Parameterize the CertVerifyProc tests so they can be run with

net/cert/cert_verify_proc_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc.h"
 
 #include <vector>
 
 #include "base/callback_helpers.h"
 #include "base/files/file_path.h"
@@ skipping 82 matching lines @@
     const std::string& ocsp_response,
     int flags,
     CRLSet* crl_set,
     const CertificateList& additional_trust_anchors,
     CertVerifyResult* verify_result) {
   *verify_result = result_;
   verify_result->verified_cert = cert;
   return OK;
 }
 
-bool SupportsReturningVerifiedChain() {
+// This enum names a concrete implemenation of CertVerifyProc.
+enum CertVerifyProcName {

[Ryan Sleevi, 2017/01/12 20:01:56]

So I had much more feedback originally written here, but I think two things
deserve calling out:

1) We're effectively reimplementing RTTI and type_id() - that is, this is all a
bunch of dynamic_cast<>s - and that does feel a little weird - but I can see why
and where we need it
2) The naming throws me off here, because I associate 'name' with string and
'id' with identifier. So I expected CertVerifyProcName to be a string, when it's
an enum, which then makes ToString weird.

[eroman, 2017/01/12 21:42:48]

Before I dive into the other comments, let's hash out your design concerns.

I was actually satisfied with the resulting organization of the unit-tests,
finding it more readable than before (and having gone through several other
iterations that I didn't like).

Fundamentally the problem we have is that test expectations depend on internal
details of the verifier that is used (and to a lesser degree the OS version it
is run on).

Primarily it depends on the concrete class of CertVerifyProc that is being used
(and in some cases the OS version as well).

In the currently checked in code, this is expressed by sprinkling #if throughout
the code, such as:

#if defined(OS_MACOSX) && !defined(OS_IOS)
...
#endif

or

#if defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
...
#endif

These #ifs replicate logic internal to CertVerifyProc::CreateDefault(), and
constitute the same layering violation that you do not like with the
CertVerifyProcName.

My first step was to isolate these #ifs into functions, by representing the
verifier under test as a CertVerifyProcName, which re-organizes how that
information is accessed.

I found this to simplify readability and compostability of the code, for the
usual reasons that #if in code is bad (can get compile failures on all platforms
when modifying tests, rather than only when compiling in certain configurations;
something which bit me in past iterations when I kept the #ifdefs inline).

The second step then was to parameterize CertVerifyProcName so the tests can be
instantiated and run for more than one (and behave appropriately). The only real
alternatives in GTest is to parameterize on a type (which has problems I will
get into later), or instantiate tests manually (with its attendant problems).

Brainstorming through other ideas:

(1) Remove all verifier-specific differences between tests, by dumbing down the
tests. This has the disadvantage of losing test coverage, which I consider
undesirable.

(2) Instantiate tests separately for each of the CertVerifyProc*, in their own
_unittest.cc file. The difference in test expectations would still exist in the
generic code, however would be communicated via a delegate when instantiating
the CertVerifyProc tests. Testing would be explicit for concrete CertVerifyProc
rather than using CertVerifyProc::CreateDefault().

There are other variations on (2), but fundamentally the approach is to use a
test policy delegate, rather selecting the behavior by a dispatch on the type
(within the test).

Structurally I find this makes the tests (and differences in behavior) harder to
understand, because it is de-coupled from the type. The other structure problem
is disabling tests also needs to be described as such a policy.

How to split the tests in this manner is also non-trivial.

GTest has some support for type-parameterized tests, but it is quite difficult
to use and I gave up on getting it to work the way I wanted. Splitting things in
this manner will be a much less iterative change that what I have proposed, and
from my early attempts I found it to be quite a bit more complicated and not
something I would recommend.

[Ryan Sleevi, 2017/01/13 17:22:09]

VerifyProcType?

[eroman, 2017/02/01 01:13:55]

Done.

+  CERT_VERIFY_PROC_NSS,
+  CERT_VERIFY_PROC_OPENSSL,
+  CERT_VERIFY_PROC_ANDROID,
+  CERT_VERIFY_PROC_IOS,
+  CERT_VERIFY_PROC_MAC,
+  CERT_VERIFY_PROC_WIN,
+
+  // TODO(crbug.com/649017): The upcoming "built-in" implementation.
+  CERT_VERIFY_PROC_BUILTIN,

[eroman, 2017/01/12 07:26:09]

I will scrub all the "built-in" stuff prior to landing (so the CL remains a pure
refactor).

I left it in here temporarily to demonstrate how it plugs in.

[eroman, 2017/02/01 01:13:55]

Done.

+};
+
+// Returns the CertVerifyProcName corresponding to what
+// CertVerifyProc::CreateDefault() returns.
+CertVerifyProcName GetDefaultCertVerifyProcName() {

[Ryan Sleevi, 2017/01/12 20:01:56]

I'm torn on the appropriateness of this code duplication (and myself felt both
guilt and lack of creativity w/r/t doing something similar with
AreSHA1IntermediatesAllowed)

The problem is it seems that this design choice itself introduces a lot of
secondary complexity that I think we can reduce/eliminate. The problem is I'm
trying to find whether my unease at reading this code is simply because I wrote
the code you're replacing, or whether it's a legitimate remark about the
unnecessary complexity in your CL. I don't have a good answer - so I'd simply
ask - do you think the complexity is justified and there's no simpler, clearer
solution (ideally without so many helper functions)?

[eroman, 2017/02/01 01:13:55]

Acknowledged.

(Renamed ProcName --> ProcType)

+#if defined(USE_NSS_CERTS)
+  return CERT_VERIFY_PROC_NSS;
+#elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
+  return CERT_VERIFY_PROC_OPENSSL;
+#elif defined(OS_ANDROID)
+  return CERT_VERIFY_PROC_ANDROID;
+#elif defined(OS_IOS)
+  return CERT_VERIFY_PROC_IOS;
+#elif defined(OS_MACOSX)
+  return CERT_VERIFY_PROC_MAC;
+#elif defined(OS_WIN)
+  return CERT_VERIFY_PROC_WIN;
+#else
+// Will fail to compile.
+#endif
+}
+
+const char* CertVerifyProcNameToString(CertVerifyProcName verify_proc_name) {

[Ryan Sleevi, 2017/01/12 20:01:56]

I don't believe this should be a helper function - you have exactly one call,
which is just VerifyProcTypeToName

[eroman, 2017/02/01 01:13:55]

Done.

+  switch (verify_proc_name) {
+    case CERT_VERIFY_PROC_NSS:
+      return "CertVerifyProcNSS";
+    case CERT_VERIFY_PROC_OPENSSL:
+      return "CertVerifyProcOpenSSL";
+    case CERT_VERIFY_PROC_ANDROID:
+      return "CertVerifyProcAndroid";
+    case CERT_VERIFY_PROC_IOS:
+      return "CertVerifyProcIOS";
+    case CERT_VERIFY_PROC_MAC:
+      return "CertVerifyProcMac";
+    case CERT_VERIFY_PROC_WIN:
+      return "CertVerifyProcWin";
+    case CERT_VERIFY_PROC_BUILTIN:
+      return "CertVerifyProcBuiltin";
+  }
+
+  return nullptr;
+}
+
+bool TargetIsIphoneSimulator() {

[Ryan Sleevi, 2017/01/12 20:01:56]

Was it necessary to make this a function? Couldn't this just be a bool variable?

[eroman, 2017/02/01 01:13:55]

Done.

+#if TARGET_IPHONE_SIMULATOR
+  return true;
+#else
+  return false;
+#endif
+}
+
+bool SupportsReturningVerifiedChain(CertVerifyProcName verify_proc_name) {

[Ryan Sleevi, 2017/01/13 17:22:09]

Despite our discussion, I'm still a little hazy about why you made this a free
function versus adding the the test fixture.

I think some of my unease might trace to the fact that you tried to keep this CL
minimal (yay!), but that means it left it inconsistent for reasons that aren't
clear - why are some helpers free functions, why are some on the base class,
what rules do you use to distinguish when you pass the CVPName versus when you
access verify_proc_name_ , etc.

[eroman, 2017/02/01 01:13:55]

I went ahead and moved them all into the base fixture (and removed the
parameter).

I was trying to keep things minimal, but reorganizing now should provide some
clarity.

 #if defined(OS_ANDROID)
   // Before API level 17, Android does not expose the APIs necessary to get at
   // the verified certificate chain.
-  if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
+  if (verify_proc_name == CERT_VERIFY_PROC_ANDROID &&
+      base::android::BuildInfo::GetInstance()->sdk_int() < 17)
     return false;
 #endif
   return true;
 }
 
-bool SupportsDetectingKnownRoots() {
+bool SupportsDetectingKnownRoots(CertVerifyProcName verify_proc_name) {
 #if defined(OS_ANDROID)
   // Before API level 17, Android does not expose the APIs necessary to get at
   // the verified certificate chain and detect known roots.
-  if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
+  if (verify_proc_name == CERT_VERIFY_PROC_ANDROID)
+    return base::android::BuildInfo::GetInstance()->sdk_int() >= 17;
+#endif
+
+  // iOS does not expose the APIs necessary to get the known system roots.
+  if (verify_proc_name == CERT_VERIFY_PROC_IOS)
     return false;
-#elif defined(OS_IOS)
-  // iOS does not expose the APIs necessary to get the known system roots.
-  return false;
-#endif
+
   return true;
 }
 
-bool WeakKeysAreInvalid() {
+bool WeakKeysAreInvalid(CertVerifyProcName verify_proc_name) {

[Ryan Sleevi, 2017/01/12 20:01:56]

Considering you're introducing a test fixture, I'm not sure why these helpers
can't or shouldn't be moved to the base class and the passing of
CertVerifyProcName dropped

[eroman, 2017/02/01 01:13:55]

Done.

 #if defined(OS_MACOSX) && !defined(OS_IOS)
   // Starting with Mac OS 10.12, certs with weak keys are treated as
   // (recoverable) invalid certificate errors.
-  return base::mac::IsAtLeastOS10_12();
-#else
+  if (verify_proc_name == CERT_VERIFY_PROC_MAC &&
+      base::mac::IsAtLeastOS10_12()) {
+    return true;
+  }
+#endif
   return false;
-#endif
 }
 
 // Template helper to load a series of certificate files into a CertificateList.
 // Like CertTestUtil's CreateCertificateListFromFile, except it can load a
 // series of individual certificates (to make the tests clearer).
 template <size_t N>
 void LoadCertificateFiles(const char* const (&cert_files)[N],
                           CertificateList* certs) {
   certs->clear();
   for (size_t i = 0; i < N; ++i) {
     SCOPED_TRACE(cert_files[i]);
     scoped_refptr<X509Certificate> cert = CreateCertificateChainFromFile(
         GetTestCertsDirectory(), cert_files[i], X509Certificate::FORMAT_AUTO);
     ASSERT_TRUE(cert);
     certs->push_back(cert);
   }
 }
 
+bool SupportsCRLSetsInPathBuilding(CertVerifyProcName verify_proc_name) {
+  // TODO(crbug.com/649017): Support for built-in
+  return verify_proc_name == CERT_VERIFY_PROC_WIN ||
+         verify_proc_name == CERT_VERIFY_PROC_NSS;
+}
+
+// Returns the name of the CertVerifyProc implementation that is being tested.
+std::string VerifyProcTypeToName(
+    const testing::TestParamInfo<CertVerifyProcName>& params) {
+  return CertVerifyProcNameToString(params.param);
+}

[Ryan Sleevi, 2017/01/13 17:22:09]

Let's definitely ditch this.

[eroman, 2017/02/01 01:13:55]

It is useful to to have the test name be:

   XXX/CertVerifyProcMac
   XXX/CertVerifyProcBuiltin

Instead of:
   XXX/1
   XXX/2

I have kept this for now, however deleted CertVerifyProcNameToString() per the
earlier comment.

+
+// The set of all CertVerifyProcNames to be used by tests.
+std::vector<CertVerifyProcName> AllCertVerifiers() {
+  // TODO(crbug.com/649017): Include CERT_VERIFY_PROC_BUILTIN
+  return {GetDefaultCertVerifyProcName()};
+}

[Ryan Sleevi, 2017/01/13 17:22:09]

Do you actually need this to be a function? Unittests are allowed to do static
initializers, and you could always slap a constexpr on the
GetDefaultCertVerifyProcName() and force it to be a compile-time check if you
wanted.

[eroman, 2017/02/01 01:13:55]

Done.

+
+scoped_refptr<CertVerifyProc> CreateCertVerifyProc(
+    CertVerifyProcName verify_proc_name) {
+  // TODO(crbug.com/649017): Handle CERT_VERIFY_PROC_BUILTIN
+  EXPECT_EQ(verify_proc_name, GetDefaultCertVerifyProcName());
+  return CertVerifyProc::CreateDefault();

[Ryan Sleevi, 2017/01/12 20:01:56]

My instinct is that trying to preserve this is perhaps the root cause of the
complexity. Do you feel the same?

[Ryan Sleevi, 2017/01/13 17:22:09]

So I don't think the EXPECT_EQ does anything to prevent the version shear you're
worried about, because you're still calling CreateDefault() here - the only
difference is that you might "think" you're testing CertVerifyProcMac, but
you're actually testing CertVerifyProcBuiltin (because that's what CreateDefault
returned)

It seems that the only defense against shear (where the test differs from what
CreateDefault returns) is that you're expecting different results on some
platforms, but that doesn't seem to be in and of itself a hard guarantee.

[eroman, 2017/02/01 01:13:55]

The EXPECT_EQ() was to guard against me adding CERT_VERIFY_PROC_BUILTIN to the
kAllVerifiers, but failing to update this line.

The consequence of that mistake is all the tests for BUILTIN would trivially
pass as they are testing the default verifier rather than the built-in verifier.

I can remove the check if you like, since I will be verifying manually at such
time too.

+}
+
 }  // namespace
 
-class CertVerifyProcTest : public testing::Test {
- public:
-  CertVerifyProcTest()
-      : verify_proc_(CertVerifyProc::CreateDefault()) {
-  }
-  ~CertVerifyProcTest() override {}
+// Base class for writing tests against a specific CertVerifyProc
+// implementation.
+class CertVerifyProcBaseTest : public testing::Test {
+ protected:
+  void SetUp() override { verify_proc_ = CreateVerifyProc(&verify_proc_name_); }
 
- protected:
+  // Creates the CertVerifyProc to be tested by this fixture, and fills
+  // |*verify_proc_name| with the created instance's name.
+  virtual scoped_refptr<CertVerifyProc> CreateVerifyProc(
+      CertVerifyProcName* verify_proc_name) = 0;

[Ryan Sleevi, 2017/01/12 20:01:56]

So it's unclear why you have the function return the fully constructed object,
and stashing the name of it into the |verify_proc_name|, rather than just having
the virtual function that tells you what sort of CertVerifyProc to create

That is, 321 and 327 are identical - so why not just have the subclass tell you
the name to run?

[eroman, 2017/02/01 01:13:55]

Done.

+
   bool SupportsAdditionalTrustAnchors() {
     return verify_proc_->SupportsAdditionalTrustAnchors();
   }
 
-  // Returns true if the underlying CertVerifyProc supports integrating CRLSets
-  // into path building logic, such as allowing the selection of alternatively
-  // valid paths when one or more are revoked. As the goal is to integrate this
-  // into all platforms, this is a temporary, test-only flag to centralize the
-  // conditionals in tests.
-  bool SupportsCRLSetsInPathBuilding() {
-#if defined(OS_WIN) || defined(USE_NSS_CERTS)
-    return true;
-#else
-    return false;
-#endif
-  }
-
   int Verify(X509Certificate* cert,
              const std::string& hostname,
              int flags,
              CRLSet* crl_set,
              const CertificateList& additional_trust_anchors,
              CertVerifyResult* verify_result) {
     return verify_proc_->Verify(cert, hostname, std::string(), flags, crl_set,
                                 additional_trust_anchors, verify_result);
   }
 
   int VerifyWithOCSPResponse(X509Certificate* cert,
                              const std::string& hostname,
                              const std::string& ocsp_response,
                              int flags,
                              CRLSet* crl_set,
                              const CertificateList& additional_trust_anchors,
                              CertVerifyResult* verify_result) {
     return verify_proc_->Verify(cert, hostname, ocsp_response, flags, crl_set,
                                 additional_trust_anchors, verify_result);
   }
 
+  bool UsingCertVerifyProcAndroid() const {

[Ryan Sleevi, 2017/01/12 20:01:56]

We're in CertVerifyProcUnittest - the use of "CertVerifyProc" here and in the
types feels entirely redundant/unnecessary

UsingAndroid/UsingNSS/UsingOpenSSL/ are possible simplifications there, but I
also question whether more fundamentally, we're just interested in default vs
builtin?

[eroman, 2017/02/01 01:13:55]

Removed these functions.

+    return verify_proc_name_ == CERT_VERIFY_PROC_ANDROID;
+  }
+
+  bool UsingCertVerifyProcNSS() const {

[Ryan Sleevi, 2017/01/13 17:22:09]

If we're going to go with these helper functions (which, to be honest, I'm not
terribly keen on, but I can live with), it does seem some documentation about
guarantees - such as how there should only ever be one of them true.

[eroman, 2017/02/01 01:13:55]

N/A

+    return verify_proc_name_ == CERT_VERIFY_PROC_NSS;
+  }
+
+  bool UsingCertVerifyProcOpenSSL() const {
+    return verify_proc_name_ == CERT_VERIFY_PROC_OPENSSL;
+  }
+
+  bool UsingCertVerifyProcIOS() const {
+    return verify_proc_name_ == CERT_VERIFY_PROC_IOS;
+  }
+
+  bool UsingCertVerifyProcWin() const {
+    return verify_proc_name_ == CERT_VERIFY_PROC_WIN;
+  }
+
+  bool UsingCertVerifyProcMac() const {
+    return verify_proc_name_ == CERT_VERIFY_PROC_MAC;
+  }
+
   const CertificateList empty_cert_list_;
   scoped_refptr<CertVerifyProc> verify_proc_;
+  CertVerifyProcName verify_proc_name_;
 };
 
-#if defined(OS_ANDROID) || defined(USE_OPENSSL_CERTS)
-// TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported.
-#define MAYBE_EVVerification DISABLED_EVVerification
-#else
+// This test fixture is paramterized by the CertVerifyProc (which is specified
+// as an enum). Used for tests which should be run for multiple CertVerifyProc
+// implementations.
+class CertVerifyProcTest
+    : public CertVerifyProcBaseTest,
+      public testing::WithParamInterface<CertVerifyProcName> {
+ protected:
+  scoped_refptr<CertVerifyProc> CreateVerifyProc(
+      CertVerifyProcName* verify_proc_name) override {
+    *verify_proc_name = GetParam();
+    return CreateCertVerifyProc(*verify_proc_name);
+  }
+};
+
+INSTANTIATE_TEST_CASE_P(,
+                        CertVerifyProcTest,
+                        testing::ValuesIn(AllCertVerifiers()),
+                        VerifyProcTypeToName);
+
+// This test fixture is used for tests that are ONLY to be run with the
+// CertVerifyProc::CreateDefault() implementation.

[Ryan Sleevi, 2017/01/13 17:22:09]

Did you consider making an explicit fixture for each of those tests?

[eroman, 2017/02/01 01:13:55]

That entails duplicating fixtures in at least 4 places. Do you want me to go
ahead with that?

+class CertVerifyProcDefaultTest : public CertVerifyProcBaseTest {
+ public:
+  scoped_refptr<CertVerifyProc> CreateVerifyProc(
+      CertVerifyProcName* verify_proc_name) override {
+    *verify_proc_name = GetDefaultCertVerifyProcName();
+    return CreateCertVerifyProc(*verify_proc_name);
+  }
+};
+
 // TODO(rsleevi): Reenable this test once comodo.chaim.pem is no longer
 // expired, http://crbug.com/502818
-#define MAYBE_EVVerification DISABLED_EVVerification
-#endif
-TEST_F(CertVerifyProcTest, MAYBE_EVVerification) {
+TEST_P(CertVerifyProcTest, DISABLED_EVVerification) {
+  if (UsingCertVerifyProcAndroid() || UsingCertVerifyProcOpenSSL()) {
+    // TODO(jnd): http://crbug.com/117478 - EV verification is not yet
+    // supported.
+    LOG(INFO) << "Skipping test as EV verification is not yet supported";
+    return;
+  }
+
   CertificateList certs = CreateCertificateListFromFile(
       GetTestCertsDirectory(),
       "comodo.chain.pem",
       X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
   ASSERT_EQ(3U, certs.size());
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[1]->os_cert_handle());
   intermediates.push_back(certs[2]->os_cert_handle());
 
@@ skipping 11 matching lines @@
                      empty_cert_list_,
                      &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
 }
 
 // TODO(crbug.com/605457): the test expectation was incorrect on some
 // configurations, so disable the test until it is fixed (better to have
 // a bug to track a failing test than a false sense of security due to
 // false positive).
-TEST_F(CertVerifyProcTest, DISABLED_PaypalNullCertParsing) {
+TEST_P(CertVerifyProcTest, DISABLED_PaypalNullCertParsing) {
   // A certificate for www.paypal.com with a NULL byte in the common name.
   // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363
   SHA256HashValue paypal_null_fingerprint = {{0x00}};
 
   scoped_refptr<X509Certificate> paypal_null_cert(
       X509Certificate::CreateFromBytes(
           reinterpret_cast<const char*>(paypal_null_der),
           sizeof(paypal_null_der)));
 
   ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert.get());
 
   EXPECT_EQ(paypal_null_fingerprint, X509Certificate::CalculateFingerprint256(
                                          paypal_null_cert->os_cert_handle()));
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(paypal_null_cert.get(),
                      "www.paypal.com",
                      flags,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
-#if defined(USE_NSS_CERTS) || defined(OS_ANDROID)
-  EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
-#elif defined(OS_IOS) && TARGET_IPHONE_SIMULATOR
-  // iOS returns a ERR_CERT_INVALID error on the simulator, while returning
-  // ERR_CERT_AUTHORITY_INVALID on the real device.
-  EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
-#else
-  // TOOD(bulach): investigate why macosx and win aren't returning
-  // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID.
-  EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
-#endif
+
+  if (UsingCertVerifyProcNSS() || UsingCertVerifyProcAndroid()) {
+    EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
+  } else if (UsingCertVerifyProcIOS() && TargetIsIphoneSimulator()) {
+    // iOS returns a ERR_CERT_INVALID error on the simulator, while returning
+    // ERR_CERT_AUTHORITY_INVALID on the real device.
+    EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
+  } else {
+    // TOOD(bulach): investigate why macosx and win aren't returning
+    // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID.
+    EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
+  }
+
   // Either the system crypto library should correctly report a certificate
   // name mismatch, or our certificate blacklist should cause us to report an
   // invalid certificate.
-#if defined(USE_NSS_CERTS) || defined(OS_WIN)
-  EXPECT_TRUE(verify_result.cert_status &
-              (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
-#endif
+  if (UsingCertVerifyProcNSS() || UsingCertVerifyProcWin()) {
+    EXPECT_TRUE(verify_result.cert_status &
+                (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
+  }
+
+  // TODO(crbug.com/649017): What expectations to use for the other verifiers?
 }
 
 // A regression test for http://crbug.com/31497.
-#if defined(OS_ANDROID)
-// Disabled on Android, as the Android verification libraries require an
-// explicit policy to be specified, even when anyPolicy is permitted.
-#define MAYBE_IntermediateCARequireExplicitPolicy \
-    DISABLED_IntermediateCARequireExplicitPolicy
-#else
-#define MAYBE_IntermediateCARequireExplicitPolicy \
-    IntermediateCARequireExplicitPolicy
-#endif
-TEST_F(CertVerifyProcTest, MAYBE_IntermediateCARequireExplicitPolicy) {
+TEST_P(CertVerifyProcTest, IntermediateCARequireExplicitPolicy) {
+  if (UsingCertVerifyProcAndroid()) {
+    // Disabled on Android, as the Android verification libraries require an
+    // explicit policy to be specified, even when anyPolicy is permitted.
+    LOG(INFO) << "Skipping test on Android";
+    return;
+  }
+
   base::FilePath certs_dir = GetTestCertsDirectory();
 
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "explicit-policy-chain.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[1]->os_cert_handle());
 
   scoped_refptr<X509Certificate> cert =
       X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
                                         intermediates);
   ASSERT_TRUE(cert.get());
 
   ScopedTestRoot scoped_root(certs[2].get());
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(cert.get(),
                      "policy_test.example",
                      flags,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_EQ(0u, verify_result.cert_status);
 }
 
-TEST_F(CertVerifyProcTest, RejectExpiredCert) {
+TEST_P(CertVerifyProcTest, RejectExpiredCert) {
   base::FilePath certs_dir = GetTestCertsDirectory();
 
   // Load root_ca_cert.pem into the test root store.
   ScopedTestRoot test_root(
       ImportCertFromFile(certs_dir, "root_ca_cert.pem").get());
 
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "expired_cert.pem", X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, certs.size());
 
@@ skipping 18 matching lines @@
   size_t pos = key_type.find("-");
   std::string size = key_type.substr(0, pos);
   std::string type = key_type.substr(pos + 1);
 
   if (type == "rsa" || type == "dsa")
     return size == "768";
 
   return false;
 }
 
-TEST_F(CertVerifyProcTest, RejectWeakKeys) {
+TEST_P(CertVerifyProcTest, RejectWeakKeys) {
   base::FilePath certs_dir = GetTestCertsDirectory();
   typedef std::vector<std::string> Strings;
   Strings key_types;
 
   // generate-weak-test-chains.sh currently has:
   //     key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa"
   // We must use the same key types here. The filenames generated look like:
   //     2048-rsa-ee-by-768-rsa-intermediate.pem
   key_types.push_back("768-rsa");
   key_types.push_back("1024-rsa");
@@ skipping 34 matching lines @@
                          "127.0.0.1",
                          0,
                          NULL,
                          empty_cert_list_,
                          &verify_result);
 
       if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) {
         EXPECT_NE(OK, error);
         EXPECT_EQ(CERT_STATUS_WEAK_KEY,
                   verify_result.cert_status & CERT_STATUS_WEAK_KEY);
-        EXPECT_EQ(WeakKeysAreInvalid() ? CERT_STATUS_INVALID : 0,
-                  verify_result.cert_status & CERT_STATUS_INVALID);
+        EXPECT_EQ(
+            WeakKeysAreInvalid(verify_proc_name_) ? CERT_STATUS_INVALID : 0,
+            verify_result.cert_status & CERT_STATUS_INVALID);
       } else {
         EXPECT_THAT(error, IsOk());
         EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY);
       }
     }
   }
 }
 
 // Regression test for http://crbug.com/108514.
-#if defined(OS_MACOSX) && !defined(OS_IOS)
-// Disabled on OS X - Security.framework doesn't ignore superflous certificates
-// provided by servers. See CertVerifyProcTest.CybertrustGTERoot for further
-// details.
-#define MAYBE_ExtraneousMD5RootCert DISABLED_ExtraneousMD5RootCert
-#else
-#define MAYBE_ExtraneousMD5RootCert ExtraneousMD5RootCert
-#endif
-TEST_F(CertVerifyProcTest, MAYBE_ExtraneousMD5RootCert) {
-  if (!SupportsReturningVerifiedChain()) {
+TEST_P(CertVerifyProcTest, ExtraneousMD5RootCert) {
+  if (!SupportsReturningVerifiedChain(verify_proc_name_)) {
     LOG(INFO) << "Skipping this test in this platform.";
     return;
   }
 
+  if (UsingCertVerifyProcMac()) {
+    // Disabled on OS X - Security.framework doesn't ignore superflous
+    // certificates provided by servers.

[Ryan Sleevi, 2017/01/12 20:01:56]

This is probably fixed by mattm's changes.

[eroman, 2017/02/01 01:13:55]

Acknowledged -- left a TODO

+    LOG(INFO) << "Skipping this test as Security.framework doesn't ignore "
+                 "superflous certificates provided by servers.";
+    return;
+  }
+
   base::FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> server_cert =
       ImportCertFromFile(certs_dir, "cross-signed-leaf.pem");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get());
 
   scoped_refptr<X509Certificate> extra_cert =
       ImportCertFromFile(certs_dir, "cross-signed-root-md5.pem");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), extra_cert.get());
 
@@ skipping 24 matching lines @@
   ASSERT_EQ(1u,
             verify_result.verified_cert->GetIntermediateCertificates().size());
   EXPECT_TRUE(X509Certificate::IsSameOSCert(
         verify_result.verified_cert->GetIntermediateCertificates().front(),
         root_cert->os_cert_handle()));
 
   EXPECT_FALSE(verify_result.has_md5);
 }
 
 // Test for bug 94673.
-TEST_F(CertVerifyProcTest, GoogleDigiNotarTest) {
+TEST_P(CertVerifyProcTest, GoogleDigiNotarTest) {
   base::FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> server_cert =
       ImportCertFromFile(certs_dir, "google_diginotar.pem");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get());
 
   scoped_refptr<X509Certificate> intermediate_cert =
       ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert.get());
 
@@ skipping 20 matching lines @@
                  "mail.google.com",
                  flags,
                  NULL,
                  empty_cert_list_,
                  &verify_result);
   EXPECT_NE(OK, error);
 }
 
 // Ensures the CertVerifyProc blacklist remains in sorted order, so that it
 // can be binary-searched.
-TEST_F(CertVerifyProcTest, BlacklistIsSorted) {
+TEST_P(CertVerifyProcTest, BlacklistIsSorted) {
 // Defines kBlacklistedSPKIs.
 #include "net/cert/cert_verify_proc_blacklist.inc"
   for (size_t i = 0; i < arraysize(kBlacklistedSPKIs) - 1; ++i) {
     EXPECT_GT(0, memcmp(kBlacklistedSPKIs[i], kBlacklistedSPKIs[i + 1],
                         crypto::kSHA256Length))
         << " at index " << i;
   }
 }
 
-TEST_F(CertVerifyProcTest, DigiNotarCerts) {
+TEST_P(CertVerifyProcTest, DigiNotarCerts) {
   static const char* const kDigiNotarFilenames[] = {
     "diginotar_root_ca.pem",
     "diginotar_cyber_ca.pem",
     "diginotar_services_1024_ca.pem",
     "diginotar_pkioverheid.pem",
     "diginotar_pkioverheid_g2.pem",
     NULL,
   };
 
   base::FilePath certs_dir = GetTestCertsDirectory();
@@ skipping 14 matching lines @@
     HashValue hash(HASH_VALUE_SHA256);
     ASSERT_EQ(hash.size(), spki_sha256.size());
     memcpy(hash.data(), spki_sha256.data(), spki_sha256.size());
     public_keys.push_back(hash);
 
     EXPECT_TRUE(CertVerifyProc::IsPublicKeyBlacklisted(public_keys)) <<
         "Public key not blocked for " << kDigiNotarFilenames[i];
   }
 }
 
-TEST_F(CertVerifyProcTest, NameConstraintsOk) {
+TEST_P(CertVerifyProcTest, NameConstraintsOk) {
   CertificateList ca_cert_list =
       CreateCertificateListFromFile(GetTestCertsDirectory(),
                                     "root_ca_cert.pem",
                                     X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, ca_cert_list.size());
   ScopedTestRoot test_root(ca_cert_list[0].get());
 
   CertificateList cert_list = CreateCertificateListFromFile(
       GetTestCertsDirectory(), "name_constraint_good.pem",
       X509Certificate::FORMAT_AUTO);
@@ skipping 14 matching lines @@
                      &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_EQ(0U, verify_result.cert_status);
 
   error = Verify(leaf.get(), "foo.test2.example.com", flags, NULL,
                  empty_cert_list_, &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_EQ(0U, verify_result.cert_status);
 }
 
-TEST_F(CertVerifyProcTest, NameConstraintsFailure) {
-  if (!SupportsReturningVerifiedChain()) {
+TEST_P(CertVerifyProcTest, NameConstraintsFailure) {
+  if (!SupportsReturningVerifiedChain(verify_proc_name_)) {
     LOG(INFO) << "Skipping this test in this platform.";
     return;
   }
 
   CertificateList ca_cert_list =
       CreateCertificateListFromFile(GetTestCertsDirectory(),
                                     "root_ca_cert.pem",
                                     X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, ca_cert_list.size());
   ScopedTestRoot test_root(ca_cert_list[0].get());
@@ skipping 14 matching lines @@
                      "test.example.com",
                      flags,
                      NULL,
                      empty_cert_list_,
                      &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_NAME_CONSTRAINT_VIOLATION));
   EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
             verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION);
 }
 
-TEST_F(CertVerifyProcTest, TestHasTooLongValidity) {
+TEST_P(CertVerifyProcTest, TestHasTooLongValidity) {
   struct {
     const char* const file;
     bool is_valid_too_long;
   } tests[] = {
       {"twitter-chain.pem", false},
       {"start_after_expiry.pem", true},
       {"pre_br_validity_ok.pem", false},
       {"pre_br_validity_bad_121.pem", true},
       {"pre_br_validity_bad_2020.pem", true},
       {"10_year_validity.pem", false},
@@ skipping 10 matching lines @@
     scoped_refptr<X509Certificate> certificate =
         ImportCertFromFile(certs_dir, tests[i].file);
     SCOPED_TRACE(tests[i].file);
     ASSERT_TRUE(certificate);
     EXPECT_EQ(tests[i].is_valid_too_long,
               CertVerifyProc::HasTooLongValidity(*certificate));
   }
 }
 
 // TODO(crbug.com/610546): Fix and re-enable this test.
-TEST_F(CertVerifyProcTest, DISABLED_TestKnownRoot) {
-  if (!SupportsDetectingKnownRoots()) {
+TEST_P(CertVerifyProcTest, DISABLED_TestKnownRoot) {
+  if (!SupportsDetectingKnownRoots(verify_proc_name_)) {
     LOG(INFO) << "Skipping this test on this platform.";
     return;
   }
 
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[1]->os_cert_handle());
 
   scoped_refptr<X509Certificate> cert_chain =
       X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
                                         intermediates);
 
   int flags = 0;
   CertVerifyResult verify_result;
   // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
   // against agl. See also PublicKeyHashes.
   int error = Verify(cert_chain.get(), "twitter.com", flags, NULL,
                      empty_cert_list_, &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_TRUE(verify_result.is_issued_by_known_root);
 }
 
 // TODO(crbug.com/610546): Fix and re-enable this test.
-TEST_F(CertVerifyProcTest, DISABLED_PublicKeyHashes) {
-  if (!SupportsReturningVerifiedChain()) {
+TEST_P(CertVerifyProcTest, DISABLED_PublicKeyHashes) {
+  if (!SupportsReturningVerifiedChain(verify_proc_name_)) {
     LOG(INFO) << "Skipping this test in this platform.";
     return;
   }
 
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
 
   X509Certificate::OSCertHandles intermediates;
@@ skipping 35 matching lines @@
 
   for (size_t i = 0; i < 3; ++i) {
     EXPECT_EQ(HexEncode(kTwitterSPKIsSHA256[i], crypto::kSHA256Length),
               HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length));
   }
 }
 
 // A regression test for http://crbug.com/70293.
 // The Key Usage extension in this RSA SSL server certificate does not have
 // the keyEncipherment bit.
-TEST_F(CertVerifyProcTest, InvalidKeyUsage) {
+TEST_P(CertVerifyProcTest, InvalidKeyUsage) {

[Ryan Sleevi, 2017/01/12 20:01:56]

This seems like one of those tests we should be using our own files for, and if
so, would eliminate the result divergence.

[eroman, 2017/02/01 01:13:55]

Acknowledged -- left a TODO

   base::FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> server_cert =
       ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get());
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(server_cert.get(),
-                     "jira.aquameta.com",
-                     flags,
-                     NULL,
-                     empty_cert_list_,
-                     &verify_result);
-#if defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
-  // This certificate has two errors: "invalid key usage" and "untrusted CA".
-  // However, OpenSSL returns only one (the latter), and we can't detect
-  // the other errors.
-  EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
-#else
-  EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
-#endif
+  int error = Verify(server_cert.get(), "jira.aquameta.com", flags, NULL,
+                     empty_cert_list_, &verify_result);
+
+  if (UsingCertVerifyProcOpenSSL()) {
+    // This certificate has two errors: "invalid key usage" and "untrusted CA".
+    // However, OpenSSL returns only one (the latter), and we can't detect
+    // the other errors.
+    EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
+  } else {
+    EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
+    EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
+  }
   // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors
   // from NSS.
-#if !defined(USE_NSS_CERTS) && !defined(OS_IOS) && !defined(OS_ANDROID)
-  // The certificate is issued by an unknown CA.
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
-#endif
+  if (!UsingCertVerifyProcNSS() && !UsingCertVerifyProcIOS() &&
+      !UsingCertVerifyProcAndroid()) {
+    // The certificate is issued by an unknown CA.
+    EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
+  }
+
+  // TODO(crbug.com/649017): What expectations to use for the other verifiers?
 }
 
 // Basic test for returning the chain in CertVerifyResult. Note that the
 // returned chain may just be a reflection of the originally supplied chain;
 // that is, if any errors occur, the default chain returned is an exact copy
 // of the certificate to be verified. The remaining VerifyReturn* tests are
 // used to ensure that the actual, verified chain is being returned by
 // Verify().
-TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {
-  if (!SupportsReturningVerifiedChain()) {
+TEST_P(CertVerifyProcTest, VerifyReturnChainBasic) {
+  if (!SupportsReturningVerifiedChain(verify_proc_name_)) {
     LOG(INFO) << "Skipping this test in this platform.";
     return;
   }
 
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "x509_verify_results.chain.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
 
@@ skipping 32 matching lines @@
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
                                             certs[1]->os_cert_handle()));
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
                                             certs[2]->os_cert_handle()));
 }
 
 // Test that certificates issued for 'intranet' names (that is, containing no
 // known public registry controlled domain information) issued by well-known
 // CAs are flagged appropriately, while certificates that are issued by
 // internal CAs are not flagged.
-TEST_F(CertVerifyProcTest, IntranetHostsRejected) {
-  if (!SupportsDetectingKnownRoots()) {
+TEST_P(CertVerifyProcTest, IntranetHostsRejected) {
+  if (!SupportsDetectingKnownRoots(verify_proc_name_)) {
     LOG(INFO) << "Skipping this test in this platform.";
     return;
   }
 
   CertificateList cert_list = CreateCertificateListFromFile(
       GetTestCertsDirectory(), "reject_intranet_hosts.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, cert_list.size());
   scoped_refptr<X509Certificate> cert(cert_list[0]);
 
@@ skipping 18 matching lines @@
   EXPECT_THAT(error, IsOk());
   EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
 }
 
 // While all SHA-1 certificates should be rejected, in the event that there
 // emerges some unexpected bug, test that the 'legacy' behaviour works
 // correctly - rejecting all SHA-1 certificates from publicly trusted CAs
 // that were issued after 1 January 2016, while still allowing those from
 // before that date, with SHA-1 in the intermediate, or from an enterprise
 // CA.
-TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
+TEST_P(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
   base::test::ScopedFeatureList scoped_feature_list;
   scoped_feature_list.InitAndEnableFeature(CertVerifyProc::kSHA1LegacyMode);
 
   CertVerifyResult dummy_result;
   CertVerifyResult verify_result;
   int error = 0;
   scoped_refptr<X509Certificate> cert;
 
   // Publicly trusted SHA-1 leaf certificates issued before 1 January 2016
   // are accepted.
@@ skipping 62 matching lines @@
                  &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
 }
 
 // Test that the certificate returned in CertVerifyResult is able to reorder
 // certificates that are not ordered from end-entity to root. While this is
 // a protocol violation if sent during a TLS handshake, if multiple sources
 // of intermediate certificates are combined, it's possible that order may
 // not be maintained.
-TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
-  if (!SupportsReturningVerifiedChain()) {
+TEST_P(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
+  if (!SupportsReturningVerifiedChain(verify_proc_name_)) {
     LOG(INFO) << "Skipping this test in this platform.";
     return;
   }
 
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "x509_verify_results.chain.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
 
@@ skipping 31 matching lines @@
       verify_result.verified_cert->GetIntermediateCertificates();
   ASSERT_EQ(2U, return_intermediates.size());
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
                                             certs[1]->os_cert_handle()));
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
                                             certs[2]->os_cert_handle()));
 }
 
 // Test that Verify() filters out certificates which are not related to
 // or part of the certificate chain being verified.
-TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
-  if (!SupportsReturningVerifiedChain()) {
+TEST_P(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
+  if (!SupportsReturningVerifiedChain(verify_proc_name_)) {
     LOG(INFO) << "Skipping this test in this platform.";
     return;
   }
 
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "x509_verify_results.chain.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
   ScopedTestRoot scoped_root(certs[2].get());
@@ skipping 37 matching lines @@
       verify_result.verified_cert->os_cert_handle()));
   const X509Certificate::OSCertHandles& return_intermediates =
       verify_result.verified_cert->GetIntermediateCertificates();
   ASSERT_EQ(2U, return_intermediates.size());
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
                                             certs[1]->os_cert_handle()));
   EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
                                             certs[2]->os_cert_handle()));
 }
 
-TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
+TEST_P(CertVerifyProcTest, AdditionalTrustAnchors) {
   if (!SupportsAdditionalTrustAnchors()) {
     LOG(INFO) << "Skipping this test in this platform.";
     return;
   }
 
   // |ca_cert| is the issuer of |cert|.
   CertificateList ca_cert_list = CreateCertificateListFromFile(
       GetTestCertsDirectory(), "root_ca_cert.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, ca_cert_list.size());
@@ skipping 29 matching lines @@
   error = Verify(
       cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
   EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
   EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
 }
 
 // Tests that certificates issued by user-supplied roots are not flagged as
 // issued by a known root. This should pass whether or not the platform supports
 // detecting known roots.
-TEST_F(CertVerifyProcTest, IsIssuedByKnownRootIgnoresTestRoots) {
+TEST_P(CertVerifyProcTest, IsIssuedByKnownRootIgnoresTestRoots) {
   // Load root_ca_cert.pem into the test root store.
   ScopedTestRoot test_root(
       ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem").get());
 
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
 
   // Verification should pass.
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(
       cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_EQ(0U, verify_result.cert_status);
   // But should not be marked as a known root.
   EXPECT_FALSE(verify_result.is_issued_by_known_root);
 }
 
-#if defined(USE_NSS_CERTS) || defined(OS_WIN) || \
-    (defined(OS_MACOSX) && !defined(OS_IOS))
+bool SupportsCRLSet(CertVerifyProcName verify_proc_name) {
+  // TODO(crbug.com/649017): Support for built-in.
+  return verify_proc_name == CERT_VERIFY_PROC_NSS ||
+         verify_proc_name == CERT_VERIFY_PROC_WIN ||
+         verify_proc_name == CERT_VERIFY_PROC_MAC;

[Ryan Sleevi, 2017/01/12 20:01:56]

I wonder whether these should be different tests (like OCSP)

[eroman, 2017/02/01 01:13:54]

When you say "tests" do you mean unit-tests, or do you mean adding something
like CertVerifyProc::SupportsCRLSet ?

+}
+
 // Test that CRLSets are effective in making a certificate appear to be
 // revoked.
-TEST_F(CertVerifyProcTest, CRLSet) {
+TEST_P(CertVerifyProcTest, CRLSet) {
+  if (!SupportsCRLSet(verify_proc_name_)) {
+    LOG(INFO) << "Skipping test as verifier doesn't support CRLSet";
+    return;
+  }
+
   CertificateList ca_cert_list =
       CreateCertificateListFromFile(GetTestCertsDirectory(),
                                     "root_ca_cert.pem",
                                     X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, ca_cert_list.size());
   ScopedTestRoot test_root(ca_cert_list[0].get());
 
   CertificateList cert_list = CreateCertificateListFromFile(
       GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, cert_list.size());
@@ skipping 33 matching lines @@
 
   error = Verify(cert.get(),
                  "127.0.0.1",
                  flags,
                  crl_set.get(),
                  empty_cert_list_,
                  &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
 }
 
-TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
+TEST_P(CertVerifyProcTest, CRLSetLeafSerial) {
+  if (!SupportsCRLSet(verify_proc_name_)) {
+    LOG(INFO) << "Skipping test as verifier doesn't support CRLSet";
+    return;
+  }
+
   CertificateList ca_cert_list =
       CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
                                     X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, ca_cert_list.size());
   ScopedTestRoot test_root(ca_cert_list[0].get());
 
   CertificateList intermediate_cert_list = CreateCertificateListFromFile(
       GetTestCertsDirectory(), "intermediate_ca_cert.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, intermediate_cert_list.size());
@@ skipping 35 matching lines @@
 // In this test, there are two roots (D and E), and three possible paths
 // to validate a leaf (A):
 // 1. A(B) -> B(C) -> C(D) -> D(D)
 // 2. A(B) -> B(C) -> C(E) -> E(E)
 // 3. A(B) -> B(F) -> F(E) -> E(E)
 //
 // Each permutation of revocation is tried:
 // 1. Revoking E by SPKI, so that only Path 1 is valid (as E is in Paths 2 & 3)
 // 2. Revoking C(D) and F(E) by serial, so that only Path 2 is valid.
 // 3. Revoking C by SPKI, so that only Path 3 is valid (as C is in Paths 1 & 2)
-TEST_F(CertVerifyProcTest, CRLSetDuringPathBuilding) {
-  if (!SupportsCRLSetsInPathBuilding()) {
+TEST_P(CertVerifyProcTest, CRLSetDuringPathBuilding) {
+  if (!SupportsCRLSetsInPathBuilding(verify_proc_name_)) {
     LOG(INFO) << "Skipping this test on this platform.";
     return;
   }
 
   const char* const kPath1Files[] = {
       "multi-root-A-by-B.pem", "multi-root-B-by-C.pem", "multi-root-C-by-D.pem",
       "multi-root-D-by-D.pem"};
   const char* const kPath2Files[] = {
       "multi-root-A-by-B.pem", "multi-root-B-by-C.pem", "multi-root-C-by-E.pem",
       "multi-root-E-by-E.pem"};
@@ skipping 77 matching lines @@
     ASSERT_TRUE(intermediate);
 
     EXPECT_TRUE(testcase.expected_intermediate->Equals(intermediate.get()))
         << "Expected: " << testcase.expected_intermediate->subject().common_name
         << " issued by " << testcase.expected_intermediate->issuer().common_name
         << "; Got: " << intermediate->subject().common_name << " issued by "
         << intermediate->issuer().common_name;
   }
 }
 
-#endif
-
 #if defined(OS_MACOSX) && !defined(OS_IOS)
 // Test that a CRLSet blocking one of the intermediates supplied by the server
 // can be worked around by the chopping workaround for path building. (Once the
 // supplied chain is chopped back to just the target, a better path can be
 // found out-of-band. Normally that would be by AIA fetching, for the purposes
 // of this test the better path is supplied by a test keychain.)
 //
 // In this test, there are two possible paths to validate a leaf (A):
 // 1. A(B) -> B(C) -> C(E) -> E(E)
 // 2. A(B) -> B(F) -> F(E) -> E(E)
 //
 // A(B) -> B(C) -> C(E) is supplied to the verifier.
 // B(F) and F(E) are supplied in a test keychain.
 // C is blocked by a CRLset.
 //
 // The verifier should rollback until it just tries A(B) alone, at which point
 // it will pull B(F) & F(E) from the keychain and succeed.
-TEST_F(CertVerifyProcTest, MacCRLIntermediate) {
+TEST_F(CertVerifyProcDefaultTest, MacCRLIntermediate) {
   if (base::mac::IsAtLeastOS10_12()) {
     // TODO(crbug.com/671889): Investigate SecTrustSetKeychains issue on Sierra.
     LOG(INFO) << "Skipping test, SecTrustSetKeychains does not work on 10.12";
     return;
   }
   const char* const kPath2Files[] = {
       "multi-root-A-by-B.pem", "multi-root-B-by-C.pem", "multi-root-C-by-E.pem",
       "multi-root-E-by-E.pem"};
   CertificateList path_2_certs;
   ASSERT_NO_FATAL_FAILURE(LoadCertificateFiles(kPath2Files, &path_2_certs));
@@ skipping 62 matching lines @@
   EXPECT_TRUE(expected_intermediate->Equals(intermediate.get()))
       << "Expected: " << expected_intermediate->subject().common_name
       << " issued by " << expected_intermediate->issuer().common_name
       << "; Got: " << intermediate->subject().common_name << " issued by "
       << intermediate->issuer().common_name;
 }
 
 // Test that if a keychain is present which trusts a less-desirable root (ex,
 // one using SHA1), that the keychain reordering hack will cause the better
 // root in the System Roots to be used instead.
-TEST_F(CertVerifyProcTest, MacKeychainReordering) {
+TEST_F(CertVerifyProcDefaultTest, MacKeychainReordering) {
   // Note: target cert expires Apr  2 23:59:59 2018 GMT
   scoped_refptr<X509Certificate> cert = CreateCertificateChainFromFile(
       GetTestCertsDirectory(), "tripadvisor-verisign-chain.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_TRUE(cert);
 
   // Create a test keychain search list that will Always Trust the SHA1
   // cross-signed VeriSign Class 3 Public Primary Certification Authority - G5
   std::unique_ptr<TestKeychainSearchList> test_keychain_search_list(
       TestKeychainSearchList::Create());
@@ skipping 23 matching lines @@
   ASSERT_TRUE(verify_result.verified_cert.get());
 
   const X509Certificate::OSCertHandles& verified_intermediates =
       verify_result.verified_cert->GetIntermediateCertificates();
   ASSERT_EQ(2U, verified_intermediates.size());
 }
 
 // Test that the system root certificate keychain is in the expected location
 // and can be opened. Other tests would fail if this was not true, but this
 // test makes the reason for the failure obvious.
-TEST_F(CertVerifyProcTest, MacSystemRootCertificateKeychainLocation) {
+TEST_F(CertVerifyProcDefaultTest, MacSystemRootCertificateKeychainLocation) {
   const char* root_keychain_path =
       "/System/Library/Keychains/SystemRootCertificates.keychain";
   ASSERT_TRUE(base::PathExists(base::FilePath(root_keychain_path)));
 
   SecKeychainRef keychain;
   OSStatus status = SecKeychainOpen(root_keychain_path, &keychain);
   ASSERT_EQ(errSecSuccess, status);
   CFRelease(keychain);
 }
-#endif
+#endif  // defined(OS_MACOSX) && !defined(OS_IOS)
 
-bool AreSHA1IntermediatesAllowed() {
+bool AreSHA1IntermediatesAllowed(CertVerifyProcName verify_proc_name) {
 #if defined(OS_WIN)
   // TODO(rsleevi): Remove this once https://crbug.com/588789 is resolved
   // for Windows 7/2008 users.
   // Note: This must be kept in sync with cert_verify_proc.cc
-  return base::win::GetVersion() < base::win::VERSION_WIN8;
+  return verify_proc_name == CERT_VERIFY_PROC_WIN &&
+         base::win::GetVersion() < base::win::VERSION_WIN8;
 #else
   return false;
 #endif
 }
 
-TEST_F(CertVerifyProcTest, RejectsMD2) {
+TEST_P(CertVerifyProcTest, RejectsMD2) {
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
   ASSERT_TRUE(cert);
 
   CertVerifyResult result;
   result.has_md2 = true;
   verify_proc_ = new MockCertVerifyProc(result);
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
                      empty_cert_list_, &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
 }
 
-TEST_F(CertVerifyProcTest, RejectsMD4) {
+TEST_P(CertVerifyProcTest, RejectsMD4) {
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
   ASSERT_TRUE(cert);
 
   CertVerifyResult result;
   result.has_md4 = true;
   verify_proc_ = new MockCertVerifyProc(result);
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
                      empty_cert_list_, &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
 }
 
-TEST_F(CertVerifyProcTest, RejectsMD5) {
+TEST_P(CertVerifyProcTest, RejectsMD5) {
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
   ASSERT_TRUE(cert);
 
   CertVerifyResult result;
   result.has_md5 = true;
   verify_proc_ = new MockCertVerifyProc(result);
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
                      empty_cert_list_, &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
 }
 
-TEST_F(CertVerifyProcTest, RejectsPublicSHA1Leaves) {
+TEST_P(CertVerifyProcTest, RejectsPublicSHA1Leaves) {
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
   ASSERT_TRUE(cert);
 
   CertVerifyResult result;
   result.has_sha1 = true;
   result.has_sha1_leaf = true;
   result.is_issued_by_known_root = true;
   verify_proc_ = new MockCertVerifyProc(result);
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
                      empty_cert_list_, &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
 }
 
-TEST_F(CertVerifyProcTest, RejectsPublicSHA1IntermediatesUnlessAllowed) {
+TEST_P(CertVerifyProcTest, RejectsPublicSHA1IntermediatesUnlessAllowed) {
   scoped_refptr<X509Certificate> cert(ImportCertFromFile(
       GetTestCertsDirectory(), "39_months_after_2015_04.pem"));
   ASSERT_TRUE(cert);
 
   CertVerifyResult result;
   result.has_sha1 = true;
   result.has_sha1_leaf = false;
   result.is_issued_by_known_root = true;
   verify_proc_ = new MockCertVerifyProc(result);
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
                      empty_cert_list_, &verify_result);
-  if (AreSHA1IntermediatesAllowed()) {
+  if (AreSHA1IntermediatesAllowed(verify_proc_name_)) {
     EXPECT_THAT(error, IsOk());
     EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
   } else {
     EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
     EXPECT_TRUE(verify_result.cert_status &
                 CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
   }
 }
 
-TEST_F(CertVerifyProcTest, RejectsPrivateSHA1UnlessFlag) {
+TEST_P(CertVerifyProcTest, RejectsPrivateSHA1UnlessFlag) {
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
   ASSERT_TRUE(cert);
 
   CertVerifyResult result;
   result.has_sha1 = true;
   result.has_sha1_leaf = true;
   result.is_issued_by_known_root = false;
   verify_proc_ = new MockCertVerifyProc(result);
 
@@ skipping 39 matching lines @@
 // to output the parameter that was passed. Without this, it will simply
 // attempt to print out the first twenty bytes of the object, which depending
 // on platform and alignment, may result in an invalid read.
 void PrintTo(const WeakDigestTestData& data, std::ostream* os) {
   *os << "root: " << StringOrDefault(data.root_cert_filename, "none")
       << "; intermediate: "
       << StringOrDefault(data.intermediate_cert_filename, "none")
       << "; end-entity: " << data.ee_cert_filename;
 }
 
+// This test fixture does not subclass CertVerifyProcBaseTest as it is testing
+// a mock CertVerifyProc rather than one of the concrete types.

[Ryan Sleevi, 2017/01/12 20:01:56]

My two cents is I'm not sure that this comment is necessary.

[eroman, 2017/02/01 01:13:54]

Done (removed)

Alternately I could re-write it as I had in the follow-up patchset:

// Tests to ensure that CertVerifyProc::Verify() sets the has_* members for
// hash algorithms.

 class CertVerifyProcWeakDigestTest
-    : public CertVerifyProcTest,
-      public testing::WithParamInterface<WeakDigestTestData> {
+    : public testing::TestWithParam<WeakDigestTestData> {
  public:
   CertVerifyProcWeakDigestTest() {}
   virtual ~CertVerifyProcWeakDigestTest() {}
 };
 
-// Test that the CertVerifyProc::Verify() properly surfaces the (weak) hashing
+// Tests that the CertVerifyProc::Verify() properly surfaces the (weak) hash
 // algorithms used in the chain.
 TEST_P(CertVerifyProcWeakDigestTest, VerifyDetectsAlgorithm) {
   WeakDigestTestData data = GetParam();
   base::FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> intermediate_cert;
   scoped_refptr<X509Certificate> root_cert;
 
   // Build |intermediates| as the full chain (including trust anchor).
   X509Certificate::OSCertHandles intermediates;
@@ skipping 20 matching lines @@
                                         intermediates);
   ASSERT_TRUE(ee_chain);
 
   int flags = 0;
   CertVerifyResult verify_result;
 
   // Use a mock CertVerifyProc that returns success with a verified_cert of
   // |ee_chain|.
   //
   // This is sufficient for the purposes of this test, as the checking for weak
-  // hashing algorithms is done by CertVerifyProc::Verify().
+  // hash algorithms is done by CertVerifyProc::Verify().
   scoped_refptr<CertVerifyProc> proc =
       new MockCertVerifyProc(CertVerifyResult());
   proc->Verify(ee_chain.get(), "127.0.0.1", std::string(), flags, nullptr,
-               empty_cert_list_, &verify_result);
+               CertificateList(), &verify_result);
   EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD2), verify_result.has_md2);
   EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD4), verify_result.has_md4);
   EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD5), verify_result.has_md5);
   EXPECT_EQ(!!(data.expected_algorithms & EXPECT_SHA1), verify_result.has_sha1);
   EXPECT_EQ(!!(data.expected_algorithms & EXPECT_SHA1_LEAF),
             verify_result.has_sha1_leaf);
 }
 
 // The signature algorithm of the root CA should not matter.
 const WeakDigestTestData kVerifyRootCATestData[] = {
@@ skipping 96 matching lines @@
     {NULL, NULL, "weak_digest_md2_ee.pem", 0},
     {NULL, NULL, "weak_digest_sha1_ee.pem", 0},
 };
 
 INSTANTIATE_TEST_CASE_P(VerifyTrustedEE,
                         CertVerifyProcWeakDigestTest,
                         testing::ValuesIn(kVerifyTrustedEETestData));
 
 // For the list of valid hostnames, see
 // net/cert/data/ssl/certificates/subjectAltName_sanity_check.pem
-static const struct CertVerifyProcNameData {
+struct CertVerifyProcNameData {
   const char* hostname;
   bool valid;  // Whether or not |hostname| matches a subjectAltName.
-} kVerifyNameData[] = {
-  { "127.0.0.1", false },  // Don't match the common name
-  { "127.0.0.2", true },  // Matches the iPAddress SAN (IPv4)
-  { "FE80:0:0:0:0:0:0:1", true },  // Matches the iPAddress SAN (IPv6)
-  { "[FE80:0:0:0:0:0:0:1]", false },  // Should not match the iPAddress SAN
-  { "FE80::1", true },  // Compressed form matches the iPAddress SAN (IPv6)
-  { "::127.0.0.2", false },  // IPv6 mapped form should NOT match iPAddress SAN
-  { "test.example", true },  // Matches the dNSName SAN
-  { "test.example.", true },  // Matches the dNSName SAN (trailing . ignored)
-  { "www.test.example", false },  // Should not match the dNSName SAN
-  { "test..example", false },  // Should not match the dNSName SAN
-  { "test.example..", false },  // Should not match the dNSName SAN
-  { ".test.example.", false },  // Should not match the dNSName SAN
-  { ".test.example", false },  // Should not match the dNSName SAN
 };
 
-// GTest 'magic' pretty-printer, so that if/when a test fails, it knows how
-// to output the parameter that was passed. Without this, it will simply
-// attempt to print out the first twenty bytes of the object, which depending
-// on platform and alignment, may result in an invalid read.
-void PrintTo(const CertVerifyProcNameData& data, std::ostream* os) {
-  *os << "Hostname: " << data.hostname << "; valid=" << data.valid;
-}
-
-class CertVerifyProcNameTest
-    : public CertVerifyProcTest,
-      public testing::WithParamInterface<CertVerifyProcNameData> {
+// Test fixture for verifying certificate names.
+class CertVerifyProcNameTest : public CertVerifyProcTest {
  public:
   CertVerifyProcNameTest() {}
   virtual ~CertVerifyProcNameTest() {}
+
+ protected:
+  void VerifyCertName(const char* hostname, bool valid) {
+    CertificateList cert_list = CreateCertificateListFromFile(
+        GetTestCertsDirectory(), "subjectAltName_sanity_check.pem",
+        X509Certificate::FORMAT_AUTO);
+    ASSERT_EQ(1U, cert_list.size());
+    scoped_refptr<X509Certificate> cert(cert_list[0]);
+
+    ScopedTestRoot scoped_root(cert.get());
+
+    CertVerifyResult verify_result;
+    int error =
+        Verify(cert.get(), hostname, 0, NULL, empty_cert_list_, &verify_result);
+    if (valid) {
+      EXPECT_THAT(error, IsOk());
+      EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
+    } else {
+      EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
+      EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
+    }
+  }
 };
 
-TEST_P(CertVerifyProcNameTest, VerifyCertName) {
-  CertVerifyProcNameData data = GetParam();
+// Don't match the common name
+TEST_P(CertVerifyProcNameTest, DontMatchCommonName) {
+  VerifyCertName("127.0.0.1", false);
+}
 
-  CertificateList cert_list = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "subjectAltName_sanity_check.pem",
-      X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(1U, cert_list.size());
-  scoped_refptr<X509Certificate> cert(cert_list[0]);
+// Matches the iPAddress SAN (IPv4)
+TEST_P(CertVerifyProcNameTest, MatchesIpSanIpv4) {
+  VerifyCertName("127.0.0.2", true);
+}
 
-  ScopedTestRoot scoped_root(cert.get());
+// Matches the iPAddress SAN (IPv6)
+TEST_P(CertVerifyProcNameTest, MatchesIpSanIpv6) {
+  VerifyCertName("FE80:0:0:0:0:0:0:1", true);
+}
 
-  CertVerifyResult verify_result;
-  int error = Verify(cert.get(), data.hostname, 0, NULL, empty_cert_list_,
-                     &verify_result);
-  if (data.valid) {
-    EXPECT_THAT(error, IsOk());
-    EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
-  } else {
-    EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
-    EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
-  }
+// Should not match the iPAddress SAN
+TEST_P(CertVerifyProcNameTest, DoesntMatchIpSanIpv6) {
+  VerifyCertName("[FE80:0:0:0:0:0:0:1]", false);
+}
+
+// Compressed form matches the iPAddress SAN (IPv6)
+TEST_P(CertVerifyProcNameTest, MatchesIpSanCompressedIpv6) {
+  VerifyCertName("FE80::1", true);
+}
+
+// IPv6 mapped form should NOT match iPAddress SAN
+TEST_P(CertVerifyProcNameTest, DoesntMatchIpSanIPv6Mapped) {
+  VerifyCertName("::127.0.0.2", false);
+}
+
+// Matches the dNSName SAN
+TEST_P(CertVerifyProcNameTest, MatchesDnsSan) {
+  VerifyCertName("test.example", true);
+}
+
+// Matches the dNSName SAN (trailing . ignored)
+TEST_P(CertVerifyProcNameTest, MatchesDnsSanTrailingDot) {
+  VerifyCertName("test.example.", true);
+}
+
+// Should not match the dNSName SAN
+TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSan) {
+  VerifyCertName("www.test.example", false);
+}
+
+// Should not match the dNSName SAN
+TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanInvalid) {
+  VerifyCertName("test..example", false);
+}
+
+// Should not match the dNSName SAN
+TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanTwoTrailingDots) {
+  VerifyCertName("test.example..", false);
+}
+
+// Should not match the dNSName SAN
+TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanLeadingAndTrailingDot) {
+  VerifyCertName(".test.example.", false);
+}
+
+// Should not match the dNSName SAN
+TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) {
+  VerifyCertName(".test.example", false);
 }
 
 INSTANTIATE_TEST_CASE_P(VerifyName,
                         CertVerifyProcNameTest,
-                        testing::ValuesIn(kVerifyNameData));
+                        testing::ValuesIn(AllCertVerifiers()),
+                        VerifyProcTypeToName);
 
 #if defined(OS_MACOSX) && !defined(OS_IOS)
 // Test that CertVerifyProcMac reacts appropriately when Apple's certificate
 // verifier rejects a certificate with a fatal error. This is a regression
 // test for https://crbug.com/472291.
 // (Since 10.12, this causes a recoverable error instead of a fatal one.)
 // TODO(mattm): Try to find a different way to cause a fatal error that works
 // on 10.12.
-TEST_F(CertVerifyProcTest, LargeKey) {
+TEST_F(CertVerifyProcDefaultTest, LargeKey) {
   // Load root_ca_cert.pem into the test root store.
   ScopedTestRoot test_root(
       ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem").get());
 
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "large_key.pem"));
 
   // Apple's verifier rejects this certificate as invalid because the
   // RSA key is too large. If a future version of OS X changes this,
   // large_key.pem may need to be regenerated with a larger key.
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
                      &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
 }
 #endif  // defined(OS_MACOSX) && !defined(OS_IOS)
 
 // Tests that CertVerifyProc records a histogram correctly when a
 // certificate chaining to a private root contains the TLS feature
 // extension and does not have a stapled OCSP response.
-TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionUMA) {
+TEST_P(CertVerifyProcTest, HasTLSFeatureExtensionUMA) {
   base::HistogramTester histograms;
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
   ASSERT_TRUE(cert);
   CertVerifyResult result;
   result.is_issued_by_known_root = false;
   verify_proc_ = new MockCertVerifyProc(result);
 
   histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
   histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
                      &verify_result);
   EXPECT_EQ(OK, error);
   histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1);
   histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1);
   histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 1);
   histograms.ExpectBucketCount(kTLSFeatureExtensionOCSPHistogram, false, 1);
 }
 
 // Tests that CertVerifyProc records a histogram correctly when a
 // certificate chaining to a private root contains the TLS feature
 // extension and does have a stapled OCSP response.
-TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithStapleUMA) {
+TEST_P(CertVerifyProcTest, HasTLSFeatureExtensionWithStapleUMA) {
   base::HistogramTester histograms;
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
   ASSERT_TRUE(cert);
   CertVerifyResult result;
   result.is_issued_by_known_root = false;
   verify_proc_ = new MockCertVerifyProc(result);
 
   histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
   histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error =
       VerifyWithOCSPResponse(cert.get(), "127.0.0.1", "dummy response", flags,
                              NULL, empty_cert_list_, &verify_result);
   EXPECT_EQ(OK, error);
   histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1);
   histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1);
   histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 1);
   histograms.ExpectBucketCount(kTLSFeatureExtensionOCSPHistogram, true, 1);
 }
 
 // Tests that CertVerifyProc records a histogram correctly when a
 // certificate chaining to a private root does not contain the TLS feature
 // extension.
-TEST_F(CertVerifyProcTest, DoesNotHaveTLSFeatureExtensionUMA) {
+TEST_P(CertVerifyProcTest, DoesNotHaveTLSFeatureExtensionUMA) {
   base::HistogramTester histograms;
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
   ASSERT_TRUE(cert);
   CertVerifyResult result;
   result.is_issued_by_known_root = false;
   verify_proc_ = new MockCertVerifyProc(result);
 
   histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
   histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
                      &verify_result);
   EXPECT_EQ(OK, error);
   histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1);
   histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, false, 1);
   histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
 }
 
 // Tests that CertVerifyProc does not record a histogram when a
 // certificate contains the TLS feature extension but chains to a public
 // root.
-TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithPublicRootUMA) {
+TEST_P(CertVerifyProcTest, HasTLSFeatureExtensionWithPublicRootUMA) {
   base::HistogramTester histograms;
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
   ASSERT_TRUE(cert);
   CertVerifyResult result;
   result.is_issued_by_known_root = true;
   verify_proc_ = new MockCertVerifyProc(result);
 
   histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
                      &verify_result);
   EXPECT_EQ(OK, error);
   histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
   histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
 }
 
 }  // namespace net