Fix TransportSecurityState unittests to run in --single-process mode.

net/http/transport_security_state_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
@@ skipping 1414 matching lines @@
   EXPECT_TRUE(state.ShouldUpgradeToSSL("www.google.com"));
 }
 
 TEST_F(TransportSecurityStateTest, HPKPReporting) {
   HostPortPair host_port_pair(kHost, kPort);
   HostPortPair subdomain_host_port_pair(kSubdomain, kPort);
   GURL report_uri(kReportUri);
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter.
   scoped_refptr<X509Certificate> cert1 =
-      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
-  ASSERT_TRUE(cert1);
   ASSERT_TRUE(cert2);
 
   HashValueVector good_hashes, bad_hashes;
 
   for (size_t i = 0; kGoodPath[i]; i++)
     EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
   for (size_t i = 0; kBadPath[i]; i++)
     EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
 
   TransportSecurityState state;
@@ skipping 84 matching lines @@
 // Tests that a histogram entry is recorded when TransportSecurityState
 // fails to send an HPKP violation report.
 TEST_F(TransportSecurityStateTest, UMAOnHPKPReportingFailure) {
   base::HistogramTester histograms;
   const std::string histogram_name = "Net.PublicKeyPinReportSendingFailure2";
   HostPortPair host_port_pair(kHost, kPort);
   GURL report_uri(kReportUri);
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter.
   scoped_refptr<X509Certificate> cert1 =
-      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
-  ASSERT_TRUE(cert1);
   ASSERT_TRUE(cert2);
 
   HashValueVector good_hashes, bad_hashes;
 
   for (size_t i = 0; kGoodPath[i]; i++)
     EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
   for (size_t i = 0; kBadPath[i]; i++)
     EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
 
   // The histogram should start off empty.
@@ skipping 19 matching lines @@
   histograms.ExpectBucketCount(histogram_name, -mock_report_sender.net_error(),
                                1);
 }
 
 TEST_F(TransportSecurityStateTest, HPKPReportOnly) {
   HostPortPair host_port_pair(kHost, kPort);
   GURL report_uri(kReportUri);
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter.
   scoped_refptr<X509Certificate> cert1 =
-      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
-  ASSERT_TRUE(cert1);
   ASSERT_TRUE(cert2);
 
   TransportSecurityState state;
   MockCertificateReportSender mock_report_sender;
   state.SetReportSender(&mock_report_sender);
 
   SSLInfo ssl_info;
   ssl_info.is_issued_by_known_root = true;
   ssl_info.unverified_cert = cert1;
   ssl_info.cert = cert2;
@@ skipping 43 matching lines @@
 }
 
 // Tests that Report-Only reports are not sent on certs that chain to
 // local roots.
 TEST_F(TransportSecurityStateTest, HPKPReportOnlyOnLocalRoot) {
   HostPortPair host_port_pair(kHost, kPort);
   GURL report_uri(kReportUri);
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter.
   scoped_refptr<X509Certificate> cert1 =
-      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
-  ASSERT_TRUE(cert1);
   ASSERT_TRUE(cert2);
 
   std::string header =
       "pin-sha256=\"" + std::string(kGoodPin1) + "\";pin-sha256=\"" +
       std::string(kGoodPin2) + "\";pin-sha256=\"" + std::string(kGoodPin3) +
       "\";report-uri=\"" + report_uri.spec() + "\";includeSubdomains";
 
   TransportSecurityState state;
   MockCertificateReportSender mock_report_sender;
   state.SetReportSender(&mock_report_sender);
@@ skipping 13 matching lines @@
 }
 
 // Tests that ProcessHPKPReportOnlyHeader() returns false if a report-uri
 // wasn't specified or if the header fails to parse.
 TEST_F(TransportSecurityStateTest, HPKPReportOnlyParseErrors) {
   HostPortPair host_port_pair(kHost, kPort);
   GURL report_uri(kReportUri);
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter.
   scoped_refptr<X509Certificate> cert1 =
-      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
-  ASSERT_TRUE(cert1);
   ASSERT_TRUE(cert2);
 
   std::string header = "pin-sha256=\"" + std::string(kGoodPin1) +
                        "\";pin-sha256=\"" + std::string(kGoodPin2) +
                        "\";pin-sha256=\"" + std::string(kGoodPin3) + "\"";
 
   TransportSecurityState state;
   MockCertificateReportSender mock_report_sender;
   state.SetReportSender(&mock_report_sender);
 
@@ skipping 31 matching lines @@
   ASSERT_TRUE(pkp_state.HasPublicKeyPins());
 
   GURL report_uri = pkp_state.report_uri;
   ASSERT_TRUE(report_uri.is_valid());
   ASSERT_FALSE(report_uri.is_empty());
 
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter, as long as they are not the real google.com
   // certs in the pins.
   scoped_refptr<X509Certificate> cert1 =
-      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
-  ASSERT_TRUE(cert1);
   ASSERT_TRUE(cert2);
 
   HashValueVector bad_hashes;
   for (size_t i = 0; kBadPath[i]; i++)
     EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
 
   // Trigger a violation and check that it sends a report.
   std::string failure_log;
   EXPECT_EQ(TransportSecurityState::PKPStatus::VIOLATED,
             state.CheckPublicKeyPins(
@@ skipping 24 matching lines @@
   const base::Time current_time = base::Time::Now();
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
   HashValueVector good_hashes;
   for (size_t i = 0; kGoodPath[i]; i++)
     EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
 
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter, as long as they are not the real google.com
   // certs in the pins.
   scoped_refptr<X509Certificate> cert1 =
-      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
-  ASSERT_TRUE(cert1);
   ASSERT_TRUE(cert2);
 
   HashValueVector bad_hashes;
   for (size_t i = 0; kBadPath[i]; i++)
     EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
 
   state.AddHPKP(kHost, expiry, true, good_hashes, https_report_uri);
 
   // Trigger a violation and check that it does not send a report
   // because the report-uri is HTTPS and same-host as the pins.
@@ skipping 16 matching lines @@
 }
 
 // Tests that redundant reports are rate-limited.
 TEST_F(TransportSecurityStateTest, HPKPReportRateLimiting) {
   HostPortPair host_port_pair(kHost, kPort);
   HostPortPair subdomain_host_port_pair(kSubdomain, kPort);
   GURL report_uri(kReportUri);
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter.
   scoped_refptr<X509Certificate> cert1 =
-      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
-  ASSERT_TRUE(cert1);
   ASSERT_TRUE(cert2);
 
   HashValueVector good_hashes, bad_hashes;
 
   for (size_t i = 0; kGoodPath[i]; i++)
     EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes));
   for (size_t i = 0; kBadPath[i]; i++)
     EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
 
   TransportSecurityState state;
@@ skipping 97 matching lines @@
 
 // Tests that the Expect CT reporter is not notified for invalid or absent
 // header values.
 TEST_F(TransportSecurityStateTest, InvalidExpectCTHeader) {
   HostPortPair host_port(kExpectCTStaticHostname, 443);
   SSLInfo ssl_info;
   ssl_info.ct_compliance_details_available = true;
   ssl_info.ct_cert_policy_compliance =
       ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS;
   ssl_info.is_issued_by_known_root = true;
+  scoped_refptr<X509Certificate> cert1 =
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
+  scoped_refptr<X509Certificate> cert2 =
+      ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
+  ASSERT_TRUE(cert2);
+  ssl_info.unverified_cert = cert1;
+  ssl_info.cert = cert2;
 
   TransportSecurityState state;
   TransportSecurityStateTest::EnableStaticExpectCT(&state);
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader("", host_port, ssl_info);
   EXPECT_EQ(0u, reporter.num_failures());
 
   state.ProcessExpectCTHeader("blah blah", host_port, ssl_info);
   EXPECT_EQ(0u, reporter.num_failures());
 
   state.ProcessExpectCTHeader("preload", host_port, ssl_info);
   EXPECT_EQ(1u, reporter.num_failures());
 }
 
 // Tests that the Expect CT reporter is only notified about certificates
 // chaining to public roots.
 TEST_F(TransportSecurityStateTest, ExpectCTNonPublicRoot) {
   HostPortPair host_port(kExpectCTStaticHostname, 443);
   SSLInfo ssl_info;
   ssl_info.ct_compliance_details_available = true;
   ssl_info.ct_cert_policy_compliance =
       ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS;
   ssl_info.is_issued_by_known_root = false;
+  scoped_refptr<X509Certificate> cert1 =
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
+  scoped_refptr<X509Certificate> cert2 =
+      ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
+  ASSERT_TRUE(cert2);
+  ssl_info.unverified_cert = cert1;
+  ssl_info.cert = cert2;
 
   TransportSecurityState state;
   TransportSecurityStateTest::EnableStaticExpectCT(&state);
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader("preload", host_port, ssl_info);
   EXPECT_EQ(0u, reporter.num_failures());
 
   ssl_info.is_issued_by_known_root = true;
   state.ProcessExpectCTHeader("preload", host_port, ssl_info);
   EXPECT_EQ(1u, reporter.num_failures());
 }
 
 // Tests that the Expect CT reporter is not notified when compliance
 // details aren't available.
 TEST_F(TransportSecurityStateTest, ExpectCTComplianceNotAvailable) {
   HostPortPair host_port(kExpectCTStaticHostname, 443);
   SSLInfo ssl_info;
   ssl_info.ct_compliance_details_available = false;
   ssl_info.ct_cert_policy_compliance =
       ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS;
   ssl_info.is_issued_by_known_root = true;
+  scoped_refptr<X509Certificate> cert1 =
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
+  scoped_refptr<X509Certificate> cert2 =
+      ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
+  ASSERT_TRUE(cert2);
+  ssl_info.unverified_cert = cert1;
+  ssl_info.cert = cert2;
 
   TransportSecurityState state;
   TransportSecurityStateTest::EnableStaticExpectCT(&state);
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader("preload", host_port, ssl_info);
   EXPECT_EQ(0u, reporter.num_failures());
 
   ssl_info.ct_compliance_details_available = true;
   state.ProcessExpectCTHeader("preload", host_port, ssl_info);
   EXPECT_EQ(1u, reporter.num_failures());
 }
 
 // Tests that the Expect CT reporter is not notified about compliant
 // connections.
 TEST_F(TransportSecurityStateTest, ExpectCTCompliantCert) {
   HostPortPair host_port(kExpectCTStaticHostname, 443);
   SSLInfo ssl_info;
   ssl_info.ct_compliance_details_available = true;
   ssl_info.ct_cert_policy_compliance =
       ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS;
   ssl_info.is_issued_by_known_root = true;
+  scoped_refptr<X509Certificate> cert1 =
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
+  scoped_refptr<X509Certificate> cert2 =
+      ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
+  ASSERT_TRUE(cert2);
+  ssl_info.unverified_cert = cert1;
+  ssl_info.cert = cert2;
 
   TransportSecurityState state;
   TransportSecurityStateTest::EnableStaticExpectCT(&state);
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader("preload", host_port, ssl_info);
   EXPECT_EQ(0u, reporter.num_failures());
 
   ssl_info.ct_cert_policy_compliance =
       ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS;
   state.ProcessExpectCTHeader("preload", host_port, ssl_info);
   EXPECT_EQ(1u, reporter.num_failures());
 }
 
 // Tests that the Expect CT reporter is not notified for a site that
 // isn't preloaded.
 TEST_F(TransportSecurityStateTest, ExpectCTNotPreloaded) {
   HostPortPair host_port("not-expect-ct-preloaded.test", 443);
   SSLInfo ssl_info;
   ssl_info.ct_compliance_details_available = true;
   ssl_info.ct_cert_policy_compliance =
       ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS;
   ssl_info.is_issued_by_known_root = true;
+  scoped_refptr<X509Certificate> cert1 =
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
+  scoped_refptr<X509Certificate> cert2 =
+      ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
+  ASSERT_TRUE(cert2);
+  ssl_info.unverified_cert = cert1;
+  ssl_info.cert = cert2;
 
   TransportSecurityState state;
   TransportSecurityStateTest::EnableStaticExpectCT(&state);
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader("preload", host_port, ssl_info);
   EXPECT_EQ(0u, reporter.num_failures());
 
   host_port.set_host(kExpectCTStaticHostname);
   state.ProcessExpectCTHeader("preload", host_port, ssl_info);
   EXPECT_EQ(1u, reporter.num_failures());
 }
 
 // Tests that the Expect CT reporter is notified for noncompliant
 // connections.
 TEST_F(TransportSecurityStateTest, ExpectCTReporter) {
   HostPortPair host_port(kExpectCTStaticHostname, 443);
   SSLInfo ssl_info;
   ssl_info.ct_compliance_details_available = true;
   ssl_info.ct_cert_policy_compliance =
       ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS;
   ssl_info.is_issued_by_known_root = true;
   scoped_refptr<X509Certificate> cert1 =
-      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
   ASSERT_TRUE(cert1);
   ASSERT_TRUE(cert2);
   ssl_info.unverified_cert = cert1;
   ssl_info.cert = cert2;
   MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log",
                        std::string(), std::string(), base::Time::Now(),
                        ct::SCT_STATUS_INVALID_SIGNATURE,
                        &ssl_info.signed_certificate_timestamps);
@@ skipping 20 matching lines @@
 // Tests that the Expect CT reporter is not notified for repeated noncompliant
 // connections to the same preloaded host.
 TEST_F(TransportSecurityStateTest, RepeatedExpectCTReportsForStaticExpectCT) {
   HostPortPair host_port(kExpectCTStaticHostname, 443);
   SSLInfo ssl_info;
   ssl_info.ct_compliance_details_available = true;
   ssl_info.ct_cert_policy_compliance =
       ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS;
   ssl_info.is_issued_by_known_root = true;
   scoped_refptr<X509Certificate> cert1 =
-      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
-  ASSERT_TRUE(cert1);
   ASSERT_TRUE(cert2);
   ssl_info.unverified_cert = cert1;
   ssl_info.cert = cert2;
   MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log",
                        std::string(), std::string(), base::Time::Now(),
                        ct::SCT_STATUS_INVALID_SIGNATURE,
                        &ssl_info.signed_certificate_timestamps);
 
   TransportSecurityState state;
   TransportSecurityStateTest::EnableStaticExpectCT(&state);
@@ skipping 298 matching lines @@
   MockCertificateReportSender reporter;
   ExpectStapleErrorResponseData test = GetParam();
 
   std::string ocsp_response;
   if (test.response_status != OCSPVerifyResult::MISSING)
     ocsp_response = "dummy_response";
 
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter.
   scoped_refptr<X509Certificate> cert1 =
-      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
+  ASSERT_TRUE(cert2);
 
   SSLInfo ssl_info;
   ssl_info.cert = cert1;
   ssl_info.unverified_cert = cert2;
   ssl_info.ocsp_result.response_status = test.response_status;
 
   // Reports should only be sent when |is_issued_by_known_root| is true.
   ssl_info.is_issued_by_known_root = true;
   ASSERT_NO_FATAL_FAILURE(
       CheckExpectStapleReport(&state, &reporter, ssl_info, ocsp_response,
@@ skipping 29 matching lines @@
 TEST_P(ExpectStapleErrorCertStatusTest, CheckCertStatusSerialization) {
   TransportSecurityState state;
   TransportSecurityStateTest::SetEnableStaticExpectStaple(&state, true);
   MockCertificateReportSender reporter;
   ExpectStapleErrorCertStatusData test = GetParam();
   std::string ocsp_response = "dummy_response";
 
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter.
   scoped_refptr<X509Certificate> cert1 =
-      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
+  ASSERT_TRUE(cert2);
 
   SSLInfo ssl_info;
   ssl_info.cert = cert1;
   ssl_info.unverified_cert = cert2;
   // |response_status| must be set to PROVIDED for |revocation_status| to have
   // meaning.
   ssl_info.ocsp_result.response_status = OCSPVerifyResult::PROVIDED;
   ssl_info.ocsp_result.revocation_status = test.revocation_status;
 
   // Reports should only be sent when |is_issued_by_known_root| is true.
@@ skipping 18 matching lines @@
   TransportSecurityStateTest::SetEnableStaticExpectStaple(&state, true);
   MockCertificateReportSender reporter;
   state.SetReportSender(&reporter);
 
   // Baked-in preloaded Expect-Staple test hosts.
   HostPortPair host_port(kExpectStapleStaticHostname, 443);
 
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter.
   scoped_refptr<X509Certificate> cert1 =
-      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
+  ASSERT_TRUE(cert2);
 
   SSLInfo ssl_info;
   ssl_info.cert = cert1;
   ssl_info.unverified_cert = cert2;
   ssl_info.ocsp_result.response_status = OCSPVerifyResult::PROVIDED;
   ssl_info.ocsp_result.revocation_status = OCSPRevocationStatus::GOOD;
 
   std::string ocsp_response = "dummy response";
 
   ssl_info.is_issued_by_known_root = true;
@@ skipping 11 matching lines @@
   TransportSecurityState state;
   TransportSecurityStateTest::SetEnableStaticExpectStaple(&state, true);
   MockCertificateReportSender reporter;
   state.SetReportSender(&reporter);
 
   HostPortPair host_port("not-preloaded.host.example", 443);
 
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter.
   scoped_refptr<X509Certificate> cert1 =
-      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
+  ASSERT_TRUE(cert2);
 
   SSLInfo ssl_info;
   ssl_info.cert = cert1;
   ssl_info.unverified_cert = cert2;
   ssl_info.ocsp_result.response_status = OCSPVerifyResult::MISSING;
 
   // Empty response
   std::string ocsp_response;
 
   ssl_info.is_issued_by_known_root = true;
@@ skipping 330 matching lines @@
 
 // Tests that the Expect-CT reporter is not notified for repeated dynamic
 // Expect-CT violations for the same host/port.
 TEST_F(TransportSecurityStateTest, DynamicExpectCTDeduping) {
   const char kHeader[] = "max-age=123,enforce,report-uri=\"http://foo.test\"";
   SSLInfo ssl;
   ssl.is_issued_by_known_root = true;
   ssl.ct_compliance_details_available = true;
   ssl.ct_cert_policy_compliance =
       ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS;
+
   scoped_refptr<X509Certificate> cert1 =
-      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
-  ASSERT_TRUE(cert1);
   ASSERT_TRUE(cert2);
+
   SignedCertificateTimestampAndStatusList sct_list;
 
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(
       TransportSecurityState::kDynamicExpectCTFeature);
   base::Time now = base::Time::Now();
   TransportSecurityState state;
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl);
@@ skipping 141 matching lines @@
 // Tests that dynamic Expect-CT is not processed when CT compliance status
 // wasn't computed.
 TEST_F(TransportSecurityStateTest, DynamicExpectCTNoComplianceDetails) {
   const char kHeader[] = "max-age=123,enforce,report-uri=\"http://foo.test\"";
   SSLInfo ssl;
   ssl.is_issued_by_known_root = true;
   ssl.ct_compliance_details_available = false;
   ssl.ct_cert_policy_compliance =
       ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS;
 
+  scoped_refptr<X509Certificate> cert1 =
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
+  scoped_refptr<X509Certificate> cert2 =
+      ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
+  ASSERT_TRUE(cert2);
+  ssl.unverified_cert = cert1;
+  ssl.cert = cert2;
+
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(
       TransportSecurityState::kDynamicExpectCTFeature);
   TransportSecurityState state;
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl);
   TransportSecurityState::ExpectCTState expect_ct_state;
   EXPECT_FALSE(state.GetDynamicExpectCTState("example.test", &expect_ct_state));
   EXPECT_EQ(0u, reporter.num_failures());
 }
 
 // Tests that Expect-CT reports are sent when an Expect-CT header is received
 // over a non-compliant connection.
 TEST_F(TransportSecurityStateTest,
        DynamicExpectCTHeaderProcessingNonCompliant) {
   const char kHeader[] = "max-age=123,enforce,report-uri=\"http://foo.test\"";
   SSLInfo ssl;
   ssl.is_issued_by_known_root = true;
   ssl.ct_compliance_details_available = true;
   ssl.ct_cert_policy_compliance =
       ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS;
+
   scoped_refptr<X509Certificate> cert1 =
-      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
-  ASSERT_TRUE(cert1);
   ASSERT_TRUE(cert2);
   ssl.unverified_cert = cert1;
   ssl.cert = cert2;
+
   MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log",
                        std::string(), std::string(), base::Time::Now(),
                        ct::SCT_STATUS_INVALID_SIGNATURE,
                        &ssl.signed_certificate_timestamps);
 
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(
       TransportSecurityState::kDynamicExpectCTFeature);
   TransportSecurityState state;
   MockExpectCTReporter reporter;
@@ skipping 12 matching lines @@
   EXPECT_EQ(ssl.signed_certificate_timestamps[0].sct,
             reporter.signed_certificate_timestamps()[0].sct);
 }
 
 // Tests that CheckCTRequirements() returns false if a connection to a host
 // violates an Expect-CT header, and that it reports violations.
 TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCT) {
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
   scoped_refptr<X509Certificate> cert1 =
-      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
-  ASSERT_TRUE(cert1);
   ASSERT_TRUE(cert2);
   SignedCertificateTimestampAndStatusList sct_list;
   MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log",
                        std::string(), std::string(), base::Time::Now(),
                        ct::SCT_STATUS_INVALID_SIGNATURE, &sct_list);
 
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(
       TransportSecurityState::kDynamicExpectCTFeature);
 
@@ skipping 105 matching lines @@
 // Expect-CT-enabled, CheckCTRequirements() sends reports.
 TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCTAndDelegate) {
   using ::testing::_;
   using ::testing::Return;
   using CTRequirementLevel =
       TransportSecurityState::RequireCTDelegate::CTRequirementLevel;
 
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
   scoped_refptr<X509Certificate> cert1 =
-      ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(cert1);
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
-  ASSERT_TRUE(cert1);
   ASSERT_TRUE(cert2);
   SignedCertificateTimestampAndStatusList sct_list;
   MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log",
                        std::string(), std::string(), base::Time::Now(),
                        ct::SCT_STATUS_INVALID_SIGNATURE, &sct_list);
 
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(
       TransportSecurityState::kDynamicExpectCTFeature);
 
@@ skipping 20 matching lines @@
   EXPECT_EQ(443, reporter.host_port_pair().port());
   EXPECT_EQ(cert1.get(), reporter.validated_certificate_chain());
   EXPECT_EQ(cert2.get(), reporter.served_certificate_chain());
   EXPECT_EQ(sct_list.size(), reporter.signed_certificate_timestamps().size());
   EXPECT_EQ(sct_list[0].status,
             reporter.signed_certificate_timestamps()[0].status);
   EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct);
 }
 
 }  // namespace net