Move chain building/verification out of X509Certificate

net/base/x509_certificate_win.cc

Index: net/base/x509_certificate_win.cc
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index 336a7e58427f98ad51e95cd960446258f8853e33..8bacb76f770a9a41bb4c2a5b43119b2527b91c1e 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -6,14 +6,10 @@
 
 #include "base/logging.h"
 #include "base/pickle.h"
+#include "base/scoped_ptr.h"
 #include "base/string_tokenizer.h"
 #include "base/string_util.h"
 #include "base/utf_string_conversions.h"
-#include "net/base/cert_status_flags.h"
-#include "net/base/cert_verify_result.h"
-#include "net/base/ev_root_ca_metadata.h"
-#include "net/base/net_errors.h"
-#include "net/base/scoped_cert_chain_context.h"
 
 #pragma comment(lib, "crypt32.lib")
 
@@ -23,112 +19,6 @@ namespace net {
 
 namespace {
 
-//-----------------------------------------------------------------------------
-
-// TODO(wtc): This is a copy of the MapSecurityError function in
-// ssl_client_socket_win.cc.  Another function that maps Windows error codes
-// to our network error codes is WinInetUtil::OSErrorToNetError.  We should
-// eliminate the code duplication.
-int MapSecurityError(SECURITY_STATUS err) {
-  // There are numerous security error codes, but these are the ones we thus
-  // far find interesting.
-  switch (err) {
-    case SEC_E_WRONG_PRINCIPAL:  // Schannel
-    case CERT_E_CN_NO_MATCH:  // CryptoAPI
-      return ERR_CERT_COMMON_NAME_INVALID;
-    case SEC_E_UNTRUSTED_ROOT:  // Schannel
-    case CERT_E_UNTRUSTEDROOT:  // CryptoAPI
-      return ERR_CERT_AUTHORITY_INVALID;
-    case SEC_E_CERT_EXPIRED:  // Schannel
-    case CERT_E_EXPIRED:  // CryptoAPI
-      return ERR_CERT_DATE_INVALID;
-    case CRYPT_E_NO_REVOCATION_CHECK:
-      return ERR_CERT_NO_REVOCATION_MECHANISM;
-    case CRYPT_E_REVOCATION_OFFLINE:
-      return ERR_CERT_UNABLE_TO_CHECK_REVOCATION;
-    case CRYPT_E_REVOKED:  // Schannel and CryptoAPI
-      return ERR_CERT_REVOKED;
-    case SEC_E_CERT_UNKNOWN:
-    case CERT_E_ROLE:
-      return ERR_CERT_INVALID;
-    case CERT_E_WRONG_USAGE:
-      // TODO(wtc): Should we add ERR_CERT_WRONG_USAGE?
-      return ERR_CERT_INVALID;
-    // We received an unexpected_message or illegal_parameter alert message
-    // from the server.
-    case SEC_E_ILLEGAL_MESSAGE:
-      return ERR_SSL_PROTOCOL_ERROR;
-    case SEC_E_ALGORITHM_MISMATCH:
-      return ERR_SSL_VERSION_OR_CIPHER_MISMATCH;
-    case SEC_E_INVALID_HANDLE:
-      return ERR_UNEXPECTED;
-    case SEC_E_OK:
-      return OK;
-    default:
-      LOG(WARNING) << "Unknown error " << err << " mapped to net::ERR_FAILED";
-      return ERR_FAILED;
-  }
-}
-
-// Map the errors in the chain_context->TrustStatus.dwErrorStatus returned by
-// CertGetCertificateChain to our certificate status flags.
-int MapCertChainErrorStatusToCertStatus(DWORD error_status) {
-  int cert_status = 0;
-
-  // CERT_TRUST_IS_NOT_TIME_NESTED means a subject certificate's time validity
-  // does not nest correctly within its issuer's time validity.
-  const DWORD kDateInvalidErrors = CERT_TRUST_IS_NOT_TIME_VALID |
-                                   CERT_TRUST_IS_NOT_TIME_NESTED |
-                                   CERT_TRUST_CTL_IS_NOT_TIME_VALID;
-  if (error_status & kDateInvalidErrors)
-    cert_status |= CERT_STATUS_DATE_INVALID;
-
-  const DWORD kAuthorityInvalidErrors = CERT_TRUST_IS_UNTRUSTED_ROOT |
-                                        CERT_TRUST_IS_EXPLICIT_DISTRUST |
-                                        CERT_TRUST_IS_PARTIAL_CHAIN;
-  if (error_status & kAuthorityInvalidErrors)
-    cert_status |= CERT_STATUS_AUTHORITY_INVALID;
-
-  if ((error_status & CERT_TRUST_REVOCATION_STATUS_UNKNOWN) &&
-      !(error_status & CERT_TRUST_IS_OFFLINE_REVOCATION))
-    cert_status |= CERT_STATUS_NO_REVOCATION_MECHANISM;
-
-  if (error_status & CERT_TRUST_IS_OFFLINE_REVOCATION)
-    cert_status |= CERT_STATUS_UNABLE_TO_CHECK_REVOCATION;
-
-  if (error_status & CERT_TRUST_IS_REVOKED)
-    cert_status |= CERT_STATUS_REVOKED;
-
-  const DWORD kWrongUsageErrors = CERT_TRUST_IS_NOT_VALID_FOR_USAGE |
-                                  CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE;
-  if (error_status & kWrongUsageErrors) {
-    // TODO(wtc): Should we add CERT_STATUS_WRONG_USAGE?
-    cert_status |= CERT_STATUS_INVALID;
-  }
-
-  // The rest of the errors.
-  const DWORD kCertInvalidErrors =
-      CERT_TRUST_IS_NOT_SIGNATURE_VALID |
-      CERT_TRUST_IS_CYCLIC |
-      CERT_TRUST_INVALID_EXTENSION |
-      CERT_TRUST_INVALID_POLICY_CONSTRAINTS |
-      CERT_TRUST_INVALID_BASIC_CONSTRAINTS |
-      CERT_TRUST_INVALID_NAME_CONSTRAINTS |
-      CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID |
-      CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT |
-      CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT |
-      CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT |
-      CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT |
-      CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY |
-      CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT;
-  if (error_status & kCertInvalidErrors)
-    cert_status |= CERT_STATUS_INVALID;
-
-  return cert_status;
-}
-
-//-----------------------------------------------------------------------------
-
 // Wrappers of malloc and free for CRYPT_DECODE_PARA, which requires the
 // WINAPI calling convention.
 void* WINAPI MyCryptAlloc(size_t size) {
@@ -168,212 +58,6 @@ void GetCertSubjectAltName(PCCERT_CONTEXT cert,
     output->reset(alt_name_info);
 }
 
-// Returns true if any common name in the certificate's Subject field contains
-// a NULL character.
-bool CertSubjectCommonNameHasNull(PCCERT_CONTEXT cert) {
-  CRYPT_DECODE_PARA decode_para;
-  decode_para.cbSize = sizeof(decode_para);
-  decode_para.pfnAlloc = MyCryptAlloc;
-  decode_para.pfnFree = MyCryptFree;
-  CERT_NAME_INFO* name_info = NULL;
-  DWORD name_info_size = 0;
-  BOOL rv;
-  rv = CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
-                           X509_NAME,
-                           cert->pCertInfo->Subject.pbData,
-                           cert->pCertInfo->Subject.cbData,
-                           CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,
-                           &decode_para,
-                           &name_info,
-                           &name_info_size);
-  if (rv) {
-    scoped_ptr_malloc<CERT_NAME_INFO> scoped_name_info(name_info);
-
-    // The Subject field may have multiple common names.  According to the
-    // "PKI Layer Cake" paper, CryptoAPI uses every common name in the
-    // Subject field, so we inspect every common name.
-    //
-    // From RFC 5280:
-    // X520CommonName ::= CHOICE {
-    //       teletexString     TeletexString   (SIZE (1..ub-common-name)),
-    //       printableString   PrintableString (SIZE (1..ub-common-name)),
-    //       universalString   UniversalString (SIZE (1..ub-common-name)),
-    //       utf8String        UTF8String      (SIZE (1..ub-common-name)),
-    //       bmpString         BMPString       (SIZE (1..ub-common-name)) }
-    //
-    // We also check IA5String and VisibleString.
-    for (DWORD i = 0; i < name_info->cRDN; ++i) {
-      PCERT_RDN rdn = &name_info->rgRDN[i];
-      for (DWORD j = 0; j < rdn->cRDNAttr; ++j) {
-        PCERT_RDN_ATTR rdn_attr = &rdn->rgRDNAttr[j];
-        if (strcmp(rdn_attr->pszObjId, szOID_COMMON_NAME) == 0) {
-          switch (rdn_attr->dwValueType) {
-            // After the CryptoAPI ASN.1 security vulnerabilities described in
-            // http://www.microsoft.com/technet/security/Bulletin/MS09-056.mspx
-            // were patched, we get CERT_RDN_ENCODED_BLOB for a common name
-            // that contains a NULL character.
-            case CERT_RDN_ENCODED_BLOB:
-              break;
-            // Array of 8-bit characters.
-            case CERT_RDN_PRINTABLE_STRING:
-            case CERT_RDN_TELETEX_STRING:
-            case CERT_RDN_IA5_STRING:
-            case CERT_RDN_VISIBLE_STRING:
-              for (DWORD k = 0; k < rdn_attr->Value.cbData; ++k) {
-                if (rdn_attr->Value.pbData[k] == '\0')
-                  return true;
-              }
-              break;
-            // Array of 16-bit characters.
-            case CERT_RDN_BMP_STRING:
-            case CERT_RDN_UTF8_STRING: {
-              DWORD num_wchars = rdn_attr->Value.cbData / 2;
-              wchar_t* common_name =
-                  reinterpret_cast<wchar_t*>(rdn_attr->Value.pbData);
-              for (DWORD k = 0; k < num_wchars; ++k) {
-                if (common_name[k] == L'\0')
-                  return true;
-              }
-              break;
-            }
-            // Array of ints (32-bit).
-            case CERT_RDN_UNIVERSAL_STRING: {
-              DWORD num_ints = rdn_attr->Value.cbData / 4;
-              int* common_name =
-                  reinterpret_cast<int*>(rdn_attr->Value.pbData);
-              for (DWORD k = 0; k < num_ints; ++k) {
-                if (common_name[k] == 0)
-                  return true;
-              }
-              break;
-            }
-            default:
-              NOTREACHED();
-              break;
-          }
-        }
-      }
-    }
-  }
-  return false;
-}
-
-// Saves some information about the certificate chain chain_context in
-// *verify_result.  The caller MUST initialize *verify_result before calling
-// this function.
-void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,
-                      CertVerifyResult* verify_result) {
-  PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0];
-  int num_elements = first_chain->cElement;
-  PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement;
-
-  // Each chain starts with the end entity certificate (i = 0) and ends with
-  // the root CA certificate (i = num_elements - 1).  Do not inspect the
-  // signature algorithm of the root CA certificate because the signature on
-  // the trust anchor is not important.
-  for (int i = 0; i < num_elements - 1; ++i) {
-    PCCERT_CONTEXT cert = element[i]->pCertContext;
-    const char* algorithm = cert->pCertInfo->SignatureAlgorithm.pszObjId;
-    if (strcmp(algorithm, szOID_RSA_MD5RSA) == 0) {
-      // md5WithRSAEncryption: 1.2.840.113549.1.1.4
-      verify_result->has_md5 = true;
-      if (i != 0)
-        verify_result->has_md5_ca = true;
-    } else if (strcmp(algorithm, szOID_RSA_MD2RSA) == 0) {
-      // md2WithRSAEncryption: 1.2.840.113549.1.1.2
-      verify_result->has_md2 = true;
-      if (i != 0)
-        verify_result->has_md2_ca = true;
-    } else if (strcmp(algorithm, szOID_RSA_MD4RSA) == 0) {
-      // md4WithRSAEncryption: 1.2.840.113549.1.1.3
-      verify_result->has_md4 = true;
-    }
-  }
-}
-
-///////////////////////////////////////////////////////////////////////////
-//
-// Functions used by X509Certificate::IsEV
-//
-///////////////////////////////////////////////////////////////////////////
-
-// Constructs a certificate chain starting from the end certificate
-// 'cert_context', matching any of the certificate policies.
-//
-// Returns the certificate chain context on success, or NULL on failure.
-// The caller is responsible for freeing the certificate chain context with
-// CertFreeCertificateChain.
-PCCERT_CHAIN_CONTEXT ConstructCertChain(
-    PCCERT_CONTEXT cert_context,
-    const char* const* policies,
-    int num_policies) {
-  CERT_CHAIN_PARA chain_para;
-  memset(&chain_para, 0, sizeof(chain_para));
-  chain_para.cbSize = sizeof(chain_para);
-  chain_para.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
-  chain_para.RequestedUsage.Usage.cUsageIdentifier = 0;
-  chain_para.RequestedUsage.Usage.rgpszUsageIdentifier = NULL;  // LPSTR*
-  chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_OR;
-  chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = num_policies;
-  chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier =
-      const_cast<char**>(policies);
-  PCCERT_CHAIN_CONTEXT chain_context;
-  if (!CertGetCertificateChain(
-      NULL,  // default chain engine, HCCE_CURRENT_USER
-      cert_context,
-      NULL,  // current system time
-      cert_context->hCertStore,  // search this store
-      &chain_para,
-      CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT |
-      CERT_CHAIN_CACHE_END_CERT,
-      NULL,  // reserved
-      &chain_context)) {
-    return NULL;
-  }
-  return chain_context;
-}
-
-// Decodes the cert's certificatePolicies extension into a CERT_POLICIES_INFO
-// structure and stores it in *output.
-void GetCertPoliciesInfo(PCCERT_CONTEXT cert,
-                         scoped_ptr_malloc<CERT_POLICIES_INFO>* output) {
-  PCERT_EXTENSION extension = CertFindExtension(szOID_CERT_POLICIES,
-                                                cert->pCertInfo->cExtension,
-                                                cert->pCertInfo->rgExtension);
-  if (!extension)
-    return;
-
-  CRYPT_DECODE_PARA decode_para;
-  decode_para.cbSize = sizeof(decode_para);
-  decode_para.pfnAlloc = MyCryptAlloc;
-  decode_para.pfnFree = MyCryptFree;
-  CERT_POLICIES_INFO* policies_info = NULL;
-  DWORD policies_info_size = 0;
-  BOOL rv;
-  rv = CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
-                           szOID_CERT_POLICIES,
-                           extension->Value.pbData,
-                           extension->Value.cbData,
-                           CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,
-                           &decode_para,
-                           &policies_info,
-                           &policies_info_size);
-  if (rv)
-    output->reset(policies_info);
-}
-
-// Returns true if the policy is in the array of CERT_POLICY_INFO in
-// the CERT_POLICIES_INFO structure.
-bool ContainsPolicy(const CERT_POLICIES_INFO* policies_info,
-                    const char* policy) {
-  int num_policies = policies_info->cPolicyInfo;
-  for (int i = 0; i < num_policies; i++) {
-    if (!strcmp(policies_info->rgPolicyInfo[i].pszPolicyIdentifier, policy))
-      return true;
-  }
-  return false;
-}
-
 // Helper function to parse a principal from a WinInet description of that
 // principal.
 void ParsePrincipal(const std::string& description,
@@ -572,224 +256,6 @@ X509Certificate::CreateOSCertListHandle() const {
 
   return cert_list;
 }
-
-int X509Certificate::Verify(const std::string& hostname,
-                            int flags,
-                            CertVerifyResult* verify_result) const {
-  verify_result->Reset();
-  if (!cert_handle_)
-    return ERR_UNEXPECTED;
-
-  // Build and validate certificate chain.
-
-  CERT_CHAIN_PARA chain_para;
-  memset(&chain_para, 0, sizeof(chain_para));
-  chain_para.cbSize = sizeof(chain_para);
-  // ExtendedKeyUsage.
-  // We still need to request szOID_SERVER_GATED_CRYPTO and szOID_SGC_NETSCAPE
-  // today because some certificate chains need them.  IE also requests these
-  // two usages.
-  static const LPSTR usage[] = {
-    szOID_PKIX_KP_SERVER_AUTH,
-    szOID_SERVER_GATED_CRYPTO,
-    szOID_SGC_NETSCAPE
-  };
-  chain_para.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;
-  chain_para.RequestedUsage.Usage.cUsageIdentifier = arraysize(usage);
-  chain_para.RequestedUsage.Usage.rgpszUsageIdentifier =
-      const_cast<LPSTR*>(usage);
-  // We can set CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS to get more chains.
-  DWORD chain_flags = CERT_CHAIN_CACHE_END_CERT;
-  if (flags & VERIFY_REV_CHECKING_ENABLED) {
-    verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
-    chain_flags |= CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
-  } else {
-    chain_flags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;
-    // EV requires revocation checking.
-    flags &= ~VERIFY_EV_CERT;
-  }
-
-  OSCertListHandle cert_list = CreateOSCertListHandle();
-  PCCERT_CHAIN_CONTEXT chain_context;
-  // IE passes a non-NULL pTime argument that specifies the current system
-  // time.  IE passes CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as the
-  // chain_flags argument.
-  if (!CertGetCertificateChain(
-           NULL,  // default chain engine, HCCE_CURRENT_USER
-           cert_list,
-           NULL,  // current system time
-           cert_list->hCertStore,  // search this store
-           &chain_para,
-           chain_flags,
-           NULL,  // reserved
-           &chain_context)) {
-    FreeOSCertListHandle(cert_list);
-    return MapSecurityError(GetLastError());
-  }
-  FreeOSCertListHandle(cert_list);
-  ScopedCertChainContext scoped_chain_context(chain_context);
-
-  GetCertChainInfo(chain_context, verify_result);
-
-  verify_result->cert_status |= MapCertChainErrorStatusToCertStatus(
-      chain_context->TrustStatus.dwErrorStatus);
-
-  // Treat certificates signed using broken signature algorithms as invalid.
-  if (verify_result->has_md4)
-    verify_result->cert_status |= CERT_STATUS_INVALID;
-
-  // Flag certificates signed using weak signature algorithms.
-  if (verify_result->has_md2)
-    verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
-
-  // Flag certificates that have a Subject common name with a NULL character.
-  if (CertSubjectCommonNameHasNull(cert_handle_))
-    verify_result->cert_status |= CERT_STATUS_INVALID;
-
-  std::wstring wstr_hostname = ASCIIToWide(hostname);
-
-  SSL_EXTRA_CERT_CHAIN_POLICY_PARA extra_policy_para;
-  memset(&extra_policy_para, 0, sizeof(extra_policy_para));
-  extra_policy_para.cbSize = sizeof(extra_policy_para);
-  extra_policy_para.dwAuthType = AUTHTYPE_SERVER;
-  extra_policy_para.fdwChecks = 0;
-  extra_policy_para.pwszServerName =
-      const_cast<wchar_t*>(wstr_hostname.c_str());
-
-  CERT_CHAIN_POLICY_PARA policy_para;
-  memset(&policy_para, 0, sizeof(policy_para));
-  policy_para.cbSize = sizeof(policy_para);
-  policy_para.dwFlags = 0;
-  policy_para.pvExtraPolicyPara = &extra_policy_para;
-
-  CERT_CHAIN_POLICY_STATUS policy_status;
-  memset(&policy_status, 0, sizeof(policy_status));
-  policy_status.cbSize = sizeof(policy_status);
-
-  if (!CertVerifyCertificateChainPolicy(
-           CERT_CHAIN_POLICY_SSL,
-           chain_context,
-           &policy_para,
-           &policy_status)) {
-    return MapSecurityError(GetLastError());
-  }
-
-  if (policy_status.dwError) {
-    verify_result->cert_status |= MapNetErrorToCertStatus(
-        MapSecurityError(policy_status.dwError));
-
-    // CertVerifyCertificateChainPolicy reports only one error (in
-    // policy_status.dwError) if the certificate has multiple errors.
-    // CertGetCertificateChain doesn't report certificate name mismatch, so
-    // CertVerifyCertificateChainPolicy is the only function that can report
-    // certificate name mismatch.
-    //
-    // To prevent a potential certificate name mismatch from being hidden by
-    // some other certificate error, if we get any other certificate error,
-    // we call CertVerifyCertificateChainPolicy again, ignoring all other
-    // certificate errors.  Both extra_policy_para.fdwChecks and
-    // policy_para.dwFlags allow us to ignore certificate errors, so we set
-    // them both.
-    if (policy_status.dwError != CERT_E_CN_NO_MATCH) {
-      const DWORD extra_ignore_flags =
-          0x00000080 |  // SECURITY_FLAG_IGNORE_REVOCATION
-          0x00000100 |  // SECURITY_FLAG_IGNORE_UNKNOWN_CA
-          0x00002000 |  // SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
-          0x00000200;   // SECURITY_FLAG_IGNORE_WRONG_USAGE
-      extra_policy_para.fdwChecks = extra_ignore_flags;
-      const DWORD ignore_flags =
-          CERT_CHAIN_POLICY_IGNORE_ALL_NOT_TIME_VALID_FLAGS |
-          CERT_CHAIN_POLICY_IGNORE_INVALID_BASIC_CONSTRAINTS_FLAG |
-          CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG |
-          CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG |
-          CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG |
-          CERT_CHAIN_POLICY_IGNORE_INVALID_POLICY_FLAG |
-          CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS |
-          CERT_CHAIN_POLICY_ALLOW_TESTROOT_FLAG |
-          CERT_CHAIN_POLICY_TRUST_TESTROOT_FLAG |
-          CERT_CHAIN_POLICY_IGNORE_NOT_SUPPORTED_CRITICAL_EXT_FLAG |
-          CERT_CHAIN_POLICY_IGNORE_PEER_TRUST_FLAG;
-      policy_para.dwFlags = ignore_flags;
-      if (!CertVerifyCertificateChainPolicy(
-               CERT_CHAIN_POLICY_SSL,
-               chain_context,
-               &policy_para,
-               &policy_status)) {
-        return MapSecurityError(GetLastError());
-      }
-      if (policy_status.dwError) {
-        verify_result->cert_status |= MapNetErrorToCertStatus(
-            MapSecurityError(policy_status.dwError));
-      }
-    }
-  }
-
-  // TODO(wtc): Suppress CERT_STATUS_NO_REVOCATION_MECHANISM for now to be
-  // compatible with WinHTTP, which doesn't report this error (bug 3004).
-  verify_result->cert_status &= ~CERT_STATUS_NO_REVOCATION_MECHANISM;
-
-  if (IsCertStatusError(verify_result->cert_status))
-    return MapCertStatusToNetError(verify_result->cert_status);
-
-  // TODO(ukai): combine regular cert verification and EV cert verification.
-  if ((flags & VERIFY_EV_CERT) && VerifyEV())
-    verify_result->cert_status |= CERT_STATUS_IS_EV;
-  return OK;
-}
-
-// Returns true if the certificate is an extended-validation certificate.
-//
-// This function checks the certificatePolicies extensions of the
-// certificates in the certificate chain according to Section 7 (pp. 11-12)
-// of the EV Certificate Guidelines Version 1.0 at
-// http://cabforum.org/EV_Certificate_Guidelines.pdf.
-bool X509Certificate::VerifyEV() const {
-  DCHECK(cert_handle_);
-  net::EVRootCAMetadata* metadata = net::EVRootCAMetadata::GetInstance();
-
-  OSCertListHandle cert_list = CreateOSCertListHandle();
-  PCCERT_CHAIN_CONTEXT chain_context = ConstructCertChain(cert_list,
-      metadata->GetPolicyOIDs(), metadata->NumPolicyOIDs());
-  FreeOSCertListHandle(cert_list);
-  if (!chain_context)
-    return false;
-  ScopedCertChainContext scoped_chain_context(chain_context);
-
-  DCHECK(chain_context->cChain != 0);
-  // If the cert doesn't match any of the policies, the
-  // CERT_TRUST_IS_NOT_VALID_FOR_USAGE bit (0x10) in
-  // chain_context->TrustStatus.dwErrorStatus is set.
-  DWORD error_status = chain_context->TrustStatus.dwErrorStatus;
-  DWORD info_status = chain_context->TrustStatus.dwInfoStatus;
-  if (!chain_context->cChain || error_status != CERT_TRUST_NO_ERROR)
-    return false;
-
-  // Check the end certificate simple chain (chain_context->rgpChain[0]).
-  // If the end certificate's certificatePolicies extension contains the
-  // EV policy OID of the root CA, return true.
-  PCERT_CHAIN_ELEMENT* element = chain_context->rgpChain[0]->rgpElement;
-  int num_elements = chain_context->rgpChain[0]->cElement;
-  if (num_elements < 2)
-    return false;
-
-  // Look up the EV policy OID of the root CA.
-  PCCERT_CONTEXT root_cert = element[num_elements - 1]->pCertContext;
-  SHA1Fingerprint fingerprint = CalculateFingerprint(root_cert);
-  const char* ev_policy_oid = NULL;
-  if (!metadata->GetPolicyOID(fingerprint, &ev_policy_oid))
-    return false;
-  DCHECK(ev_policy_oid);
-
-  // Get the certificatePolicies extension of the end certificate.
-  PCCERT_CONTEXT end_cert = element[0]->pCertContext;
-  scoped_ptr_malloc<CERT_POLICIES_INFO> policies_info;
-  GetCertPoliciesInfo(end_cert, &policies_info);
-  if (!policies_info.get())
-    return false;
-
-  return ContainsPolicy(policies_info.get(), ev_policy_oid);
-}
-
 // static
 bool X509Certificate::IsSameOSCert(X509Certificate::OSCertHandle a,
                                    X509Certificate::OSCertHandle b) {