Create stubs for system certificate validation.

net/base/x509_certificate_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/file_path.h"
 #include "base/file_util.h"
 #include "base/path_service.h"
 #include "base/pickle.h"
 #include "base/sha1.h"
 #include "base/string_number_conversions.h"
@@ skipping 203 matching lines @@
   EXPECT_EQ(valid_to, valid_expiry.ToDoubleT());
 
   const SHA1Fingerprint& fingerprint = google_cert->fingerprint();
   for (size_t i = 0; i < 20; ++i)
     EXPECT_EQ(expected_fingerprint[i], fingerprint.data[i]);
 
   std::vector<std::string> dns_names;
   google_cert->GetDNSNames(&dns_names);
   ASSERT_EQ(1U, dns_names.size());
   EXPECT_EQ("www.google.com", dns_names[0]);
-
-#if TEST_EV
-  // TODO(avi): turn this on for the Mac once EV checking is implemented.
-  CertVerifyResult verify_result;
-  int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED |
-                X509Certificate::VERIFY_EV_CERT;
-  EXPECT_EQ(OK, google_cert->Verify("www.google.com", flags, NULL,
-                                    &verify_result);
-  EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV);
-#endif

[wtc, 2012/03/06 23:10:14]

Why did you delete this #if TEST_EV block but keep the other
ones?

[Ryan Sleevi, 2012/03/10 03:09:12]

Missed the other ones, but Adam has already nuked them in master, so all good.

 }
 
-TEST(X509CertificateTest, GoogleCertParsing) {
+// TODO(rsleevi): Temporary fixture while refactoring http://crbug.com/114343
+class X509CertificateTest : public testing::Test {
+ public:
+  X509CertificateTest() {}
+  virtual ~X509CertificateTest() {}
+
+ protected:
+  int Verify(X509Certificate* cert,
+             const std::string& hostname,
+             int flags,
+             CRLSet* crl_set,
+             CertVerifyResult* verify_result) {
+    return cert->Verify(hostname, flags, crl_set, verify_result);

[wtc, 2012/03/06 23:10:14]

Why is this fixture necessary?  Are you going to change
the Verify() method to call a CertVerifier or
VerifyProc?

[Ryan Sleevi, 2012/03/10 03:09:12]

To make it easier to friend this in X509Certificate while making Verify()
private [to avoid new callers being introduced]. New callers during the
refactoring should use the CertVerifier interface directly.

+  }
+};
+
+TEST_F(X509CertificateTest, GoogleCertParsing) {
   scoped_refptr<X509Certificate> google_cert(
       X509Certificate::CreateFromBytes(
           reinterpret_cast<const char*>(google_der), sizeof(google_der)));
 
   CheckGoogleCert(google_cert, google_fingerprint,
                   1238192407,   // Mar 27 22:20:07 2009 GMT
                   1269728407);  // Mar 27 22:20:07 2010 GMT
 }
 
-TEST(X509CertificateTest, WebkitCertParsing) {
+TEST_F(X509CertificateTest, WebkitCertParsing) {
   scoped_refptr<X509Certificate> webkit_cert(X509Certificate::CreateFromBytes(
       reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der)));
 
   ASSERT_NE(static_cast<X509Certificate*>(NULL), webkit_cert);
 
   const CertPrincipal& subject = webkit_cert->subject();
   EXPECT_EQ("Cupertino", subject.locality_name);
   EXPECT_EQ("California", subject.state_or_province_name);
   EXPECT_EQ("US", subject.country_name);
   EXPECT_EQ(0U, subject.street_addresses.size());
@@ skipping 42 matching lines @@
 #endif
 
   // Test that the wildcard cert matches properly.
   EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org"));
   EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org"));
   EXPECT_TRUE(webkit_cert->VerifyNameMatch("webkit.org"));
   EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.webkit.com"));
   EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.foo.webkit.com"));
 }
 
-TEST(X509CertificateTest, WithoutRevocationChecking) {
+TEST_F(X509CertificateTest, WithoutRevocationChecking) {
   // Check that verification without revocation checking works.
   CertificateList certs = CreateCertificateListFromFile(
       GetTestCertsDirectory(),
       "googlenew.chain.pem",
       X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[1]->os_cert_handle());
 
   scoped_refptr<X509Certificate> google_full_chain =
       X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
                                         intermediates);
 
   CertVerifyResult verify_result;
-  EXPECT_EQ(OK, google_full_chain->Verify("www.google.com", 0 /* flags */, NULL,
-                                          &verify_result));
+  EXPECT_EQ(OK, Verify(google_full_chain, "www.google.com", 0 /* flags */, NULL,
+                       &verify_result));
 }
 
-TEST(X509CertificateTest, ThawteCertParsing) {
+TEST_F(X509CertificateTest, ThawteCertParsing) {
   scoped_refptr<X509Certificate> thawte_cert(X509Certificate::CreateFromBytes(
       reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der)));
 
   ASSERT_NE(static_cast<X509Certificate*>(NULL), thawte_cert);
 
   const CertPrincipal& subject = thawte_cert->subject();
   EXPECT_EQ("www.thawte.com", subject.common_name);
   EXPECT_EQ("Mountain View", subject.locality_name);
   EXPECT_EQ("California", subject.state_or_province_name);
   EXPECT_EQ("US", subject.country_name);
@@ skipping 30 matching lines @@
   std::vector<std::string> dns_names;
   thawte_cert->GetDNSNames(&dns_names);
   ASSERT_EQ(1U, dns_names.size());
   EXPECT_EQ("www.thawte.com", dns_names[0]);
 
 #if TEST_EV
   int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED |
                 X509Certificate::VERIFY_EV_CERT;
   CertVerifyResult verify_result;
   // EV cert verification requires revocation checking.
-  EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, NULL,
-                                    &verify_result);
+  EXPECT_EQ(OK, Verify(thawte_cert, "www.thawte.com", flags, NULL,
+                       &verify_result);
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
   // Consequently, if we don't have revocation checking enabled, we can't claim
   // any cert is EV.
   flags = X509Certificate::VERIFY_EV_CERT;
-  EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, NULL,
-                                    &verify_result));
+  EXPECT_EQ(OK, Verify(thawte_cert, "www.thawte.com", flags, NULL,
+                       &verify_result));
   EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV);
 #endif
 }
 
 // Test that all desired AttributeAndValue pairs can be extracted when only
 // a single RelativeDistinguishedName is present. "Normally" there is only
 // one AVA per RDN, but some CAs place all AVAs within a single RDN.
 // This is a regression test for http://crbug.com/101009
-TEST(X509CertificateTest, MultivalueRDN) {
+TEST_F(X509CertificateTest, MultivalueRDN) {
   FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> multivalue_rdn_cert =
       ImportCertFromFile(certs_dir, "multivalue_rdn.pem");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), multivalue_rdn_cert);
 
   const CertPrincipal& subject = multivalue_rdn_cert->subject();
   EXPECT_EQ("Multivalue RDN Test", subject.common_name);
   EXPECT_EQ("", subject.locality_name);
   EXPECT_EQ("", subject.state_or_province_name);
   EXPECT_EQ("US", subject.country_name);
   EXPECT_EQ(0U, subject.street_addresses.size());
   ASSERT_EQ(1U, subject.organization_names.size());
   EXPECT_EQ("Chromium", subject.organization_names[0]);
   ASSERT_EQ(1U, subject.organization_unit_names.size());
   EXPECT_EQ("Chromium net_unittests", subject.organization_unit_names[0]);
   ASSERT_EQ(1U, subject.domain_components.size());
   EXPECT_EQ("Chromium", subject.domain_components[0]);
 }
 
 // Test that characters which would normally be escaped in the string form,
 // such as '=' or '"', are not escaped when parsed as individual components.
 // This is a regression test for http://crbug.com/102839
-TEST(X509CertificateTest, UnescapedSpecialCharacters) {
+TEST_F(X509CertificateTest, UnescapedSpecialCharacters) {
   FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> unescaped_cert =
       ImportCertFromFile(certs_dir, "unescaped.pem");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), unescaped_cert);
 
   const CertPrincipal& subject = unescaped_cert->subject();
   EXPECT_EQ("127.0.0.1", subject.common_name);
   EXPECT_EQ("Mountain View", subject.locality_name);
   EXPECT_EQ("California", subject.state_or_province_name);
   EXPECT_EQ("US", subject.country_name);
   ASSERT_EQ(1U, subject.street_addresses.size());
   EXPECT_EQ("1600 Amphitheatre Parkway", subject.street_addresses[0]);
   ASSERT_EQ(1U, subject.organization_names.size());
   EXPECT_EQ("Chromium = \"net_unittests\"", subject.organization_names[0]);
   ASSERT_EQ(2U, subject.organization_unit_names.size());
   EXPECT_EQ("net_unittests", subject.organization_unit_names[0]);
   EXPECT_EQ("Chromium", subject.organization_unit_names[1]);
   EXPECT_EQ(0U, subject.domain_components.size());
 }
 
-TEST(X509CertificateTest, PaypalNullCertParsing) {
+TEST_F(X509CertificateTest, PaypalNullCertParsing) {
   scoped_refptr<X509Certificate> paypal_null_cert(
       X509Certificate::CreateFromBytes(
           reinterpret_cast<const char*>(paypal_null_der),
           sizeof(paypal_null_der)));
 
   ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert);
 
   const SHA1Fingerprint& fingerprint =
       paypal_null_cert->fingerprint();
   for (size_t i = 0; i < 20; ++i)
     EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]);
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = paypal_null_cert->Verify("www.paypal.com", flags, NULL,
-                                       &verify_result);
+  int error = Verify(paypal_null_cert, "www.paypal.com", flags, NULL,
+                     &verify_result);
 #if defined(USE_OPENSSL) || defined(OS_MACOSX) || defined(OS_WIN)
   // TOOD(bulach): investigate why macosx and win aren't returning
   // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID.
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
 #else
   EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
 #endif
   // Either the system crypto library should correctly report a certificate
   // name mismatch, or our certificate blacklist should cause us to report an
   // invalid certificate.
 #if !defined(OS_MACOSX) && !defined(USE_OPENSSL)
   EXPECT_TRUE(verify_result.cert_status &
               (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
 #endif
 }
 
-TEST(X509CertificateTest, SerialNumbers) {
+TEST_F(X509CertificateTest, SerialNumbers) {
   scoped_refptr<X509Certificate> google_cert(
       X509Certificate::CreateFromBytes(
           reinterpret_cast<const char*>(google_der), sizeof(google_der)));
 
   static const uint8 google_serial[16] = {
     0x01,0x2a,0x39,0x76,0x0d,0x3f,0x4f,0xc9,
     0x0b,0xe7,0xbd,0x2b,0xcf,0x95,0x2e,0x7a,
   };
 
   ASSERT_EQ(sizeof(google_serial), google_cert->serial_number().size());
   EXPECT_TRUE(memcmp(google_cert->serial_number().data(), google_serial,
                      sizeof(google_serial)) == 0);
 
   // We also want to check a serial number where the first byte is >= 0x80 in
   // case the underlying library tries to pad it.
   scoped_refptr<X509Certificate> paypal_null_cert(
       X509Certificate::CreateFromBytes(
           reinterpret_cast<const char*>(paypal_null_der),
           sizeof(paypal_null_der)));
 
   static const uint8 paypal_null_serial[3] = {0x00, 0xf0, 0x9b};
   ASSERT_EQ(sizeof(paypal_null_serial),
             paypal_null_cert->serial_number().size());
   EXPECT_TRUE(memcmp(paypal_null_cert->serial_number().data(),
                      paypal_null_serial, sizeof(paypal_null_serial)) == 0);
 }
 
-TEST(X509CertificateTest, CAFingerprints) {
+TEST_F(X509CertificateTest, CAFingerprints) {
   FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> server_cert =
       ImportCertFromFile(certs_dir, "salesforce_com_test.pem");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
 
   scoped_refptr<X509Certificate> intermediate_cert1 =
       ImportCertFromFile(certs_dir, "verisign_intermediate_ca_2011.pem");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert1);
 
@@ skipping 37 matching lines @@
   EXPECT_TRUE(memcmp(cert_chain2->ca_fingerprint().data,
                      cert_chain2_ca_fingerprint, 20) == 0);
   EXPECT_TRUE(memcmp(cert_chain3->ca_fingerprint().data,
                      cert_chain3_ca_fingerprint, 20) == 0);
 }
 
 // A regression test for http://crbug.com/31497.
 // This certificate will expire on 2012-04-08. The test will still
 // pass if error == ERR_CERT_DATE_INVALID.  TODO(wtc): generate test
 // certificates for this unit test. http://crbug.com/111742
-TEST(X509CertificateTest, IntermediateCARequireExplicitPolicy) {
+TEST_F(X509CertificateTest, IntermediateCARequireExplicitPolicy) {
   FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> server_cert =
       ImportCertFromFile(certs_dir, "www_us_army_mil_cert.der");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
 
   // The intermediate CA certificate's policyConstraints extension has a
   // requireExplicitPolicy field with SkipCerts=0.
   scoped_refptr<X509Certificate> intermediate_cert =
       ImportCertFromFile(certs_dir, "dod_ca_17_cert.der");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
 
   FilePath root_cert_path = certs_dir.AppendASCII("dod_root_ca_2_cert.der");
   TestRootCerts* root_certs = TestRootCerts::GetInstance();
   ASSERT_TRUE(root_certs->AddFromFile(root_cert_path));
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(intermediate_cert->os_cert_handle());
   scoped_refptr<X509Certificate> cert_chain =
       X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
                                         intermediates);
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = cert_chain->Verify("www.us.army.mil", flags, NULL,
-                                 &verify_result);
+  int error = Verify(cert_chain, "www.us.army.mil", flags, NULL,
+                     &verify_result);
   if (error == OK) {
     EXPECT_EQ(0U, verify_result.cert_status);
   } else {
     EXPECT_EQ(ERR_CERT_DATE_INVALID, error);
     EXPECT_EQ(CERT_STATUS_DATE_INVALID, verify_result.cert_status);
   }
   root_certs->Clear();
 }
 
 // Test for bug 58437.
 // This certificate will expire on 2011-12-21. The test will still
 // pass if error == ERR_CERT_DATE_INVALID.
 // This test is DISABLED because it appears that we cannot do
 // certificate revocation checking when running all of the net unit tests.
 // This test passes when run individually, but when run with all of the net
 // unit tests, the call to PKIXVerifyCert returns the NSS error -8180, which is
 // SEC_ERROR_REVOKED_CERTIFICATE. This indicates a lack of revocation
 // status, i.e. that the revocation check is failing for some reason.
-TEST(X509CertificateTest, DISABLED_GlobalSignR3EVTest) {
+TEST_F(X509CertificateTest, DISABLED_GlobalSignR3EVTest) {
   FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> server_cert =
       ImportCertFromFile(certs_dir, "2029_globalsign_com_cert.pem");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
 
   scoped_refptr<X509Certificate> intermediate_cert =
       ImportCertFromFile(certs_dir, "globalsign_ev_sha256_ca_cert.pem");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(intermediate_cert->os_cert_handle());
   scoped_refptr<X509Certificate> cert_chain =
       X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
                                         intermediates);
 
   CertVerifyResult verify_result;
   int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED |
               X509Certificate::VERIFY_EV_CERT;
-  int error = cert_chain->Verify("2029.globalsign.com", flags, NULL,
-                                 &verify_result);
+  int error = Verify(cert_chain, "2029.globalsign.com", flags, NULL,
+                     &verify_result);
   if (error == OK)
     EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
   else
     EXPECT_EQ(ERR_CERT_DATE_INVALID, error);
 }
 
 // Currently, only RSA and DSA keys are checked for weakness, and our example
 // weak size is 768. These could change in the future.
 //
 // Note that this means there may be false negatives: keys for other
 // algorithms and which are weak will pass this test.
 static bool IsWeakKeyType(const std::string& key_type) {
   size_t pos = key_type.find("-");
   std::string size = key_type.substr(0, pos);
   std::string type = key_type.substr(pos + 1);
 
   if (type == "rsa" || type == "dsa")
     return size == "768";
 
   return false;
 }
 
-TEST(X509CertificateTest, RejectWeakKeys) {
+TEST_F(X509CertificateTest, RejectWeakKeys) {
   FilePath certs_dir = GetTestCertsDirectory();
   typedef std::vector<std::string> Strings;
   Strings key_types;
 
   // generate-weak-test-chains.sh currently has:
   //     key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa"
   // We must use the same key types here. The filenames generated look like:
   //     2048-rsa-ee-by-768-rsa-intermediate.pem
   key_types.push_back("768-rsa");
   key_types.push_back("1024-rsa");
@@ skipping 32 matching lines @@
           ImportCertFromFile(certs_dir, basename);
       ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate);
 
       X509Certificate::OSCertHandles intermediates;
       intermediates.push_back(intermediate->os_cert_handle());
       scoped_refptr<X509Certificate> cert_chain =
           X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
                                             intermediates);
 
       CertVerifyResult verify_result;
-      int error = cert_chain->Verify("127.0.0.1", 0, NULL, &verify_result);
+      int error = Verify(cert_chain, "127.0.0.1", 0, NULL, &verify_result);
 
       if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) {
         EXPECT_NE(OK, error);
         EXPECT_EQ(CERT_STATUS_WEAK_KEY,
                   verify_result.cert_status & CERT_STATUS_WEAK_KEY);
       } else {
         EXPECT_EQ(OK, error);
         EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY);
       }
     }
   }
 
   TestRootCerts::GetInstance()->Clear();
 }
 
 // Test for bug 108514.
 // The certificate will expire on 2012-07-20. The test will still
 // pass if error == ERR_CERT_DATE_INVALID.  TODO(rsleevi): generate test
 // certificates for this unit test.  http://crbug.com/111730
-TEST(X509CertificateTest, ExtraneousMD5RootCert) {
+TEST_F(X509CertificateTest, ExtraneousMD5RootCert) {
   FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> server_cert =
       ImportCertFromFile(certs_dir, "images_etrade_wallst_com.pem");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
 
   scoped_refptr<X509Certificate> intermediate_cert =
       ImportCertFromFile(certs_dir, "globalsign_orgv1_ca.pem");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
 
   scoped_refptr<X509Certificate> md5_root_cert =
       ImportCertFromFile(certs_dir, "globalsign_root_ca_md5.pem");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), md5_root_cert);
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(intermediate_cert->os_cert_handle());
   intermediates.push_back(md5_root_cert->os_cert_handle());
   scoped_refptr<X509Certificate> cert_chain =
       X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
                                         intermediates);
 
   CertVerifyResult verify_result;
   int flags = 0;
-  int error = cert_chain->Verify("images.etrade.wallst.com", flags, NULL,
-                                 &verify_result);
+  int error = Verify(cert_chain, "images.etrade.wallst.com", flags, NULL,
+                     &verify_result);
   if (error != OK)
     EXPECT_EQ(ERR_CERT_DATE_INVALID, error);
 
   EXPECT_FALSE(verify_result.has_md5);
   EXPECT_FALSE(verify_result.has_md5_ca);
 }
 
 // Test for bug 94673.
-TEST(X509CertificateTest, GoogleDigiNotarTest) {
+TEST_F(X509CertificateTest, GoogleDigiNotarTest) {
   FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> server_cert =
       ImportCertFromFile(certs_dir, "google_diginotar.pem");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
 
   scoped_refptr<X509Certificate> intermediate_cert =
       ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(intermediate_cert->os_cert_handle());
   scoped_refptr<X509Certificate> cert_chain =
       X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
                                         intermediates);
 
   CertVerifyResult verify_result;
   int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED;
-  int error = cert_chain->Verify("mail.google.com", flags, NULL,
-                                 &verify_result);
+  int error = Verify(cert_chain, "mail.google.com", flags, NULL,
+                     &verify_result);
   EXPECT_NE(OK, error);
 
   // Now turn off revocation checking.  Certificate verification should still
   // fail.
   flags = 0;
-  error = cert_chain->Verify("mail.google.com", flags, NULL, &verify_result);
+  error = Verify(cert_chain, "mail.google.com", flags, NULL, &verify_result);
   EXPECT_NE(OK, error);
 }
 
-TEST(X509CertificateTest, DigiNotarCerts) {
+TEST_F(X509CertificateTest, DigiNotarCerts) {
   static const char* const kDigiNotarFilenames[] = {
     "diginotar_root_ca.pem",
     "diginotar_cyber_ca.pem",
     "diginotar_services_1024_ca.pem",
     "diginotar_pkioverheid.pem",
     "diginotar_pkioverheid_g2.pem",
     NULL,
   };
 
   FilePath certs_dir = GetTestCertsDirectory();
@@ skipping 15 matching lines @@
     ASSERT_EQ(sizeof(fingerprint.data), spki_sha1.size());
     memcpy(fingerprint.data, spki_sha1.data(), spki_sha1.size());
     public_keys.push_back(fingerprint);
 
     EXPECT_TRUE(X509Certificate::IsPublicKeyBlacklisted(public_keys)) <<
         "Public key not blocked for " << kDigiNotarFilenames[i];
   }
 }
 
 // Bug 111893: This test needs a new certificate.
-TEST(X509CertificateTest, DISABLED_TestKnownRoot) {
+TEST_F(X509CertificateTest, DISABLED_TestKnownRoot) {
   FilePath certs_dir = GetTestCertsDirectory();
   scoped_refptr<X509Certificate> cert =
       ImportCertFromFile(certs_dir, "nist.der");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
 
   // This intermediate is only needed for old Linux machines. Modern NSS
   // includes it as a root already.
   scoped_refptr<X509Certificate> intermediate_cert =
       ImportCertFromFile(certs_dir, "nist_intermediate.der");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(intermediate_cert->os_cert_handle());
   scoped_refptr<X509Certificate> cert_chain =
       X509Certificate::CreateFromHandle(cert->os_cert_handle(),
                                         intermediates);
 
   int flags = 0;
   CertVerifyResult verify_result;
   // This is going to blow up in Feb 2012. Sorry! Disable and file a bug
   // against agl. Also see PublicKeyHashes in this file.
-  int error = cert_chain->Verify("www.nist.gov", flags, NULL, &verify_result);
+  int error = Verify(cert_chain, "www.nist.gov", flags, NULL, &verify_result);
   EXPECT_EQ(OK, error);
   EXPECT_EQ(0U, verify_result.cert_status);
   EXPECT_TRUE(verify_result.is_issued_by_known_root);
 }
 
 // This is the SHA1 hash of the SubjectPublicKeyInfo of nist.der.
 static const char nistSPKIHash[] =
     "\x15\x60\xde\x65\x4e\x03\x9f\xd0\x08\x82"
     "\xa9\x6a\xc4\x65\x8e\x6f\x92\x06\x84\x35";
 
-TEST(X509CertificateTest, ExtractSPKIFromDERCert) {
+TEST_F(X509CertificateTest, ExtractSPKIFromDERCert) {
   FilePath certs_dir = GetTestCertsDirectory();
   scoped_refptr<X509Certificate> cert =
       ImportCertFromFile(certs_dir, "nist.der");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
 
   std::string derBytes;
   EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(),
                                              &derBytes));
 
   base::StringPiece spkiBytes;
   EXPECT_TRUE(asn1::ExtractSPKIFromDERCert(derBytes, &spkiBytes));
 
   uint8 hash[base::kSHA1Length];
   base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()),
                       spkiBytes.size(), hash);
 
   EXPECT_EQ(0, memcmp(hash, nistSPKIHash, sizeof(hash)));
 }
 
-TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) {
+TEST_F(X509CertificateTest, ExtractCRLURLsFromDERCert) {
   FilePath certs_dir = GetTestCertsDirectory();
   scoped_refptr<X509Certificate> cert =
       ImportCertFromFile(certs_dir, "nist.der");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
 
   std::string derBytes;
   EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(),
                                              &derBytes));
 
   std::vector<base::StringPiece> crl_urls;
   EXPECT_TRUE(asn1::ExtractCRLURLsFromDERCert(derBytes, &crl_urls));
 
   EXPECT_EQ(1u, crl_urls.size());
   if (crl_urls.size() > 0) {
     EXPECT_EQ("http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl",
               crl_urls[0].as_string());
   }
 }
 
 // Bug 111893: This test needs a new certificate.
-TEST(X509CertificateTest, DISABLED_PublicKeyHashes) {
+TEST_F(X509CertificateTest, DISABLED_PublicKeyHashes) {
   FilePath certs_dir = GetTestCertsDirectory();
   // This is going to blow up in Feb 2012. Sorry! Disable and file a bug
   // against agl. Also see TestKnownRoot in this file.
   scoped_refptr<X509Certificate> cert =
       ImportCertFromFile(certs_dir, "nist.der");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
 
   // This intermediate is only needed for old Linux machines. Modern NSS
   // includes it as a root already.
   scoped_refptr<X509Certificate> intermediate_cert =
       ImportCertFromFile(certs_dir, "nist_intermediate.der");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
 
   TestRootCerts::GetInstance()->Add(intermediate_cert.get());
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(intermediate_cert->os_cert_handle());
   scoped_refptr<X509Certificate> cert_chain =
       X509Certificate::CreateFromHandle(cert->os_cert_handle(),
                                         intermediates);
 
   int flags = 0;
   CertVerifyResult verify_result;
 
-  int error = cert_chain->Verify("www.nist.gov", flags, NULL, &verify_result);
+  int error = Verify(cert_chain, "www.nist.gov", flags, NULL, &verify_result);
   EXPECT_EQ(OK, error);
   EXPECT_EQ(0U, verify_result.cert_status);
   ASSERT_LE(2u, verify_result.public_key_hashes.size());
   EXPECT_EQ(HexEncode(nistSPKIHash, base::kSHA1Length),
       HexEncode(verify_result.public_key_hashes[0].data, base::kSHA1Length));
   EXPECT_EQ("83244223D6CBF0A26FC7DE27CEBCA4BDA32612AD",
       HexEncode(verify_result.public_key_hashes[1].data, base::kSHA1Length));
 
   TestRootCerts::GetInstance()->Clear();
 }
 
 // A regression test for http://crbug.com/70293.
 // The Key Usage extension in this RSA SSL server certificate does not have
 // the keyEncipherment bit.
-TEST(X509CertificateTest, InvalidKeyUsage) {
+TEST_F(X509CertificateTest, InvalidKeyUsage) {
   FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> server_cert =
       ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = server_cert->Verify("jira.aquameta.com", flags, NULL,
-                                  &verify_result);
+  int error = Verify(server_cert, "jira.aquameta.com", flags, NULL,
+                     &verify_result);
 #if defined(USE_OPENSSL)
   // This certificate has two errors: "invalid key usage" and "untrusted CA".
   // However, OpenSSL returns only one (the latter), and we can't detect
   // the other errors.
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
 #else
   EXPECT_EQ(ERR_CERT_INVALID, error);
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
 #endif
   // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors
   // from NSS.
 #if !defined(USE_NSS)
   // The certificate is issued by an unknown CA.
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
 #endif
 }
 
 // Tests X509CertificateCache via X509Certificate::CreateFromHandle.  We
 // call X509Certificate::CreateFromHandle several times and observe whether
 // it returns a cached or new OSCertHandle.
-TEST(X509CertificateTest, Cache) {
+TEST_F(X509CertificateTest, Cache) {
   X509Certificate::OSCertHandle google_cert_handle;
   X509Certificate::OSCertHandle thawte_cert_handle;
 
   // Add a single certificate to the certificate cache.
   google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
       reinterpret_cast<const char*>(google_der), sizeof(google_der));
   scoped_refptr<X509Certificate> cert1(X509Certificate::CreateFromHandle(
       google_cert_handle, X509Certificate::OSCertHandles()));
   X509Certificate::FreeOSCertHandle(google_cert_handle);
 
@@ skipping 26 matching lines @@
   X509Certificate::FreeOSCertHandle(thawte_cert_handle);
 
   // Test that the new certificate, even with intermediates, results in the
   // same underlying handle being used.
   EXPECT_EQ(cert1->os_cert_handle(), cert3->os_cert_handle());
   // Though they use the same OS handle, the intermediates should be different.
   EXPECT_NE(cert1->GetIntermediateCertificates().size(),
       cert3->GetIntermediateCertificates().size());
 }
 
-TEST(X509CertificateTest, Pickle) {
+TEST_F(X509CertificateTest, Pickle) {
   X509Certificate::OSCertHandle google_cert_handle =
       X509Certificate::CreateOSCertHandleFromBytes(
           reinterpret_cast<const char*>(google_der), sizeof(google_der));
   X509Certificate::OSCertHandle thawte_cert_handle =
       X509Certificate::CreateOSCertHandleFromBytes(
           reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der));
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(thawte_cert_handle);
   scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
@@ skipping 17 matching lines @@
       cert->GetIntermediateCertificates();
   const X509Certificate::OSCertHandles& pickle_intermediates =
       cert_from_pickle->GetIntermediateCertificates();
   ASSERT_EQ(cert_intermediates.size(), pickle_intermediates.size());
   for (size_t i = 0; i < cert_intermediates.size(); ++i) {
     EXPECT_TRUE(X509Certificate::IsSameOSCert(cert_intermediates[i],
                                               pickle_intermediates[i]));
   }
 }
 
-TEST(X509CertificateTest, Policy) {
+TEST_F(X509CertificateTest, Policy) {
   scoped_refptr<X509Certificate> google_cert(X509Certificate::CreateFromBytes(
       reinterpret_cast<const char*>(google_der), sizeof(google_der)));
 
   scoped_refptr<X509Certificate> webkit_cert(X509Certificate::CreateFromBytes(
       reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der)));
 
   CertPolicy policy;
 
   EXPECT_EQ(policy.Check(google_cert.get()), CertPolicy::UNKNOWN);
   EXPECT_EQ(policy.Check(webkit_cert.get()), CertPolicy::UNKNOWN);
@@ skipping 15 matching lines @@
   EXPECT_TRUE(policy.HasDeniedCert());
 
   policy.Allow(webkit_cert.get());
 
   EXPECT_EQ(policy.Check(google_cert.get()), CertPolicy::DENIED);
   EXPECT_EQ(policy.Check(webkit_cert.get()), CertPolicy::ALLOWED);
   EXPECT_TRUE(policy.HasAllowedCert());
   EXPECT_TRUE(policy.HasDeniedCert());
 }
 
-TEST(X509CertificateTest, IntermediateCertificates) {
+TEST_F(X509CertificateTest, IntermediateCertificates) {
   scoped_refptr<X509Certificate> webkit_cert(
       X509Certificate::CreateFromBytes(
           reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der)));
 
   scoped_refptr<X509Certificate> thawte_cert(
       X509Certificate::CreateFromBytes(
           reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der)));
 
   X509Certificate::OSCertHandle google_handle;
   // Create object with no intermediates:
@@ skipping 23 matching lines @@
   // Cleanup
   X509Certificate::FreeOSCertHandle(google_handle);
 }
 
 // Basic test for returning the chain in CertVerifyResult. Note that the
 // returned chain may just be a reflection of the originally supplied chain;
 // that is, if any errors occur, the default chain returned is an exact copy
 // of the certificate to be verified. The remaining VerifyReturn* tests are
 // used to ensure that the actual, verified chain is being returned by
 // Verify().
-TEST(X509CertificateTest, VerifyReturnChainBasic) {
+TEST_F(X509CertificateTest, VerifyReturnChainBasic) {
   FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "x509_verify_results.chain.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[1]->os_cert_handle());
   intermediates.push_back(certs[2]->os_cert_handle());
 
   TestRootCerts::GetInstance()->Add(certs[2]);
 
   scoped_refptr<X509Certificate> google_full_chain =
       X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
                                         intermediates);
   ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
   ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size());
 
   CertVerifyResult verify_result;
   EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
-  int error = google_full_chain->Verify("127.0.0.1", 0, NULL, &verify_result);
+  int error = Verify(google_full_chain, "127.0.0.1", 0, NULL, &verify_result);
   EXPECT_EQ(OK, error);
   ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
 
   EXPECT_NE(google_full_chain, verify_result.verified_cert);
   EXPECT_TRUE(X509Certificate::IsSameOSCert(
       google_full_chain->os_cert_handle(),
       verify_result.verified_cert->os_cert_handle()));
   const X509Certificate::OSCertHandles& return_intermediates =
       verify_result.verified_cert->GetIntermediateCertificates();
   ASSERT_EQ(2U, return_intermediates.size());
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
                                             certs[1]->os_cert_handle()));
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
                                             certs[2]->os_cert_handle()));
 
   TestRootCerts::GetInstance()->Clear();
 }
 
 // Test that the certificate returned in CertVerifyResult is able to reorder
 // certificates that are not ordered from end-entity to root. While this is
 // a protocol violation if sent during a TLS handshake, if multiple sources
 // of intermediate certificates are combined, it's possible that order may
 // not be maintained.
-TEST(X509CertificateTest, VerifyReturnChainProperlyOrdered) {
+TEST_F(X509CertificateTest, VerifyReturnChainProperlyOrdered) {
   FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "x509_verify_results.chain.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
 
   // Construct the chain out of order.
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[2]->os_cert_handle());
   intermediates.push_back(certs[1]->os_cert_handle());
 
   TestRootCerts::GetInstance()->Add(certs[2]);
 
   scoped_refptr<X509Certificate> google_full_chain =
       X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
                                         intermediates);
   ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
   ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size());
 
   CertVerifyResult verify_result;
   EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
-  int error = google_full_chain->Verify("127.0.0.1", 0, NULL, &verify_result);
+  int error = Verify(google_full_chain, "127.0.0.1", 0, NULL, &verify_result);
   EXPECT_EQ(OK, error);
   ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
 
   EXPECT_NE(google_full_chain, verify_result.verified_cert);
   EXPECT_TRUE(X509Certificate::IsSameOSCert(
       google_full_chain->os_cert_handle(),
       verify_result.verified_cert->os_cert_handle()));
   const X509Certificate::OSCertHandles& return_intermediates =
       verify_result.verified_cert->GetIntermediateCertificates();
   ASSERT_EQ(2U, return_intermediates.size());
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
                                             certs[1]->os_cert_handle()));
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
                                             certs[2]->os_cert_handle()));
 
   TestRootCerts::GetInstance()->Clear();
 }
 
 // Test that Verify() filters out certificates which are not related to
 // or part of the certificate chain being verified.
-TEST(X509CertificateTest, VerifyReturnChainFiltersUnrelatedCerts) {
+TEST_F(X509CertificateTest, VerifyReturnChainFiltersUnrelatedCerts) {
   FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "x509_verify_results.chain.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
   TestRootCerts::GetInstance()->Add(certs[2]);
 
   scoped_refptr<X509Certificate> unrelated_dod_certificate =
       ImportCertFromFile(certs_dir, "dod_ca_17_cert.der");
   scoped_refptr<X509Certificate> unrelated_dod_certificate2 =
       ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate);
   ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate2);
 
   // Interject unrelated certificates into the list of intermediates.
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(unrelated_dod_certificate->os_cert_handle());
   intermediates.push_back(certs[1]->os_cert_handle());
   intermediates.push_back(unrelated_dod_certificate2->os_cert_handle());
   intermediates.push_back(certs[2]->os_cert_handle());
 
   scoped_refptr<X509Certificate> google_full_chain =
       X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
                                         intermediates);
   ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
   ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size());
 
   CertVerifyResult verify_result;
   EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
-  int error = google_full_chain->Verify("127.0.0.1", 0, NULL, &verify_result);
+  int error = Verify(google_full_chain, "127.0.0.1", 0, NULL, &verify_result);
   EXPECT_EQ(OK, error);
   ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
 
   EXPECT_NE(google_full_chain, verify_result.verified_cert);
   EXPECT_TRUE(X509Certificate::IsSameOSCert(
       google_full_chain->os_cert_handle(),
       verify_result.verified_cert->os_cert_handle()));
   const X509Certificate::OSCertHandles& return_intermediates =
       verify_result.verified_cert->GetIntermediateCertificates();
   ASSERT_EQ(2U, return_intermediates.size());
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
                                             certs[1]->os_cert_handle()));
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
                                             certs[2]->os_cert_handle()));
   TestRootCerts::GetInstance()->Clear();
 }
 
 #if defined(OS_MACOSX)
-TEST(X509CertificateTest, IsIssuedBy) {
+TEST_F(X509CertificateTest, IsIssuedBy) {
   FilePath certs_dir = GetTestCertsDirectory();
 
   // Test a client certificate from MIT.
   scoped_refptr<X509Certificate> mit_davidben_cert(
       ImportCertFromFile(certs_dir, "mit.davidben.der"));
   ASSERT_NE(static_cast<X509Certificate*>(NULL), mit_davidben_cert);
 
   CertPrincipal mit_issuer;
   mit_issuer.country_name = "US";
   mit_issuer.state_or_province_name = "Massachusetts";
@@ skipping 28 matching lines @@
   EXPECT_TRUE(foaf_me_chromium_test_cert->IsIssuedBy(both_issuers));
   EXPECT_TRUE(mit_davidben_cert->IsIssuedBy(both_issuers));
   EXPECT_FALSE(foaf_me_chromium_test_cert->IsIssuedBy(mit_issuers));
   EXPECT_FALSE(mit_davidben_cert->IsIssuedBy(foaf_issuers));
 }
 #endif  // defined(OS_MACOSX)
 
 #if defined(USE_NSS) || defined(OS_WIN) || defined(OS_MACOSX)
 // This test creates a self-signed cert from a private key and then verify the
 // content of the certificate.
-TEST(X509CertificateTest, CreateSelfSigned) {
+TEST_F(X509CertificateTest, CreateSelfSigned) {
   scoped_ptr<crypto::RSAPrivateKey> private_key(
       crypto::RSAPrivateKey::Create(1024));
   scoped_refptr<X509Certificate> cert =
       X509Certificate::CreateSelfSigned(
           private_key.get(), "CN=subject", 1, base::TimeDelta::FromDays(1));
 
   EXPECT_EQ("subject", cert->subject().GetDisplayName());
   EXPECT_FALSE(cert->HasExpired());
 
   const uint8 private_key_info[] = {
@@ skipping 86 matching lines @@
   private_key.reset(crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(input));
   ASSERT_TRUE(private_key.get());
 
   cert = X509Certificate::CreateSelfSigned(
       private_key.get(), "CN=subject", 1, base::TimeDelta::FromDays(1));
 
   EXPECT_EQ("subject", cert->subject().GetDisplayName());
   EXPECT_FALSE(cert->HasExpired());
 }
 
-TEST(X509CertificateTest, GetDEREncoded) {
+TEST_F(X509CertificateTest, GetDEREncoded) {
   scoped_ptr<crypto::RSAPrivateKey> private_key(
       crypto::RSAPrivateKey::Create(1024));
   scoped_refptr<X509Certificate> cert =
       X509Certificate::CreateSelfSigned(
           private_key.get(), "CN=subject", 0, base::TimeDelta::FromDays(1));
 
   std::string der_cert;
   EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(),
                                              &der_cert));
   EXPECT_FALSE(der_cert.empty());
@@ skipping 44 matching lines @@
   0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
   0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d, 0xe9, 0x7e, 0x8c, 0xc5, 0x1e, 0xd7,
   0xa4, 0xc4, 0x0a, 0xc4, 0x80, 0x3d, 0x3e, 0x3e, 0xbb, 0xeb, 0xcb, 0xed, 0x52,
   0x49, 0x33, 0x1f, 0x2c, 0xc0, 0xa2, 0x6a, 0x0e, 0x84, 0xa5, 0x27, 0xce, 0xc5,
   0x01, 0x00, 0x00, 0x00, 0x10, 0x4f, 0x9d, 0x96, 0xd9, 0x66, 0xb0, 0x99, 0x2b,
   0x54, 0xc2, 0x95, 0x7c, 0xb4, 0x15, 0x7d, 0x4d,
 };
 
 // Test that CRLSets are effective in making a certificate appear to be
 // revoked.
-TEST(X509CertificateTest, CRLSet) {
+TEST_F(X509CertificateTest, CRLSet) {
   CertificateList certs = CreateCertificateListFromFile(
       GetTestCertsDirectory(),
       "googlenew.chain.pem",
       X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[1]->os_cert_handle());
 
   scoped_refptr<X509Certificate> google_full_chain =
       X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
                                         intermediates);
 
   CertVerifyResult verify_result;
-  int error = google_full_chain->Verify(
-      "www.google.com", 0, NULL, &verify_result);
+  int error = Verify(google_full_chain, "www.google.com", 0, NULL,
+                     &verify_result);
   EXPECT_EQ(OK, error);
 
   // First test blocking by SPKI.
   base::StringPiece crl_set_bytes(
       reinterpret_cast<const char*>(kCRLSetThawteSPKIBlocked),
       sizeof(kCRLSetThawteSPKIBlocked));
   scoped_refptr<CRLSet> crl_set;
   ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
 
-  error = google_full_chain->Verify(
-      "www.google.com", 0, crl_set.get(), &verify_result);
+  error = Verify(google_full_chain, "www.google.com", 0, crl_set.get(),
+                 &verify_result);
   EXPECT_EQ(ERR_CERT_REVOKED, error);
 
   // Second, test revocation by serial number of a cert directly under the
   // root.
   crl_set_bytes = base::StringPiece(
       reinterpret_cast<const char*>(kCRLSetThawteSerialBlocked),
       sizeof(kCRLSetThawteSerialBlocked));
   ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
 
-  error = google_full_chain->Verify(
-      "www.google.com", 0, crl_set.get(), &verify_result);
+  error = Verify(google_full_chain, "www.google.com", 0, crl_set.get(),
+                 &verify_result);
   EXPECT_EQ(ERR_CERT_REVOKED, error);
 
   // Lastly, test revocation by serial number of a certificate not under the
   // root.
   crl_set_bytes = base::StringPiece(
       reinterpret_cast<const char*>(kCRLSetGoogleSerialBlocked),
       sizeof(kCRLSetGoogleSerialBlocked));
   ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
 
-  error = google_full_chain->Verify(
-      "www.google.com", 0, crl_set.get(), &verify_result);
+  error = Verify(google_full_chain, "www.google.com", 0, crl_set.get(),
+                 &verify_result);
   EXPECT_EQ(ERR_CERT_REVOKED, error);
 }
 #endif
 
 class X509CertificateParseTest
     : public testing::TestWithParam<CertificateFormatTestData> {
  public:
   virtual ~X509CertificateParseTest() {}
   virtual void SetUp() {
     test_data_ = GetParam();
@@ skipping 267 matching lines @@
 // attempt to print out the first twenty bytes of the object, which depending
 // on platform and alignment, may result in an invalid read.
 void PrintTo(const WeakDigestTestData& data, std::ostream* os) {
   *os << "root: "
       << (data.root_cert_filename ? data.root_cert_filename : "none")
       << "; intermediate: " << data.intermediate_cert_filename
       << "; end-entity: " << data.ee_cert_filename;
 }
 
 class X509CertificateWeakDigestTest
-    : public testing::TestWithParam<WeakDigestTestData> {
+    : public X509CertificateTest,
+      public testing::WithParamInterface<WeakDigestTestData> {
  public:
   X509CertificateWeakDigestTest() {}
 
   virtual void TearDown() {
     TestRootCerts::GetInstance()->Clear();
   }
 };
 
 TEST_P(X509CertificateWeakDigestTest, Verify) {
   WeakDigestTestData data = GetParam();
@@ skipping 16 matching lines @@
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(intermediate_cert->os_cert_handle());
 
   scoped_refptr<X509Certificate> ee_chain =
       X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
                                         intermediates);
   ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain);
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int rv = ee_chain->Verify("127.0.0.1", flags, NULL, &verify_result);
+  int rv = Verify(ee_chain, "127.0.0.1", flags, NULL, &verify_result);
   EXPECT_EQ(data.expected_has_md5, verify_result.has_md5);
   EXPECT_EQ(data.expected_has_md4, verify_result.has_md4);
   EXPECT_EQ(data.expected_has_md2, verify_result.has_md2);
   EXPECT_EQ(data.expected_has_md5_ca, verify_result.has_md5_ca);
   EXPECT_EQ(data.expected_has_md2_ca, verify_result.has_md2_ca);
 
   // Ensure that MD4 and MD2 are tagged as invalid.
   if (data.expected_has_md4 || data.expected_has_md2) {
     EXPECT_EQ(CERT_STATUS_INVALID,
               verify_result.cert_status & CERT_STATUS_INVALID);
@@ skipping 153 matching lines @@
 #define MAYBE_VerifyMixed DISABLED_VerifyMixed
 #else
 #define MAYBE_VerifyMixed VerifyMixed
 #endif
 WRAPPED_INSTANTIATE_TEST_CASE_P(
     MAYBE_VerifyMixed,
     X509CertificateWeakDigestTest,
     testing::ValuesIn(kVerifyMixedTestData));
 
 }  // namespace net