Add tests for keyUsage to the built-in cert verifier.

net/cert/internal/verify_certificate_chain.cc

Index: net/cert/internal/verify_certificate_chain.cc
diff --git a/net/cert/internal/verify_certificate_chain.cc b/net/cert/internal/verify_certificate_chain.cc
index 5f2b7d81bd79a87aec372bf13f2c1dbfb7967c87..9a1f6e008401812c794b9515943f2fcb8db40413 100644
--- a/net/cert/internal/verify_certificate_chain.cc
+++ b/net/cert/internal/verify_certificate_chain.cc
@@ -64,14 +64,15 @@ DEFINE_CERT_ERROR_ID(kEkuLacksClientAuth,
 bool IsHandledCriticalExtensionOid(const der::Input& oid) {
   if (oid == BasicConstraintsOid())
     return true;
+  // Key Usage is NOT processed for end-entity certificates (this is the
+  // responsibility of callers), however it is considered "handled" here in
+  // order to allow being marked as critical.
   if (oid == KeyUsageOid())
     return true;
   if (oid == ExtKeyUsageOid())
     return true;
   if (oid == NameConstraintsOid())
     return true;
-  // TODO(eroman): SubjectAltName isn't actually used here, but rather is being
-  // checked by a higher layer.
   if (oid == SubjectAltNameOid())
     return true;
 
@@ -607,8 +608,6 @@ void VerifyCertificateChainNoReturnValue(
                                 &name_constraints_list, cert_errors);
     } else {
       WrapUp(cert, cert_errors);
-      // TODO(eroman): Verify the Key Usage on target is consistent with
-      //               key_purpose.
     }
   }