,7 @@ bool CertPrincipal::ParseDistinguishedName(const void* ber_name_data,
};
DCHECK(arraysize(kOIDs) == arraysize(values));
- for (int rdn=0; name[rdn].pairs_list; ++rdn) {
+ for (int rdn = 0; name[rdn].pairs_list; ++rdn) {
KeyValuePair *pair;
for (int pair_index = 0;
NULL != (pair = name[rdn].pairs_list[0][pair_index].pairs);
@@ -235,59 +266,46 @@ bool CertPrincipal::ParseDistinguishedName(const void* ber_name_data,
return true;
}
+void CertPrincipal::Parse(const CSSM_X509_NAME* name) {
+ std::vector<std::string> common_names, locality_names, state_names,
+ country_names;
-// SUBROUTINES:
-
-static std::string DataToString(CSSM_DATA data) {
- return std::string(
- reinterpret_cast<std::string::value_type*>(data.Data),
- data.Length);
-}
-
-static std::string Latin1DataToUTF8String(CSSM_DATA data) {
- string16 utf16;
- if (!CodepageToUTF16(DataToString(data), base::kCodepageLatin1,
- base::OnStringConversionError::FAIL, &utf16))
- return "";
- return UTF16ToUTF8(utf16);
-}
-
-bool UTF16BigEndianToUTF8(char16* chars, size_t length,
- std::string* out_string) {
- for (size_t i = 0; i < length; i++)
- chars[i] = EndianU16_BtoN(chars[i]);
- return UTF16ToUTF8(chars, length, out_string);
-}
-
-bool UTF32BigEndianToUTF8(char32* chars, size_t length,
- std::string* out_string) {
- for (size_t i = 0; i < length; i++)
- chars[i] = EndianS32_BtoN(chars[i]);
-#if defined(WCHAR_T_IS_UTF32)
- return WideToUTF8(reinterpret_cast<const wchar_t*>(chars),
- length, out_string);
-#else
-#error This code doesn't handle 16-bit wchar_t.
-#endif
-}
+ std::vector<std::string>* values[] = {
+ &common_names, &locality_names,
+ &state_names, &country_names,
+ &(this->street_addresses),
+ &(this->organization_names),
+ &(this->organization_unit_names),
+ &(this->domain_components)
+ };
+ DCHECK(arraysize(kOIDs) == arraysize(values));
- static void AddTypeValuePair(const CSSM_OID type,
- const std::string& value,
- std::vector<std::string>* values[]) {
- for (size_t oid = 0; oid < arraysize(kOIDs); ++oid) {
- if (CSSMOIDEqual(&type, kOIDs[oid])) {
- values[oid]->push_back(value);
- break;
+ for (size_t rdn = 0; rdn < name->numberOfRDNs; ++rdn) {
+ CSSM_X509_RDN rdn_struct = name->RelativeDistinguishedName[rdn];
+ for (size_t pair = 0; pair < rdn_struct.numberOfPairs; ++pair) {
+ CSSM_X509_TYPE_VALUE_PAIR pair_struct =
+ rdn_struct.AttributeTypeAndValue[pair];
+ AddTypeValuePair(pair_struct.type,
+ DataToString(pair_struct.value),
+ values);
}
}
+
+ SetSingle(common_names, &this->common_name);
+ SetSingle(locality_names, &this->locality_name);
+ SetSingle(state_names, &this->state_or_province_name);
+ SetSingle(country_names, &this->country_name);
}
-static void SetSingle(const std::vector<std::string> &values,
- std::string* single_value) {
- // We don't expect to have more than one CN, L, S, and C.
- LOG_IF(WARNING, values.size() > 1) << "Didn't expect multiple values";
- if (values.size() > 0)
- *single_value = values[0];
+bool CertPrincipal::Matches(const CertPrincipal& against) const {
+ return match(common_name, against.common_name) &&
+ match(locality_name, against.locality_name) &&
+ match(state_or_province_name, against.state_or_province_name) &&
+ match(country_name, against.country_name) &&
+ match(street_addresses, against.street_addresses) &&
+ match(organization_names, against.organization_names) &&
+ match(organization_unit_names, against.organization_unit_names) &&
+ match(domain_components, against.domain_components);
}
} // namespace net
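Review bot: `CertPrincipal::Parse()` copies every attribute value through `DataToString()`, which leaves the character encoding unaltered, and never looks at `pair_struct.valueType`. A name that carries a BMPString or another non-UTF-8 string type would put raw bytes into fields that `Matches()` then compares with `==` against values from `ParseDistinguishedName()`, which presumably converts by type (most of its body is outside this view). At minimum I would document this above the `AddTypeValuePair` call with `// Values are stored as raw bytes; pair_struct.valueType is not consulted.`. `name` is also dereferenced without the `DCHECK` that `ParseDistinguishedName()` applies to its pointer argument; `DCHECK(name);` at the top would match.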
diff --git a/net/base/x509_cert_types_unittest.cc b/net/base/x509_cert_types_mac_unittest.cc
index 50012b1..e4809b0 100644
--- a/net/base/x509_cert_types_unittest.cc
+++ b/net/base/x509_cert_types_mac_unittest.cc
@@ -2,6 +2,7 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
+#include "base/basictypes.h"
#include "net/base/x509_cert_types.h"
#include "testing/gtest/include/gtest/gtest.h"
@@ -249,8 +250,6 @@ TEST(X509TypesTest, Matching) {
EXPECT_FALSE(spamco.Matches(bogus));
}
-#if defined(OS_MACOSX) // ParseDistinguishedName not implemented for Win/Linux
-
TEST(X509TypesTest, ParseDNVerisign) {
CertPrincipal verisign;
EXPECT_TRUE(verisign.ParseDistinguishedName(VerisignDN, sizeof(VerisignDN)));
@@ -339,6 +338,4 @@ TEST(X509TypesTest, ParseDNEntrust) {
entrust.organization_unit_names[1]);
}
-#endif
-
-}
+} // namespace net
diff --git a/net/base/x509_certificate.cc b/net/base/x509_certificate.cc
index 310defb..7385743 100644
--- a/net/base/x509_certificate.cc
+++ b/net/base/x509_certificate.cc
@@ -9,6 +9,7 @@
#include "base/lazy_instance.h"
#include "base/logging.h"
#include "base/metrics/histogram.h"
+#include "base/singleton.h"
#include "base/string_piece.h"
#include "base/time.h"
#include "net/base/pem_tokenizer.h"
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h
index 9f44952..c0342a1 100644
--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
@@ -23,6 +23,8 @@
#elif defined(OS_MACOSX)
#include <CoreFoundation/CFArray.h>
#include <Security/SecBase.h>
+
+#include "base/lock.h"
#elif defined(USE_OPENSSL)
// Forward declaration; real one in <x509.h>
struct x509_st;
diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index 2a604ee..5a5d457c 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -11,6 +11,7 @@
#include "base/lazy_instance.h"
#include "base/logging.h"
#include "base/pickle.h"
+#include "base/singleton.h"
#include "base/mac/scoped_cftyperef.h"
#include "base/sys_string_conversions.h"
#include "net/base/cert_status_flags.h"
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index 9e018fd..75cdf40 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -6,6 +6,7 @@
#include "base/logging.h"
#include "base/pickle.h"
+#include "base/singleton.h"
#include "base/string_tokenizer.h"
#include "base/string_util.h"
#include "base/utf_string_conversions.h"
diff --git a/net/net.gyp b/net/net.gyp
index b9e3776..71d7231 100644
--- a/net/net.gyp
+++ b/net/net.gyp
@@ -862,7 +862,7 @@
'base/test_completion_callback_unittest.cc',
'base/upload_data_stream_unittest.cc',
'base/x509_certificate_unittest.cc',
- 'base/x509_cert_types_unittest.cc',
+ 'base/x509_cert_types_mac_unittest.cc',
'base/x509_openssl_util_unittest.cc',
'disk_cache/addr_unittest.cc',
'disk_cache/backend_unittest.cc',
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 3234320..cefe630 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -47,12 +47,6 @@
#include "net/socket/ssl_client_socket_nss.h"
-#if defined(USE_SYSTEM_SSL)
-#include <dlfcn.h>
-#endif
-#if defined(OS_MACOSX)
-#include <Security/Security.h>
-#endif
#include <certdb.h>
#include <hasht.h>
#include <keyhi.h>
@@ -97,6 +91,18 @@
#include "net/socket/ssl_error_params.h"
#include "net/socket/ssl_host_info.h"
+#if defined(USE_SYSTEM_SSL)
+#include <dlfcn.h>
+#endif
+#if defined(OS_WIN)
+#include <windows.h>
+#include <wincrypt.h>
+#elif defined(OS_MACOSX)
+#include <Security/SecBase.h>
+#include <Security/SecCertificate.h>
+#include <Security/SecIdentity.h>
+#endif
+
static const int kRecvBufferSize = 4096;
// kCorkTimeoutMs is the number of milliseconds for which we'll wait for a
diff --git a/net/socket_stream/socket_stream_job.cc b/net/socket_stream/socket_stream_job.cc
index 0913015..8d1da73 100644
--- a/net/socket_stream/socket_stream_job.cc
+++ b/net/socket_stream/socket_stream_job.cc
@@ -4,6 +4,7 @@
#include "net/socket_stream/socket_stream_job.h"
+#include "base/singleton.h"
#include "net/socket_stream/socket_stream_job_manager.h"
namespace net {
diff --git a/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp b/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp
index 35170cc..aae8d90 100644
--- a/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp
+++ b/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp
@@ -45,6 +45,7 @@
#include "base/crypto/scoped_nss_types.h"
#include "base/logging.h"
#include "base/nss_util_internal.h"
+#include "base/singleton.h"
#include "base/string_util.h"
#include "net/base/net_errors.h"
#include "net/base/x509_certificate.h"