Add tests for keyUsage to the built-in cert verifier.

net/cert/internal/verify_certificate_chain.h

Index: net/cert/internal/verify_certificate_chain.h
diff --git a/net/cert/internal/verify_certificate_chain.h b/net/cert/internal/verify_certificate_chain.h
index 7abeede6dd46cdc13c16fca22b53fd6415f00d61..e77c6fe1ed4cd1b0b2b3c64a3a52d73bc4052f93 100644
--- a/net/cert/internal/verify_certificate_chain.h
+++ b/net/cert/internal/verify_certificate_chain.h
@@ -30,9 +30,21 @@ enum class KeyPurpose {
   CLIENT_AUTH,
 };
 
-// VerifyCertificateChain() verifies a certificate path (chain) based on the
-// rules in RFC 5280. The caller is responsible for building the path and
-// finding the trust anchor.
+// VerifyCertificateChain() verifies an ordered certificate path in accordance
+// with RFC 5280 (with some modifications [1]).
+//
+// [1] Deviations from RFC 5280:
+//
+//   * If Extended Key Usage appears on intermediates it is treated as a
+//     restriction on subordinate certificates.
+//
+// The caller is responsible for additionally checking:
+//
+//  * The end-entity's KeyUsage before using its SPKI.
+//  * The end-entity's name/subjectAltName (note that name constraints from
+//    intermediates will have already been applied, so just need to check
+//    the end-entity for a match).
+//  * Policies
 //
 // WARNING: This implementation is in progress, and is currently incomplete.
 // Consult an OWNER before using it.