De-prioritize 2.23.140.1.1 when searching for EV policy.

net/cert/cert_verify_proc_unittest.cc

Index: net/cert/cert_verify_proc_unittest.cc
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index 2b0eadce0d0ac624629dbd1a1c3989d943ebe79f..93437474b3373e42aa14165d6cfa9dd86d0036e0 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -253,6 +253,14 @@ class CertVerifyProcInternalTest
            verify_proc_type() == CERT_VERIFY_PROC_NSS;
   }
 
+  bool SupportsEV() const {
+    // TODO(crbug.com/649017): CertVerifyProcBuiltin does not support EV.
+    // TODO(crbug.com/117478): Android and iOS do not support EV.
+    return verify_proc_type() == CERT_VERIFY_PROC_NSS ||
+           verify_proc_type() == CERT_VERIFY_PROC_WIN ||
+           verify_proc_type() == CERT_VERIFY_PROC_MAC;
+  }
+
   CertVerifyProc* verify_proc() const { return verify_proc_.get(); }
 
  private:
@@ -267,10 +275,7 @@ INSTANTIATE_TEST_CASE_P(,
 // TODO(rsleevi): Reenable this test once comodo.chaim.pem is no longer
 // expired, http://crbug.com/502818
 TEST_P(CertVerifyProcInternalTest, DISABLED_EVVerification) {
-  if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID ||
-      verify_proc_type() == CERT_VERIFY_PROC_OPENSSL) {
-    // TODO(jnd): http://crbug.com/117478 - EV verification is not yet
-    // supported.
+  if (!SupportsEV()) {
     LOG(INFO) << "Skipping test as EV verification is not yet supported";
     return;
   }
@@ -297,6 +302,39 @@ TEST_P(CertVerifyProcInternalTest, DISABLED_EVVerification) {
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
 }
 
+// Tests that a certificate is recognized as EV, when the valid EV policy OID
+// for the trust anchor is the second candidate EV oid in the target
+// certificate. This is a regression test for crbug.com/705285.
+TEST_P(CertVerifyProcInternalTest, EVVerificationMultipleOID) {
+  if (!SupportsEV()) {
+    LOG(INFO) << "Skipping test as EV verification is not yet supported";
+    return;
+  }
+
+  // TODO(eroman): Update this test to use a synthetic certificate, so the test
+  // does not break in the future. The certificate chain in question expires on
+  // Dec 22 23:59:59 2018 GMT 2018, at which point this test will start failing.
+  if (base::Time::Now() >
+      base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1545523199)) {
+    FAIL() << "This test uses a certificate chain which is now expired. Please "
+              "disable and file a bug.";
+    return;
+  }
+
+  scoped_refptr<X509Certificate> chain = CreateCertificateChainFromFile(
+      GetTestCertsDirectory(), "trustcenter.websecurity.symantec.com.pem",
+      X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
+  ASSERT_TRUE(chain);
+
+  scoped_refptr<CRLSet> crl_set(CRLSet::ForTesting(false, NULL, ""));
+  CertVerifyResult verify_result;
+  int flags = CertVerifier::VERIFY_EV_CERT;
+  int error = Verify(chain.get(), "trustcenter.websecurity.symantec.com", flags,
+                     crl_set.get(), CertificateList(), &verify_result);
+  EXPECT_THAT(error, IsOk());
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
+}
+
 // TODO(crbug.com/605457): the test expectation was incorrect on some
 // configurations, so disable the test until it is fixed (better to have
 // a bug to track a failing test than a false sense of security due to