Refactor net tests to use GMock matchers for checking net::Error results

net/cert/cert_verify_proc_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc.h"
 
 #include <vector>
 
 #include "base/callback_helpers.h"
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/sha1.h"
 #include "base/strings/string_number_conversions.h"
 #include "build/build_config.h"
 #include "crypto/sha2.h"
 #include "net/base/net_errors.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/crl_set.h"
 #include "net/cert/crl_set_storage.h"
 #include "net/cert/test_root_certs.h"
 #include "net/cert/x509_certificate.h"
 #include "net/test/cert_test_util.h"
+#include "net/test/gtest_util.h"
 #include "net/test/test_certificate_data.h"
 #include "net/test/test_data_directory.h"
+#include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 #if defined(OS_ANDROID)
 #include "base/android/build_info.h"
 #endif
 
+using net::test::IsError;
+using net::test::IsOk;
+
 using base::HexEncode;
 
 namespace net {
 
 namespace {
 
 // Mock CertVerifyProc that sets the CertVerifyResult to a given value for
 // all certificates that are Verify()'d
 class MockCertVerifyProc : public CertVerifyProc {
  public:
@@ skipping 138 matching lines @@
 
   scoped_refptr<CRLSet> crl_set(CRLSet::ForTesting(false, NULL, ""));
   CertVerifyResult verify_result;
   int flags = CertVerifier::VERIFY_EV_CERT;
   int error = Verify(comodo_chain.get(),
                      "comodo.com",
                      flags,
                      crl_set.get(),
                      empty_cert_list_,
                      &verify_result);
-  EXPECT_EQ(OK, error);
+  EXPECT_THAT(error, IsOk());
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
 }
 
 // TODO(crbug.com/605457): the test expectation was incorrect on some
 // configurations, so disable the test until it is fixed (better to have
 // a bug to track a failing test than a false sense of security due to
 // false positive).
 TEST_F(CertVerifyProcTest, DISABLED_PaypalNullCertParsing) {
   // A certificate for www.paypal.com with a NULL byte in the common name.
   // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363
@@ skipping 11 matching lines @@
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(paypal_null_cert.get(),
                      "www.paypal.com",
                      flags,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
 #if defined(USE_NSS_CERTS) || defined(OS_ANDROID)
-  EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
+  EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
 #elif defined(OS_IOS) && TARGET_IPHONE_SIMULATOR
   // iOS returns a ERR_CERT_INVALID error on the simulator, while returning
   // ERR_CERT_AUTHORITY_INVALID on the real device.
-  EXPECT_EQ(ERR_CERT_INVALID, error);
+  EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
 #else
   // TOOD(bulach): investigate why macosx and win aren't returning
   // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID.
-  EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
+  EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
 #endif
   // Either the system crypto library should correctly report a certificate
   // name mismatch, or our certificate blacklist should cause us to report an
   // invalid certificate.
 #if defined(USE_NSS_CERTS) || defined(OS_WIN)
   EXPECT_TRUE(verify_result.cert_status &
               (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
 #endif
 }
 
@@ skipping 26 matching lines @@
   ScopedTestRoot scoped_root(certs[2].get());
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(cert.get(),
                      "policy_test.example",
                      flags,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
-  EXPECT_EQ(OK, error);
+  EXPECT_THAT(error, IsOk());
   EXPECT_EQ(0u, verify_result.cert_status);
 }
 
 TEST_F(CertVerifyProcTest, RejectExpiredCert) {
   base::FilePath certs_dir = GetTestCertsDirectory();
 
   // Load root_ca_cert.pem into the test root store.
   ScopedTestRoot test_root(
       ImportCertFromFile(certs_dir, "root_ca_cert.pem").get());
 
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "expired_cert.pem", X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, certs.size());
 
   X509Certificate::OSCertHandles intermediates;
   scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
       certs[0]->os_cert_handle(), intermediates);
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
                      &verify_result);
-  EXPECT_EQ(ERR_CERT_DATE_INVALID, error);
+  EXPECT_THAT(error, IsError(ERR_CERT_DATE_INVALID));
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_DATE_INVALID);
 }
 
 // Currently, only RSA and DSA keys are checked for weakness, and our example
 // weak size is 768. These could change in the future.
 //
 // Note that this means there may be false negatives: keys for other
 // algorithms and which are weak will pass this test.
 static bool IsWeakKeyType(const std::string& key_type) {
   size_t pos = key_type.find("-");
@@ skipping 57 matching lines @@
                          empty_cert_list_,
                          &verify_result);
 
       if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) {
         EXPECT_NE(OK, error);
         EXPECT_EQ(CERT_STATUS_WEAK_KEY,
                   verify_result.cert_status & CERT_STATUS_WEAK_KEY);
         EXPECT_NE(CERT_STATUS_INVALID,
                   verify_result.cert_status & CERT_STATUS_INVALID);
       } else {
-        EXPECT_EQ(OK, error);
+        EXPECT_THAT(error, IsOk());
         EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY);
       }
     }
   }
 }
 
 // Regression test for http://crbug.com/108514.
 #if defined(OS_MACOSX) && !defined(OS_IOS)
 // Disabled on OS X - Security.framework doesn't ignore superflous certificates
 // provided by servers. See CertVerifyProcTest.CybertrustGTERoot for further
@@ skipping 31 matching lines @@
                                         intermediates);
 
   CertVerifyResult verify_result;
   int flags = 0;
   int error = Verify(cert_chain.get(),
                      "127.0.0.1",
                      flags,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
-  EXPECT_EQ(OK, error);
+  EXPECT_THAT(error, IsOk());
 
   // The extra MD5 root should be discarded
   ASSERT_TRUE(verify_result.verified_cert.get());
   ASSERT_EQ(1u,
             verify_result.verified_cert->GetIntermediateCertificates().size());
   EXPECT_TRUE(X509Certificate::IsSameOSCert(
         verify_result.verified_cert->GetIntermediateCertificates().front(),
         root_cert->os_cert_handle()));
 
   EXPECT_FALSE(verify_result.has_md5);
@@ skipping 105 matching lines @@
                                         intermediates);
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(leaf.get(),
                      "test.example.com",
                      flags,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
-  EXPECT_EQ(OK, error);
+  EXPECT_THAT(error, IsOk());
   EXPECT_EQ(0U, verify_result.cert_status);
 
   error = Verify(leaf.get(), "foo.test2.example.com", flags, NULL,
                  empty_cert_list_, &verify_result);
-  EXPECT_EQ(OK, error);
+  EXPECT_THAT(error, IsOk());
   EXPECT_EQ(0U, verify_result.cert_status);
 }
 
 TEST_F(CertVerifyProcTest, NameConstraintsFailure) {
   if (!SupportsReturningVerifiedChain()) {
     LOG(INFO) << "Skipping this test in this platform.";
     return;
   }
 
   CertificateList ca_cert_list =
@@ skipping 14 matching lines @@
                                         intermediates);
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(leaf.get(),
                      "test.example.com",
                      flags,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
-  EXPECT_EQ(ERR_CERT_NAME_CONSTRAINT_VIOLATION, error);
+  EXPECT_THAT(error, IsError(ERR_CERT_NAME_CONSTRAINT_VIOLATION));
   EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
             verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION);
 }
 
 TEST_F(CertVerifyProcTest, TestHasTooLongValidity) {
   struct {
     const char* const file;
     bool is_valid_too_long;
   } tests[] = {
       {"twitter-chain.pem", false},
@@ skipping 39 matching lines @@
   scoped_refptr<X509Certificate> cert_chain =
       X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
                                         intermediates);
 
   int flags = 0;
   CertVerifyResult verify_result;
   // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
   // against agl. See also PublicKeyHashes.
   int error = Verify(cert_chain.get(), "twitter.com", flags, NULL,
                      empty_cert_list_, &verify_result);
-  EXPECT_EQ(OK, error);
+  EXPECT_THAT(error, IsOk());
   EXPECT_TRUE(verify_result.is_issued_by_known_root);
 }
 
 // TODO(crbug.com/610546): Fix and re-enable this test.
 TEST_F(CertVerifyProcTest, DISABLED_PublicKeyHashes) {
   if (!SupportsReturningVerifiedChain()) {
     LOG(INFO) << "Skipping this test in this platform.";
     return;
   }
 
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[1]->os_cert_handle());
 
   scoped_refptr<X509Certificate> cert_chain =
       X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
                                         intermediates);
   int flags = 0;
   CertVerifyResult verify_result;
 
   // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
   // against agl. See also TestKnownRoot.
   int error = Verify(cert_chain.get(), "twitter.com", flags, NULL,
                      empty_cert_list_, &verify_result);
-  EXPECT_EQ(OK, error);
+  EXPECT_THAT(error, IsOk());
   ASSERT_LE(3U, verify_result.public_key_hashes.size());
 
   HashValueVector sha1_hashes;
   for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) {
     if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1)
       continue;
     sha1_hashes.push_back(verify_result.public_key_hashes[i]);
   }
   ASSERT_LE(3u, sha1_hashes.size());
 
@@ skipping 31 matching lines @@
   int error = Verify(server_cert.get(),
                      "jira.aquameta.com",
                      flags,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
 #if defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
   // This certificate has two errors: "invalid key usage" and "untrusted CA".
   // However, OpenSSL returns only one (the latter), and we can't detect
   // the other errors.
-  EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
+  EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
 #else
-  EXPECT_EQ(ERR_CERT_INVALID, error);
+  EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
 #endif
   // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors
   // from NSS.
 #if !defined(USE_NSS_CERTS) && !defined(OS_IOS) && !defined(OS_ANDROID)
   // The certificate is issued by an unknown CA.
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
 #endif
 }
 
@@ skipping 29 matching lines @@
 
   CertVerifyResult verify_result;
   EXPECT_EQ(static_cast<X509Certificate*>(NULL),
             verify_result.verified_cert.get());
   int error = Verify(google_full_chain.get(),
                      "127.0.0.1",
                      0,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
-  EXPECT_EQ(OK, error);
+  EXPECT_THAT(error, IsOk());
   ASSERT_NE(static_cast<X509Certificate*>(NULL),
             verify_result.verified_cert.get());
 
   EXPECT_NE(google_full_chain, verify_result.verified_cert);
   EXPECT_TRUE(X509Certificate::IsSameOSCert(
       google_full_chain->os_cert_handle(),
       verify_result.verified_cert->os_cert_handle()));
   const X509Certificate::OSCertHandles& return_intermediates =
       verify_result.verified_cert->GetIntermediateCertificates();
   ASSERT_EQ(2U, return_intermediates.size());
@@ skipping 21 matching lines @@
 
   CertVerifyResult verify_result;
   int error = 0;
 
   // Intranet names for public CAs should be flagged:
   CertVerifyResult dummy_result;
   dummy_result.is_issued_by_known_root = true;
   verify_proc_ = new MockCertVerifyProc(dummy_result);
   error =
       Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result);
-  EXPECT_EQ(OK, error);
+  EXPECT_THAT(error, IsOk());
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
 
   // However, if the CA is not well known, these should not be flagged:
   dummy_result.Reset();
   dummy_result.is_issued_by_known_root = false;
   verify_proc_ = new MockCertVerifyProc(dummy_result);
   error =
       Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result);
-  EXPECT_EQ(OK, error);
+  EXPECT_THAT(error, IsOk());
   EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
 }
 
 // Test that a SHA-1 certificate from a publicly trusted CA issued after
 // 1 January 2016 is rejected, but those issued before that date, or with
 // SHA-1 in the intermediate, is not rejected.
 TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecation) {
   CertVerifyResult dummy_result;
   CertVerifyResult verify_result;
   int error = 0;
   scoped_refptr<X509Certificate> cert;
 
   // Publicly trusted SHA-1 leaf certificates issued before 1 January 2016
   // are accepted.
   verify_result.Reset();
   dummy_result.Reset();
   dummy_result.is_issued_by_known_root = true;
   dummy_result.has_sha1 = true;
   dummy_result.has_sha1_leaf = true;
   verify_proc_ = new MockCertVerifyProc(dummy_result);
   cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
                                         "sha1_dec_2015.pem",
                                         X509Certificate::FORMAT_AUTO);
   ASSERT_TRUE(cert);
   error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_,
                  &verify_result);
-  EXPECT_EQ(OK, error);
+  EXPECT_THAT(error, IsOk());
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
 
   // Publicly trusted SHA-1 leaf certificates issued on/after 1 January 2016
   // are rejected.
   verify_result.Reset();
   dummy_result.Reset();
   dummy_result.is_issued_by_known_root = true;
   dummy_result.has_sha1 = true;
   dummy_result.has_sha1_leaf = true;
   verify_proc_ = new MockCertVerifyProc(dummy_result);
   cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
                                         "sha1_jan_2016.pem",
                                         X509Certificate::FORMAT_AUTO);
   ASSERT_TRUE(cert);
   error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_,
                  &verify_result);
-  EXPECT_EQ(ERR_CERT_WEAK_SIGNATURE_ALGORITHM, error);
+  EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
 
   // Enterprise issued SHA-1 leaf certificates issued on/after 1 January 2016
   // remain accepted until SHA-1 is disabled.
   verify_result.Reset();
   dummy_result.Reset();
   dummy_result.is_issued_by_known_root = false;
   dummy_result.has_sha1 = true;
   dummy_result.has_sha1_leaf = true;
   verify_proc_ = new MockCertVerifyProc(dummy_result);
   cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
                                         "sha1_jan_2016.pem",
                                         X509Certificate::FORMAT_AUTO);
   ASSERT_TRUE(cert);
   error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_,
                  &verify_result);
-  EXPECT_EQ(OK, error);
+  EXPECT_THAT(error, IsOk());
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
 
   // Publicly trusted SHA-1 intermediates issued on/after 1 January 2016 are,
   // unfortunately, accepted. This can arise due to OS path building quirks.
   verify_result.Reset();
   dummy_result.Reset();
   dummy_result.is_issued_by_known_root = true;
   dummy_result.has_sha1 = true;
   dummy_result.has_sha1_leaf = false;
   verify_proc_ = new MockCertVerifyProc(dummy_result);
   cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
                                         "sha1_jan_2016.pem",
                                         X509Certificate::FORMAT_AUTO);
   ASSERT_TRUE(cert);
   error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_,
                  &verify_result);
-  EXPECT_EQ(OK, error);
+  EXPECT_THAT(error, IsOk());
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
 }
 
 // Test that the certificate returned in CertVerifyResult is able to reorder
 // certificates that are not ordered from end-entity to root. While this is
 // a protocol violation if sent during a TLS handshake, if multiple sources
 // of intermediate certificates are combined, it's possible that order may
 // not be maintained.
 TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
   if (!SupportsReturningVerifiedChain()) {
@@ skipping 22 matching lines @@
 
   CertVerifyResult verify_result;
   EXPECT_EQ(static_cast<X509Certificate*>(NULL),
             verify_result.verified_cert.get());
   int error = Verify(google_full_chain.get(),
                      "127.0.0.1",
                      0,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
-  EXPECT_EQ(OK, error);
+  EXPECT_THAT(error, IsOk());
   ASSERT_NE(static_cast<X509Certificate*>(NULL),
             verify_result.verified_cert.get());
 
   EXPECT_NE(google_full_chain, verify_result.verified_cert);
   EXPECT_TRUE(X509Certificate::IsSameOSCert(
       google_full_chain->os_cert_handle(),
       verify_result.verified_cert->os_cert_handle()));
   const X509Certificate::OSCertHandles& return_intermediates =
       verify_result.verified_cert->GetIntermediateCertificates();
   ASSERT_EQ(2U, return_intermediates.size());
@@ skipping 40 matching lines @@
 
   CertVerifyResult verify_result;
   EXPECT_EQ(static_cast<X509Certificate*>(NULL),
             verify_result.verified_cert.get());
   int error = Verify(google_full_chain.get(),
                      "127.0.0.1",
                      0,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
-  EXPECT_EQ(OK, error);
+  EXPECT_THAT(error, IsOk());
   ASSERT_NE(static_cast<X509Certificate*>(NULL),
             verify_result.verified_cert.get());
 
   EXPECT_NE(google_full_chain, verify_result.verified_cert);
   EXPECT_TRUE(X509Certificate::IsSameOSCert(
       google_full_chain->os_cert_handle(),
       verify_result.verified_cert->os_cert_handle()));
   const X509Certificate::OSCertHandles& return_intermediates =
       verify_result.verified_cert->GetIntermediateCertificates();
   ASSERT_EQ(2U, return_intermediates.size());
@@ skipping 21 matching lines @@
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, cert_list.size());
   scoped_refptr<X509Certificate> cert(cert_list[0]);
 
   // Verification of |cert| fails when |ca_cert| is not in the trust anchors
   // list.
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(
       cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
-  EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
+  EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
   EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
   EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
 
   // Now add the |ca_cert| to the |trust_anchors|, and verification should pass.
   CertificateList trust_anchors;
   trust_anchors.push_back(ca_cert);
   error = Verify(
       cert.get(), "127.0.0.1", flags, NULL, trust_anchors, &verify_result);
-  EXPECT_EQ(OK, error);
+  EXPECT_THAT(error, IsOk());
   EXPECT_EQ(0U, verify_result.cert_status);
   EXPECT_TRUE(verify_result.is_issued_by_additional_trust_anchor);
 
   // Clearing the |trust_anchors| makes verification fail again (the cache
   // should be skipped).
   error = Verify(
       cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
-  EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
+  EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
   EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
   EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
 }
 
 // Tests that certificates issued by user-supplied roots are not flagged as
 // issued by a known root. This should pass whether or not the platform supports
 // detecting known roots.
 TEST_F(CertVerifyProcTest, IsIssuedByKnownRootIgnoresTestRoots) {
   // Load root_ca_cert.pem into the test root store.
   ScopedTestRoot test_root(
       ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem").get());
 
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
 
   // Verification should pass.
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(
       cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
-  EXPECT_EQ(OK, error);
+  EXPECT_THAT(error, IsOk());
   EXPECT_EQ(0U, verify_result.cert_status);
   // But should not be marked as a known root.
   EXPECT_FALSE(verify_result.is_issued_by_known_root);
 }
 
 #if defined(USE_NSS_CERTS) || defined(OS_WIN) || \
     (defined(OS_MACOSX) && !defined(OS_IOS))
 // Test that CRLSets are effective in making a certificate appear to be
 // revoked.
 TEST_F(CertVerifyProcTest, CRLSet) {
   CertificateList ca_cert_list =
       CreateCertificateListFromFile(GetTestCertsDirectory(),
                                     "root_ca_cert.pem",
                                     X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, ca_cert_list.size());
   ScopedTestRoot test_root(ca_cert_list[0].get());
 
   CertificateList cert_list = CreateCertificateListFromFile(
       GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, cert_list.size());
   scoped_refptr<X509Certificate> cert(cert_list[0]);
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(
       cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
-  EXPECT_EQ(OK, error);
+  EXPECT_THAT(error, IsOk());
   EXPECT_EQ(0U, verify_result.cert_status);
 
   scoped_refptr<CRLSet> crl_set;
   std::string crl_set_bytes;
 
   // First test blocking by SPKI.
   EXPECT_TRUE(base::ReadFileToString(
       GetTestCertsDirectory().AppendASCII("crlset_by_leaf_spki.raw"),
       &crl_set_bytes));
   ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
 
   error = Verify(cert.get(),
                  "127.0.0.1",
                  flags,
                  crl_set.get(),
                  empty_cert_list_,
                  &verify_result);
-  EXPECT_EQ(ERR_CERT_REVOKED, error);
+  EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
 
   // Second, test revocation by serial number of a cert directly under the
   // root.
   crl_set_bytes.clear();
   EXPECT_TRUE(base::ReadFileToString(
       GetTestCertsDirectory().AppendASCII("crlset_by_root_serial.raw"),
       &crl_set_bytes));
   ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
 
   error = Verify(cert.get(),
                  "127.0.0.1",
                  flags,
                  crl_set.get(),
                  empty_cert_list_,
                  &verify_result);
-  EXPECT_EQ(ERR_CERT_REVOKED, error);
+  EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
 }
 
 TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
   CertificateList ca_cert_list =
       CreateCertificateListFromFile(GetTestCertsDirectory(),
                                     "quic_root.crt",
                                     X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, ca_cert_list.size());
   ScopedTestRoot test_root(ca_cert_list[0].get());
 
@@ skipping 15 matching lines @@
                                         intermediates);
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(leaf.get(),
                      "test.example.com",
                      flags,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
-  EXPECT_EQ(OK, error);
+  EXPECT_THAT(error, IsOk());
   EXPECT_EQ(CERT_STATUS_SHA1_SIGNATURE_PRESENT, verify_result.cert_status);
 
   // Test revocation by serial number of a certificate not under the root.
   scoped_refptr<CRLSet> crl_set;
   std::string crl_set_bytes;
   ASSERT_TRUE(base::ReadFileToString(
       GetTestCertsDirectory().AppendASCII("crlset_by_intermediate_serial.raw"),
       &crl_set_bytes));
   ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
 
   error = Verify(leaf.get(),
                  "test.example.com",
                  flags,
                  crl_set.get(),
                  empty_cert_list_,
                  &verify_result);
-  EXPECT_EQ(ERR_CERT_REVOKED, error);
+  EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
 }
 
 // Tests that CRLSets participate in path building functions, and that as
 // long as a valid path exists within the verification graph, verification
 // succeeds.
 //
 // In this test, there are two roots (D and E), and three possible paths
 // to validate a leaf (A):
 // 1. A(B) -> B(C) -> C(D) -> D(D)
 // 2. A(B) -> B(C) -> C(E) -> E(E)
@@ skipping 71 matching lines @@
     CertVerifyResult verify_result;
     int error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
                        empty_cert_list_, &verify_result);
 
     if (!testcase.expect_valid) {
       EXPECT_NE(OK, error);
       EXPECT_NE(0U, verify_result.cert_status);
       continue;
     }
 
-    ASSERT_EQ(OK, error);
+    ASSERT_THAT(error, IsOk());
     ASSERT_EQ(0U, verify_result.cert_status);
     ASSERT_TRUE(verify_result.verified_cert.get());
 
     if (!testcase.expected_intermediate)
       continue;
 
     const X509Certificate::OSCertHandles& verified_intermediates =
         verify_result.verified_cert->GetIntermediateCertificates();
     ASSERT_EQ(3U, verified_intermediates.size());
 
@@ skipping 104 matching lines @@
   }
 
   // If a root cert is present, then check that the chain was rejected if any
   // weak algorithms are present. This is only checked when a root cert is
   // present because the error reported for incomplete chains with weak
   // algorithms depends on which implementation was used to validate (NSS,
   // OpenSSL, CryptoAPI, Security.framework) and upon which weak algorithm
   // present (MD2, MD4, MD5).
   if (data.root_cert_filename) {
     if (data.expected_algorithms & (EXPECT_MD2 | EXPECT_MD4)) {
-      EXPECT_EQ(ERR_CERT_INVALID, rv);
+      EXPECT_THAT(rv, IsError(ERR_CERT_INVALID));
     } else if (data.expected_algorithms & EXPECT_MD5) {
-      EXPECT_EQ(ERR_CERT_WEAK_SIGNATURE_ALGORITHM, rv);
+      EXPECT_THAT(rv, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
     } else {
-      EXPECT_EQ(OK, rv);
+      EXPECT_THAT(rv, IsOk());
     }
   }
 }
 
 // Unlike TEST/TEST_F, which are macros that expand to further macros,
 // INSTANTIATE_TEST_CASE_P is a macro that expands directly to code that
 // stringizes the arguments. As a result, macros passed as parameters (such as
 // prefix or test_case_name) will not be expanded by the preprocessor. To work
 // around this, indirect the macro for INSTANTIATE_TEST_CASE_P, so that the
 // pre-processor will expand macros such as MAYBE_test_name before
@@ skipping 188 matching lines @@
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, cert_list.size());
   scoped_refptr<X509Certificate> cert(cert_list[0]);
 
   ScopedTestRoot scoped_root(cert.get());
 
   CertVerifyResult verify_result;
   int error = Verify(cert.get(), data.hostname, 0, NULL, empty_cert_list_,
                      &verify_result);
   if (data.valid) {
-    EXPECT_EQ(OK, error);
+    EXPECT_THAT(error, IsOk());
     EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
   } else {
-    EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
+    EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
     EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
   }
 }
 
 WRAPPED_INSTANTIATE_TEST_CASE_P(
     VerifyName,
     CertVerifyProcNameTest,
     testing::ValuesIn(kVerifyNameData));
 
 #if defined(OS_MACOSX) && !defined(OS_IOS)
 // Test that CertVerifyProcMac reacts appropriately when Apple's certificate
 // verifier rejects a certificate with a fatal error. This is a regression
 // test for https://crbug.com/472291.
 TEST_F(CertVerifyProcTest, LargeKey) {
   // Load root_ca_cert.pem into the test root store.
   ScopedTestRoot test_root(
       ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem").get());
 
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "large_key.pem"));
 
   // Apple's verifier rejects this certificate as invalid because the
   // RSA key is too large. If a future version of OS X changes this,
   // large_key.pem may need to be regenerated with a larger key.
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
                      &verify_result);
-  EXPECT_EQ(ERR_CERT_INVALID, error);
+  EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
   EXPECT_EQ(CERT_STATUS_INVALID, verify_result.cert_status);
 }
 #endif  // defined(OS_MACOSX) && !defined(OS_IOS)
 
 }  // namespace net