Parameterize the CertVerifyProc tests so they can be run with

net/cert/cert_verify_proc_unittest.cc

Index: net/cert/cert_verify_proc_unittest.cc
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index 2e3a0f5d458f3e649789168ea481adc01e33a9e1..574cd83aebc02c360204c1dfbf0d2f5a6dbe7e6c 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -100,38 +100,47 @@ int MockCertVerifyProc::VerifyInternal(
   return OK;
 }
 
-bool SupportsReturningVerifiedChain() {
-#if defined(OS_ANDROID)
-  // Before API level 17, Android does not expose the APIs necessary to get at
-  // the verified certificate chain.
-  if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
-    return false;
-#endif
-  return true;
-}
+// This enum identifies a concrete implemenation of CertVerifyProc.
+//
+// The type is erased by CertVerifyProc::CreateDefault(), however
+// needs to be known for some of the test expectations.
+enum CertVerifyProcType {
+  CERT_VERIFY_PROC_NSS,
+  CERT_VERIFY_PROC_OPENSSL,
+  CERT_VERIFY_PROC_ANDROID,
+  CERT_VERIFY_PROC_IOS,
+  CERT_VERIFY_PROC_MAC,
+  CERT_VERIFY_PROC_WIN,
+};
 
-bool SupportsDetectingKnownRoots() {
-#if defined(OS_ANDROID)
-  // Before API level 17, Android does not expose the APIs necessary to get at
-  // the verified certificate chain and detect known roots.
-  if (base::android::BuildInfo::GetInstance()->sdk_int() < 17)
-    return false;
+// Returns the CertVerifyProcType corresponding to what
+// CertVerifyProc::CreateDefault() returns. This needs to be kept in sync with
+// CreateDefault().
+CertVerifyProcType GetDefaultCertVerifyProcType() {
+#if defined(USE_NSS_CERTS)
+  return CERT_VERIFY_PROC_NSS;
+#elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
+  return CERT_VERIFY_PROC_OPENSSL;
+#elif defined(OS_ANDROID)
+  return CERT_VERIFY_PROC_ANDROID;
 #elif defined(OS_IOS)
-  // iOS does not expose the APIs necessary to get the known system roots.
-  return false;
+  return CERT_VERIFY_PROC_IOS;
+#elif defined(OS_MACOSX)
+  return CERT_VERIFY_PROC_MAC;
+#elif defined(OS_WIN)
+  return CERT_VERIFY_PROC_WIN;
+#else
+// Will fail to compile.
 #endif
-  return true;
 }
 
-bool WeakKeysAreInvalid() {
-#if defined(OS_MACOSX) && !defined(OS_IOS)
-  // Starting with Mac OS 10.12, certs with weak keys are treated as
-  // (recoverable) invalid certificate errors.
-  return base::mac::IsAtLeastOS10_12();
+// Whether the test is running within the iphone simulator.
+const bool kTargetIsIphoneSimulator =
+#if TARGET_IPHONE_SIMULATOR
+    true;
 #else
-  return false;
+    false;
 #endif
-}
 
 // Template helper to load a series of certificate files into a CertificateList.
 // Like CertTestUtil's CreateCertificateListFromFile, except it can load a
@@ -149,32 +158,60 @@ void LoadCertificateFiles(const char* const (&cert_files)[N],
   }
 }
 
+// Returns a textual description of the CertVerifyProc implementation
+// that is being tested, used to give better names to parameterized
+// tests.
+std::string VerifyProcTypeToName(
+    const testing::TestParamInfo<CertVerifyProcType>& params) {
+  switch (params.param) {
+    case CERT_VERIFY_PROC_NSS:
+      return "CertVerifyProcNSS";
+    case CERT_VERIFY_PROC_OPENSSL:
+      return "CertVerifyProcOpenSSL";
+    case CERT_VERIFY_PROC_ANDROID:
+      return "CertVerifyProcAndroid";
+    case CERT_VERIFY_PROC_IOS:
+      return "CertVerifyProcIOS";
+    case CERT_VERIFY_PROC_MAC:
+      return "CertVerifyProcMac";
+    case CERT_VERIFY_PROC_WIN:
+      return "CertVerifyProcWin";
+  }
+
+  return nullptr;
+}
+
+// The set of all CertVerifyProcTypes that tests should be
+// parameterized on.
+const std::vector<CertVerifyProcType> kAllCertVerifiers = {
+    GetDefaultCertVerifyProcType()};
+
+const CertificateList& EmptyCertList() {
+  static CertificateList empty;
+  return empty;
+}

[Ryan Sleevi, 2017/02/01 23:46:38]

This use of a static is forbidden -
https://google.github.io/styleguide/cppguide.html#Static_and_Global_Variables

I'm not sure why we wouldn't just CertificateList() ?

[eroman, 2017/02/02 00:36:55]

Done.

+
 }  // namespace
 
-class CertVerifyProcTest : public testing::Test {
- public:
-  CertVerifyProcTest()
-      : verify_proc_(CertVerifyProc::CreateDefault()) {
-  }
-  ~CertVerifyProcTest() override {}
+// Fixture for tests that don't test a concrete CertVerifyProc implementation,
+// but rather test methods of the base class CertVerifyProc.
+//
+// Mainly its own fixture to have a central place to describe it.
+class CertVerifyProcBaseClassTest : public testing::Test {};

[Ryan Sleevi, 2017/02/01 23:46:38]

Am I wrong for thinking that every instance of this class (that has a verify
proc) ends up using a MockCertVerifyProc?

Should this class instead just set up a MCV and let the caller override the
result for the cert?

It's a small point though.

Naming wise "BaseClassTest" and "BaseTest" are incredibly similar and somewhat
confusing to distinguish. Would "CertVerifyProcTest" (for BaseClass) and
"CertVerifyProcInternalBase" make it clearer?

Do we actually *need* a fixture for CertVerifyProcBaseClassTest? Is it just to
friend the specific tests? Should we do that instead?

[eroman, 2017/02/02 00:36:55]

Done.

 
+// Base class for writing tests against a specific CertVerifyProc
+// implementation.
+class CertVerifyProcBaseTest : public testing::Test {
  protected:
-  bool SupportsAdditionalTrustAnchors() {
-    return verify_proc_->SupportsAdditionalTrustAnchors();
+  void SetUp() override {
+    CertVerifyProcType type = verify_proc_type();
+    EXPECT_EQ(type, GetDefaultCertVerifyProcType());
+    verify_proc_ = CertVerifyProc::CreateDefault();

[Ryan Sleevi, 2017/02/01 23:46:38]

I'm still confused why the delegate gets to set the type but isn't responsible
for constructing it. Why not just have the delegate provide the type-and-value?

[eroman, 2017/02/02 00:36:55]

In my earlier version the derived class worked that way (created the verifier
and assigned the type) but your comment suggested having it be responsible for
just deciding the type.

At any rate, this is no longer applicable as I got rid of the base class.

   }
 
-  // Returns true if the underlying CertVerifyProc supports integrating CRLSets
-  // into path building logic, such as allowing the selection of alternatively
-  // valid paths when one or more are revoked. As the goal is to integrate this
-  // into all platforms, this is a temporary, test-only flag to centralize the
-  // conditionals in tests.
-  bool SupportsCRLSetsInPathBuilding() {
-#if defined(OS_WIN) || defined(USE_NSS_CERTS)
-    return true;
-#else
-    return false;
-#endif
-  }
+  // Returns the CertVerifyProcType that is being tested by this fixture.
+  // Should be fixed for the lifetime of this object.
+  virtual CertVerifyProcType verify_proc_type() const = 0;
 
   int Verify(X509Certificate* cert,
              const std::string& hostname,
@@ -186,34 +223,103 @@ class CertVerifyProcTest : public testing::Test {
                                 additional_trust_anchors, verify_result);
   }
 
-  int VerifyWithOCSPResponse(X509Certificate* cert,
-                             const std::string& hostname,
-                             const std::string& ocsp_response,
-                             int flags,
-                             CRLSet* crl_set,
-                             const CertificateList& additional_trust_anchors,
-                             CertVerifyResult* verify_result) {
-    return verify_proc_->Verify(cert, hostname, ocsp_response, flags, crl_set,
-                                additional_trust_anchors, verify_result);
+  bool SupportsAdditionalTrustAnchors() const {
+    return verify_proc_->SupportsAdditionalTrustAnchors();
+  }
+
+  bool SupportsReturningVerifiedChain() const {
+#if defined(OS_ANDROID)
+    // Before API level 17, Android does not expose the APIs necessary to get at
+    // the verified certificate chain.
+    if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID &&
+        base::android::BuildInfo::GetInstance()->sdk_int() < 17)
+      return false;
+#endif
+    return true;
+  }
+
+  bool SupportsDetectingKnownRoots() const {
+#if defined(OS_ANDROID)
+    // Before API level 17, Android does not expose the APIs necessary to get at
+    // the verified certificate chain and detect known roots.
+    if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID)
+      return base::android::BuildInfo::GetInstance()->sdk_int() >= 17;
+#endif
+
+    // iOS does not expose the APIs necessary to get the known system roots.
+    if (verify_proc_type() == CERT_VERIFY_PROC_IOS)
+      return false;
+
+    return true;
+  }
+
+  bool WeakKeysAreInvalid() const {
+#if defined(OS_MACOSX) && !defined(OS_IOS)
+    // Starting with Mac OS 10.12, certs with weak keys are treated as
+    // (recoverable) invalid certificate errors.
+    if (verify_proc_type() == CERT_VERIFY_PROC_MAC &&
+        base::mac::IsAtLeastOS10_12()) {
+      return true;
+    }
+#endif
+    return false;
   }
 
-  const CertificateList empty_cert_list_;
+  bool SupportsCRLSet() const {
+    return verify_proc_type() == CERT_VERIFY_PROC_NSS ||
+           verify_proc_type() == CERT_VERIFY_PROC_WIN ||
+           verify_proc_type() == CERT_VERIFY_PROC_MAC;
+  }
+
+  bool SupportsCRLSetsInPathBuilding() const {
+    return verify_proc_type() == CERT_VERIFY_PROC_WIN ||
+           verify_proc_type() == CERT_VERIFY_PROC_NSS;
+  }
+
+  CertVerifyProc* verify_proc() const { return verify_proc_.get(); }
+
+ private:
   scoped_refptr<CertVerifyProc> verify_proc_;
 };
 
-#if defined(OS_ANDROID) || defined(USE_OPENSSL_CERTS)
-// TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported.
-#define MAYBE_EVVerification DISABLED_EVVerification
-#else
+// This test fixture is paramaterized by the CertVerifyProc (which is specified
+// as an enum). Used for tests which should be run for multiple CertVerifyProc
+// implementations.
+class CertVerifyProcTest
+    : public CertVerifyProcBaseTest,
+      public testing::WithParamInterface<CertVerifyProcType> {
+ protected:
+  CertVerifyProcType verify_proc_type() const override { return GetParam(); }
+};
+
+INSTANTIATE_TEST_CASE_P(,
+                        CertVerifyProcTest,
+                        testing::ValuesIn(kAllCertVerifiers),
+                        VerifyProcTypeToName);
+
+// This test fixture is used for tests that are ONLY to be run with the
+// CertVerifyProc::CreateDefault() implementation.
+class CertVerifyProcDefaultTest : public CertVerifyProcBaseTest {
+ public:
+  CertVerifyProcType verify_proc_type() const override {
+    return GetDefaultCertVerifyProcType();
+  }
+};
+
 // TODO(rsleevi): Reenable this test once comodo.chaim.pem is no longer
 // expired, http://crbug.com/502818
-#define MAYBE_EVVerification DISABLED_EVVerification
-#endif
-TEST_F(CertVerifyProcTest, MAYBE_EVVerification) {
-  CertificateList certs = CreateCertificateListFromFile(
-      GetTestCertsDirectory(),
-      "comodo.chain.pem",
-      X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
+TEST_P(CertVerifyProcTest, DISABLED_EVVerification) {
+  if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID ||
+      verify_proc_type() == CERT_VERIFY_PROC_OPENSSL) {
+    // TODO(jnd): http://crbug.com/117478 - EV verification is not yet
+    // supported.
+    LOG(INFO) << "Skipping test as EV verification is not yet supported";
+    return;
+  }
+
+  CertificateList certs =
+      CreateCertificateListFromFile(GetTestCertsDirectory(), "comodo.chain.pem",
+                                    X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
   ASSERT_EQ(3U, certs.size());
 
   X509Certificate::OSCertHandles intermediates;
@@ -227,12 +333,8 @@ TEST_F(CertVerifyProcTest, MAYBE_EVVerification) {
   scoped_refptr<CRLSet> crl_set(CRLSet::ForTesting(false, NULL, ""));
   CertVerifyResult verify_result;
   int flags = CertVerifier::VERIFY_EV_CERT;
-  int error = Verify(comodo_chain.get(),
-                     "comodo.com",
-                     flags,
-                     crl_set.get(),
-                     empty_cert_list_,
-                     &verify_result);
+  int error = Verify(comodo_chain.get(), "comodo.com", flags, crl_set.get(),
+                     EmptyCertList(), &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
 }
@@ -241,7 +343,7 @@ TEST_F(CertVerifyProcTest, MAYBE_EVVerification) {
 // configurations, so disable the test until it is fixed (better to have
 // a bug to track a failing test than a false sense of security due to
 // false positive).
-TEST_F(CertVerifyProcTest, DISABLED_PaypalNullCertParsing) {
+TEST_P(CertVerifyProcTest, DISABLED_PaypalNullCertParsing) {
   // A certificate for www.paypal.com with a NULL byte in the common name.
   // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363
   SHA256HashValue paypal_null_fingerprint = {{0x00}};
@@ -258,73 +360,68 @@ TEST_F(CertVerifyProcTest, DISABLED_PaypalNullCertParsing) {
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(paypal_null_cert.get(),
-                     "www.paypal.com",
-                     flags,
-                     NULL,
-                     empty_cert_list_,
-                     &verify_result);
-#if defined(USE_NSS_CERTS) || defined(OS_ANDROID)
-  EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
-#elif defined(OS_IOS) && TARGET_IPHONE_SIMULATOR
-  // iOS returns a ERR_CERT_INVALID error on the simulator, while returning
-  // ERR_CERT_AUTHORITY_INVALID on the real device.
-  EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
-#else
-  // TOOD(bulach): investigate why macosx and win aren't returning
-  // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID.
-  EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
-#endif
+  int error = Verify(paypal_null_cert.get(), "www.paypal.com", flags, NULL,
+                     EmptyCertList(), &verify_result);
+
+  if (verify_proc_type() == CERT_VERIFY_PROC_NSS ||
+      verify_proc_type() == CERT_VERIFY_PROC_ANDROID) {
+    EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
+  } else if (verify_proc_type() == CERT_VERIFY_PROC_IOS &&
+             kTargetIsIphoneSimulator) {
+    // iOS returns a ERR_CERT_INVALID error on the simulator, while returning
+    // ERR_CERT_AUTHORITY_INVALID on the real device.
+    EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
+  } else {
+    // TOOD(bulach): investigate why macosx and win aren't returning
+    // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID.
+    EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
+  }
+
   // Either the system crypto library should correctly report a certificate
   // name mismatch, or our certificate blacklist should cause us to report an
   // invalid certificate.
-#if defined(USE_NSS_CERTS) || defined(OS_WIN)
-  EXPECT_TRUE(verify_result.cert_status &
-              (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
-#endif
+  if (verify_proc_type() == CERT_VERIFY_PROC_NSS ||
+      verify_proc_type() == CERT_VERIFY_PROC_WIN) {
+    EXPECT_TRUE(verify_result.cert_status &
+                (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
+  }
+
+  // TODO(crbug.com/649017): What expectations to use for the other verifiers?
 }
 
 // A regression test for http://crbug.com/31497.
-#if defined(OS_ANDROID)
-// Disabled on Android, as the Android verification libraries require an
-// explicit policy to be specified, even when anyPolicy is permitted.
-#define MAYBE_IntermediateCARequireExplicitPolicy \
-    DISABLED_IntermediateCARequireExplicitPolicy
-#else
-#define MAYBE_IntermediateCARequireExplicitPolicy \
-    IntermediateCARequireExplicitPolicy
-#endif
-TEST_F(CertVerifyProcTest, MAYBE_IntermediateCARequireExplicitPolicy) {
+TEST_P(CertVerifyProcTest, IntermediateCARequireExplicitPolicy) {
+  if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID) {
+    // Disabled on Android, as the Android verification libraries require an
+    // explicit policy to be specified, even when anyPolicy is permitted.
+    LOG(INFO) << "Skipping test on Android";
+    return;
+  }
+
   base::FilePath certs_dir = GetTestCertsDirectory();
 
   CertificateList certs = CreateCertificateListFromFile(
-      certs_dir, "explicit-policy-chain.pem",
-      X509Certificate::FORMAT_AUTO);
+      certs_dir, "explicit-policy-chain.pem", X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[1]->os_cert_handle());
 
-  scoped_refptr<X509Certificate> cert =
-      X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
-                                        intermediates);
+  scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
+      certs[0]->os_cert_handle(), intermediates);
   ASSERT_TRUE(cert.get());
 
   ScopedTestRoot scoped_root(certs[2].get());
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(cert.get(),
-                     "policy_test.example",
-                     flags,
-                     NULL,
-                     empty_cert_list_,
-                     &verify_result);
+  int error = Verify(cert.get(), "policy_test.example", flags, NULL,
+                     EmptyCertList(), &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_EQ(0u, verify_result.cert_status);
 }
 
-TEST_F(CertVerifyProcTest, RejectExpiredCert) {
+TEST_P(CertVerifyProcTest, RejectExpiredCert) {
   base::FilePath certs_dir = GetTestCertsDirectory();
 
   // Load root_ca_cert.pem into the test root store.
@@ -341,7 +438,7 @@ TEST_F(CertVerifyProcTest, RejectExpiredCert) {
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
+  int error = Verify(cert.get(), "127.0.0.1", flags, NULL, EmptyCertList(),
                      &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_DATE_INVALID));
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_DATE_INVALID);
@@ -363,7 +460,7 @@ static bool IsWeakKeyType(const std::string& key_type) {
   return false;
 }
 
-TEST_F(CertVerifyProcTest, RejectWeakKeys) {
+TEST_P(CertVerifyProcTest, RejectWeakKeys) {
   base::FilePath certs_dir = GetTestCertsDirectory();
   typedef std::vector<std::string> Strings;
   Strings key_types;
@@ -388,8 +485,8 @@ TEST_F(CertVerifyProcTest, RejectWeakKeys) {
        ee_type != key_types.end(); ++ee_type) {
     for (Strings::const_iterator signer_type = key_types.begin();
          signer_type != key_types.end(); ++signer_type) {
-      std::string basename = *ee_type + "-ee-by-" + *signer_type +
-          "-intermediate.pem";
+      std::string basename =
+          *ee_type + "-ee-by-" + *signer_type + "-intermediate.pem";
       SCOPED_TRACE(basename);
       scoped_refptr<X509Certificate> ee_cert =
           ImportCertFromFile(certs_dir, basename);
@@ -407,12 +504,8 @@ TEST_F(CertVerifyProcTest, RejectWeakKeys) {
                                             intermediates);
 
       CertVerifyResult verify_result;
-      int error = Verify(cert_chain.get(),
-                         "127.0.0.1",
-                         0,
-                         NULL,
-                         empty_cert_list_,
-                         &verify_result);
+      int error = Verify(cert_chain.get(), "127.0.0.1", 0, NULL,
+                         EmptyCertList(), &verify_result);
 
       if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) {
         EXPECT_NE(OK, error);
@@ -429,20 +522,21 @@ TEST_F(CertVerifyProcTest, RejectWeakKeys) {
 }
 
 // Regression test for http://crbug.com/108514.
-#if defined(OS_MACOSX) && !defined(OS_IOS)
-// Disabled on OS X - Security.framework doesn't ignore superflous certificates
-// provided by servers. See CertVerifyProcTest.CybertrustGTERoot for further
-// details.
-#define MAYBE_ExtraneousMD5RootCert DISABLED_ExtraneousMD5RootCert
-#else
-#define MAYBE_ExtraneousMD5RootCert ExtraneousMD5RootCert
-#endif
-TEST_F(CertVerifyProcTest, MAYBE_ExtraneousMD5RootCert) {
+TEST_P(CertVerifyProcTest, ExtraneousMD5RootCert) {
   if (!SupportsReturningVerifiedChain()) {
     LOG(INFO) << "Skipping this test in this platform.";
     return;
   }
 
+  if (verify_proc_type() == CERT_VERIFY_PROC_MAC) {
+    // Disabled on OS X - Security.framework doesn't ignore superflous
+    // certificates provided by servers.
+    // TODO(eroman): Is this still needed?
+    LOG(INFO) << "Skipping this test as Security.framework doesn't ignore "
+                 "superflous certificates provided by servers.";
+    return;
+  }
+
   base::FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> server_cert =
@@ -461,18 +555,13 @@ TEST_F(CertVerifyProcTest, MAYBE_ExtraneousMD5RootCert) {
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(extra_cert->os_cert_handle());
-  scoped_refptr<X509Certificate> cert_chain =
-      X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
-                                        intermediates);
+  scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle(
+      server_cert->os_cert_handle(), intermediates);
 
   CertVerifyResult verify_result;
   int flags = 0;
-  int error = Verify(cert_chain.get(),
-                     "127.0.0.1",
-                     flags,
-                     NULL,
-                     empty_cert_list_,
-                     &verify_result);
+  int error = Verify(cert_chain.get(), "127.0.0.1", flags, NULL,
+                     EmptyCertList(), &verify_result);
   EXPECT_THAT(error, IsOk());
 
   // The extra MD5 root should be discarded
@@ -480,14 +569,14 @@ TEST_F(CertVerifyProcTest, MAYBE_ExtraneousMD5RootCert) {
   ASSERT_EQ(1u,
             verify_result.verified_cert->GetIntermediateCertificates().size());
   EXPECT_TRUE(X509Certificate::IsSameOSCert(
-        verify_result.verified_cert->GetIntermediateCertificates().front(),
-        root_cert->os_cert_handle()));
+      verify_result.verified_cert->GetIntermediateCertificates().front(),
+      root_cert->os_cert_handle()));
 
   EXPECT_FALSE(verify_result.has_md5);
 }
 
 // Test for bug 94673.
-TEST_F(CertVerifyProcTest, GoogleDigiNotarTest) {
+TEST_P(CertVerifyProcTest, GoogleDigiNotarTest) {
   base::FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> server_cert =
@@ -500,35 +589,26 @@ TEST_F(CertVerifyProcTest, GoogleDigiNotarTest) {
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(intermediate_cert->os_cert_handle());
-  scoped_refptr<X509Certificate> cert_chain =
-      X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
-                                        intermediates);
+  scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle(
+      server_cert->os_cert_handle(), intermediates);
 
   CertVerifyResult verify_result;
   int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED;
-  int error = Verify(cert_chain.get(),
-                     "mail.google.com",
-                     flags,
-                     NULL,
-                     empty_cert_list_,
-                     &verify_result);
+  int error = Verify(cert_chain.get(), "mail.google.com", flags, NULL,
+                     EmptyCertList(), &verify_result);
   EXPECT_NE(OK, error);
 
   // Now turn off revocation checking.  Certificate verification should still
   // fail.
   flags = 0;
-  error = Verify(cert_chain.get(),
-                 "mail.google.com",
-                 flags,
-                 NULL,
-                 empty_cert_list_,
-                 &verify_result);
+  error = Verify(cert_chain.get(), "mail.google.com", flags, NULL,
+                 EmptyCertList(), &verify_result);
   EXPECT_NE(OK, error);
 }
 
 // Ensures the CertVerifyProc blacklist remains in sorted order, so that it
 // can be binary-searched.
-TEST_F(CertVerifyProcTest, BlacklistIsSorted) {
+TEST_F(CertVerifyProcBaseClassTest, BlacklistIsSorted) {
 // Defines kBlacklistedSPKIs.
 #include "net/cert/cert_verify_proc_blacklist.inc"
   for (size_t i = 0; i < arraysize(kBlacklistedSPKIs) - 1; ++i) {
@@ -538,14 +618,11 @@ TEST_F(CertVerifyProcTest, BlacklistIsSorted) {
   }
 }
 
-TEST_F(CertVerifyProcTest, DigiNotarCerts) {
+TEST_F(CertVerifyProcBaseClassTest, DigiNotarCerts) {
   static const char* const kDigiNotarFilenames[] = {
-    "diginotar_root_ca.pem",
-    "diginotar_cyber_ca.pem",
-    "diginotar_services_1024_ca.pem",
-    "diginotar_pkioverheid.pem",
-    "diginotar_pkioverheid_g2.pem",
-    NULL,
+      "diginotar_root_ca.pem",          "diginotar_cyber_ca.pem",
+      "diginotar_services_1024_ca.pem", "diginotar_pkioverheid.pem",
+      "diginotar_pkioverheid_g2.pem",   NULL,
   };
 
   base::FilePath certs_dir = GetTestCertsDirectory();
@@ -554,8 +631,8 @@ TEST_F(CertVerifyProcTest, DigiNotarCerts) {
     scoped_refptr<X509Certificate> diginotar_cert =
         ImportCertFromFile(certs_dir, kDigiNotarFilenames[i]);
     std::string der_bytes;
-    ASSERT_TRUE(X509Certificate::GetDEREncoded(
-        diginotar_cert->os_cert_handle(), &der_bytes));
+    ASSERT_TRUE(X509Certificate::GetDEREncoded(diginotar_cert->os_cert_handle(),
+                                               &der_bytes));
 
     base::StringPiece spki;
     ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(der_bytes, &spki));
@@ -568,15 +645,14 @@ TEST_F(CertVerifyProcTest, DigiNotarCerts) {
     memcpy(hash.data(), spki_sha256.data(), spki_sha256.size());
     public_keys.push_back(hash);
 
-    EXPECT_TRUE(CertVerifyProc::IsPublicKeyBlacklisted(public_keys)) <<
-        "Public key not blocked for " << kDigiNotarFilenames[i];
+    EXPECT_TRUE(CertVerifyProc::IsPublicKeyBlacklisted(public_keys))
+        << "Public key not blocked for " << kDigiNotarFilenames[i];
   }
 }
 
-TEST_F(CertVerifyProcTest, NameConstraintsOk) {
+TEST_P(CertVerifyProcTest, NameConstraintsOk) {
   CertificateList ca_cert_list =
-      CreateCertificateListFromFile(GetTestCertsDirectory(),
-                                    "root_ca_cert.pem",
+      CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
                                     X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, ca_cert_list.size());
   ScopedTestRoot test_root(ca_cert_list[0].get());
@@ -587,36 +663,30 @@ TEST_F(CertVerifyProcTest, NameConstraintsOk) {
   ASSERT_EQ(1U, cert_list.size());
 
   X509Certificate::OSCertHandles intermediates;
-  scoped_refptr<X509Certificate> leaf =
-      X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
-                                        intermediates);
+  scoped_refptr<X509Certificate> leaf = X509Certificate::CreateFromHandle(
+      cert_list[0]->os_cert_handle(), intermediates);
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(leaf.get(),
-                     "test.example.com",
-                     flags,
-                     NULL,
-                     empty_cert_list_,
-                     &verify_result);
+  int error = Verify(leaf.get(), "test.example.com", flags, NULL,
+                     EmptyCertList(), &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_EQ(0U, verify_result.cert_status);
 
   error = Verify(leaf.get(), "foo.test2.example.com", flags, NULL,
-                 empty_cert_list_, &verify_result);
+                 EmptyCertList(), &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_EQ(0U, verify_result.cert_status);
 }
 
-TEST_F(CertVerifyProcTest, NameConstraintsFailure) {
+TEST_P(CertVerifyProcTest, NameConstraintsFailure) {
   if (!SupportsReturningVerifiedChain()) {
     LOG(INFO) << "Skipping this test in this platform.";
     return;
   }
 
   CertificateList ca_cert_list =
-      CreateCertificateListFromFile(GetTestCertsDirectory(),
-                                    "root_ca_cert.pem",
+      CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
                                     X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, ca_cert_list.size());
   ScopedTestRoot test_root(ca_cert_list[0].get());
@@ -627,24 +697,19 @@ TEST_F(CertVerifyProcTest, NameConstraintsFailure) {
   ASSERT_EQ(1U, cert_list.size());
 
   X509Certificate::OSCertHandles intermediates;
-  scoped_refptr<X509Certificate> leaf =
-      X509Certificate::CreateFromHandle(cert_list[0]->os_cert_handle(),
-                                        intermediates);
+  scoped_refptr<X509Certificate> leaf = X509Certificate::CreateFromHandle(
+      cert_list[0]->os_cert_handle(), intermediates);
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(leaf.get(),
-                     "test.example.com",
-                     flags,
-                     NULL,
-                     empty_cert_list_,
-                     &verify_result);
+  int error = Verify(leaf.get(), "test.example.com", flags, NULL,
+                     EmptyCertList(), &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_NAME_CONSTRAINT_VIOLATION));
   EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
             verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION);
 }
 
-TEST_F(CertVerifyProcTest, TestHasTooLongValidity) {
+TEST_F(CertVerifyProcBaseClassTest, TestHasTooLongValidity) {
   struct {
     const char* const file;
     bool is_valid_too_long;
@@ -675,7 +740,7 @@ TEST_F(CertVerifyProcTest, TestHasTooLongValidity) {
 }
 
 // TODO(crbug.com/610546): Fix and re-enable this test.
-TEST_F(CertVerifyProcTest, DISABLED_TestKnownRoot) {
+TEST_P(CertVerifyProcTest, DISABLED_TestKnownRoot) {
   if (!SupportsDetectingKnownRoots()) {
     LOG(INFO) << "Skipping this test on this platform.";
     return;
@@ -689,22 +754,21 @@ TEST_F(CertVerifyProcTest, DISABLED_TestKnownRoot) {
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[1]->os_cert_handle());
 
-  scoped_refptr<X509Certificate> cert_chain =
-      X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
-                                        intermediates);
+  scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle(
+      certs[0]->os_cert_handle(), intermediates);
 
   int flags = 0;
   CertVerifyResult verify_result;
   // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
   // against agl. See also PublicKeyHashes.
   int error = Verify(cert_chain.get(), "twitter.com", flags, NULL,
-                     empty_cert_list_, &verify_result);
+                     EmptyCertList(), &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_TRUE(verify_result.is_issued_by_known_root);
 }
 
 // TODO(crbug.com/610546): Fix and re-enable this test.
-TEST_F(CertVerifyProcTest, DISABLED_PublicKeyHashes) {
+TEST_P(CertVerifyProcTest, DISABLED_PublicKeyHashes) {
   if (!SupportsReturningVerifiedChain()) {
     LOG(INFO) << "Skipping this test in this platform.";
     return;
@@ -718,16 +782,15 @@ TEST_F(CertVerifyProcTest, DISABLED_PublicKeyHashes) {
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(certs[1]->os_cert_handle());
 
-  scoped_refptr<X509Certificate> cert_chain =
-      X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
-                                        intermediates);
+  scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle(
+      certs[0]->os_cert_handle(), intermediates);
   int flags = 0;
   CertVerifyResult verify_result;
 
   // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
   // against agl. See also TestKnownRoot.
   int error = Verify(cert_chain.get(), "twitter.com", flags, NULL,
-                     empty_cert_list_, &verify_result);
+                     EmptyCertList(), &verify_result);
   EXPECT_THAT(error, IsOk());
   ASSERT_LE(3U, verify_result.public_key_hashes.size());
 
@@ -761,7 +824,7 @@ TEST_F(CertVerifyProcTest, DISABLED_PublicKeyHashes) {
 // A regression test for http://crbug.com/70293.
 // The Key Usage extension in this RSA SSL server certificate does not have
 // the keyEncipherment bit.
-TEST_F(CertVerifyProcTest, InvalidKeyUsage) {
+TEST_P(CertVerifyProcTest, InvalidKeyUsage) {
   base::FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> server_cert =
@@ -770,27 +833,28 @@ TEST_F(CertVerifyProcTest, InvalidKeyUsage) {
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(server_cert.get(),
-                     "jira.aquameta.com",
-                     flags,
-                     NULL,
-                     empty_cert_list_,
-                     &verify_result);
-#if defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
-  // This certificate has two errors: "invalid key usage" and "untrusted CA".
-  // However, OpenSSL returns only one (the latter), and we can't detect
-  // the other errors.
-  EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
-#else
-  EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
-#endif
+  int error = Verify(server_cert.get(), "jira.aquameta.com", flags, NULL,
+                     EmptyCertList(), &verify_result);
+
+  // TODO(eroman): Change the test data so results are consistent across
+  //               verifiers.
+  if (verify_proc_type() == CERT_VERIFY_PROC_OPENSSL) {
+    // This certificate has two errors: "invalid key usage" and "untrusted CA".
+    // However, OpenSSL returns only one (the latter), and we can't detect
+    // the other errors.
+    EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
+  } else {
+    EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
+    EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
+  }
   // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors
   // from NSS.
-#if !defined(USE_NSS_CERTS) && !defined(OS_IOS) && !defined(OS_ANDROID)
-  // The certificate is issued by an unknown CA.
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
-#endif
+  if (verify_proc_type() != CERT_VERIFY_PROC_NSS &&
+      verify_proc_type() != CERT_VERIFY_PROC_IOS &&
+      verify_proc_type() != CERT_VERIFY_PROC_ANDROID) {
+    // The certificate is issued by an unknown CA.
+    EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
+  }
 }
 
 // Basic test for returning the chain in CertVerifyResult. Note that the
@@ -799,7 +863,7 @@ TEST_F(CertVerifyProcTest, InvalidKeyUsage) {
 // of the certificate to be verified. The remaining VerifyReturn* tests are
 // used to ensure that the actual, verified chain is being returned by
 // Verify().
-TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {
+TEST_P(CertVerifyProcTest, VerifyReturnChainBasic) {
   if (!SupportsReturningVerifiedChain()) {
     LOG(INFO) << "Skipping this test in this platform.";
     return;
@@ -807,8 +871,7 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {
 
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
-      certs_dir, "x509_verify_results.chain.pem",
-      X509Certificate::FORMAT_AUTO);
+      certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
 
   X509Certificate::OSCertHandles intermediates;
@@ -826,12 +889,8 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {
   CertVerifyResult verify_result;
   EXPECT_EQ(static_cast<X509Certificate*>(NULL),
             verify_result.verified_cert.get());
-  int error = Verify(google_full_chain.get(),
-                     "127.0.0.1",
-                     0,
-                     NULL,
-                     empty_cert_list_,
-                     &verify_result);
+  int error = Verify(google_full_chain.get(), "127.0.0.1", 0, NULL,
+                     EmptyCertList(), &verify_result);
   EXPECT_THAT(error, IsOk());
   ASSERT_NE(static_cast<X509Certificate*>(NULL),
             verify_result.verified_cert.get());
@@ -853,12 +912,7 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainBasic) {
 // known public registry controlled domain information) issued by well-known
 // CAs are flagged appropriately, while certificates that are issued by
 // internal CAs are not flagged.
-TEST_F(CertVerifyProcTest, IntranetHostsRejected) {
-  if (!SupportsDetectingKnownRoots()) {
-    LOG(INFO) << "Skipping this test in this platform.";
-    return;
-  }
-
+TEST_F(CertVerifyProcBaseClassTest, IntranetHostsRejected) {
   CertificateList cert_list = CreateCertificateListFromFile(
       GetTestCertsDirectory(), "reject_intranet_hosts.pem",
       X509Certificate::FORMAT_AUTO);
@@ -871,18 +925,18 @@ TEST_F(CertVerifyProcTest, IntranetHostsRejected) {
   // Intranet names for public CAs should be flagged:
   CertVerifyResult dummy_result;
   dummy_result.is_issued_by_known_root = true;
-  verify_proc_ = new MockCertVerifyProc(dummy_result);
-  error =
-      Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result);
+  auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));

[Ryan Sleevi, 2017/02/01 23:46:38]

It's a small pedantry nit, but your use of auto semantically changes this code
(from working on a scoped_refptr<CertVerifyProc> to now working on the
scoped_refptr<MockCertVerifyProc>)

This is part of my general hated for auto-plus-pointer-types (and which there
have been many a character spilled over email discussing)

[eroman, 2017/02/02 00:36:55]

Done (although testing via the Mock interface shouldn't be harmful here).

+  error = verify_proc->Verify(cert.get(), "intranet", std::string(), 0, NULL,
+                              CertificateList(), &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
 
   // However, if the CA is not well known, these should not be flagged:
   dummy_result.Reset();
   dummy_result.is_issued_by_known_root = false;
-  verify_proc_ = new MockCertVerifyProc(dummy_result);
-  error =
-      Verify(cert.get(), "intranet", 0, NULL, empty_cert_list_, &verify_result);
+  verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));
+  error = verify_proc->Verify(cert.get(), "intranet", std::string(), 0, NULL,
+                              CertificateList(), &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
 }
@@ -893,7 +947,8 @@ TEST_F(CertVerifyProcTest, IntranetHostsRejected) {
 // that were issued after 1 January 2016, while still allowing those from
 // before that date, with SHA-1 in the intermediate, or from an enterprise
 // CA.
-TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
+TEST_F(CertVerifyProcBaseClassTest,
+       VerifyRejectsSHA1AfterDeprecationLegacyMode) {
   base::test::ScopedFeatureList scoped_feature_list;
   scoped_feature_list.InitAndEnableFeature(CertVerifyProc::kSHA1LegacyMode);
 
@@ -909,13 +964,13 @@ TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
   dummy_result.is_issued_by_known_root = true;
   dummy_result.has_sha1 = true;
   dummy_result.has_sha1_leaf = true;
-  verify_proc_ = new MockCertVerifyProc(dummy_result);
+  auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));
   cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
                                         "sha1_dec_2015.pem",
                                         X509Certificate::FORMAT_AUTO);
   ASSERT_TRUE(cert);
-  error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_,
-                 &verify_result);
+  error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), 0, NULL,
+                              CertificateList(), &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
 
@@ -926,13 +981,13 @@ TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
   dummy_result.is_issued_by_known_root = true;
   dummy_result.has_sha1 = true;
   dummy_result.has_sha1_leaf = true;
-  verify_proc_ = new MockCertVerifyProc(dummy_result);
+  verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));
   cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
                                         "sha1_jan_2016.pem",
                                         X509Certificate::FORMAT_AUTO);
   ASSERT_TRUE(cert);
-  error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_,
-                 &verify_result);
+  error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), 0, NULL,
+                              CertificateList(), &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
 
@@ -943,13 +998,13 @@ TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
   dummy_result.is_issued_by_known_root = false;
   dummy_result.has_sha1 = true;
   dummy_result.has_sha1_leaf = true;
-  verify_proc_ = new MockCertVerifyProc(dummy_result);
+  verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));
   cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
                                         "sha1_jan_2016.pem",
                                         X509Certificate::FORMAT_AUTO);
   ASSERT_TRUE(cert);
-  error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_,
-                 &verify_result);
+  error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), 0, NULL,
+                              CertificateList(), &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
 
@@ -960,13 +1015,13 @@ TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
   dummy_result.is_issued_by_known_root = true;
   dummy_result.has_sha1 = true;
   dummy_result.has_sha1_leaf = false;
-  verify_proc_ = new MockCertVerifyProc(dummy_result);
+  verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));
   cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
                                         "sha1_jan_2016.pem",
                                         X509Certificate::FORMAT_AUTO);
   ASSERT_TRUE(cert);
-  error = Verify(cert.get(), "127.0.0.1", 0, NULL, empty_cert_list_,
-                 &verify_result);
+  error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), 0, NULL,
+                              CertificateList(), &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
 }
@@ -976,7 +1031,7 @@ TEST_F(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
 // a protocol violation if sent during a TLS handshake, if multiple sources
 // of intermediate certificates are combined, it's possible that order may
 // not be maintained.
-TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
+TEST_P(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
   if (!SupportsReturningVerifiedChain()) {
     LOG(INFO) << "Skipping this test in this platform.";
     return;
@@ -984,8 +1039,7 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
 
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
-      certs_dir, "x509_verify_results.chain.pem",
-      X509Certificate::FORMAT_AUTO);
+      certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
 
   // Construct the chain out of order.
@@ -1004,12 +1058,8 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
   CertVerifyResult verify_result;
   EXPECT_EQ(static_cast<X509Certificate*>(NULL),
             verify_result.verified_cert.get());
-  int error = Verify(google_full_chain.get(),
-                     "127.0.0.1",
-                     0,
-                     NULL,
-                     empty_cert_list_,
-                     &verify_result);
+  int error = Verify(google_full_chain.get(), "127.0.0.1", 0, NULL,
+                     EmptyCertList(), &verify_result);
   EXPECT_THAT(error, IsOk());
   ASSERT_NE(static_cast<X509Certificate*>(NULL),
             verify_result.verified_cert.get());
@@ -1029,7 +1079,7 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainProperlyOrdered) {
 
 // Test that Verify() filters out certificates which are not related to
 // or part of the certificate chain being verified.
-TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
+TEST_P(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
   if (!SupportsReturningVerifiedChain()) {
     LOG(INFO) << "Skipping this test in this platform.";
     return;
@@ -1037,8 +1087,7 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
 
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
-      certs_dir, "x509_verify_results.chain.pem",
-      X509Certificate::FORMAT_AUTO);
+      certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, certs.size());
   ScopedTestRoot scoped_root(certs[2].get());
 
@@ -1065,12 +1114,8 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
   CertVerifyResult verify_result;
   EXPECT_EQ(static_cast<X509Certificate*>(NULL),
             verify_result.verified_cert.get());
-  int error = Verify(google_full_chain.get(),
-                     "127.0.0.1",
-                     0,
-                     NULL,
-                     empty_cert_list_,
-                     &verify_result);
+  int error = Verify(google_full_chain.get(), "127.0.0.1", 0, NULL,
+                     EmptyCertList(), &verify_result);
   EXPECT_THAT(error, IsOk());
   ASSERT_NE(static_cast<X509Certificate*>(NULL),
             verify_result.verified_cert.get());
@@ -1088,22 +1133,21 @@ TEST_F(CertVerifyProcTest, VerifyReturnChainFiltersUnrelatedCerts) {
                                             certs[2]->os_cert_handle()));
 }
 
-TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
+TEST_P(CertVerifyProcTest, AdditionalTrustAnchors) {
   if (!SupportsAdditionalTrustAnchors()) {
     LOG(INFO) << "Skipping this test in this platform.";
     return;
   }
 
   // |ca_cert| is the issuer of |cert|.
-  CertificateList ca_cert_list = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "root_ca_cert.pem",
-      X509Certificate::FORMAT_AUTO);
+  CertificateList ca_cert_list =
+      CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
+                                    X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, ca_cert_list.size());
   scoped_refptr<X509Certificate> ca_cert(ca_cert_list[0]);
 
   CertificateList cert_list = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "ok_cert.pem",
-      X509Certificate::FORMAT_AUTO);
+      GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, cert_list.size());
   scoped_refptr<X509Certificate> cert(cert_list[0]);
 
@@ -1111,8 +1155,8 @@ TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
   // list.
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(
-      cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
+  int error = Verify(cert.get(), "127.0.0.1", flags, NULL, EmptyCertList(),
+                     &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
   EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
   EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
@@ -1120,16 +1164,16 @@ TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
   // Now add the |ca_cert| to the |trust_anchors|, and verification should pass.
   CertificateList trust_anchors;
   trust_anchors.push_back(ca_cert);
-  error = Verify(
-      cert.get(), "127.0.0.1", flags, NULL, trust_anchors, &verify_result);
+  error = Verify(cert.get(), "127.0.0.1", flags, NULL, trust_anchors,
+                 &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_EQ(0U, verify_result.cert_status);
   EXPECT_TRUE(verify_result.is_issued_by_additional_trust_anchor);
 
   // Clearing the |trust_anchors| makes verification fail again (the cache
   // should be skipped).
-  error = Verify(
-      cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
+  error = Verify(cert.get(), "127.0.0.1", flags, NULL, EmptyCertList(),
+                 &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
   EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
   EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
@@ -1138,7 +1182,7 @@ TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
 // Tests that certificates issued by user-supplied roots are not flagged as
 // issued by a known root. This should pass whether or not the platform supports
 // detecting known roots.
-TEST_F(CertVerifyProcTest, IsIssuedByKnownRootIgnoresTestRoots) {
+TEST_P(CertVerifyProcTest, IsIssuedByKnownRootIgnoresTestRoots) {
   // Load root_ca_cert.pem into the test root store.
   ScopedTestRoot test_root(
       ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem").get());
@@ -1149,22 +1193,24 @@ TEST_F(CertVerifyProcTest, IsIssuedByKnownRootIgnoresTestRoots) {
   // Verification should pass.
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(
-      cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
+  int error = Verify(cert.get(), "127.0.0.1", flags, NULL, EmptyCertList(),
+                     &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_EQ(0U, verify_result.cert_status);
   // But should not be marked as a known root.
   EXPECT_FALSE(verify_result.is_issued_by_known_root);
 }
 
-#if defined(USE_NSS_CERTS) || defined(OS_WIN) || \
-    (defined(OS_MACOSX) && !defined(OS_IOS))
 // Test that CRLSets are effective in making a certificate appear to be
 // revoked.
-TEST_F(CertVerifyProcTest, CRLSet) {
+TEST_P(CertVerifyProcTest, CRLSet) {
+  if (!SupportsCRLSet()) {
+    LOG(INFO) << "Skipping test as verifier doesn't support CRLSet";
+    return;
+  }
+
   CertificateList ca_cert_list =
-      CreateCertificateListFromFile(GetTestCertsDirectory(),
-                                    "root_ca_cert.pem",
+      CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
                                     X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, ca_cert_list.size());
   ScopedTestRoot test_root(ca_cert_list[0].get());
@@ -1176,8 +1222,8 @@ TEST_F(CertVerifyProcTest, CRLSet) {
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(
-      cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_, &verify_result);
+  int error = Verify(cert.get(), "127.0.0.1", flags, NULL, EmptyCertList(),
+                     &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_EQ(0U, verify_result.cert_status);
 
@@ -1190,11 +1236,7 @@ TEST_F(CertVerifyProcTest, CRLSet) {
       &crl_set_bytes));
   ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
 
-  error = Verify(cert.get(),
-                 "127.0.0.1",
-                 flags,
-                 crl_set.get(),
-                 empty_cert_list_,
+  error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(), EmptyCertList(),
                  &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
 
@@ -1206,16 +1248,17 @@ TEST_F(CertVerifyProcTest, CRLSet) {
       &crl_set_bytes));
   ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
 
-  error = Verify(cert.get(),
-                 "127.0.0.1",
-                 flags,
-                 crl_set.get(),
-                 empty_cert_list_,
+  error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(), EmptyCertList(),
                  &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
 }
 
-TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
+TEST_P(CertVerifyProcTest, CRLSetLeafSerial) {
+  if (!SupportsCRLSet()) {
+    LOG(INFO) << "Skipping test as verifier doesn't support CRLSet";
+    return;
+  }
+
   CertificateList ca_cert_list =
       CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
                                     X509Certificate::FORMAT_AUTO);
@@ -1240,7 +1283,7 @@ TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(leaf.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
+  int error = Verify(leaf.get(), "127.0.0.1", flags, NULL, EmptyCertList(),
                      &verify_result);
   EXPECT_THAT(error, IsOk());
 
@@ -1252,8 +1295,8 @@ TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
       &crl_set_bytes));
   ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
 
-  error = Verify(leaf.get(), "127.0.0.1", flags, crl_set.get(),
-                 empty_cert_list_, &verify_result);
+  error = Verify(leaf.get(), "127.0.0.1", flags, crl_set.get(), EmptyCertList(),
+                 &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
 }
 
@@ -1271,7 +1314,7 @@ TEST_F(CertVerifyProcTest, CRLSetLeafSerial) {
 // 1. Revoking E by SPKI, so that only Path 1 is valid (as E is in Paths 2 & 3)
 // 2. Revoking C(D) and F(E) by serial, so that only Path 2 is valid.
 // 3. Revoking C by SPKI, so that only Path 3 is valid (as C is in Paths 1 & 2)
-TEST_F(CertVerifyProcTest, CRLSetDuringPathBuilding) {
+TEST_P(CertVerifyProcTest, CRLSetDuringPathBuilding) {
   if (!SupportsCRLSetsInPathBuilding()) {
     LOG(INFO) << "Skipping this test on this platform.";
     return;
@@ -1338,7 +1381,7 @@ TEST_F(CertVerifyProcTest, CRLSetDuringPathBuilding) {
     int flags = 0;
     CertVerifyResult verify_result;
     int error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
-                       empty_cert_list_, &verify_result);
+                       EmptyCertList(), &verify_result);
 
     if (!testcase.expect_valid) {
       EXPECT_NE(OK, error);
@@ -1370,8 +1413,6 @@ TEST_F(CertVerifyProcTest, CRLSetDuringPathBuilding) {
   }
 }
 
-#endif
-
 #if defined(OS_MACOSX) && !defined(OS_IOS)
 // Test that a CRLSet blocking one of the intermediates supplied by the server
 // can be worked around by the chopping workaround for path building. (Once the
@@ -1389,7 +1430,7 @@ TEST_F(CertVerifyProcTest, CRLSetDuringPathBuilding) {
 //
 // The verifier should rollback until it just tries A(B) alone, at which point
 // it will pull B(F) & F(E) from the keychain and succeed.
-TEST_F(CertVerifyProcTest, MacCRLIntermediate) {
+TEST_F(CertVerifyProcDefaultTest, MacCRLIntermediate) {
   if (base::mac::IsAtLeastOS10_12()) {
     // TODO(crbug.com/671889): Investigate SecTrustSetKeychains issue on Sierra.
     LOG(INFO) << "Skipping test, SecTrustSetKeychains does not work on 10.12";
@@ -1446,7 +1487,7 @@ TEST_F(CertVerifyProcTest, MacCRLIntermediate) {
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
-                     empty_cert_list_, &verify_result);
+                     EmptyCertList(), &verify_result);
 
   ASSERT_EQ(OK, error);
   ASSERT_EQ(0U, verify_result.cert_status);
@@ -1472,7 +1513,7 @@ TEST_F(CertVerifyProcTest, MacCRLIntermediate) {
 // Test that if a keychain is present which trusts a less-desirable root (ex,
 // one using SHA1), that the keychain reordering hack will cause the better
 // root in the System Roots to be used instead.
-TEST_F(CertVerifyProcTest, MacKeychainReordering) {
+TEST_F(CertVerifyProcDefaultTest, MacKeychainReordering) {
   // Note: target cert expires Apr  2 23:59:59 2018 GMT
   scoped_refptr<X509Certificate> cert = CreateCertificateChainFromFile(
       GetTestCertsDirectory(), "tripadvisor-verisign-chain.pem",
@@ -1501,7 +1542,7 @@ TEST_F(CertVerifyProcTest, MacKeychainReordering) {
   int flags = 0;
   CertVerifyResult verify_result;
   int error = Verify(cert.get(), "www.tripadvisor.com", flags,
-                     nullptr /* crl_set */, empty_cert_list_, &verify_result);
+                     nullptr /* crl_set */, EmptyCertList(), &verify_result);
 
   ASSERT_EQ(OK, error);
   EXPECT_EQ(0U, verify_result.cert_status);
@@ -1516,7 +1557,7 @@ TEST_F(CertVerifyProcTest, MacKeychainReordering) {
 // Test that the system root certificate keychain is in the expected location
 // and can be opened. Other tests would fail if this was not true, but this
 // test makes the reason for the failure obvious.
-TEST_F(CertVerifyProcTest, MacSystemRootCertificateKeychainLocation) {
+TEST_F(CertVerifyProcDefaultTest, MacSystemRootCertificateKeychainLocation) {
   const char* root_keychain_path =
       "/System/Library/Keychains/SystemRootCertificates.keychain";
   ASSERT_TRUE(base::PathExists(base::FilePath(root_keychain_path)));
@@ -1526,8 +1567,11 @@ TEST_F(CertVerifyProcTest, MacSystemRootCertificateKeychainLocation) {
   ASSERT_EQ(errSecSuccess, status);
   CFRelease(keychain);
 }
-#endif
+#endif  // defined(OS_MACOSX) && !defined(OS_IOS)
 
+// TODO(crbug.com/649017): This is not parameterized by the CertVerifyProc
+// because the CertVerifyProc::Verify() does this unconditionally based on the
+// platform.
 bool AreSHA1IntermediatesAllowed() {
 #if defined(OS_WIN)
   // TODO(rsleevi): Remove this once https://crbug.com/588789 is resolved
@@ -1539,58 +1583,61 @@ bool AreSHA1IntermediatesAllowed() {
 #endif
 }
 
-TEST_F(CertVerifyProcTest, RejectsMD2) {
+TEST_F(CertVerifyProcBaseClassTest, RejectsMD2) {
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
   ASSERT_TRUE(cert);
 
   CertVerifyResult result;
   result.has_md2 = true;
-  verify_proc_ = new MockCertVerifyProc(result);
+  auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
-                     empty_cert_list_, &verify_result);
+  int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+                                  nullptr /* crl_set */, CertificateList(),
+                                  &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
 }
 
-TEST_F(CertVerifyProcTest, RejectsMD4) {
+TEST_F(CertVerifyProcBaseClassTest, RejectsMD4) {
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
   ASSERT_TRUE(cert);
 
   CertVerifyResult result;
   result.has_md4 = true;
-  verify_proc_ = new MockCertVerifyProc(result);
+  auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
-                     empty_cert_list_, &verify_result);
+  int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+                                  nullptr /* crl_set */, CertificateList(),
+                                  &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
 }
 
-TEST_F(CertVerifyProcTest, RejectsMD5) {
+TEST_F(CertVerifyProcBaseClassTest, RejectsMD5) {
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
   ASSERT_TRUE(cert);
 
   CertVerifyResult result;
   result.has_md5 = true;
-  verify_proc_ = new MockCertVerifyProc(result);
+  auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
-                     empty_cert_list_, &verify_result);
+  int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+                                  nullptr /* crl_set */, CertificateList(),
+                                  &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
 }
 
-TEST_F(CertVerifyProcTest, RejectsPublicSHA1Leaves) {
+TEST_F(CertVerifyProcBaseClassTest, RejectsPublicSHA1Leaves) {
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
   ASSERT_TRUE(cert);
@@ -1599,17 +1646,19 @@ TEST_F(CertVerifyProcTest, RejectsPublicSHA1Leaves) {
   result.has_sha1 = true;
   result.has_sha1_leaf = true;
   result.is_issued_by_known_root = true;
-  verify_proc_ = new MockCertVerifyProc(result);
+  auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
-                     empty_cert_list_, &verify_result);
+  int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+                                  nullptr /* crl_set */, CertificateList(),
+                                  &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
 }
 
-TEST_F(CertVerifyProcTest, RejectsPublicSHA1IntermediatesUnlessAllowed) {
+TEST_F(CertVerifyProcBaseClassTest,
+       RejectsPublicSHA1IntermediatesUnlessAllowed) {
   scoped_refptr<X509Certificate> cert(ImportCertFromFile(
       GetTestCertsDirectory(), "39_months_after_2015_04.pem"));
   ASSERT_TRUE(cert);
@@ -1618,12 +1667,13 @@ TEST_F(CertVerifyProcTest, RejectsPublicSHA1IntermediatesUnlessAllowed) {
   result.has_sha1 = true;
   result.has_sha1_leaf = false;
   result.is_issued_by_known_root = true;
-  verify_proc_ = new MockCertVerifyProc(result);
+  auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
-                     empty_cert_list_, &verify_result);
+  int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+                                  nullptr /* crl_set */, CertificateList(),
+                                  &verify_result);
   if (AreSHA1IntermediatesAllowed()) {
     EXPECT_THAT(error, IsOk());
     EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
@@ -1634,7 +1684,7 @@ TEST_F(CertVerifyProcTest, RejectsPublicSHA1IntermediatesUnlessAllowed) {
   }
 }
 
-TEST_F(CertVerifyProcTest, RejectsPrivateSHA1UnlessFlag) {
+TEST_F(CertVerifyProcBaseClassTest, RejectsPrivateSHA1UnlessFlag) {
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
   ASSERT_TRUE(cert);
@@ -1643,21 +1693,23 @@ TEST_F(CertVerifyProcTest, RejectsPrivateSHA1UnlessFlag) {
   result.has_sha1 = true;
   result.has_sha1_leaf = true;
   result.is_issued_by_known_root = false;
-  verify_proc_ = new MockCertVerifyProc(result);
+  auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
 
   // SHA-1 should be rejected by default for private roots...
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
-                     empty_cert_list_, &verify_result);
+  int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+                                  nullptr /* crl_set */, CertificateList(),
+                                  &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
 
   // ... unless VERIFY_ENABLE_SHA1_LOCAL_ANCHORS was supplied.
   flags = CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS;
   verify_result.Reset();
-  error = Verify(cert.get(), "127.0.0.1", flags, nullptr /* crl_set */,
-                 empty_cert_list_, &verify_result);
+  error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+                              nullptr /* crl_set */, CertificateList(),
+                              &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
 }
@@ -1695,14 +1747,14 @@ void PrintTo(const WeakDigestTestData& data, std::ostream* os) {
 }
 
 class CertVerifyProcWeakDigestTest
-    : public CertVerifyProcTest,
+    : public CertVerifyProcBaseClassTest,
       public testing::WithParamInterface<WeakDigestTestData> {
  public:
   CertVerifyProcWeakDigestTest() {}
   virtual ~CertVerifyProcWeakDigestTest() {}
 };
 
-// Test that the CertVerifyProc::Verify() properly surfaces the (weak) hashing
+// Tests that the CertVerifyProc::Verify() properly surfaces the (weak) hash
 // algorithms used in the chain.
 TEST_P(CertVerifyProcWeakDigestTest, VerifyDetectsAlgorithm) {
   WeakDigestTestData data = GetParam();
@@ -1731,9 +1783,8 @@ TEST_P(CertVerifyProcWeakDigestTest, VerifyDetectsAlgorithm) {
       ImportCertFromFile(certs_dir, data.ee_cert_filename);
   ASSERT_TRUE(ee_cert);
 
-  scoped_refptr<X509Certificate> ee_chain =
-      X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
-                                        intermediates);
+  scoped_refptr<X509Certificate> ee_chain = X509Certificate::CreateFromHandle(
+      ee_cert->os_cert_handle(), intermediates);
   ASSERT_TRUE(ee_chain);
 
   int flags = 0;
@@ -1743,11 +1794,11 @@ TEST_P(CertVerifyProcWeakDigestTest, VerifyDetectsAlgorithm) {
   // |ee_chain|.
   //
   // This is sufficient for the purposes of this test, as the checking for weak
-  // hashing algorithms is done by CertVerifyProc::Verify().
+  // hash algorithms is done by CertVerifyProc::Verify().
   scoped_refptr<CertVerifyProc> proc =
       new MockCertVerifyProc(CertVerifyResult());
   proc->Verify(ee_chain.get(), "127.0.0.1", std::string(), flags, nullptr,
-               empty_cert_list_, &verify_result);
+               CertificateList(), &verify_result);
   EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD2), verify_result.has_md2);
   EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD4), verify_result.has_md4);
   EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD5), verify_result.has_md5);
@@ -1785,12 +1836,12 @@ INSTANTIATE_TEST_CASE_P(VerifyIntermediate,
 
 // The signature algorithm of end-entity should be properly detected.
 const WeakDigestTestData kVerifyEndEntityTestData[] = {
-  { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
-    "weak_digest_md5_ee.pem", EXPECT_MD5 | EXPECT_SHA1 },
-  { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
-    "weak_digest_md4_ee.pem", EXPECT_MD4 | EXPECT_SHA1 },
-  { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
-    "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_SHA1 },
+    {"weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
+     "weak_digest_md5_ee.pem", EXPECT_MD5 | EXPECT_SHA1},
+    {"weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
+     "weak_digest_md4_ee.pem", EXPECT_MD4 | EXPECT_SHA1},
+    {"weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
+     "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_SHA1},
 };
 
 INSTANTIATE_TEST_CASE_P(VerifyEndEntity,
@@ -1837,12 +1888,12 @@ INSTANTIATE_TEST_CASE_P(VerifyIncompleteEndEntity,
 // Differing algorithms between the intermediate and the EE should still be
 // reported.
 const WeakDigestTestData kVerifyMixedTestData[] = {
-  { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
-    "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD5 },
-  { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
-    "weak_digest_md5_ee.pem", EXPECT_MD2 | EXPECT_MD5 },
-  { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
-    "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD4 },
+    {"weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
+     "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD5},
+    {"weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
+     "weak_digest_md5_ee.pem", EXPECT_MD2 | EXPECT_MD5},
+    {"weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
+     "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD4},
 };
 
 INSTANTIATE_TEST_CASE_P(VerifyMixed,
@@ -1864,67 +1915,109 @@ INSTANTIATE_TEST_CASE_P(VerifyTrustedEE,
 
 // For the list of valid hostnames, see
 // net/cert/data/ssl/certificates/subjectAltName_sanity_check.pem
-static const struct CertVerifyProcNameData {
+struct CertVerifyProcNameData {
   const char* hostname;
   bool valid;  // Whether or not |hostname| matches a subjectAltName.
-} kVerifyNameData[] = {
-  { "127.0.0.1", false },  // Don't match the common name
-  { "127.0.0.2", true },  // Matches the iPAddress SAN (IPv4)
-  { "FE80:0:0:0:0:0:0:1", true },  // Matches the iPAddress SAN (IPv6)
-  { "[FE80:0:0:0:0:0:0:1]", false },  // Should not match the iPAddress SAN
-  { "FE80::1", true },  // Compressed form matches the iPAddress SAN (IPv6)
-  { "::127.0.0.2", false },  // IPv6 mapped form should NOT match iPAddress SAN
-  { "test.example", true },  // Matches the dNSName SAN
-  { "test.example.", true },  // Matches the dNSName SAN (trailing . ignored)
-  { "www.test.example", false },  // Should not match the dNSName SAN
-  { "test..example", false },  // Should not match the dNSName SAN
-  { "test.example..", false },  // Should not match the dNSName SAN
-  { ".test.example.", false },  // Should not match the dNSName SAN
-  { ".test.example", false },  // Should not match the dNSName SAN
 };
 
-// GTest 'magic' pretty-printer, so that if/when a test fails, it knows how
-// to output the parameter that was passed. Without this, it will simply
-// attempt to print out the first twenty bytes of the object, which depending
-// on platform and alignment, may result in an invalid read.
-void PrintTo(const CertVerifyProcNameData& data, std::ostream* os) {
-  *os << "Hostname: " << data.hostname << "; valid=" << data.valid;
-}
-
-class CertVerifyProcNameTest
-    : public CertVerifyProcTest,
-      public testing::WithParamInterface<CertVerifyProcNameData> {
+// Test fixture for verifying certificate names.
+class CertVerifyProcNameTest : public CertVerifyProcTest {
  public:
   CertVerifyProcNameTest() {}
   virtual ~CertVerifyProcNameTest() {}
+
+ protected:
+  void VerifyCertName(const char* hostname, bool valid) {
+    CertificateList cert_list = CreateCertificateListFromFile(
+        GetTestCertsDirectory(), "subjectAltName_sanity_check.pem",
+        X509Certificate::FORMAT_AUTO);
+    ASSERT_EQ(1U, cert_list.size());
+    scoped_refptr<X509Certificate> cert(cert_list[0]);
+
+    ScopedTestRoot scoped_root(cert.get());
+
+    CertVerifyResult verify_result;
+    int error =
+        Verify(cert.get(), hostname, 0, NULL, EmptyCertList(), &verify_result);
+    if (valid) {
+      EXPECT_THAT(error, IsOk());
+      EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
+    } else {
+      EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
+      EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
+    }
+  }
 };
 
-TEST_P(CertVerifyProcNameTest, VerifyCertName) {
-  CertVerifyProcNameData data = GetParam();
+// Don't match the common name
+TEST_P(CertVerifyProcNameTest, DontMatchCommonName) {
+  VerifyCertName("127.0.0.1", false);
+}
 
-  CertificateList cert_list = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "subjectAltName_sanity_check.pem",
-      X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(1U, cert_list.size());
-  scoped_refptr<X509Certificate> cert(cert_list[0]);
+// Matches the iPAddress SAN (IPv4)
+TEST_P(CertVerifyProcNameTest, MatchesIpSanIpv4) {
+  VerifyCertName("127.0.0.2", true);
+}
 
-  ScopedTestRoot scoped_root(cert.get());
+// Matches the iPAddress SAN (IPv6)
+TEST_P(CertVerifyProcNameTest, MatchesIpSanIpv6) {
+  VerifyCertName("FE80:0:0:0:0:0:0:1", true);
+}
 
-  CertVerifyResult verify_result;
-  int error = Verify(cert.get(), data.hostname, 0, NULL, empty_cert_list_,
-                     &verify_result);
-  if (data.valid) {
-    EXPECT_THAT(error, IsOk());
-    EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
-  } else {
-    EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
-    EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
-  }
+// Should not match the iPAddress SAN
+TEST_P(CertVerifyProcNameTest, DoesntMatchIpSanIpv6) {
+  VerifyCertName("[FE80:0:0:0:0:0:0:1]", false);
+}
+
+// Compressed form matches the iPAddress SAN (IPv6)
+TEST_P(CertVerifyProcNameTest, MatchesIpSanCompressedIpv6) {
+  VerifyCertName("FE80::1", true);
+}
+
+// IPv6 mapped form should NOT match iPAddress SAN
+TEST_P(CertVerifyProcNameTest, DoesntMatchIpSanIPv6Mapped) {
+  VerifyCertName("::127.0.0.2", false);
+}
+
+// Matches the dNSName SAN
+TEST_P(CertVerifyProcNameTest, MatchesDnsSan) {
+  VerifyCertName("test.example", true);
+}
+
+// Matches the dNSName SAN (trailing . ignored)
+TEST_P(CertVerifyProcNameTest, MatchesDnsSanTrailingDot) {
+  VerifyCertName("test.example.", true);
+}
+
+// Should not match the dNSName SAN
+TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSan) {
+  VerifyCertName("www.test.example", false);
+}
+
+// Should not match the dNSName SAN
+TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanInvalid) {
+  VerifyCertName("test..example", false);
+}
+
+// Should not match the dNSName SAN
+TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanTwoTrailingDots) {
+  VerifyCertName("test.example..", false);
+}
+
+// Should not match the dNSName SAN
+TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanLeadingAndTrailingDot) {
+  VerifyCertName(".test.example.", false);
+}
+
+// Should not match the dNSName SAN
+TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) {
+  VerifyCertName(".test.example", false);
 }
 
 INSTANTIATE_TEST_CASE_P(VerifyName,
                         CertVerifyProcNameTest,
-                        testing::ValuesIn(kVerifyNameData));
+                        testing::ValuesIn(kAllCertVerifiers),
+                        VerifyProcTypeToName);
 
 #if defined(OS_MACOSX) && !defined(OS_IOS)
 // Test that CertVerifyProcMac reacts appropriately when Apple's certificate
@@ -1933,7 +2026,7 @@ INSTANTIATE_TEST_CASE_P(VerifyName,
 // (Since 10.12, this causes a recoverable error instead of a fatal one.)
 // TODO(mattm): Try to find a different way to cause a fatal error that works
 // on 10.12.
-TEST_F(CertVerifyProcTest, LargeKey) {
+TEST_F(CertVerifyProcDefaultTest, LargeKey) {
   // Load root_ca_cert.pem into the test root store.
   ScopedTestRoot test_root(
       ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem").get());
@@ -1946,7 +2039,7 @@ TEST_F(CertVerifyProcTest, LargeKey) {
   // large_key.pem may need to be regenerated with a larger key.
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
+  int error = Verify(cert.get(), "127.0.0.1", flags, NULL, EmptyCertList(),
                      &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
@@ -1956,22 +2049,22 @@ TEST_F(CertVerifyProcTest, LargeKey) {
 // Tests that CertVerifyProc records a histogram correctly when a
 // certificate chaining to a private root contains the TLS feature
 // extension and does not have a stapled OCSP response.
-TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionUMA) {
+TEST_F(CertVerifyProcBaseClassTest, HasTLSFeatureExtensionUMA) {
   base::HistogramTester histograms;
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
   ASSERT_TRUE(cert);
   CertVerifyResult result;
   result.is_issued_by_known_root = false;
-  verify_proc_ = new MockCertVerifyProc(result);
+  auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
 
   histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
   histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
-                     &verify_result);
+  int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+                                  NULL, EmptyCertList(), &verify_result);
   EXPECT_EQ(OK, error);
   histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1);
   histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1);
@@ -1982,14 +2075,14 @@ TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionUMA) {
 // Tests that CertVerifyProc records a histogram correctly when a
 // certificate chaining to a private root contains the TLS feature
 // extension and does have a stapled OCSP response.
-TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithStapleUMA) {
+TEST_F(CertVerifyProcBaseClassTest, HasTLSFeatureExtensionWithStapleUMA) {
   base::HistogramTester histograms;
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
   ASSERT_TRUE(cert);
   CertVerifyResult result;
   result.is_issued_by_known_root = false;
-  verify_proc_ = new MockCertVerifyProc(result);
+  auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
 
   histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
   histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
@@ -1997,8 +2090,8 @@ TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithStapleUMA) {
   int flags = 0;
   CertVerifyResult verify_result;
   int error =
-      VerifyWithOCSPResponse(cert.get(), "127.0.0.1", "dummy response", flags,
-                             NULL, empty_cert_list_, &verify_result);
+      verify_proc->Verify(cert.get(), "127.0.0.1", "dummy response", flags,
+                          nullptr, EmptyCertList(), &verify_result);
   EXPECT_EQ(OK, error);
   histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1);
   histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1);
@@ -2009,22 +2102,22 @@ TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithStapleUMA) {
 // Tests that CertVerifyProc records a histogram correctly when a
 // certificate chaining to a private root does not contain the TLS feature
 // extension.
-TEST_F(CertVerifyProcTest, DoesNotHaveTLSFeatureExtensionUMA) {
+TEST_F(CertVerifyProcBaseClassTest, DoesNotHaveTLSFeatureExtensionUMA) {
   base::HistogramTester histograms;
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
   ASSERT_TRUE(cert);
   CertVerifyResult result;
   result.is_issued_by_known_root = false;
-  verify_proc_ = new MockCertVerifyProc(result);
+  auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
 
   histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
   histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
-                     &verify_result);
+  int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+                                  NULL, EmptyCertList(), &verify_result);
   EXPECT_EQ(OK, error);
   histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1);
   histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, false, 1);
@@ -2034,21 +2127,21 @@ TEST_F(CertVerifyProcTest, DoesNotHaveTLSFeatureExtensionUMA) {
 // Tests that CertVerifyProc does not record a histogram when a
 // certificate contains the TLS feature extension but chains to a public
 // root.
-TEST_F(CertVerifyProcTest, HasTLSFeatureExtensionWithPublicRootUMA) {
+TEST_F(CertVerifyProcBaseClassTest, HasTLSFeatureExtensionWithPublicRootUMA) {
   base::HistogramTester histograms;
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
   ASSERT_TRUE(cert);
   CertVerifyResult result;
   result.is_issued_by_known_root = true;
-  verify_proc_ = new MockCertVerifyProc(result);
+  auto verify_proc = make_scoped_refptr(new MockCertVerifyProc(result));
 
   histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error = Verify(cert.get(), "127.0.0.1", flags, NULL, empty_cert_list_,
-                     &verify_result);
+  int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
+                                  NULL, EmptyCertList(), &verify_result);
   EXPECT_EQ(OK, error);
   histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
   histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);