Move CertVerifyProcMac unit-tests to their own file.

net/cert/cert_verify_proc_mac_unittest.cc

-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/cert/cert_verify_proc.h"
+#include "net/cert/cert_verify_proc_mac.h"
 
-#include <vector>
-
-#include "base/callback_helpers.h"
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/logging.h"
+#include "base/mac/mac_util.h"
 #include "base/macros.h"
-#include "base/sha1.h"
-#include "base/strings/string_number_conversions.h"
-#include "base/test/histogram_tester.h"
-#include "base/test/scoped_feature_list.h"
-#include "build/build_config.h"
-#include "crypto/sha2.h"
+#include "base/memory/ptr_util.h"
 #include "net/base/net_errors.h"
-#include "net/cert/asn1_util.h"
-#include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/crl_set.h"
 #include "net/cert/crl_set_storage.h"
+#include "net/cert/test_keychain_search_list_mac.h"
 #include "net/cert/test_root_certs.h"
 #include "net/cert/x509_certificate.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/gtest_util.h"
-#include "net/test/test_certificate_data.h"
 #include "net/test/test_data_directory.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
-#if defined(OS_ANDROID)
-#include "base/android/build_info.h"
-#endif
-
-#if defined(OS_MACOSX) && !defined(OS_IOS)
-#include "base/mac/mac_util.h"
-#include "net/cert/test_keychain_search_list_mac.h"
-#endif
-
-#if defined(OS_WIN)
-#include "base/win/windows_version.h"
-#endif
-
 using net::test::IsError;
 using net::test::IsOk;
 
-using base::HexEncode;
-
 namespace net {
 
 namespace {
 
-const char kTLSFeatureExtensionHistogram[] =
-    "Net.Certificate.TLSFeatureExtensionWithPrivateRoot";
-const char kTLSFeatureExtensionOCSPHistogram[] =
-    "Net.Certificate.TLSFeatureExtensionWithPrivateRootHasOCSP";
-
-// Mock CertVerifyProc that sets the CertVerifyResult to a given value for
-// all certificates that are Verify()'d
-class MockCertVerifyProc : public CertVerifyProc {
- public:
-  explicit MockCertVerifyProc(const CertVerifyResult& result)
-      : result_(result) {}
-  // CertVerifyProc implementation:
-  bool SupportsAdditionalTrustAnchors() const override { return false; }
-  bool SupportsOCSPStapling() const override { return false; }
-
- protected:
-  ~MockCertVerifyProc() override {}
-
- private:
-  int VerifyInternal(X509Certificate* cert,
-                     const std::string& hostname,
-                     const std::string& ocsp_response,
-                     int flags,
-                     CRLSet* crl_set,
-                     const CertificateList& additional_trust_anchors,
-                     CertVerifyResult* verify_result) override;
-
-  const CertVerifyResult result_;
-
-  DISALLOW_COPY_AND_ASSIGN(MockCertVerifyProc);
-};
-
-int MockCertVerifyProc::VerifyInternal(
-    X509Certificate* cert,
-    const std::string& hostname,
-    const std::string& ocsp_response,
-    int flags,
-    CRLSet* crl_set,
-    const CertificateList& additional_trust_anchors,
-    CertVerifyResult* verify_result) {
-  *verify_result = result_;
-  verify_result->verified_cert = cert;
-  return OK;
-}
-
-// This enum identifies a concrete implemenation of CertVerifyProc.
-//
-// The type is erased by CertVerifyProc::CreateDefault(), however
-// needs to be known for some of the test expectations.
-enum CertVerifyProcType {
-  CERT_VERIFY_PROC_NSS,
-  CERT_VERIFY_PROC_OPENSSL,
-  CERT_VERIFY_PROC_ANDROID,
-  CERT_VERIFY_PROC_IOS,
-  CERT_VERIFY_PROC_MAC,
-  CERT_VERIFY_PROC_WIN,
-};
-
-// Returns the CertVerifyProcType corresponding to what
-// CertVerifyProc::CreateDefault() returns. This needs to be kept in sync with
-// CreateDefault().
-CertVerifyProcType GetDefaultCertVerifyProcType() {
-#if defined(USE_NSS_CERTS)
-  return CERT_VERIFY_PROC_NSS;
-#elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
-  return CERT_VERIFY_PROC_OPENSSL;
-#elif defined(OS_ANDROID)
-  return CERT_VERIFY_PROC_ANDROID;
-#elif defined(OS_IOS)
-  return CERT_VERIFY_PROC_IOS;
-#elif defined(OS_MACOSX)
-  return CERT_VERIFY_PROC_MAC;
-#elif defined(OS_WIN)
-  return CERT_VERIFY_PROC_WIN;
-#else
-// Will fail to compile.
-#endif
-}
-
-// Whether the test is running within the iphone simulator.
-const bool kTargetIsIphoneSimulator =
-#if TARGET_IPHONE_SIMULATOR
-    true;
-#else
-    false;
-#endif
-
-// Template helper to load a series of certificate files into a CertificateList.
-// Like CertTestUtil's CreateCertificateListFromFile, except it can load a
-// series of individual certificates (to make the tests clearer).
-template <size_t N>
-void LoadCertificateFiles(const char* const (&cert_files)[N],
-                          CertificateList* certs) {
-  certs->clear();
-  for (size_t i = 0; i < N; ++i) {
-    SCOPED_TRACE(cert_files[i]);
-    scoped_refptr<X509Certificate> cert = CreateCertificateChainFromFile(
-        GetTestCertsDirectory(), cert_files[i], X509Certificate::FORMAT_AUTO);
-    ASSERT_TRUE(cert);
-    certs->push_back(cert);
-  }
-}
-
-// Returns a textual description of the CertVerifyProc implementation
-// that is being tested, used to give better names to parameterized
-// tests.
-std::string VerifyProcTypeToName(
-    const testing::TestParamInfo<CertVerifyProcType>& params) {
-  switch (params.param) {
-    case CERT_VERIFY_PROC_NSS:
-      return "CertVerifyProcNSS";
-    case CERT_VERIFY_PROC_OPENSSL:
-      return "CertVerifyProcOpenSSL";
-    case CERT_VERIFY_PROC_ANDROID:
-      return "CertVerifyProcAndroid";
-    case CERT_VERIFY_PROC_IOS:
-      return "CertVerifyProcIOS";
-    case CERT_VERIFY_PROC_MAC:
-      return "CertVerifyProcMac";
-    case CERT_VERIFY_PROC_WIN:
-      return "CertVerifyProcWin";
-  }
-
-  return nullptr;
-}
-
-// The set of all CertVerifyProcTypes that tests should be
-// parameterized on.
-const std::vector<CertVerifyProcType> kAllCertVerifiers = {
-    GetDefaultCertVerifyProcType()};
-
-}  // namespace
-
-// This fixture is for tests that apply to concrete implementations of
-// CertVerifyProc. It will be run for all of the concrete
-// CertVerifyProc types.
-//
-// It is called "Internal" as it tests the internal methods like
-// "VerifyInternal()".
-class CertVerifyProcInternalTest
-    : public testing::TestWithParam<CertVerifyProcType> {
- protected:
-  void SetUp() override {
-    EXPECT_EQ(verify_proc_type(), GetDefaultCertVerifyProcType());
-    verify_proc_ = CertVerifyProc::CreateDefault();
-  }
-
-  int Verify(X509Certificate* cert,
-             const std::string& hostname,
-             int flags,
-             CRLSet* crl_set,
-             const CertificateList& additional_trust_anchors,
-             CertVerifyResult* verify_result) {
-    return verify_proc_->Verify(cert, hostname, std::string(), flags, crl_set,
-                                additional_trust_anchors, verify_result);
-  }
-
-  CertVerifyProcType verify_proc_type() const { return GetParam(); }
-
-  bool SupportsAdditionalTrustAnchors() const {
-    return verify_proc_->SupportsAdditionalTrustAnchors();
-  }
-
-  bool SupportsReturningVerifiedChain() const {
-#if defined(OS_ANDROID)
-    // Before API level 17, Android does not expose the APIs necessary to get at
-    // the verified certificate chain.
-    if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID &&
-        base::android::BuildInfo::GetInstance()->sdk_int() < 17)
-      return false;
-#endif
-    return true;
-  }
-
-  bool SupportsDetectingKnownRoots() const {
-#if defined(OS_ANDROID)
-    // Before API level 17, Android does not expose the APIs necessary to get at
-    // the verified certificate chain and detect known roots.
-    if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID)
-      return base::android::BuildInfo::GetInstance()->sdk_int() >= 17;
-#endif
-
-    // iOS does not expose the APIs necessary to get the known system roots.
-    if (verify_proc_type() == CERT_VERIFY_PROC_IOS)
-      return false;
-
-    return true;
-  }
-
-  bool WeakKeysAreInvalid() const {
-#if defined(OS_MACOSX) && !defined(OS_IOS)
-    // Starting with Mac OS 10.12, certs with weak keys are treated as
-    // (recoverable) invalid certificate errors.
-    if (verify_proc_type() == CERT_VERIFY_PROC_MAC &&
-        base::mac::IsAtLeastOS10_12()) {
-      return true;
-    }
-#endif
-    return false;
-  }
-
-  bool SupportsCRLSet() const {
-    return verify_proc_type() == CERT_VERIFY_PROC_NSS ||
-           verify_proc_type() == CERT_VERIFY_PROC_WIN ||
-           verify_proc_type() == CERT_VERIFY_PROC_MAC;
-  }
-
-  bool SupportsCRLSetsInPathBuilding() const {
-    return verify_proc_type() == CERT_VERIFY_PROC_WIN ||
-           verify_proc_type() == CERT_VERIFY_PROC_NSS;
-  }
-
-  CertVerifyProc* verify_proc() const { return verify_proc_.get(); }
-
- private:
-  scoped_refptr<CertVerifyProc> verify_proc_;
-};
-
-INSTANTIATE_TEST_CASE_P(,
-                        CertVerifyProcInternalTest,
-                        testing::ValuesIn(kAllCertVerifiers),
-                        VerifyProcTypeToName);
-
-// TODO(rsleevi): Reenable this test once comodo.chaim.pem is no longer
-// expired, http://crbug.com/502818
-TEST_P(CertVerifyProcInternalTest, DISABLED_EVVerification) {
-  if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID ||
-      verify_proc_type() == CERT_VERIFY_PROC_OPENSSL) {
-    // TODO(jnd): http://crbug.com/117478 - EV verification is not yet
-    // supported.
-    LOG(INFO) << "Skipping test as EV verification is not yet supported";
-    return;
-  }
-
-  CertificateList certs =
-      CreateCertificateListFromFile(GetTestCertsDirectory(), "comodo.chain.pem",
-                                    X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
-  ASSERT_EQ(3U, certs.size());
-
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(certs[1]->os_cert_handle());
-  intermediates.push_back(certs[2]->os_cert_handle());
-
-  scoped_refptr<X509Certificate> comodo_chain =
-      X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
-                                        intermediates);
-
-  scoped_refptr<CRLSet> crl_set(CRLSet::ForTesting(false, NULL, ""));
-  CertVerifyResult verify_result;
-  int flags = CertVerifier::VERIFY_EV_CERT;
-  int error = Verify(comodo_chain.get(), "comodo.com", flags, crl_set.get(),
-                     CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsOk());
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
-}
-
-// TODO(crbug.com/605457): the test expectation was incorrect on some
-// configurations, so disable the test until it is fixed (better to have
-// a bug to track a failing test than a false sense of security due to
-// false positive).
-TEST_P(CertVerifyProcInternalTest, DISABLED_PaypalNullCertParsing) {
-  // A certificate for www.paypal.com with a NULL byte in the common name.
-  // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363
-  SHA256HashValue paypal_null_fingerprint = {{0x00}};
-
-  scoped_refptr<X509Certificate> paypal_null_cert(
-      X509Certificate::CreateFromBytes(
-          reinterpret_cast<const char*>(paypal_null_der),
-          sizeof(paypal_null_der)));
-
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert.get());
-
-  EXPECT_EQ(paypal_null_fingerprint, X509Certificate::CalculateFingerprint256(
-                                         paypal_null_cert->os_cert_handle()));
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = Verify(paypal_null_cert.get(), "www.paypal.com", flags, NULL,
-                     CertificateList(), &verify_result);
-
-  if (verify_proc_type() == CERT_VERIFY_PROC_NSS ||
-      verify_proc_type() == CERT_VERIFY_PROC_ANDROID) {
-    EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
-  } else if (verify_proc_type() == CERT_VERIFY_PROC_IOS &&
-             kTargetIsIphoneSimulator) {
-    // iOS returns a ERR_CERT_INVALID error on the simulator, while returning
-    // ERR_CERT_AUTHORITY_INVALID on the real device.
-    EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
-  } else {
-    // TOOD(bulach): investigate why macosx and win aren't returning
-    // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID.
-    EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
-  }
-
-  // Either the system crypto library should correctly report a certificate
-  // name mismatch, or our certificate blacklist should cause us to report an
-  // invalid certificate.
-  if (verify_proc_type() == CERT_VERIFY_PROC_NSS ||
-      verify_proc_type() == CERT_VERIFY_PROC_WIN) {
-    EXPECT_TRUE(verify_result.cert_status &
-                (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
-  }
-
-  // TODO(crbug.com/649017): What expectations to use for the other verifiers?
-}
-
-// A regression test for http://crbug.com/31497.
-TEST_P(CertVerifyProcInternalTest, IntermediateCARequireExplicitPolicy) {
-  if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID) {
-    // Disabled on Android, as the Android verification libraries require an
-    // explicit policy to be specified, even when anyPolicy is permitted.
-    LOG(INFO) << "Skipping test on Android";
-    return;
-  }
-
-  base::FilePath certs_dir = GetTestCertsDirectory();
-
-  CertificateList certs = CreateCertificateListFromFile(
-      certs_dir, "explicit-policy-chain.pem", X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(3U, certs.size());
-
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(certs[1]->os_cert_handle());
-
-  scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
-      certs[0]->os_cert_handle(), intermediates);
-  ASSERT_TRUE(cert.get());
-
-  ScopedTestRoot scoped_root(certs[2].get());
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = Verify(cert.get(), "policy_test.example", flags, NULL,
-                     CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsOk());
-  EXPECT_EQ(0u, verify_result.cert_status);
-}
-
-TEST_P(CertVerifyProcInternalTest, RejectExpiredCert) {
-  base::FilePath certs_dir = GetTestCertsDirectory();
-
-  // Load root_ca_cert.pem into the test root store.
-  ScopedTestRoot test_root(
-      ImportCertFromFile(certs_dir, "root_ca_cert.pem").get());
-
-  CertificateList certs = CreateCertificateListFromFile(
-      certs_dir, "expired_cert.pem", X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(1U, certs.size());
-
-  X509Certificate::OSCertHandles intermediates;
-  scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
-      certs[0]->os_cert_handle(), intermediates);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = Verify(cert.get(), "127.0.0.1", flags, NULL, CertificateList(),
-                     &verify_result);
-  EXPECT_THAT(error, IsError(ERR_CERT_DATE_INVALID));
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_DATE_INVALID);
-}
-
-// Currently, only RSA and DSA keys are checked for weakness, and our example
-// weak size is 768. These could change in the future.
-//
-// Note that this means there may be false negatives: keys for other
-// algorithms and which are weak will pass this test.
-static bool IsWeakKeyType(const std::string& key_type) {
-  size_t pos = key_type.find("-");
-  std::string size = key_type.substr(0, pos);
-  std::string type = key_type.substr(pos + 1);
-
-  if (type == "rsa" || type == "dsa")
-    return size == "768";
-
-  return false;
-}
-
-TEST_P(CertVerifyProcInternalTest, RejectWeakKeys) {
-  base::FilePath certs_dir = GetTestCertsDirectory();
-  typedef std::vector<std::string> Strings;
-  Strings key_types;
-
-  // generate-weak-test-chains.sh currently has:
-  //     key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa"
-  // We must use the same key types here. The filenames generated look like:
-  //     2048-rsa-ee-by-768-rsa-intermediate.pem
-  key_types.push_back("768-rsa");
-  key_types.push_back("1024-rsa");
-  key_types.push_back("2048-rsa");
-  key_types.push_back("prime256v1-ecdsa");
-
-  // Add the root that signed the intermediates for this test.
-  scoped_refptr<X509Certificate> root_cert =
-      ImportCertFromFile(certs_dir, "2048-rsa-root.pem");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get());
-  ScopedTestRoot scoped_root(root_cert.get());
-
-  // Now test each chain.
-  for (Strings::const_iterator ee_type = key_types.begin();
-       ee_type != key_types.end(); ++ee_type) {
-    for (Strings::const_iterator signer_type = key_types.begin();
-         signer_type != key_types.end(); ++signer_type) {
-      std::string basename =
-          *ee_type + "-ee-by-" + *signer_type + "-intermediate.pem";
-      SCOPED_TRACE(basename);
-      scoped_refptr<X509Certificate> ee_cert =
-          ImportCertFromFile(certs_dir, basename);
-      ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert.get());
-
-      basename = *signer_type + "-intermediate.pem";
-      scoped_refptr<X509Certificate> intermediate =
-          ImportCertFromFile(certs_dir, basename);
-      ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate.get());
-
-      X509Certificate::OSCertHandles intermediates;
-      intermediates.push_back(intermediate->os_cert_handle());
-      scoped_refptr<X509Certificate> cert_chain =
-          X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
-                                            intermediates);
-
-      CertVerifyResult verify_result;
-      int error = Verify(cert_chain.get(), "127.0.0.1", 0, NULL,
-                         CertificateList(), &verify_result);
-
-      if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) {
-        EXPECT_NE(OK, error);
-        EXPECT_EQ(CERT_STATUS_WEAK_KEY,
-                  verify_result.cert_status & CERT_STATUS_WEAK_KEY);
-        EXPECT_EQ(WeakKeysAreInvalid() ? CERT_STATUS_INVALID : 0,
-                  verify_result.cert_status & CERT_STATUS_INVALID);
-      } else {
-        EXPECT_THAT(error, IsOk());
-        EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY);
-      }
-    }
-  }
-}
-
-// Regression test for http://crbug.com/108514.
-TEST_P(CertVerifyProcInternalTest, ExtraneousMD5RootCert) {
-  if (!SupportsReturningVerifiedChain()) {
-    LOG(INFO) << "Skipping this test in this platform.";
-    return;
-  }
-
-  if (verify_proc_type() == CERT_VERIFY_PROC_MAC) {
-    // Disabled on OS X - Security.framework doesn't ignore superflous
-    // certificates provided by servers.
-    // TODO(eroman): Is this still needed?
-    LOG(INFO) << "Skipping this test as Security.framework doesn't ignore "
-                 "superflous certificates provided by servers.";
-    return;
-  }
-
-  base::FilePath certs_dir = GetTestCertsDirectory();
-
-  scoped_refptr<X509Certificate> server_cert =
-      ImportCertFromFile(certs_dir, "cross-signed-leaf.pem");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get());
-
-  scoped_refptr<X509Certificate> extra_cert =
-      ImportCertFromFile(certs_dir, "cross-signed-root-md5.pem");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), extra_cert.get());
-
-  scoped_refptr<X509Certificate> root_cert =
-      ImportCertFromFile(certs_dir, "cross-signed-root-sha256.pem");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get());
-
-  ScopedTestRoot scoped_root(root_cert.get());
-
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(extra_cert->os_cert_handle());
-  scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle(
-      server_cert->os_cert_handle(), intermediates);
-
-  CertVerifyResult verify_result;
-  int flags = 0;
-  int error = Verify(cert_chain.get(), "127.0.0.1", flags, NULL,
-                     CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsOk());
-
-  // The extra MD5 root should be discarded
-  ASSERT_TRUE(verify_result.verified_cert.get());
-  ASSERT_EQ(1u,
-            verify_result.verified_cert->GetIntermediateCertificates().size());
-  EXPECT_TRUE(X509Certificate::IsSameOSCert(
-      verify_result.verified_cert->GetIntermediateCertificates().front(),
-      root_cert->os_cert_handle()));
-
-  EXPECT_FALSE(verify_result.has_md5);
-}
-
-// Test for bug 94673.
-TEST_P(CertVerifyProcInternalTest, GoogleDigiNotarTest) {
-  base::FilePath certs_dir = GetTestCertsDirectory();
-
-  scoped_refptr<X509Certificate> server_cert =
-      ImportCertFromFile(certs_dir, "google_diginotar.pem");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get());
-
-  scoped_refptr<X509Certificate> intermediate_cert =
-      ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert.get());
-
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(intermediate_cert->os_cert_handle());
-  scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle(
-      server_cert->os_cert_handle(), intermediates);
-
-  CertVerifyResult verify_result;
-  int flags = CertVerifier::VERIFY_REV_CHECKING_ENABLED;
-  int error = Verify(cert_chain.get(), "mail.google.com", flags, NULL,
-                     CertificateList(), &verify_result);
-  EXPECT_NE(OK, error);
-
-  // Now turn off revocation checking.  Certificate verification should still
-  // fail.
-  flags = 0;
-  error = Verify(cert_chain.get(), "mail.google.com", flags, NULL,
-                 CertificateList(), &verify_result);
-  EXPECT_NE(OK, error);
-}
-
-// Ensures the CertVerifyProc blacklist remains in sorted order, so that it
-// can be binary-searched.
-TEST(CertVerifyProcTest, BlacklistIsSorted) {
-// Defines kBlacklistedSPKIs.
-#include "net/cert/cert_verify_proc_blacklist.inc"
-  for (size_t i = 0; i < arraysize(kBlacklistedSPKIs) - 1; ++i) {
-    EXPECT_GT(0, memcmp(kBlacklistedSPKIs[i], kBlacklistedSPKIs[i + 1],
-                        crypto::kSHA256Length))
-        << " at index " << i;
-  }
-}
-
-TEST(CertVerifyProcTest, DigiNotarCerts) {
-  static const char* const kDigiNotarFilenames[] = {
-      "diginotar_root_ca.pem",          "diginotar_cyber_ca.pem",
-      "diginotar_services_1024_ca.pem", "diginotar_pkioverheid.pem",
-      "diginotar_pkioverheid_g2.pem",   NULL,
-  };
-
-  base::FilePath certs_dir = GetTestCertsDirectory();
-
-  for (size_t i = 0; kDigiNotarFilenames[i]; i++) {
-    scoped_refptr<X509Certificate> diginotar_cert =
-        ImportCertFromFile(certs_dir, kDigiNotarFilenames[i]);
-    std::string der_bytes;
-    ASSERT_TRUE(X509Certificate::GetDEREncoded(diginotar_cert->os_cert_handle(),
-                                               &der_bytes));
-
-    base::StringPiece spki;
-    ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(der_bytes, &spki));
-
-    std::string spki_sha256 = crypto::SHA256HashString(spki.as_string());
-
-    HashValueVector public_keys;
-    HashValue hash(HASH_VALUE_SHA256);
-    ASSERT_EQ(hash.size(), spki_sha256.size());
-    memcpy(hash.data(), spki_sha256.data(), spki_sha256.size());
-    public_keys.push_back(hash);
-
-    EXPECT_TRUE(CertVerifyProc::IsPublicKeyBlacklisted(public_keys))
-        << "Public key not blocked for " << kDigiNotarFilenames[i];
-  }
-}
-
-TEST_P(CertVerifyProcInternalTest, NameConstraintsOk) {
-  CertificateList ca_cert_list =
-      CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
-                                    X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(1U, ca_cert_list.size());
-  ScopedTestRoot test_root(ca_cert_list[0].get());
-
-  CertificateList cert_list = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "name_constraint_good.pem",
-      X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(1U, cert_list.size());
-
-  X509Certificate::OSCertHandles intermediates;
-  scoped_refptr<X509Certificate> leaf = X509Certificate::CreateFromHandle(
-      cert_list[0]->os_cert_handle(), intermediates);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = Verify(leaf.get(), "test.example.com", flags, NULL,
-                     CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsOk());
-  EXPECT_EQ(0U, verify_result.cert_status);
-
-  error = Verify(leaf.get(), "foo.test2.example.com", flags, NULL,
-                 CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsOk());
-  EXPECT_EQ(0U, verify_result.cert_status);
-}
-
-TEST_P(CertVerifyProcInternalTest, NameConstraintsFailure) {
-  if (!SupportsReturningVerifiedChain()) {
-    LOG(INFO) << "Skipping this test in this platform.";
-    return;
-  }
-
-  CertificateList ca_cert_list =
-      CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
-                                    X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(1U, ca_cert_list.size());
-  ScopedTestRoot test_root(ca_cert_list[0].get());
-
-  CertificateList cert_list = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "name_constraint_bad.pem",
-      X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(1U, cert_list.size());
-
-  X509Certificate::OSCertHandles intermediates;
-  scoped_refptr<X509Certificate> leaf = X509Certificate::CreateFromHandle(
-      cert_list[0]->os_cert_handle(), intermediates);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = Verify(leaf.get(), "test.example.com", flags, NULL,
-                     CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsError(ERR_CERT_NAME_CONSTRAINT_VIOLATION));
-  EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
-            verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION);
-}
-
-TEST(CertVerifyProcTest, TestHasTooLongValidity) {
-  struct {
-    const char* const file;
-    bool is_valid_too_long;
-  } tests[] = {
-      {"twitter-chain.pem", false},
-      {"start_after_expiry.pem", true},
-      {"pre_br_validity_ok.pem", false},
-      {"pre_br_validity_bad_121.pem", true},
-      {"pre_br_validity_bad_2020.pem", true},
-      {"10_year_validity.pem", false},
-      {"11_year_validity.pem", true},
-      {"39_months_after_2015_04.pem", false},
-      {"40_months_after_2015_04.pem", true},
-      {"60_months_after_2012_07.pem", false},
-      {"61_months_after_2012_07.pem", true},
-  };
-
-  base::FilePath certs_dir = GetTestCertsDirectory();
-
-  for (size_t i = 0; i < arraysize(tests); ++i) {
-    scoped_refptr<X509Certificate> certificate =
-        ImportCertFromFile(certs_dir, tests[i].file);
-    SCOPED_TRACE(tests[i].file);
-    ASSERT_TRUE(certificate);
-    EXPECT_EQ(tests[i].is_valid_too_long,
-              CertVerifyProc::HasTooLongValidity(*certificate));
-  }
-}
-
-// TODO(crbug.com/610546): Fix and re-enable this test.
-TEST_P(CertVerifyProcInternalTest, DISABLED_TestKnownRoot) {
-  if (!SupportsDetectingKnownRoots()) {
-    LOG(INFO) << "Skipping this test on this platform.";
-    return;
-  }
-
-  base::FilePath certs_dir = GetTestCertsDirectory();
-  CertificateList certs = CreateCertificateListFromFile(
-      certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(3U, certs.size());
-
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(certs[1]->os_cert_handle());
-
-  scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle(
-      certs[0]->os_cert_handle(), intermediates);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
-  // against agl. See also PublicKeyHashes.
-  int error = Verify(cert_chain.get(), "twitter.com", flags, NULL,
-                     CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsOk());
-  EXPECT_TRUE(verify_result.is_issued_by_known_root);
-}
-
-// TODO(crbug.com/610546): Fix and re-enable this test.
-TEST_P(CertVerifyProcInternalTest, DISABLED_PublicKeyHashes) {
-  if (!SupportsReturningVerifiedChain()) {
-    LOG(INFO) << "Skipping this test in this platform.";
-    return;
-  }
-
-  base::FilePath certs_dir = GetTestCertsDirectory();
-  CertificateList certs = CreateCertificateListFromFile(
-      certs_dir, "twitter-chain.pem", X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(3U, certs.size());
-
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(certs[1]->os_cert_handle());
-
-  scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle(
-      certs[0]->os_cert_handle(), intermediates);
-  int flags = 0;
-  CertVerifyResult verify_result;
-
-  // This will blow up, May 9th, 2016. Sorry! Please disable and file a bug
-  // against agl. See also TestKnownRoot.
-  int error = Verify(cert_chain.get(), "twitter.com", flags, NULL,
-                     CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsOk());
-  ASSERT_LE(3U, verify_result.public_key_hashes.size());
-
-  HashValueVector sha1_hashes;
-  for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) {
-    if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA1)
-      continue;
-    sha1_hashes.push_back(verify_result.public_key_hashes[i]);
-  }
-  ASSERT_LE(3u, sha1_hashes.size());
-
-  for (size_t i = 0; i < 3; ++i) {
-    EXPECT_EQ(HexEncode(kTwitterSPKIs[i], base::kSHA1Length),
-              HexEncode(sha1_hashes[i].data(), base::kSHA1Length));
-  }
-
-  HashValueVector sha256_hashes;
-  for (size_t i = 0; i < verify_result.public_key_hashes.size(); ++i) {
-    if (verify_result.public_key_hashes[i].tag != HASH_VALUE_SHA256)
-      continue;
-    sha256_hashes.push_back(verify_result.public_key_hashes[i]);
-  }
-  ASSERT_LE(3u, sha256_hashes.size());
-
-  for (size_t i = 0; i < 3; ++i) {
-    EXPECT_EQ(HexEncode(kTwitterSPKIsSHA256[i], crypto::kSHA256Length),
-              HexEncode(sha256_hashes[i].data(), crypto::kSHA256Length));
-  }
-}
-
-// A regression test for http://crbug.com/70293.
-// The Key Usage extension in this RSA SSL server certificate does not have
-// the keyEncipherment bit.
-TEST_P(CertVerifyProcInternalTest, InvalidKeyUsage) {
-  base::FilePath certs_dir = GetTestCertsDirectory();
-
-  scoped_refptr<X509Certificate> server_cert =
-      ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get());
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = Verify(server_cert.get(), "jira.aquameta.com", flags, NULL,
-                     CertificateList(), &verify_result);
-
-  // TODO(eroman): Change the test data so results are consistent across
-  //               verifiers.
-  if (verify_proc_type() == CERT_VERIFY_PROC_OPENSSL) {
-    // This certificate has two errors: "invalid key usage" and "untrusted CA".
-    // However, OpenSSL returns only one (the latter), and we can't detect
-    // the other errors.
-    EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
-  } else {
-    EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
-    EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
-  }
-  // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors
-  // from NSS.
-  if (verify_proc_type() != CERT_VERIFY_PROC_NSS &&
-      verify_proc_type() != CERT_VERIFY_PROC_IOS &&
-      verify_proc_type() != CERT_VERIFY_PROC_ANDROID) {
-    // The certificate is issued by an unknown CA.
-    EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
-  }
-}
-
-// Basic test for returning the chain in CertVerifyResult. Note that the
-// returned chain may just be a reflection of the originally supplied chain;
-// that is, if any errors occur, the default chain returned is an exact copy
-// of the certificate to be verified. The remaining VerifyReturn* tests are
-// used to ensure that the actual, verified chain is being returned by
-// Verify().
-TEST_P(CertVerifyProcInternalTest, VerifyReturnChainBasic) {
-  if (!SupportsReturningVerifiedChain()) {
-    LOG(INFO) << "Skipping this test in this platform.";
-    return;
-  }
-
-  base::FilePath certs_dir = GetTestCertsDirectory();
-  CertificateList certs = CreateCertificateListFromFile(
-      certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(3U, certs.size());
-
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(certs[1]->os_cert_handle());
-  intermediates.push_back(certs[2]->os_cert_handle());
-
-  ScopedTestRoot scoped_root(certs[2].get());
-
-  scoped_refptr<X509Certificate> google_full_chain =
-      X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
-                                        intermediates);
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain.get());
-  ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size());
-
-  CertVerifyResult verify_result;
-  EXPECT_EQ(static_cast<X509Certificate*>(NULL),
-            verify_result.verified_cert.get());
-  int error = Verify(google_full_chain.get(), "127.0.0.1", 0, NULL,
-                     CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsOk());
-  ASSERT_NE(static_cast<X509Certificate*>(NULL),
-            verify_result.verified_cert.get());
-
-  EXPECT_NE(google_full_chain, verify_result.verified_cert);
-  EXPECT_TRUE(X509Certificate::IsSameOSCert(
-      google_full_chain->os_cert_handle(),
-      verify_result.verified_cert->os_cert_handle()));
-  const X509Certificate::OSCertHandles& return_intermediates =
-      verify_result.verified_cert->GetIntermediateCertificates();
-  ASSERT_EQ(2U, return_intermediates.size());
-  EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
-                                            certs[1]->os_cert_handle()));
-  EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
-                                            certs[2]->os_cert_handle()));
-}
-
-// Test that certificates issued for 'intranet' names (that is, containing no
-// known public registry controlled domain information) issued by well-known
-// CAs are flagged appropriately, while certificates that are issued by
-// internal CAs are not flagged.
-TEST(CertVerifyProcTest, IntranetHostsRejected) {
-  CertificateList cert_list = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "reject_intranet_hosts.pem",
-      X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(1U, cert_list.size());
-  scoped_refptr<X509Certificate> cert(cert_list[0]);
-
-  CertVerifyResult verify_result;
-  int error = 0;
-
-  // Intranet names for public CAs should be flagged:
-  CertVerifyResult dummy_result;
-  dummy_result.is_issued_by_known_root = true;
-  scoped_refptr<CertVerifyProc> verify_proc =
-      new MockCertVerifyProc(dummy_result);
-  error = verify_proc->Verify(cert.get(), "intranet", std::string(), 0, NULL,
-                              CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsOk());
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
-
-  // However, if the CA is not well known, these should not be flagged:
-  dummy_result.Reset();
-  dummy_result.is_issued_by_known_root = false;
-  verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));
-  error = verify_proc->Verify(cert.get(), "intranet", std::string(), 0, NULL,
-                              CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsOk());
-  EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_NON_UNIQUE_NAME);
-}
-
-// While all SHA-1 certificates should be rejected, in the event that there
-// emerges some unexpected bug, test that the 'legacy' behaviour works
-// correctly - rejecting all SHA-1 certificates from publicly trusted CAs
-// that were issued after 1 January 2016, while still allowing those from
-// before that date, with SHA-1 in the intermediate, or from an enterprise
-// CA.
-TEST(CertVerifyProcTest, VerifyRejectsSHA1AfterDeprecationLegacyMode) {
-  base::test::ScopedFeatureList scoped_feature_list;
-  scoped_feature_list.InitAndEnableFeature(CertVerifyProc::kSHA1LegacyMode);
-
-  CertVerifyResult dummy_result;
-  CertVerifyResult verify_result;
-  int error = 0;
-  scoped_refptr<X509Certificate> cert;
-
-  // Publicly trusted SHA-1 leaf certificates issued before 1 January 2016
-  // are accepted.
-  verify_result.Reset();
-  dummy_result.Reset();
-  dummy_result.is_issued_by_known_root = true;
-  dummy_result.has_sha1 = true;
-  dummy_result.has_sha1_leaf = true;
-  scoped_refptr<CertVerifyProc> verify_proc =
-      new MockCertVerifyProc(dummy_result);
-  cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
-                                        "sha1_dec_2015.pem",
-                                        X509Certificate::FORMAT_AUTO);
-  ASSERT_TRUE(cert);
-  error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), 0, NULL,
-                              CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsOk());
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
-
-  // Publicly trusted SHA-1 leaf certificates issued on/after 1 January 2016
-  // are rejected.
-  verify_result.Reset();
-  dummy_result.Reset();
-  dummy_result.is_issued_by_known_root = true;
-  dummy_result.has_sha1 = true;
-  dummy_result.has_sha1_leaf = true;
-  verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));
-  cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
-                                        "sha1_jan_2016.pem",
-                                        X509Certificate::FORMAT_AUTO);
-  ASSERT_TRUE(cert);
-  error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), 0, NULL,
-                              CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
-
-  // Enterprise issued SHA-1 leaf certificates issued on/after 1 January 2016
-  // remain accepted.
-  verify_result.Reset();
-  dummy_result.Reset();
-  dummy_result.is_issued_by_known_root = false;
-  dummy_result.has_sha1 = true;
-  dummy_result.has_sha1_leaf = true;
-  verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));
-  cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
-                                        "sha1_jan_2016.pem",
-                                        X509Certificate::FORMAT_AUTO);
-  ASSERT_TRUE(cert);
-  error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), 0, NULL,
-                              CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsOk());
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
-
-  // Publicly trusted SHA-1 intermediates issued on/after 1 January 2016 are,
-  // unfortunately, accepted. This can arise due to OS path building quirks.
-  verify_result.Reset();
-  dummy_result.Reset();
-  dummy_result.is_issued_by_known_root = true;
-  dummy_result.has_sha1 = true;
-  dummy_result.has_sha1_leaf = false;
-  verify_proc = make_scoped_refptr(new MockCertVerifyProc(dummy_result));
-  cert = CreateCertificateChainFromFile(GetTestCertsDirectory(),
-                                        "sha1_jan_2016.pem",
-                                        X509Certificate::FORMAT_AUTO);
-  ASSERT_TRUE(cert);
-  error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), 0, NULL,
-                              CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsOk());
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
-}
-
-// Test that the certificate returned in CertVerifyResult is able to reorder
-// certificates that are not ordered from end-entity to root. While this is
-// a protocol violation if sent during a TLS handshake, if multiple sources
-// of intermediate certificates are combined, it's possible that order may
-// not be maintained.
-TEST_P(CertVerifyProcInternalTest, VerifyReturnChainProperlyOrdered) {
-  if (!SupportsReturningVerifiedChain()) {
-    LOG(INFO) << "Skipping this test in this platform.";
-    return;
-  }
-
-  base::FilePath certs_dir = GetTestCertsDirectory();
-  CertificateList certs = CreateCertificateListFromFile(
-      certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(3U, certs.size());
-
-  // Construct the chain out of order.
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(certs[2]->os_cert_handle());
-  intermediates.push_back(certs[1]->os_cert_handle());
-
-  ScopedTestRoot scoped_root(certs[2].get());
-
-  scoped_refptr<X509Certificate> google_full_chain =
-      X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
-                                        intermediates);
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain.get());
-  ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size());
-
-  CertVerifyResult verify_result;
-  EXPECT_EQ(static_cast<X509Certificate*>(NULL),
-            verify_result.verified_cert.get());
-  int error = Verify(google_full_chain.get(), "127.0.0.1", 0, NULL,
-                     CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsOk());
-  ASSERT_NE(static_cast<X509Certificate*>(NULL),
-            verify_result.verified_cert.get());
-
-  EXPECT_NE(google_full_chain, verify_result.verified_cert);
-  EXPECT_TRUE(X509Certificate::IsSameOSCert(
-      google_full_chain->os_cert_handle(),
-      verify_result.verified_cert->os_cert_handle()));
-  const X509Certificate::OSCertHandles& return_intermediates =
-      verify_result.verified_cert->GetIntermediateCertificates();
-  ASSERT_EQ(2U, return_intermediates.size());
-  EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
-                                            certs[1]->os_cert_handle()));
-  EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
-                                            certs[2]->os_cert_handle()));
-}
-
-// Test that Verify() filters out certificates which are not related to
-// or part of the certificate chain being verified.
-TEST_P(CertVerifyProcInternalTest, VerifyReturnChainFiltersUnrelatedCerts) {
-  if (!SupportsReturningVerifiedChain()) {
-    LOG(INFO) << "Skipping this test in this platform.";
-    return;
-  }
-
-  base::FilePath certs_dir = GetTestCertsDirectory();
-  CertificateList certs = CreateCertificateListFromFile(
-      certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(3U, certs.size());
-  ScopedTestRoot scoped_root(certs[2].get());
-
-  scoped_refptr<X509Certificate> unrelated_certificate =
-      ImportCertFromFile(certs_dir, "duplicate_cn_1.pem");
-  scoped_refptr<X509Certificate> unrelated_certificate2 =
-      ImportCertFromFile(certs_dir, "aia-cert.pem");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate.get());
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_certificate2.get());
-
-  // Interject unrelated certificates into the list of intermediates.
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(unrelated_certificate->os_cert_handle());
-  intermediates.push_back(certs[1]->os_cert_handle());
-  intermediates.push_back(unrelated_certificate2->os_cert_handle());
-  intermediates.push_back(certs[2]->os_cert_handle());
-
-  scoped_refptr<X509Certificate> google_full_chain =
-      X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
-                                        intermediates);
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain.get());
-  ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size());
-
-  CertVerifyResult verify_result;
-  EXPECT_EQ(static_cast<X509Certificate*>(NULL),
-            verify_result.verified_cert.get());
-  int error = Verify(google_full_chain.get(), "127.0.0.1", 0, NULL,
-                     CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsOk());
-  ASSERT_NE(static_cast<X509Certificate*>(NULL),
-            verify_result.verified_cert.get());
-
-  EXPECT_NE(google_full_chain, verify_result.verified_cert);
-  EXPECT_TRUE(X509Certificate::IsSameOSCert(
-      google_full_chain->os_cert_handle(),
-      verify_result.verified_cert->os_cert_handle()));
-  const X509Certificate::OSCertHandles& return_intermediates =
-      verify_result.verified_cert->GetIntermediateCertificates();
-  ASSERT_EQ(2U, return_intermediates.size());
-  EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
-                                            certs[1]->os_cert_handle()));
-  EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
-                                            certs[2]->os_cert_handle()));
-}
-
-TEST_P(CertVerifyProcInternalTest, AdditionalTrustAnchors) {
-  if (!SupportsAdditionalTrustAnchors()) {
-    LOG(INFO) << "Skipping this test in this platform.";
-    return;
-  }
-
-  // |ca_cert| is the issuer of |cert|.
-  CertificateList ca_cert_list =
-      CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
-                                    X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(1U, ca_cert_list.size());
-  scoped_refptr<X509Certificate> ca_cert(ca_cert_list[0]);
-
-  CertificateList cert_list = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(1U, cert_list.size());
-  scoped_refptr<X509Certificate> cert(cert_list[0]);
-
-  // Verification of |cert| fails when |ca_cert| is not in the trust anchors
-  // list.
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = Verify(cert.get(), "127.0.0.1", flags, NULL, CertificateList(),
-                     &verify_result);
-  EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
-  EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
-  EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
-
-  // Now add the |ca_cert| to the |trust_anchors|, and verification should pass.
-  CertificateList trust_anchors;
-  trust_anchors.push_back(ca_cert);
-  error = Verify(cert.get(), "127.0.0.1", flags, NULL, trust_anchors,
-                 &verify_result);
-  EXPECT_THAT(error, IsOk());
-  EXPECT_EQ(0U, verify_result.cert_status);
-  EXPECT_TRUE(verify_result.is_issued_by_additional_trust_anchor);
-
-  // Clearing the |trust_anchors| makes verification fail again (the cache
-  // should be skipped).
-  error = Verify(cert.get(), "127.0.0.1", flags, NULL, CertificateList(),
-                 &verify_result);
-  EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
-  EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
-  EXPECT_FALSE(verify_result.is_issued_by_additional_trust_anchor);
-}
-
-// Tests that certificates issued by user-supplied roots are not flagged as
-// issued by a known root. This should pass whether or not the platform supports
-// detecting known roots.
-TEST_P(CertVerifyProcInternalTest, IsIssuedByKnownRootIgnoresTestRoots) {
-  // Load root_ca_cert.pem into the test root store.
-  ScopedTestRoot test_root(
-      ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem").get());
-
-  scoped_refptr<X509Certificate> cert(
-      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
-
-  // Verification should pass.
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = Verify(cert.get(), "127.0.0.1", flags, NULL, CertificateList(),
-                     &verify_result);
-  EXPECT_THAT(error, IsOk());
-  EXPECT_EQ(0U, verify_result.cert_status);
-  // But should not be marked as a known root.
-  EXPECT_FALSE(verify_result.is_issued_by_known_root);
-}
-
-// Test that CRLSets are effective in making a certificate appear to be
-// revoked.
-TEST_P(CertVerifyProcInternalTest, CRLSet) {
-  if (!SupportsCRLSet()) {
-    LOG(INFO) << "Skipping test as verifier doesn't support CRLSet";
-    return;
-  }
-
-  CertificateList ca_cert_list =
-      CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
-                                    X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(1U, ca_cert_list.size());
-  ScopedTestRoot test_root(ca_cert_list[0].get());
-
-  CertificateList cert_list = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(1U, cert_list.size());
-  scoped_refptr<X509Certificate> cert(cert_list[0]);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = Verify(cert.get(), "127.0.0.1", flags, NULL, CertificateList(),
-                     &verify_result);
-  EXPECT_THAT(error, IsOk());
-  EXPECT_EQ(0U, verify_result.cert_status);
-
-  scoped_refptr<CRLSet> crl_set;
-  std::string crl_set_bytes;
-
-  // First test blocking by SPKI.
-  EXPECT_TRUE(base::ReadFileToString(
-      GetTestCertsDirectory().AppendASCII("crlset_by_leaf_spki.raw"),
-      &crl_set_bytes));
-  ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
-
-  error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
-                 CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
-
-  // Second, test revocation by serial number of a cert directly under the
-  // root.
-  crl_set_bytes.clear();
-  EXPECT_TRUE(base::ReadFileToString(
-      GetTestCertsDirectory().AppendASCII("crlset_by_root_serial.raw"),
-      &crl_set_bytes));
-  ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
-
-  error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
-                 CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
-}
-
-TEST_P(CertVerifyProcInternalTest, CRLSetLeafSerial) {
-  if (!SupportsCRLSet()) {
-    LOG(INFO) << "Skipping test as verifier doesn't support CRLSet";
-    return;
-  }
-
-  CertificateList ca_cert_list =
-      CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
-                                    X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(1U, ca_cert_list.size());
-  ScopedTestRoot test_root(ca_cert_list[0].get());
-
-  CertificateList intermediate_cert_list = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "intermediate_ca_cert.pem",
-      X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(1U, intermediate_cert_list.size());
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(intermediate_cert_list[0]->os_cert_handle());
-
-  CertificateList cert_list = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "ok_cert_by_intermediate.pem",
-      X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(1U, cert_list.size());
-
-  scoped_refptr<X509Certificate> leaf = X509Certificate::CreateFromHandle(
-      cert_list[0]->os_cert_handle(), intermediates);
-  ASSERT_TRUE(leaf);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = Verify(leaf.get(), "127.0.0.1", flags, NULL, CertificateList(),
-                     &verify_result);
-  EXPECT_THAT(error, IsOk());
-
-  // Test revocation by serial number of a certificate not under the root.
-  scoped_refptr<CRLSet> crl_set;
-  std::string crl_set_bytes;
-  ASSERT_TRUE(base::ReadFileToString(
-      GetTestCertsDirectory().AppendASCII("crlset_by_intermediate_serial.raw"),
-      &crl_set_bytes));
-  ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
-
-  error = Verify(leaf.get(), "127.0.0.1", flags, crl_set.get(),
-                 CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsError(ERR_CERT_REVOKED));
-}
-
-// Tests that CRLSets participate in path building functions, and that as
-// long as a valid path exists within the verification graph, verification
-// succeeds.
-//
-// In this test, there are two roots (D and E), and three possible paths
-// to validate a leaf (A):
-// 1. A(B) -> B(C) -> C(D) -> D(D)
-// 2. A(B) -> B(C) -> C(E) -> E(E)
-// 3. A(B) -> B(F) -> F(E) -> E(E)
-//
-// Each permutation of revocation is tried:
-// 1. Revoking E by SPKI, so that only Path 1 is valid (as E is in Paths 2 & 3)
-// 2. Revoking C(D) and F(E) by serial, so that only Path 2 is valid.
-// 3. Revoking C by SPKI, so that only Path 3 is valid (as C is in Paths 1 & 2)
-TEST_P(CertVerifyProcInternalTest, CRLSetDuringPathBuilding) {
-  if (!SupportsCRLSetsInPathBuilding()) {
-    LOG(INFO) << "Skipping this test on this platform.";
-    return;
-  }
-
-  const char* const kPath1Files[] = {
-      "multi-root-A-by-B.pem", "multi-root-B-by-C.pem", "multi-root-C-by-D.pem",
-      "multi-root-D-by-D.pem"};
-  const char* const kPath2Files[] = {
-      "multi-root-A-by-B.pem", "multi-root-B-by-C.pem", "multi-root-C-by-E.pem",
-      "multi-root-E-by-E.pem"};
-  const char* const kPath3Files[] = {
-      "multi-root-A-by-B.pem", "multi-root-B-by-F.pem", "multi-root-F-by-E.pem",
-      "multi-root-E-by-E.pem"};
-
-  CertificateList path_1_certs;
-  ASSERT_NO_FATAL_FAILURE(LoadCertificateFiles(kPath1Files, &path_1_certs));
-
-  CertificateList path_2_certs;
-  ASSERT_NO_FATAL_FAILURE(LoadCertificateFiles(kPath2Files, &path_2_certs));
-
-  CertificateList path_3_certs;
-  ASSERT_NO_FATAL_FAILURE(LoadCertificateFiles(kPath3Files, &path_3_certs));
-
-  // Add D and E as trust anchors.
-  ScopedTestRoot test_root_D(path_1_certs[3].get());  // D-by-D
-  ScopedTestRoot test_root_E(path_2_certs[3].get());  // E-by-E
-
-  // Create a chain that contains all the certificate paths possible.
-  // CertVerifyProcInternalTest.VerifyReturnChainFiltersUnrelatedCerts already
-  // ensures that it's safe to send additional certificates as inputs, and
-  // that they're ignored if not necessary.
-  // This is to avoid relying on AIA or internal object caches when
-  // interacting with the underlying library.
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(path_1_certs[1]->os_cert_handle());  // B-by-C
-  intermediates.push_back(path_1_certs[2]->os_cert_handle());  // C-by-D
-  intermediates.push_back(path_2_certs[2]->os_cert_handle());  // C-by-E
-  intermediates.push_back(path_3_certs[1]->os_cert_handle());  // B-by-F
-  intermediates.push_back(path_3_certs[2]->os_cert_handle());  // F-by-E
-  scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
-      path_1_certs[0]->os_cert_handle(), intermediates);
-  ASSERT_TRUE(cert);
-
-  struct TestPermutations {
-    const char* crlset;
-    bool expect_valid;
-    scoped_refptr<X509Certificate> expected_intermediate;
-  } kTests[] = {
-      {"multi-root-crlset-D-and-E.raw", false, nullptr},
-      {"multi-root-crlset-E.raw", true, path_1_certs[2].get()},
-      {"multi-root-crlset-CD-and-FE.raw", true, path_2_certs[2].get()},
-      {"multi-root-crlset-C.raw", true, path_3_certs[2].get()},
-      {"multi-root-crlset-unrelated.raw", true, nullptr}};
-
-  for (const auto& testcase : kTests) {
-    SCOPED_TRACE(testcase.crlset);
-    scoped_refptr<CRLSet> crl_set;
-    std::string crl_set_bytes;
-    EXPECT_TRUE(base::ReadFileToString(
-        GetTestCertsDirectory().AppendASCII(testcase.crlset), &crl_set_bytes));
-    ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
-
-    int flags = 0;
-    CertVerifyResult verify_result;
-    int error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
-                       CertificateList(), &verify_result);
-
-    if (!testcase.expect_valid) {
-      EXPECT_NE(OK, error);
-      EXPECT_NE(0U, verify_result.cert_status);
-      continue;
-    }
-
-    ASSERT_THAT(error, IsOk());
-    ASSERT_EQ(0U, verify_result.cert_status);
-    ASSERT_TRUE(verify_result.verified_cert.get());
-
-    if (!testcase.expected_intermediate)
-      continue;
-
-    const X509Certificate::OSCertHandles& verified_intermediates =
-        verify_result.verified_cert->GetIntermediateCertificates();
-    ASSERT_EQ(3U, verified_intermediates.size());
-
-    scoped_refptr<X509Certificate> intermediate =
-        X509Certificate::CreateFromHandle(verified_intermediates[1],
-                                          X509Certificate::OSCertHandles());
-    ASSERT_TRUE(intermediate);
-
-    EXPECT_TRUE(testcase.expected_intermediate->Equals(intermediate.get()))
-        << "Expected: " << testcase.expected_intermediate->subject().common_name
-        << " issued by " << testcase.expected_intermediate->issuer().common_name
-        << "; Got: " << intermediate->subject().common_name << " issued by "
-        << intermediate->issuer().common_name;
-  }
-}
-
-#if defined(OS_MACOSX) && !defined(OS_IOS)
 // Test that a CRLSet blocking one of the intermediates supplied by the server
 // can be worked around by the chopping workaround for path building. (Once the
 // supplied chain is chopped back to just the target, a better path can be
 // found out-of-band. Normally that would be by AIA fetching, for the purposes
 // of this test the better path is supplied by a test keychain.)
 //
 // In this test, there are two possible paths to validate a leaf (A):
 // 1. A(B) -> B(C) -> C(E) -> E(E)
 // 2. A(B) -> B(F) -> F(E) -> E(E)
 //
 // A(B) -> B(C) -> C(E) is supplied to the verifier.
 // B(F) and F(E) are supplied in a test keychain.
 // C is blocked by a CRLset.
 //
 // The verifier should rollback until it just tries A(B) alone, at which point
 // it will pull B(F) & F(E) from the keychain and succeed.
 TEST(CertVerifyProcMacTest, MacCRLIntermediate) {
   if (base::mac::IsAtLeastOS10_12()) {
     // TODO(crbug.com/671889): Investigate SecTrustSetKeychains issue on Sierra.
     LOG(INFO) << "Skipping test, SecTrustSetKeychains does not work on 10.12";
     return;
   }
-  const char* const kPath2Files[] = {
-      "multi-root-A-by-B.pem", "multi-root-B-by-C.pem", "multi-root-C-by-E.pem",
-      "multi-root-E-by-E.pem"};
   CertificateList path_2_certs;
-  ASSERT_NO_FATAL_FAILURE(LoadCertificateFiles(kPath2Files, &path_2_certs));
-
-  const char* const kPath3Files[] = {
-      "multi-root-A-by-B.pem", "multi-root-B-by-F.pem", "multi-root-F-by-E.pem",
-      "multi-root-E-by-E.pem"};
+  ASSERT_TRUE(
+      LoadCertificateFiles({"multi-root-A-by-B.pem", "multi-root-B-by-C.pem",
+                            "multi-root-C-by-E.pem", "multi-root-E-by-E.pem"},
+                           &path_2_certs));
 
   CertificateList path_3_certs;
-  ASSERT_NO_FATAL_FAILURE(LoadCertificateFiles(kPath3Files, &path_3_certs));
+  ASSERT_TRUE(
+      LoadCertificateFiles({"multi-root-A-by-B.pem", "multi-root-B-by-F.pem",
+                            "multi-root-F-by-E.pem", "multi-root-E-by-E.pem"},
+                           &path_3_certs));
 
   // Add E as trust anchor.
   ScopedTestRoot test_root_E(path_3_certs[3].get());  // E-by-E
 
   X509Certificate::OSCertHandles intermediates;
   intermediates.push_back(path_2_certs[1]->os_cert_handle());  // B-by-C
   intermediates.push_back(path_2_certs[2]->os_cert_handle());  // C-by-E
   scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
       path_3_certs[0]->os_cert_handle(), intermediates);
   ASSERT_TRUE(cert);
@@ skipping 19 matching lines @@
   std::string crl_set_bytes;
   // CRL which blocks C by SPKI.
   EXPECT_TRUE(base::ReadFileToString(
       GetTestCertsDirectory().AppendASCII("multi-root-crlset-C.raw"),
       &crl_set_bytes));
   ASSERT_TRUE(CRLSetStorage::Parse(crl_set_bytes, &crl_set));
 
   int flags = 0;
   CertVerifyResult verify_result;
 
-  scoped_refptr<CertVerifyProc> verify_proc = CertVerifyProc::CreateDefault();
+  scoped_refptr<CertVerifyProc> verify_proc = new CertVerifyProcMac;
   int error =
       verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
                           crl_set.get(), CertificateList(), &verify_result);
 
   ASSERT_EQ(OK, error);
   ASSERT_EQ(0U, verify_result.cert_status);
   ASSERT_TRUE(verify_result.verified_cert.get());
 
   const X509Certificate::OSCertHandles& verified_intermediates =
       verify_result.verified_cert->GetIntermediateCertificates();
@@ skipping 36 matching lines @@
   SecKeychainRef keychain;
   OSStatus status =
       SecKeychainOpen(keychain_path.MaybeAsASCII().c_str(), &keychain);
   ASSERT_EQ(errSecSuccess, status);
   ASSERT_TRUE(keychain);
   base::ScopedCFTypeRef<SecKeychainRef> scoped_keychain(keychain);
   test_keychain_search_list->AddKeychain(keychain);
 
   int flags = 0;
   CertVerifyResult verify_result;
-  scoped_refptr<CertVerifyProc> verify_proc = CertVerifyProc::CreateDefault();
+  scoped_refptr<CertVerifyProc> verify_proc = new CertVerifyProcMac;
   int error = verify_proc->Verify(cert.get(), "www.tripadvisor.com",
                                   std::string(), flags, nullptr /* crl_set */,
                                   CertificateList(), &verify_result);
 
   ASSERT_EQ(OK, error);
   EXPECT_EQ(0U, verify_result.cert_status);
   EXPECT_FALSE(verify_result.has_sha1);
   ASSERT_TRUE(verify_result.verified_cert.get());
 
   const X509Certificate::OSCertHandles& verified_intermediates =
       verify_result.verified_cert->GetIntermediateCertificates();
   ASSERT_EQ(2U, verified_intermediates.size());
 }
 
 // Test that the system root certificate keychain is in the expected location
 // and can be opened. Other tests would fail if this was not true, but this
 // test makes the reason for the failure obvious.
 TEST(CertVerifyProcMacTest, MacSystemRootCertificateKeychainLocation) {
   const char* root_keychain_path =
       "/System/Library/Keychains/SystemRootCertificates.keychain";
   ASSERT_TRUE(base::PathExists(base::FilePath(root_keychain_path)));
 
   SecKeychainRef keychain;
   OSStatus status = SecKeychainOpen(root_keychain_path, &keychain);
   ASSERT_EQ(errSecSuccess, status);
   CFRelease(keychain);
 }
-#endif  // defined(OS_MACOSX) && !defined(OS_IOS)
 
-// TODO(crbug.com/649017): This is not parameterized by the CertVerifyProc
-// because the CertVerifyProc::Verify() does this unconditionally based on the
-// platform.
-bool AreSHA1IntermediatesAllowed() {
-#if defined(OS_WIN)
-  // TODO(rsleevi): Remove this once https://crbug.com/588789 is resolved
-  // for Windows 7/2008 users.
-  // Note: This must be kept in sync with cert_verify_proc.cc
-  return base::win::GetVersion() < base::win::VERSION_WIN8;
-#else
-  return false;
-#endif
-}
-
-TEST(CertVerifyProcTest, RejectsMD2) {
-  scoped_refptr<X509Certificate> cert(
-      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
-  ASSERT_TRUE(cert);
-
-  CertVerifyResult result;
-  result.has_md2 = true;
-  scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
-                                  nullptr /* crl_set */, CertificateList(),
-                                  &verify_result);
-  EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
-}
-
-TEST(CertVerifyProcTest, RejectsMD4) {
-  scoped_refptr<X509Certificate> cert(
-      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
-  ASSERT_TRUE(cert);
-
-  CertVerifyResult result;
-  result.has_md4 = true;
-  scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
-                                  nullptr /* crl_set */, CertificateList(),
-                                  &verify_result);
-  EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
-}
-
-TEST(CertVerifyProcTest, RejectsMD5) {
-  scoped_refptr<X509Certificate> cert(
-      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
-  ASSERT_TRUE(cert);
-
-  CertVerifyResult result;
-  result.has_md5 = true;
-  scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
-                                  nullptr /* crl_set */, CertificateList(),
-                                  &verify_result);
-  EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
-}
-
-TEST(CertVerifyProcTest, RejectsPublicSHA1Leaves) {
-  scoped_refptr<X509Certificate> cert(
-      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
-  ASSERT_TRUE(cert);
-
-  CertVerifyResult result;
-  result.has_sha1 = true;
-  result.has_sha1_leaf = true;
-  result.is_issued_by_known_root = true;
-  scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
-                                  nullptr /* crl_set */, CertificateList(),
-                                  &verify_result);
-  EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
-}
-
-TEST(CertVerifyProcTest, RejectsPublicSHA1IntermediatesUnlessAllowed) {
-  scoped_refptr<X509Certificate> cert(ImportCertFromFile(
-      GetTestCertsDirectory(), "39_months_after_2015_04.pem"));
-  ASSERT_TRUE(cert);
-
-  CertVerifyResult result;
-  result.has_sha1 = true;
-  result.has_sha1_leaf = false;
-  result.is_issued_by_known_root = true;
-  scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
-                                  nullptr /* crl_set */, CertificateList(),
-                                  &verify_result);
-  if (AreSHA1IntermediatesAllowed()) {
-    EXPECT_THAT(error, IsOk());
-    EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
-  } else {
-    EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
-    EXPECT_TRUE(verify_result.cert_status &
-                CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
-  }
-}
-
-TEST(CertVerifyProcTest, RejectsPrivateSHA1UnlessFlag) {
-  scoped_refptr<X509Certificate> cert(
-      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
-  ASSERT_TRUE(cert);
-
-  CertVerifyResult result;
-  result.has_sha1 = true;
-  result.has_sha1_leaf = true;
-  result.is_issued_by_known_root = false;
-  scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
-
-  // SHA-1 should be rejected by default for private roots...
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
-                                  nullptr /* crl_set */, CertificateList(),
-                                  &verify_result);
-  EXPECT_THAT(error, IsError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
-
-  // ... unless VERIFY_ENABLE_SHA1_LOCAL_ANCHORS was supplied.
-  flags = CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS;
-  verify_result.Reset();
-  error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
-                              nullptr /* crl_set */, CertificateList(),
-                              &verify_result);
-  EXPECT_THAT(error, IsOk());
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_SHA1_SIGNATURE_PRESENT);
-}
-
-enum ExpectedAlgorithms {
-  EXPECT_MD2 = 1 << 0,
-  EXPECT_MD4 = 1 << 1,
-  EXPECT_MD5 = 1 << 2,
-  EXPECT_SHA1 = 1 << 3,
-  EXPECT_SHA1_LEAF = 1 << 4,
-};
-
-struct WeakDigestTestData {
-  const char* root_cert_filename;
-  const char* intermediate_cert_filename;
-  const char* ee_cert_filename;
-  int expected_algorithms;
-};
-
-const char* StringOrDefault(const char* str, const char* default_value) {
-  if (!str)
-    return default_value;
-  return str;
-}
-
-// GTest 'magic' pretty-printer, so that if/when a test fails, it knows how
-// to output the parameter that was passed. Without this, it will simply
-// attempt to print out the first twenty bytes of the object, which depending
-// on platform and alignment, may result in an invalid read.
-void PrintTo(const WeakDigestTestData& data, std::ostream* os) {
-  *os << "root: " << StringOrDefault(data.root_cert_filename, "none")
-      << "; intermediate: "
-      << StringOrDefault(data.intermediate_cert_filename, "none")
-      << "; end-entity: " << data.ee_cert_filename;
-}
-
-class CertVerifyProcWeakDigestTest
-    : public testing::TestWithParam<WeakDigestTestData> {
- public:
-  CertVerifyProcWeakDigestTest() {}
-  virtual ~CertVerifyProcWeakDigestTest() {}
-};
-
-// Tests that the CertVerifyProc::Verify() properly surfaces the (weak) hash
-// algorithms used in the chain.
-TEST_P(CertVerifyProcWeakDigestTest, VerifyDetectsAlgorithm) {
-  WeakDigestTestData data = GetParam();
-  base::FilePath certs_dir = GetTestCertsDirectory();
-
-  scoped_refptr<X509Certificate> intermediate_cert;
-  scoped_refptr<X509Certificate> root_cert;
-
-  // Build |intermediates| as the full chain (including trust anchor).
-  X509Certificate::OSCertHandles intermediates;
-
-  if (data.intermediate_cert_filename) {
-    intermediate_cert =
-        ImportCertFromFile(certs_dir, data.intermediate_cert_filename);
-    ASSERT_TRUE(intermediate_cert);
-    intermediates.push_back(intermediate_cert->os_cert_handle());
-  }
-
-  if (data.root_cert_filename) {
-    root_cert = ImportCertFromFile(certs_dir, data.root_cert_filename);
-    ASSERT_TRUE(root_cert);
-    intermediates.push_back(root_cert->os_cert_handle());
-  }
-
-  scoped_refptr<X509Certificate> ee_cert =
-      ImportCertFromFile(certs_dir, data.ee_cert_filename);
-  ASSERT_TRUE(ee_cert);
-
-  scoped_refptr<X509Certificate> ee_chain = X509Certificate::CreateFromHandle(
-      ee_cert->os_cert_handle(), intermediates);
-  ASSERT_TRUE(ee_chain);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-
-  // Use a mock CertVerifyProc that returns success with a verified_cert of
-  // |ee_chain|.
-  //
-  // This is sufficient for the purposes of this test, as the checking for weak
-  // hash algorithms is done by CertVerifyProc::Verify().
-  scoped_refptr<CertVerifyProc> proc =
-      new MockCertVerifyProc(CertVerifyResult());
-  proc->Verify(ee_chain.get(), "127.0.0.1", std::string(), flags, nullptr,
-               CertificateList(), &verify_result);
-  EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD2), verify_result.has_md2);
-  EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD4), verify_result.has_md4);
-  EXPECT_EQ(!!(data.expected_algorithms & EXPECT_MD5), verify_result.has_md5);
-  EXPECT_EQ(!!(data.expected_algorithms & EXPECT_SHA1), verify_result.has_sha1);
-  EXPECT_EQ(!!(data.expected_algorithms & EXPECT_SHA1_LEAF),
-            verify_result.has_sha1_leaf);
-}
-
-// The signature algorithm of the root CA should not matter.
-const WeakDigestTestData kVerifyRootCATestData[] = {
-    {"weak_digest_md5_root.pem", "weak_digest_sha1_intermediate.pem",
-     "weak_digest_sha1_ee.pem", EXPECT_SHA1 | EXPECT_SHA1_LEAF},
-    {"weak_digest_md4_root.pem", "weak_digest_sha1_intermediate.pem",
-     "weak_digest_sha1_ee.pem", EXPECT_SHA1 | EXPECT_SHA1_LEAF},
-    {"weak_digest_md2_root.pem", "weak_digest_sha1_intermediate.pem",
-     "weak_digest_sha1_ee.pem", EXPECT_SHA1 | EXPECT_SHA1_LEAF},
-};
-INSTANTIATE_TEST_CASE_P(VerifyRoot,
-                        CertVerifyProcWeakDigestTest,
-                        testing::ValuesIn(kVerifyRootCATestData));
-
-// The signature algorithm of intermediates should be properly detected.
-const WeakDigestTestData kVerifyIntermediateCATestData[] = {
-    {"weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
-     "weak_digest_sha1_ee.pem", EXPECT_MD5 | EXPECT_SHA1 | EXPECT_SHA1_LEAF},
-    {"weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
-     "weak_digest_sha1_ee.pem", EXPECT_MD4 | EXPECT_SHA1 | EXPECT_SHA1_LEAF},
-    {"weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
-     "weak_digest_sha1_ee.pem", EXPECT_MD2 | EXPECT_SHA1 | EXPECT_SHA1_LEAF},
-};
-
-INSTANTIATE_TEST_CASE_P(VerifyIntermediate,
-                        CertVerifyProcWeakDigestTest,
-                        testing::ValuesIn(kVerifyIntermediateCATestData));
-
-// The signature algorithm of end-entity should be properly detected.
-const WeakDigestTestData kVerifyEndEntityTestData[] = {
-    {"weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
-     "weak_digest_md5_ee.pem", EXPECT_MD5 | EXPECT_SHA1},
-    {"weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
-     "weak_digest_md4_ee.pem", EXPECT_MD4 | EXPECT_SHA1},
-    {"weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
-     "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_SHA1},
-};
-
-INSTANTIATE_TEST_CASE_P(VerifyEndEntity,
-                        CertVerifyProcWeakDigestTest,
-                        testing::ValuesIn(kVerifyEndEntityTestData));
-
-// Incomplete chains do not report the status of the intermediate.
-// Note: really each of these tests should also expect the digest algorithm of
-// the intermediate (included as a comment). However CertVerifyProc::Verify() is
-// unable to distinguish that this is an intermediate and not a trust anchor, so
-// this intermediate is treated like a trust anchor.
-const WeakDigestTestData kVerifyIncompleteIntermediateTestData[] = {
-    {NULL, "weak_digest_md5_intermediate.pem", "weak_digest_sha1_ee.pem",
-     /*EXPECT_MD5 |*/ EXPECT_SHA1 | EXPECT_SHA1_LEAF},
-    {NULL, "weak_digest_md4_intermediate.pem", "weak_digest_sha1_ee.pem",
-     /*EXPECT_MD4 |*/ EXPECT_SHA1 | EXPECT_SHA1_LEAF},
-    {NULL, "weak_digest_md2_intermediate.pem", "weak_digest_sha1_ee.pem",
-     /*EXPECT_MD2 |*/ EXPECT_SHA1 | EXPECT_SHA1_LEAF},
-};
-
-INSTANTIATE_TEST_CASE_P(
-    MAYBE_VerifyIncompleteIntermediate,
-    CertVerifyProcWeakDigestTest,
-    testing::ValuesIn(kVerifyIncompleteIntermediateTestData));
-
-// Incomplete chains should report the status of the end-entity.
-// Note: really each of these tests should also expect EXPECT_SHA1 (included as
-// a comment). However CertVerifyProc::Verify() is unable to distinguish that
-// this is an intermediate and not a trust anchor, so this intermediate is
-// treated like a trust anchor.
-const WeakDigestTestData kVerifyIncompleteEETestData[] = {
-    {NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md5_ee.pem",
-     /*EXPECT_SHA1 |*/ EXPECT_MD5},
-    {NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md4_ee.pem",
-     /*EXPECT_SHA1 |*/ EXPECT_MD4},
-    {NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md2_ee.pem",
-     /*EXPECT_SHA1 |*/ EXPECT_MD2},
-};
-
-INSTANTIATE_TEST_CASE_P(VerifyIncompleteEndEntity,
-                        CertVerifyProcWeakDigestTest,
-                        testing::ValuesIn(kVerifyIncompleteEETestData));
-
-// Differing algorithms between the intermediate and the EE should still be
-// reported.
-const WeakDigestTestData kVerifyMixedTestData[] = {
-    {"weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
-     "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD5},
-    {"weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
-     "weak_digest_md5_ee.pem", EXPECT_MD2 | EXPECT_MD5},
-    {"weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
-     "weak_digest_md2_ee.pem", EXPECT_MD2 | EXPECT_MD4},
-};
-
-INSTANTIATE_TEST_CASE_P(VerifyMixed,
-                        CertVerifyProcWeakDigestTest,
-                        testing::ValuesIn(kVerifyMixedTestData));
-
-// The EE is a trusted certificate. Even though it uses weak hashes, these
-// should not be reported.
-const WeakDigestTestData kVerifyTrustedEETestData[] = {
-    {NULL, NULL, "weak_digest_md5_ee.pem", 0},
-    {NULL, NULL, "weak_digest_md4_ee.pem", 0},
-    {NULL, NULL, "weak_digest_md2_ee.pem", 0},
-    {NULL, NULL, "weak_digest_sha1_ee.pem", 0},
-};
-
-INSTANTIATE_TEST_CASE_P(VerifyTrustedEE,
-                        CertVerifyProcWeakDigestTest,
-                        testing::ValuesIn(kVerifyTrustedEETestData));
-
-// For the list of valid hostnames, see
-// net/cert/data/ssl/certificates/subjectAltName_sanity_check.pem
-struct CertVerifyProcNameData {
-  const char* hostname;
-  bool valid;  // Whether or not |hostname| matches a subjectAltName.
-};
-
-// Test fixture for verifying certificate names. These tests are run for each
-// of the CertVerify implementations.
-class CertVerifyProcNameTest : public CertVerifyProcInternalTest {
- public:
-  CertVerifyProcNameTest() {}
-  virtual ~CertVerifyProcNameTest() {}
-
- protected:
-  void VerifyCertName(const char* hostname, bool valid) {
-    CertificateList cert_list = CreateCertificateListFromFile(
-        GetTestCertsDirectory(), "subjectAltName_sanity_check.pem",
-        X509Certificate::FORMAT_AUTO);
-    ASSERT_EQ(1U, cert_list.size());
-    scoped_refptr<X509Certificate> cert(cert_list[0]);
-
-    ScopedTestRoot scoped_root(cert.get());
-
-    CertVerifyResult verify_result;
-    int error = Verify(cert.get(), hostname, 0, NULL, CertificateList(),
-                       &verify_result);
-    if (valid) {
-      EXPECT_THAT(error, IsOk());
-      EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
-    } else {
-      EXPECT_THAT(error, IsError(ERR_CERT_COMMON_NAME_INVALID));
-      EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
-    }
-  }
-};
-
-// Don't match the common name
-TEST_P(CertVerifyProcNameTest, DontMatchCommonName) {
-  VerifyCertName("127.0.0.1", false);
-}
-
-// Matches the iPAddress SAN (IPv4)
-TEST_P(CertVerifyProcNameTest, MatchesIpSanIpv4) {
-  VerifyCertName("127.0.0.2", true);
-}
-
-// Matches the iPAddress SAN (IPv6)
-TEST_P(CertVerifyProcNameTest, MatchesIpSanIpv6) {
-  VerifyCertName("FE80:0:0:0:0:0:0:1", true);
-}
-
-// Should not match the iPAddress SAN
-TEST_P(CertVerifyProcNameTest, DoesntMatchIpSanIpv6) {
-  VerifyCertName("[FE80:0:0:0:0:0:0:1]", false);
-}
-
-// Compressed form matches the iPAddress SAN (IPv6)
-TEST_P(CertVerifyProcNameTest, MatchesIpSanCompressedIpv6) {
-  VerifyCertName("FE80::1", true);
-}
-
-// IPv6 mapped form should NOT match iPAddress SAN
-TEST_P(CertVerifyProcNameTest, DoesntMatchIpSanIPv6Mapped) {
-  VerifyCertName("::127.0.0.2", false);
-}
-
-// Matches the dNSName SAN
-TEST_P(CertVerifyProcNameTest, MatchesDnsSan) {
-  VerifyCertName("test.example", true);
-}
-
-// Matches the dNSName SAN (trailing . ignored)
-TEST_P(CertVerifyProcNameTest, MatchesDnsSanTrailingDot) {
-  VerifyCertName("test.example.", true);
-}
-
-// Should not match the dNSName SAN
-TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSan) {
-  VerifyCertName("www.test.example", false);
-}
-
-// Should not match the dNSName SAN
-TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanInvalid) {
-  VerifyCertName("test..example", false);
-}
-
-// Should not match the dNSName SAN
-TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanTwoTrailingDots) {
-  VerifyCertName("test.example..", false);
-}
-
-// Should not match the dNSName SAN
-TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanLeadingAndTrailingDot) {
-  VerifyCertName(".test.example.", false);
-}
-
-// Should not match the dNSName SAN
-TEST_P(CertVerifyProcNameTest, DoesntMatchDnsSanTrailingDot) {
-  VerifyCertName(".test.example", false);
-}
-
-INSTANTIATE_TEST_CASE_P(VerifyName,
-                        CertVerifyProcNameTest,
-                        testing::ValuesIn(kAllCertVerifiers),
-                        VerifyProcTypeToName);
-
-#if defined(OS_MACOSX) && !defined(OS_IOS)
 // Test that CertVerifyProcMac reacts appropriately when Apple's certificate
 // verifier rejects a certificate with a fatal error. This is a regression
 // test for https://crbug.com/472291.
 // (Since 10.12, this causes a recoverable error instead of a fatal one.)
 // TODO(mattm): Try to find a different way to cause a fatal error that works
 // on 10.12.
 TEST(CertVerifyProcMacTest, LargeKey) {
   // Load root_ca_cert.pem into the test root store.
   ScopedTestRoot test_root(
       ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem").get());
 
   scoped_refptr<X509Certificate> cert(
       ImportCertFromFile(GetTestCertsDirectory(), "large_key.pem"));
 
   // Apple's verifier rejects this certificate as invalid because the
   // RSA key is too large. If a future version of OS X changes this,
   // large_key.pem may need to be regenerated with a larger key.
   int flags = 0;
   CertVerifyResult verify_result;
-  scoped_refptr<CertVerifyProc> verify_proc = CertVerifyProc::CreateDefault();
+  scoped_refptr<CertVerifyProc> verify_proc = new CertVerifyProcMac;
   int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
                                   NULL, CertificateList(), &verify_result);
   EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
 }
-#endif  // defined(OS_MACOSX) && !defined(OS_IOS)
 
-// Tests that CertVerifyProc records a histogram correctly when a
-// certificate chaining to a private root contains the TLS feature
-// extension and does not have a stapled OCSP response.
-TEST(CertVerifyProcTest, HasTLSFeatureExtensionUMA) {
-  base::HistogramTester histograms;
-  scoped_refptr<X509Certificate> cert(
-      ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
-  ASSERT_TRUE(cert);
-  CertVerifyResult result;
-  result.is_issued_by_known_root = false;
-  scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
-
-  histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
-  histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
-                                  NULL, CertificateList(), &verify_result);
-  EXPECT_EQ(OK, error);
-  histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1);
-  histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1);
-  histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 1);
-  histograms.ExpectBucketCount(kTLSFeatureExtensionOCSPHistogram, false, 1);
-}
-
-// Tests that CertVerifyProc records a histogram correctly when a
-// certificate chaining to a private root contains the TLS feature
-// extension and does have a stapled OCSP response.
-TEST(CertVerifyProcTest, HasTLSFeatureExtensionWithStapleUMA) {
-  base::HistogramTester histograms;
-  scoped_refptr<X509Certificate> cert(
-      ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
-  ASSERT_TRUE(cert);
-  CertVerifyResult result;
-  result.is_issued_by_known_root = false;
-  scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
-
-  histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
-  histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error =
-      verify_proc->Verify(cert.get(), "127.0.0.1", "dummy response", flags,
-                          nullptr, CertificateList(), &verify_result);
-  EXPECT_EQ(OK, error);
-  histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1);
-  histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, true, 1);
-  histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 1);
-  histograms.ExpectBucketCount(kTLSFeatureExtensionOCSPHistogram, true, 1);
-}
-
-// Tests that CertVerifyProc records a histogram correctly when a
-// certificate chaining to a private root does not contain the TLS feature
-// extension.
-TEST(CertVerifyProcTest, DoesNotHaveTLSFeatureExtensionUMA) {
-  base::HistogramTester histograms;
-  scoped_refptr<X509Certificate> cert(
-      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
-  ASSERT_TRUE(cert);
-  CertVerifyResult result;
-  result.is_issued_by_known_root = false;
-  scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
-
-  histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
-  histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
-                                  NULL, CertificateList(), &verify_result);
-  EXPECT_EQ(OK, error);
-  histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 1);
-  histograms.ExpectBucketCount(kTLSFeatureExtensionHistogram, false, 1);
-  histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
-}
-
-// Tests that CertVerifyProc does not record a histogram when a
-// certificate contains the TLS feature extension but chains to a public
-// root.
-TEST(CertVerifyProcTest, HasTLSFeatureExtensionWithPublicRootUMA) {
-  base::HistogramTester histograms;
-  scoped_refptr<X509Certificate> cert(
-      ImportCertFromFile(GetTestCertsDirectory(), "tls_feature_extension.pem"));
-  ASSERT_TRUE(cert);
-  CertVerifyResult result;
-  result.is_issued_by_known_root = true;
-  scoped_refptr<CertVerifyProc> verify_proc = new MockCertVerifyProc(result);
-
-  histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = verify_proc->Verify(cert.get(), "127.0.0.1", std::string(), flags,
-                                  NULL, CertificateList(), &verify_result);
-  EXPECT_EQ(OK, error);
-  histograms.ExpectTotalCount(kTLSFeatureExtensionHistogram, 0);
-  histograms.ExpectTotalCount(kTLSFeatureExtensionOCSPHistogram, 0);
-}
+}  // namespace
 
 }  // namespace net