Account for the OS returning an empty certificate chain.

net/cert/cert_verify_proc_unittest.cc

Index: net/cert/cert_verify_proc_unittest.cc
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index ed6f028b2002d2446f10186473d9bb2e3d002c0e..201000f4a933a1c0d1b160e285b3757cb4f0306d 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -1593,4 +1593,28 @@ WRAPPED_INSTANTIATE_TEST_CASE_P(
     CertVerifyProcNameTest,
     testing::ValuesIn(kVerifyNameData));
 
+#if defined(OS_MACOSX) && !defined(OS_IOS)
+// Test that CertVerifyProcMac reacts appropriately when Apple's certificate
+// verifier rejects a certificate with a fatal error. This is a regression
+// test for https://crbug.com/472291.
+TEST_F(CertVerifyProcTest, LargeKey) {
+  // Load root_ca_cert.pem into the test root store.
+  ScopedTestRoot test_root(
+      ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem").get());
+
+  scoped_refptr<X509Certificate> cert(
+      ImportCertFromFile(GetTestCertsDirectory(), "large_key.pem"));
+
+  // Apple's verifier rejects this certificate as invalid because the
+  // RSA key is too large. If a future version of OS X changes this,
+  // large_key.pem may need to be regenerated with a larger key.
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
+                     &verify_result);
+  EXPECT_EQ(ERR_CERT_INVALID, error);
+  EXPECT_EQ(CERT_STATUS_INVALID, verify_result.cert_status);
+}
+#endif  // defined(OS_MACOSX) && !defined(OS_IOS)
+
 }  // namespace net