split out CertUtils and (Peer|Self)CertImpl from Certificate.h

Summary: As part of the ongoing work to create a version of fizz that does depend on OpenSSL, this diff begins the refactors of `Certificate.h`. In this diff: - since `CertUtils`, `PeerCertImpl` and `SelfCertImpl` need to depend on OpenSSL, move them to different translation units than the `PeerCert` and `SelfCert` interfaces - rename `(Peer|Self)CertImpl` to `OpenSSL(Peer|Self)CertImpl` Main changes are in: - `protocol/Certificate.h` and `.cpp`, deleted `-inl.h` - `protocol/OpenSSLSelfCertImpl.h` and `-inl.h` (split from Certificate.h and renamed from SelfCertImpl) - `protocol/OpenSSLPeerCertImpl.h` and `-inl.h` (split from Certificate.h and renamed from PeerCertImpl) - `protocol/CertUtils.h`, `.cpp`and`-inl.h` (Split from Certificate.h) - `protocol/TARGETS` and `BUCK` - new targets `protocol:cert_utils`, `protocol:openssl_self_cert_impl`, `protocol:openssl_peer_cert_impl` - added new includes and targets to various dependencies. In the next diff, we'll use a compler flag `#if` guard the PeerCert and SelfCert interfaces to conditionally inherit from OpenSSL. This makes it so that the `Factory` interface and `ClientProtocol` do not need to depend on OpenSSL. We'll also create a buck config to conditionally select the openssl depednencies (and pass in the compiler flag). Reviewed By: mingtaoy Differential Revision: D51866623 fbshipit-source-id: d91cc4a39cabc2ac6879f16845ab8a7487d64c11
facebookincubator · Jan 12, 2024 · 735a20f · 735a20f
1 parent 0956733
commit 735a20f
Show file tree

Hide file tree

Showing 40 changed files with 949 additions and 788 deletions.
diff --git a/fizz/CMakeLists.txt b/fizz/CMakeLists.txt
@@ -220,6 +220,7 @@ set(FIZZ_SOURCES
   protocol/Events.cpp
   protocol/KeyScheduler.cpp
   protocol/Certificate.cpp
+  protocol/CertUtils.cpp
   protocol/OpenSSLFactory.cpp
   protocol/Params.cpp
   protocol/clock/SystemClock.cpp

diff --git a/fizz/client/PskSerializationUtils.cpp b/fizz/client/PskSerializationUtils.cpp
@@ -3,6 +3,7 @@
 #include "fizz/client/PskSerializationUtils.h"
 
 #include <fizz/record/Types.h>
+#include <folly/ssl/OpenSSLCertUtils.h>
 
 using namespace folly;
 

diff --git a/fizz/experimental/batcher/test/BatcherTest.cpp b/fizz/experimental/batcher/test/BatcherTest.cpp
@@ -10,6 +10,8 @@
 #include <fizz/experimental/batcher/Batcher.h>
 #include <fizz/experimental/client/BatchSignaturePeerCert.h>
 #include <fizz/experimental/server/BatchSignatureAsyncSelfCert.h>
+#include <fizz/protocol/OpenSSLPeerCertImpl.h>
+#include <fizz/protocol/OpenSSLSelfCertImpl.h>
 #include <fizz/server/State.h>
 #include <fizz/server/test/Mocks.h>
 #include <folly/portability/GTest.h>
@@ -56,7 +58,7 @@ TEST(BatchSignatureTest, TestSynchronizedBatcherSingleThread) {
   useMockRandom();
   std::vector<folly::ssl::X509UniquePtr> certs;
   certs.emplace_back(getCert(kRSACertificate));
-  auto certificate = std::make_shared<SelfCertImpl<KeyType::RSA>>(
+  auto certificate = std::make_shared<OpenSSLSelfCertImpl<KeyType::RSA>>(
       getPrivateKey(kRSAKey), std::move(certs));
 
   auto batcher = std::make_shared<SynchronizedBatcher<Sha256>>(
@@ -89,7 +91,7 @@ TEST(BatchSignatureTest, TestSynchronizedBatcherMultiThread) {
   size_t numMsgThreshold = 3;
   std::vector<folly::ssl::X509UniquePtr> certs;
   certs.emplace_back(getCert(kRSACertificate));
-  auto certificate = std::make_shared<SelfCertImpl<KeyType::RSA>>(
+  auto certificate = std::make_shared<OpenSSLSelfCertImpl<KeyType::RSA>>(
       getPrivateKey(kRSAKey), std::move(certs));
 
   auto batcher = std::make_shared<SynchronizedBatcher<Sha256>>(
@@ -122,7 +124,7 @@ TEST(BatchSignatureTest, TestSynchronizedBatcherWithSelfCertP256) {
   size_t numMsgThreshold = 3;
   std::vector<folly::ssl::X509UniquePtr> certs;
   certs.emplace_back(getCert(kP256Certificate));
-  auto certificate = std::make_shared<SelfCertImpl<KeyType::P256>>(
+  auto certificate = std::make_shared<OpenSSLSelfCertImpl<KeyType::P256>>(
       getPrivateKey(kP256Key), std::move(certs));
   auto batcher = std::make_shared<SynchronizedBatcher<Sha256>>(
       numMsgThreshold, certificate, CertificateVerifyContext::Server);
@@ -150,8 +152,8 @@ TEST(BatchSignatureTest, TestSynchronizedBatcherWithSelfCertP256) {
   }
 
   // verify
-  auto peerCert =
-      std::make_shared<PeerCertImpl<KeyType::P256>>(getCert(kP256Certificate));
+  auto peerCert = std::make_shared<OpenSSLPeerCertImpl<KeyType::P256>>(
+      getCert(kP256Certificate));
   BatchSignaturePeerCert batchPeerCert(peerCert);
   for (size_t i = 0; i < results.size(); i++) {
     batchPeerCert.verify(
@@ -167,7 +169,7 @@ TEST(BatchSignatureTest, TestThreadLocalBatcher) {
 
   std::vector<folly::ssl::X509UniquePtr> certs;
   certs.emplace_back(getCert(kRSACertificate));
-  auto certificate = std::make_shared<SelfCertImpl<KeyType::RSA>>(
+  auto certificate = std::make_shared<OpenSSLSelfCertImpl<KeyType::RSA>>(
       getPrivateKey(kRSAKey), std::move(certs));
   auto batcher = std::make_shared<ThreadLocalBatcher<Sha256>>(
       2, certificate, CertificateVerifyContext::Server);
@@ -202,7 +204,7 @@ TEST(BatchSignatureTest, TestThreadLocalBatcher) {
 TEST(BatchSignatureTest, TestThreadLocalBatcherWithSelfCertP256) {
   std::vector<folly::ssl::X509UniquePtr> certs;
   certs.emplace_back(getCert(kP256Certificate));
-  auto certificate = std::make_shared<SelfCertImpl<KeyType::P256>>(
+  auto certificate = std::make_shared<OpenSSLSelfCertImpl<KeyType::P256>>(
       getPrivateKey(kP256Key), std::move(certs));
   auto batcher = std::make_shared<ThreadLocalBatcher<Sha256>>(
       3, certificate, CertificateVerifyContext::Server);
@@ -248,8 +250,8 @@ TEST(BatchSignatureTest, TestThreadLocalBatcherWithSelfCertP256) {
     t.join();
   }
   // verify
-  auto peerCert =
-      std::make_shared<PeerCertImpl<KeyType::P256>>(getCert(kP256Certificate));
+  auto peerCert = std::make_shared<OpenSSLPeerCertImpl<KeyType::P256>>(
+      getCert(kP256Certificate));
   BatchSignaturePeerCert batchPeerCert(peerCert);
   for (size_t i = 0; i < results.size(); i++) {
     batchPeerCert.verify(

diff --git a/fizz/experimental/client/test/BatchSignaturePeerCertTest.cpp b/fizz/experimental/client/test/BatchSignaturePeerCertTest.cpp
@@ -10,6 +10,8 @@
 #include <fizz/experimental/batcher/Batcher.h>
 #include <fizz/experimental/client/BatchSignaturePeerCert.h>
 #include <fizz/experimental/server/BatchSignatureAsyncSelfCert.h>
+#include <fizz/protocol/OpenSSLPeerCertImpl.h>
+#include <fizz/protocol/OpenSSLSelfCertImpl.h>
 #include <fizz/protocol/test/Mocks.h>
 #include <folly/executors/ManualExecutor.h>
 #include <folly/portability/GTest.h>
@@ -58,7 +60,7 @@ TEST(BatchSignaturePeerCertTest, TestSignVerifyP256) {
   // sign
   std::vector<folly::ssl::X509UniquePtr> certs;
   certs.emplace_back(getCert(kP256Certificate));
-  auto certificate = std::make_shared<SelfCertImpl<KeyType::P256>>(
+  auto certificate = std::make_shared<OpenSSLSelfCertImpl<KeyType::P256>>(
       getPrivateKey(kP256Key), std::move(certs));
   auto batcher = std::make_shared<SynchronizedBatcher<Sha256>>(
       1, certificate, CertificateVerifyContext::Server);
@@ -71,8 +73,8 @@ TEST(BatchSignaturePeerCertTest, TestSignVerifyP256) {
   executor.drain();
 
   // verify
-  auto peerCert =
-      std::make_shared<PeerCertImpl<KeyType::P256>>(getCert(kP256Certificate));
+  auto peerCert = std::make_shared<OpenSSLPeerCertImpl<KeyType::P256>>(
+      getCert(kP256Certificate));
   BatchSignaturePeerCert batchPeerCert(peerCert);
   batchPeerCert.verify(
       SignatureScheme::ecdsa_secp256r1_sha256_batch,
@@ -96,7 +98,7 @@ TEST(BatchSignaturePeerCertTest, TestSignVerifyRSA) {
   // sign
   std::vector<folly::ssl::X509UniquePtr> certs;
   certs.emplace_back(getCert(kRSACertificate));
-  auto certificate = std::make_shared<SelfCertImpl<KeyType::RSA>>(
+  auto certificate = std::make_shared<OpenSSLSelfCertImpl<KeyType::RSA>>(
       getPrivateKey(kRSAKey), std::move(certs));
   auto batcher = std::make_shared<SynchronizedBatcher<Sha256>>(
       1, certificate, CertificateVerifyContext::Server);
@@ -109,8 +111,8 @@ TEST(BatchSignaturePeerCertTest, TestSignVerifyRSA) {
   executor.drain();
 
   // verify
-  auto peerCert =
-      std::make_shared<PeerCertImpl<KeyType::RSA>>(getCert(kRSACertificate));
+  auto peerCert = std::make_shared<OpenSSLPeerCertImpl<KeyType::RSA>>(
+      getCert(kRSACertificate));
   BatchSignaturePeerCert batchPeerCert(peerCert);
   batchPeerCert.verify(
       SignatureScheme::rsa_pss_sha256_batch,
@@ -134,7 +136,7 @@ TEST(BatchSignaturePeerCertTest, TestWrongBatchSignature) {
   // sign
   std::vector<folly::ssl::X509UniquePtr> certs;
   certs.emplace_back(getCert(kP256Certificate));
-  auto certificate = std::make_shared<SelfCertImpl<KeyType::P256>>(
+  auto certificate = std::make_shared<OpenSSLSelfCertImpl<KeyType::P256>>(
       getPrivateKey(kP256Key), std::move(certs));
   auto batcher = std::make_shared<SynchronizedBatcher<Sha256>>(
       1, certificate, CertificateVerifyContext::Server);
@@ -147,8 +149,8 @@ TEST(BatchSignaturePeerCertTest, TestWrongBatchSignature) {
   executor.drain();
   auto signatureBuf = *std::move(signature).get();
 
-  auto peerCert =
-      std::make_shared<PeerCertImpl<KeyType::P256>>(getCert(kP256Certificate));
+  auto peerCert = std::make_shared<OpenSSLPeerCertImpl<KeyType::P256>>(
+      getCert(kP256Certificate));
   BatchSignaturePeerCert batchPeerCert(peerCert);
   // normal verify
   EXPECT_NO_THROW(batchPeerCert.verify(

diff --git a/fizz/experimental/ktls/test/AsyncFizzBaseKTLSTest.cpp b/fizz/experimental/ktls/test/AsyncFizzBaseKTLSTest.cpp
@@ -17,6 +17,7 @@
 #include <fizz/client/SynchronizedLruPskCache.h>
 #include <fizz/crypto/test/TestUtil.h>
 #include <fizz/experimental/ktls/AsyncFizzBaseKTLS.h>
+#include <fizz/protocol/CertUtils.h>
 #include <fizz/protocol/Certificate.h>
 #include <fizz/protocol/test/Mocks.h>
 #include <fizz/server/AeadTicketCipher.h>

diff --git a/fizz/experimental/server/test/BatchSignatureAsyncSelfCertTest.cpp b/fizz/experimental/server/test/BatchSignatureAsyncSelfCertTest.cpp
@@ -9,6 +9,8 @@
 #include <fizz/crypto/test/TestUtil.h>
 #include <fizz/experimental/batcher/Batcher.h>
 #include <fizz/experimental/server/BatchSignatureAsyncSelfCert.h>
+#include <fizz/protocol/OpenSSLPeerCertImpl.h>
+#include <fizz/protocol/OpenSSLSelfCertImpl.h>
 #include <fizz/protocol/test/Mocks.h>
 #include <fizz/server/test/Mocks.h>
 #include <folly/portability/GTest.h>
@@ -117,7 +119,7 @@ TEST(BatchSignatureAsyncSelfCertTest, TestSignAndVerifyP256) {
   // sign
   std::vector<folly::ssl::X509UniquePtr> certs;
   certs.emplace_back(getCert(kP256Certificate));
-  auto certificate = std::make_shared<SelfCertImpl<KeyType::P256>>(
+  auto certificate = std::make_shared<OpenSSLSelfCertImpl<KeyType::P256>>(
       getPrivateKey(kP256Key), std::move(certs));
   auto batcher = std::make_shared<SynchronizedBatcher<Sha256>>(
       1, certificate, CertificateVerifyContext::Server);
@@ -128,7 +130,7 @@ TEST(BatchSignatureAsyncSelfCertTest, TestSignAndVerifyP256) {
       SignatureScheme::ecdsa_secp256r1_sha256,
       CertificateVerifyContext::Server,
       folly::IOBuf::copyBuffer(folly::StringPiece("Message1")));
-  PeerCertImpl<KeyType::P256> peerCert(getCert(kP256Certificate));
+  OpenSSLPeerCertImpl<KeyType::P256> peerCert(getCert(kP256Certificate));
   peerCert.verify(
       SignatureScheme::ecdsa_secp256r1_sha256,
       CertificateVerifyContext::Server,
@@ -154,7 +156,7 @@ TEST(BatchSignatureAsyncSelfCertTest, TestSignAndVerifyRSA) {
   // sign
   std::vector<folly::ssl::X509UniquePtr> certs;
   certs.emplace_back(getCert(kRSACertificate));
-  auto certificate = std::make_shared<SelfCertImpl<KeyType::RSA>>(
+  auto certificate = std::make_shared<OpenSSLSelfCertImpl<KeyType::RSA>>(
       getPrivateKey(kRSAKey), std::move(certs));
   auto batcher = std::make_shared<SynchronizedBatcher<Sha256>>(
       1, certificate, CertificateVerifyContext::Server);
@@ -165,7 +167,7 @@ TEST(BatchSignatureAsyncSelfCertTest, TestSignAndVerifyRSA) {
       SignatureScheme::rsa_pss_sha256,
       CertificateVerifyContext::Server,
       folly::IOBuf::copyBuffer(folly::StringPiece("Message1")));
-  PeerCertImpl<KeyType::RSA> peerCert(getCert(kRSACertificate));
+  OpenSSLPeerCertImpl<KeyType::RSA> peerCert(getCert(kRSACertificate));
   peerCert.verify(
       SignatureScheme::rsa_pss_sha256,
       CertificateVerifyContext::Server,
@@ -191,7 +193,7 @@ TEST(BatchSignatureAsyncSelfCertTest, TestUnsuportedHash) {
   // sign
   std::vector<folly::ssl::X509UniquePtr> certs;
   certs.emplace_back(getCert(kP384Certificate));
-  auto certificate = std::make_shared<SelfCertImpl<KeyType::P384>>(
+  auto certificate = std::make_shared<OpenSSLSelfCertImpl<KeyType::P384>>(
       getPrivateKey(kP384Key), std::move(certs));
   auto batcher = std::make_shared<SynchronizedBatcher<Sha256>>(
       1, certificate, CertificateVerifyContext::Server);

diff --git a/fizz/extensions/delegatedcred/DelegatedCredentialUtils.cpp b/fizz/extensions/delegatedcred/DelegatedCredentialUtils.cpp
@@ -6,6 +6,7 @@
  *  LICENSE file in the root directory of this source tree.
  */
 #include <fizz/extensions/delegatedcred/DelegatedCredentialUtils.h>
+#include <fizz/protocol/CertUtils.h>
 #include <folly/ssl/OpenSSLCertUtils.h>
 
 namespace fizz {

diff --git a/fizz/extensions/delegatedcred/PeerDelegatedCredential-inl.h b/fizz/extensions/delegatedcred/PeerDelegatedCredential-inl.h
@@ -15,7 +15,8 @@ PeerDelegatedCredential<T>::PeerDelegatedCredential(
     folly::ssl::X509UniquePtr cert,
     folly::ssl::EvpPkeyUniquePtr pubKey,
     DelegatedCredential credential)
-    : PeerCertImpl<T>(std::move(cert)), credential_(std::move(credential)) {
+    : OpenSSLPeerCertImpl<T>(std::move(cert)),
+      credential_(std::move(credential)) {
   this->signature_.setKey(std::move(pubKey));
 }
 
@@ -33,11 +34,12 @@ void PeerDelegatedCredential<T>::verify(
   }
 
   // Verify signature
-  auto parentCert =
-      std::make_unique<PeerCertImpl<T>>(PeerCertImpl<T>::getX509());
+  auto parentCert = std::make_unique<OpenSSLPeerCertImpl<T>>(
+      OpenSSLPeerCertImpl<T>::getX509());
   auto credSignBuf = DelegatedCredentialUtils::prepareSignatureBuffer(
       credential_,
-      folly::ssl::OpenSSLCertUtils::derEncode(*PeerCertImpl<T>::getX509()));
+      folly::ssl::OpenSSLCertUtils::derEncode(
+          *OpenSSLPeerCertImpl<T>::getX509()));
 
   try {
     parentCert->verify(
@@ -53,7 +55,7 @@ void PeerDelegatedCredential<T>::verify(
   }
 
   // Call the parent verify method
-  PeerCertImpl<T>::verify(
+  OpenSSLPeerCertImpl<T>::verify(
       scheme, context, std::move(toBeSigned), std::move(signature));
 }
 

diff --git a/fizz/extensions/delegatedcred/PeerDelegatedCredential.h b/fizz/extensions/delegatedcred/PeerDelegatedCredential.h
@@ -9,13 +9,13 @@
 #pragma once
 
 #include <fizz/extensions/delegatedcred/Types.h>
-#include <fizz/protocol/Certificate.h>
+#include <fizz/protocol/OpenSSLPeerCertImpl.h>
 
 namespace fizz {
 namespace extensions {
 
 template <KeyType T>
-class PeerDelegatedCredential : public PeerCertImpl<T> {
+class PeerDelegatedCredential : public OpenSSLPeerCertImpl<T> {
  public:
   explicit PeerDelegatedCredential(
       folly::ssl::X509UniquePtr cert,

diff --git a/fizz/extensions/delegatedcred/SelfDelegatedCredential-inl.h b/fizz/extensions/delegatedcred/SelfDelegatedCredential-inl.h
@@ -16,7 +16,7 @@ template <KeyType T>
 SelfDelegatedCredentialImpl<T>::InternalSelfCert::InternalSelfCert(
     std::vector<folly::ssl::X509UniquePtr> certs,
     folly::ssl::EvpPkeyUniquePtr privateKey)
-    : SelfCertImpl<T>(std::move(certs)) {
+    : OpenSSLSelfCertImpl<T>(std::move(certs)) {
   if (certs_.empty()) {
     throw std::runtime_error("Must supply at least 1 cert");
   }

diff --git a/fizz/extensions/delegatedcred/SelfDelegatedCredential.h b/fizz/extensions/delegatedcred/SelfDelegatedCredential.h
@@ -8,7 +8,7 @@
 
 #pragma once
 #include <fizz/extensions/delegatedcred/Types.h>
-#include <fizz/protocol/Certificate.h>
+#include <fizz/protocol/OpenSSLSelfCertImpl.h>
 
 namespace fizz {
 namespace extensions {
@@ -25,10 +25,11 @@ class SelfDelegatedCredential : public SelfCert {
 //
 // The inheritance is a bit funny cause we want to derive from SelfCert directly
 // to inherit the pure virtual base (for tests) but we also want the
-// implementation to inherit from SelfCertImpl (to share logic). To achieve that
-// without diamond inheritance, the implementation class derives from the
-// interface, and it has an internal private class that derives from the
-// corresponding SelfCertImpl class to provide the implementation logic.
+// implementation to inherit from OpenSSLSelfCertImpl (to share logic). To
+// achieve that without diamond inheritance, the implementation class derives
+// from the interface, and it has an internal private class that derives from
+// the corresponding OpenSSLSelfCertImpl class to provide the implementation
+// logic.
 template <KeyType T>
 class SelfDelegatedCredentialImpl : public SelfDelegatedCredential {
  public:
@@ -63,15 +64,15 @@ class SelfDelegatedCredentialImpl : public SelfDelegatedCredential {
   const DelegatedCredential& getDelegatedCredential() const override;
 
  private:
-  class InternalSelfCert : public SelfCertImpl<T> {
+  class InternalSelfCert : public OpenSSLSelfCertImpl<T> {
    public:
     ~InternalSelfCert() override = default;
 
     InternalSelfCert(
         std::vector<folly::ssl::X509UniquePtr> certs,
         folly::ssl::EvpPkeyUniquePtr privateKey);
-    using SelfCertImpl<T>::certs_;
-    using SelfCertImpl<T>::signature_;
+    using OpenSSLSelfCertImpl<T>::certs_;
+    using OpenSSLSelfCertImpl<T>::signature_;
   };
   InternalSelfCert selfCertImpl_;
   DelegatedCredential credential_;

diff --git a/fizz/extensions/delegatedcred/test/DelegatedCredentialFactoryTest.cpp b/fizz/extensions/delegatedcred/test/DelegatedCredentialFactoryTest.cpp
@@ -13,6 +13,7 @@
 #include <fizz/crypto/test/TestUtil.h>
 #include <fizz/extensions/delegatedcred/DelegatedCredentialFactory.h>
 #include <fizz/extensions/delegatedcred/PeerDelegatedCredential.h>
+#include <fizz/protocol/OpenSSLPeerCertImpl.h>
 #include <fizz/protocol/clock/test/Mocks.h>
 
 using namespace folly;
@@ -144,7 +145,7 @@ TEST_F(DelegatedCredentialFactoryTest, TestCredentialParsingNonLeaf) {
   auto entry = generateEntry();
   auto cert = factory_.makePeerCert(std::move(entry), false);
   EXPECT_TRUE(cert);
-  EXPECT_TRUE(typeid(*cert) == typeid(PeerCertImpl<KeyType::P256>));
+  EXPECT_TRUE(typeid(*cert) == typeid(OpenSSLPeerCertImpl<KeyType::P256>));
 }
 
 TEST_F(DelegatedCredentialFactoryTest, TestCredentialNoX509Extension) {
@@ -195,7 +196,7 @@ TEST_F(DelegatedCredentialFactoryTest, TestCredentialNoCertEntryExtension) {
   entry.extensions.clear();
   auto cert = factory_.makePeerCert(std::move(entry), true);
   EXPECT_TRUE(cert);
-  EXPECT_TRUE(typeid(*cert) == typeid(PeerCertImpl<KeyType::P256>));
+  EXPECT_TRUE(typeid(*cert) == typeid(OpenSSLPeerCertImpl<KeyType::P256>));
 }
 
 TEST_F(DelegatedCredentialFactoryTest, TestCertExpiredCredential) {

diff --git a/fizz/extensions/delegatedcred/test/SelfDelegatedCredentialTest.cpp b/fizz/extensions/delegatedcred/test/SelfDelegatedCredentialTest.cpp
@@ -14,6 +14,7 @@
 #include <fizz/crypto/test/TestUtil.h>
 #include <fizz/extensions/delegatedcred/DelegatedCredentialUtils.h>
 #include <fizz/extensions/delegatedcred/SelfDelegatedCredential.h>
+#include <fizz/protocol/OpenSSLSelfCertImpl.h>
 
 using namespace folly;
 
@@ -52,8 +53,8 @@ class SelfDelegatedCredentialTest : public Test {
  public:
   void SetUp() override {
     CryptoUtils::init();
-    parentCert_ =
-        std::make_unique<SelfCertImpl<KeyType::P256>>(getKey(), getCertVec());
+    parentCert_ = std::make_unique<OpenSSLSelfCertImpl<KeyType::P256>>(
+        getKey(), getCertVec());
   }
 
 #if FIZZ_OPENSSL_HAS_ED25519
@@ -208,7 +209,7 @@ class SelfDelegatedCredentialTest : public Test {
     return cred;
   }
 
-  std::unique_ptr<SelfCertImpl<KeyType::P256>> parentCert_;
+  std::unique_ptr<OpenSSLSelfCertImpl<KeyType::P256>> parentCert_;
 };
 
 TEST_F(SelfDelegatedCredentialTest, TestConstruction) {

diff --git a/fizz/extensions/exportedauth/ExportedAuthenticator.cpp b/fizz/extensions/exportedauth/ExportedAuthenticator.cpp
@@ -8,6 +8,7 @@
 
 #include <fizz/extensions/exportedauth/ExportedAuthenticator.h>
 #include <fizz/extensions/exportedauth/Util.h>
+#include <fizz/protocol/CertUtils.h>
 #include <fizz/protocol/OpenSSLFactory.h>
 
 namespace fizz {