Work around the NSS bugs in the AIA certificate fetch code by retrying...

net/base/test_certificate_data.h

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "base/pickle.h"
-#include "net/base/cert_status_flags.h"
-#include "net/base/cert_verify_result.h"
-#include "net/base/net_errors.h"
-#include "net/base/x509_certificate.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-// Unit tests aren't allowed to access external resources. Unfortunately, to
-// properly verify the EV-ness of a cert, we need to check for its revocation
-// through online servers. If you're manually running unit tests, feel free to
-// turn this on to test EV certs. But leave it turned off for the automated
-// testing.
-#define ALLOW_EXTERNAL_ACCESS 0
-
-#if ALLOW_EXTERNAL_ACCESS && defined(OS_WIN)
-#define TEST_EV 1  // Test CERT_STATUS_IS_EV
-#endif
-
-using base::Time;
-
 namespace {
 
 // Certificates for test data. They're obtained with:
 //
 // $ openssl s_client -connect [host]:443 -showcerts > /tmp/host.pem < /dev/null
 // $ openssl x509 -inform PEM -outform DER < /tmp/host.pem > /tmp/host.der
 // $ xxd -i /tmp/host.der
 //
-// For fingerprint
-// $ openssl x509 -inform DER -fingerprint -noout < /tmp/host.der
-
-// For valid_start, valid_expiry
-// $ openssl x509 -inform DER -text -noout < /tmp/host.der |
-//    grep -A 2 Validity
-// $ date +%s -d '<date str>'
+// TODO(wtc): move these certificates to data files in the
+// src/net/data/ssl/certificates directory.
 
 // Google's cert.
 
 unsigned char google_der[] = {
   0x30, 0x82, 0x03, 0x21, 0x30, 0x82, 0x02, 0x8a, 0xa0, 0x03, 0x02, 0x01,
   0x02, 0x02, 0x10, 0x01, 0x2a, 0x39, 0x76, 0x0d, 0x3f, 0x4f, 0xc9, 0x0b,
   0xe7, 0xbd, 0x2b, 0xcf, 0x95, 0x2e, 0x7a, 0x30, 0x0d, 0x06, 0x09, 0x2a,
   0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x4c,
   0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x5a,
   0x41, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x1c,
@@ skipping 54 matching lines @@
   0x98, 0x72, 0x07, 0x80, 0xc3, 0x59, 0x48, 0x14, 0xe2, 0xd6, 0xef, 0xd0,
   0x8f, 0x33, 0x6a, 0x68, 0x31, 0xfa, 0xb7, 0xbb, 0x85, 0xcc, 0xf7, 0xc7,
   0x47, 0x7b, 0x67, 0x93, 0x3c, 0xc3, 0x16, 0x51, 0x9b, 0x6f, 0x87, 0x20,
   0xfd, 0x67, 0x4c, 0x2b, 0xea, 0x6a, 0x49, 0xdb, 0x11, 0xd1, 0xbd, 0xd7,
   0x95, 0x22, 0x43, 0x7a, 0x06, 0x7b, 0x4e, 0xf6, 0x37, 0x8e, 0xa2, 0xb9,
   0xcf, 0x1f, 0xa5, 0xd2, 0xbd, 0x3b, 0x04, 0x97, 0x39, 0xb3, 0x0f, 0xfa,
   0x38, 0xb5, 0xaf, 0x55, 0x20, 0x88, 0x60, 0x93, 0xf2, 0xde, 0xdb, 0xff,
   0xdf
 };
 
-unsigned char google_fingerprint[] = {
-  0xab, 0xbe, 0x5e, 0xb4, 0x93, 0x88, 0x4e, 0xe4, 0x60, 0xc6, 0xef, 0xf8,
-  0xea, 0xd4, 0xb1, 0x55, 0x4b, 0xc9, 0x59, 0x3c
-};
-
 // webkit.org's cert.
 
 unsigned char webkit_der[] = {
   0x30, 0x82, 0x05, 0x0d, 0x30, 0x82, 0x03, 0xf5, 0xa0, 0x03, 0x02, 0x01,
   0x02, 0x02, 0x03, 0x43, 0xdd, 0x63, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
   0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x81, 0xca,
   0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
   0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x07,
   0x41, 0x72, 0x69, 0x7a, 0x6f, 0x6e, 0x61, 0x31, 0x13, 0x30, 0x11, 0x06,
   0x03, 0x55, 0x04, 0x07, 0x13, 0x0a, 0x53, 0x63, 0x6f, 0x74, 0x74, 0x73,
@@ skipping 94 matching lines @@
   0x0c, 0xa4, 0xff, 0x93, 0x13, 0x1f, 0xfc, 0xba, 0x94, 0x93, 0x8c, 0x64,
   0x15, 0x2e, 0x28, 0xa9, 0x55, 0x8c, 0x2c, 0x48, 0xd3, 0xd3, 0xc1, 0x50,
   0x69, 0x19, 0xe8, 0x34, 0xd3, 0xf1, 0x04, 0x9f, 0x0a, 0x7a, 0x21, 0x87,
   0xbf, 0xb9, 0x59, 0x37, 0x2e, 0xf4, 0x71, 0xa5, 0x3e, 0xbe, 0xcd, 0x70,
   0x83, 0x18, 0xf8, 0x8a, 0x72, 0x85, 0x45, 0x1f, 0x08, 0x01, 0x6f, 0x37,
   0xf5, 0x2b, 0x7b, 0xea, 0xb9, 0x8b, 0xa3, 0xcc, 0xfd, 0x35, 0x52, 0xdd,
   0x66, 0xde, 0x4f, 0x30, 0xc5, 0x73, 0x81, 0xb6, 0xe8, 0x3c, 0xd8, 0x48,
   0x8a
 };
 
-unsigned char webkit_fingerprint[] = {
-  0xa1, 0x4a, 0x94, 0x46, 0x22, 0x8e, 0x70, 0x66, 0x2b, 0x94, 0xf9, 0xf8,
-  0x57, 0x83, 0x2d, 0xa2, 0xff, 0xbc, 0x84, 0xc2
-};
-
 // thawte.com's cert (it's EV-licious!).
 unsigned char thawte_der[] = {
   0x30, 0x82, 0x04, 0xa5, 0x30, 0x82, 0x03, 0x8d, 0xa0, 0x03, 0x02, 0x01,
   0x02, 0x02, 0x10, 0x17, 0x76, 0x05, 0x88, 0x95, 0x58, 0xee, 0xbb, 0x00,
   0xda, 0x10, 0xe5, 0xf0, 0xf3, 0x9c, 0xf0, 0x30, 0x0d, 0x06, 0x09, 0x2a,
   0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x81,
   0x8b, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
   0x55, 0x53, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13,
   0x0c, 0x74, 0x68, 0x61, 0x77, 0x74, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63,
   0x2e, 0x31, 0x39, 0x30, 0x37, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x30,
@@ skipping 84 matching lines @@
   0x05, 0x4b, 0xf7, 0x2d, 0x02, 0xee, 0x50, 0x26, 0xd1, 0x48, 0x01, 0x60,
   0xdc, 0x3c, 0xa7, 0xdb, 0xeb, 0xca, 0x8b, 0xa6, 0xff, 0x9e, 0x47, 0x5d,
   0x87, 0x40, 0xf8, 0xd2, 0x82, 0xd7, 0x13, 0x64, 0x0e, 0xd4, 0xb3, 0x29,
   0x22, 0xa7, 0xe0, 0xc8, 0xcd, 0x8c, 0x4d, 0xf5, 0x11, 0x21, 0x26, 0x02,
   0x43, 0x33, 0x8e, 0xa9, 0x3f, 0x91, 0xd4, 0x05, 0x97, 0xc9, 0xd3, 0x42,
   0x6b, 0x05, 0x99, 0xf6, 0x16, 0x71, 0x67, 0x65, 0xc7, 0x96, 0xdf, 0x2a,
   0xd7, 0x54, 0x63, 0x25, 0xc0, 0x28, 0xf7, 0x1c, 0xee, 0xcd, 0x8b, 0xe4,
   0x9d, 0x32, 0xa3, 0x81, 0x55
 };
 
-unsigned char thawte_fingerprint[] = {
-  0x85, 0x04, 0x2d, 0xfd, 0x2b, 0x0e, 0xc6, 0xc8, 0xaf, 0x2d, 0x77, 0xd6,
-  0xa1, 0x3a, 0x64, 0x04, 0x27, 0x90, 0x97, 0x37
-};
-
 // A certificate for www.paypal.com with a NULL byte in the common name.
 // From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363
 unsigned char paypal_null_der[] = {
   0x30, 0x82, 0x06, 0x44, 0x30, 0x82, 0x05, 0xad, 0xa0, 0x03, 0x02, 0x01,
   0x02, 0x02, 0x03, 0x00, 0xf0, 0x9b, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
   0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x82, 0x01,
   0x12, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
   0x45, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13,
   0x09, 0x42, 0x61, 0x72, 0x63, 0x65, 0x6c, 0x6f, 0x6e, 0x61, 0x31, 0x12,
   0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x42, 0x61, 0x72,
@@ skipping 119 matching lines @@
   0x9e, 0x38, 0x05, 0x9d, 0x52, 0x60, 0xa9, 0x99, 0x0a, 0x81, 0xb4, 0x98,
   0x90, 0x1d, 0xae, 0xbb, 0x4a, 0xd7, 0xb9, 0xdc, 0x88, 0x9e, 0x37, 0x78,
   0x41, 0x5b, 0xf7, 0x82, 0xa5, 0xf2, 0xba, 0x41, 0x25, 0x5a, 0x90, 0x1a,
   0x1e, 0x45, 0x38, 0xa1, 0x52, 0x58, 0x75, 0x94, 0x26, 0x44, 0xfb, 0x20,
   0x07, 0xba, 0x44, 0xcc, 0xe5, 0x4a, 0x2d, 0x72, 0x3f, 0x98, 0x47, 0xf6,
   0x26, 0xdc, 0x05, 0x46, 0x05, 0x07, 0x63, 0x21, 0xab, 0x46, 0x9b, 0x9c,
   0x78, 0xd5, 0x54, 0x5b, 0x3d, 0x0c, 0x1e, 0xc8, 0x64, 0x8c, 0xb5, 0x50,
   0x23, 0x82, 0x6f, 0xdb, 0xb8, 0x22, 0x1c, 0x43, 0x96, 0x07, 0xa8, 0xbb
 };
 
-unsigned char paypal_null_fingerprint[] = {
-  0x4c, 0x88, 0x9e, 0x28, 0xd7, 0x7a, 0x44, 0x1e, 0x13, 0xf2, 0x6a, 0xba,
-  0x1f, 0xe8, 0x1b, 0xd6, 0xab, 0x7b, 0xe8, 0xd7
+// A certificate for https://www.unosoft.hu/, whose AIA extension contains
+// an LDAP URL without a host name.
+unsigned char unosoft_hu_der[] = {
+  0x30, 0x82, 0x05, 0x5c, 0x30, 0x82, 0x04, 0x44, 0xa0, 0x03, 0x02, 0x01,
+  0x02, 0x02, 0x0a, 0x75, 0x02, 0x28, 0x86, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x20, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+  0x01, 0x05, 0x05, 0x00, 0x30, 0x4a, 0x31, 0x15, 0x30, 0x13, 0x06, 0x0a,
+  0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x05,
+  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x31, 0x17, 0x30, 0x15, 0x06, 0x0a, 0x09,
+  0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x07, 0x75,
+  0x6e, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03,
+  0x55, 0x04, 0x03, 0x13, 0x0f, 0x55, 0x4e, 0x4f, 0x2d, 0x53, 0x4f, 0x46,
+  0x54, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,
+  0x30, 0x38, 0x31, 0x32, 0x30, 0x34, 0x31, 0x34, 0x30, 0x37, 0x35, 0x35,
+  0x5a, 0x17, 0x0d, 0x30, 0x39, 0x31, 0x32, 0x30, 0x34, 0x31, 0x34, 0x31,
+  0x37, 0x35, 0x35, 0x5a, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06,
+  0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x48, 0x55, 0x31, 0x0d, 0x30, 0x0b,
+  0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x04, 0x50, 0x45, 0x53, 0x54, 0x31,
+  0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x08, 0x42, 0x75,
+  0x64, 0x61, 0x70, 0x65, 0x73, 0x74, 0x31, 0x27, 0x30, 0x25, 0x06, 0x03,
+  0x55, 0x04, 0x0a, 0x13, 0x1e, 0x55, 0x4e, 0x4f, 0x2d, 0x53, 0x4f, 0x46,
+  0x54, 0x20, 0x53, 0x7a, 0x61, 0x6d, 0x69, 0x74, 0x61, 0x73, 0x74, 0x65,
+  0x63, 0x68, 0x6e, 0x69, 0x6b, 0x61, 0x69, 0x20, 0x4b, 0x46, 0x54, 0x31,
+  0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0e, 0x77, 0x77,
+  0x77, 0x2e, 0x75, 0x6e, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x68, 0x75,
+  0x31, 0x1e, 0x30, 0x1c, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+  0x01, 0x09, 0x01, 0x16, 0x0f, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x75, 0x6e,
+  0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x68, 0x75, 0x30, 0x81, 0x9f, 0x30,
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
+  0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81,
+  0x00, 0xb2, 0x5a, 0xb4, 0xb8, 0x5d, 0x5a, 0xc0, 0x1c, 0x66, 0x80, 0xc2,
+  0x8c, 0x8d, 0xf6, 0xbd, 0x2b, 0x69, 0x34, 0xf3, 0xe8, 0x34, 0x44, 0xe2,
+  0x95, 0x0e, 0xad, 0xbb, 0xa4, 0x6a, 0xcd, 0xdc, 0x61, 0xad, 0x7f, 0x7d,
+  0x07, 0x7b, 0x21, 0x86, 0xaf, 0x8c, 0x6c, 0x04, 0x6b, 0xaf, 0x99, 0x84,
+  0xfd, 0x0d, 0xf5, 0xe4, 0x5c, 0xe5, 0x16, 0x22, 0x06, 0xd1, 0xd9, 0x4c,
+  0xbe, 0x53, 0xaa, 0x76, 0x7f, 0x7b, 0x34, 0xaf, 0x5a, 0x92, 0xbb, 0xf1,
+  0x43, 0xc0, 0xf3, 0x55, 0x83, 0xb2, 0x1a, 0xea, 0x1d, 0x78, 0xc3, 0xf4,
+  0x80, 0xbe, 0xb0, 0xbb, 0x9a, 0xf2, 0x01, 0x9e, 0xcf, 0xec, 0x88, 0xd3,
+  0xa6, 0x49, 0x1f, 0xc4, 0xbb, 0x63, 0x38, 0xb8, 0x90, 0xa8, 0xce, 0xbc,
+  0x31, 0x9d, 0x01, 0xdb, 0x4c, 0x9f, 0x37, 0x16, 0xdf, 0xd5, 0x3b, 0x81,
+  0xf9, 0x9c, 0x74, 0xe6, 0xe2, 0x74, 0xa7, 0xc5, 0x11, 0x02, 0x03, 0x01,
+  0x00, 0x01, 0xa3, 0x82, 0x02, 0x7e, 0x30, 0x82, 0x02, 0x7a, 0x30, 0x1d,
+  0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xab, 0x19, 0xb6,
+  0x23, 0xbf, 0xff, 0x13, 0x66, 0x09, 0xd4, 0x3f, 0x46, 0x6f, 0x6d, 0x6c,
+  0xc9, 0x60, 0x2b, 0xb2, 0x0f, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
+  0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x29, 0x53, 0x4a, 0x9d, 0x9c, 0xd9,
+  0xf9, 0xda, 0x04, 0xfe, 0x46, 0x3a, 0x76, 0x49, 0x5c, 0xdd, 0x3b, 0x0e,
+  0x98, 0x76, 0x30, 0x82, 0x01, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04,
+  0x82, 0x01, 0x05, 0x30, 0x82, 0x01, 0x01, 0x30, 0x81, 0xfe, 0xa0, 0x81,
+  0xfb, 0xa0, 0x81, 0xf8, 0x86, 0x81, 0xb8, 0x6c, 0x64, 0x61, 0x70, 0x3a,
+  0x2f, 0x2f, 0x2f, 0x43, 0x4e, 0x3d, 0x55, 0x4e, 0x4f, 0x2d, 0x53, 0x4f,
+  0x46, 0x54, 0x25, 0x32, 0x30, 0x52, 0x6f, 0x6f, 0x74, 0x43, 0x41, 0x2c,
+  0x43, 0x4e, 0x3d, 0x55, 0x4e, 0x4f, 0x44, 0x43, 0x2c, 0x43, 0x4e, 0x3d,
+  0x43, 0x44, 0x50, 0x2c, 0x43, 0x4e, 0x3d, 0x50, 0x75, 0x62, 0x6c, 0x69,
+  0x63, 0x25, 0x32, 0x30, 0x4b, 0x65, 0x79, 0x25, 0x32, 0x30, 0x53, 0x65,
+  0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x2c, 0x43, 0x4e, 0x3d, 0x53, 0x65,
+  0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x2c, 0x43, 0x4e, 0x3d, 0x43, 0x6f,
+  0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2c,
+  0x44, 0x43, 0x3d, 0x75, 0x6e, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2c, 0x44,
+  0x43, 0x3d, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x3f, 0x63, 0x65, 0x72, 0x74,
+  0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x76, 0x6f, 0x63,
+  0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4c, 0x69, 0x73, 0x74, 0x3f, 0x62, 0x61,
+  0x73, 0x65, 0x3f, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6c, 0x61,
+  0x73, 0x73, 0x3d, 0x63, 0x52, 0x4c, 0x44, 0x69, 0x73, 0x74, 0x72, 0x69,
+  0x62, 0x75, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x6f, 0x69, 0x6e, 0x74, 0x86,
+  0x3b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x75, 0x6e, 0x6f, 0x64,
+  0x63, 0x2e, 0x75, 0x6e, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x6c, 0x6f,
+  0x63, 0x61, 0x6c, 0x2f, 0x43, 0x65, 0x72, 0x74, 0x45, 0x6e, 0x72, 0x6f,
+  0x6c, 0x6c, 0x2f, 0x55, 0x4e, 0x4f, 0x2d, 0x53, 0x4f, 0x46, 0x54, 0x25,
+  0x32, 0x30, 0x52, 0x6f, 0x6f, 0x74, 0x43, 0x41, 0x2e, 0x63, 0x72, 0x6c,
+  0x30, 0x82, 0x01, 0x24, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
+  0x01, 0x01, 0x04, 0x82, 0x01, 0x16, 0x30, 0x82, 0x01, 0x12, 0x30, 0x81,
+  0xb2, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86,
+  0x81, 0xa5, 0x6c, 0x64, 0x61, 0x70, 0x3a, 0x2f, 0x2f, 0x2f, 0x43, 0x4e,
+  0x3d, 0x55, 0x4e, 0x4f, 0x2d, 0x53, 0x4f, 0x46, 0x54, 0x25, 0x32, 0x30,
+  0x52, 0x6f, 0x6f, 0x74, 0x43, 0x41, 0x2c, 0x43, 0x4e, 0x3d, 0x41, 0x49,
+  0x41, 0x2c, 0x43, 0x4e, 0x3d, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x25,
+  0x32, 0x30, 0x4b, 0x65, 0x79, 0x25, 0x32, 0x30, 0x53, 0x65, 0x72, 0x76,
+  0x69, 0x63, 0x65, 0x73, 0x2c, 0x43, 0x4e, 0x3d, 0x53, 0x65, 0x72, 0x76,
+  0x69, 0x63, 0x65, 0x73, 0x2c, 0x43, 0x4e, 0x3d, 0x43, 0x6f, 0x6e, 0x66,
+  0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2c, 0x44, 0x43,
+  0x3d, 0x75, 0x6e, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2c, 0x44, 0x43, 0x3d,
+  0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x3f, 0x63, 0x41, 0x43, 0x65, 0x72, 0x74,
+  0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x3f, 0x62, 0x61, 0x73, 0x65,
+  0x3f, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6c, 0x61, 0x73, 0x73,
+  0x3d, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69,
+  0x6f, 0x6e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30,
+  0x5b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86,
+  0x4f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x75, 0x6e, 0x6f, 0x64,
+  0x63, 0x2e, 0x75, 0x6e, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x6c, 0x6f,
+  0x63, 0x61, 0x6c, 0x2f, 0x43, 0x65, 0x72, 0x74, 0x45, 0x6e, 0x72, 0x6f,
+  0x6c, 0x6c, 0x2f, 0x55, 0x4e, 0x4f, 0x44, 0x43, 0x2e, 0x75, 0x6e, 0x6f,
+  0x73, 0x6f, 0x66, 0x74, 0x2e, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x5f, 0x55,
+  0x4e, 0x4f, 0x2d, 0x53, 0x4f, 0x46, 0x54, 0x25, 0x32, 0x30, 0x52, 0x6f,
+  0x6f, 0x74, 0x43, 0x41, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09,
+  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03,
+  0x82, 0x01, 0x01, 0x00, 0x12, 0x4c, 0xed, 0xb1, 0x85, 0xb3, 0x95, 0x66,
+  0xe6, 0xd0, 0xa6, 0x4c, 0x5c, 0x5b, 0x7f, 0x64, 0xa0, 0xdc, 0x42, 0x56,
+  0x31, 0xb7, 0xa7, 0x4c, 0xd2, 0x34, 0x08, 0x28, 0xbb, 0xbf, 0xad, 0xee,
+  0xcf, 0xdd, 0xcc, 0xb0, 0x89, 0xea, 0x56, 0x9d, 0xcc, 0xc2, 0xfd, 0x64,
+  0x7f, 0x4d, 0x2a, 0xa3, 0x32, 0xa1, 0x4f, 0xb0, 0x8c, 0xd7, 0xa9, 0xb2,
+  0xd0, 0xcc, 0x89, 0x10, 0x59, 0x0d, 0x6b, 0x41, 0x5a, 0x63, 0x3e, 0x08,
+  0x54, 0x87, 0x81, 0x74, 0x6d, 0x0e, 0x2f, 0xce, 0x56, 0xf1, 0xde, 0xf2,
+  0x32, 0x63, 0xd5, 0xbc, 0xbe, 0x0b, 0x79, 0x67, 0x87, 0x19, 0xde, 0x12,
+  0xc5, 0xe1, 0xba, 0xc3, 0xae, 0x21, 0xf5, 0x39, 0x17, 0x1f, 0xbd, 0x53,
+  0xd2, 0x1d, 0x90, 0x48, 0x3b, 0x65, 0x5d, 0xc7, 0x2f, 0x8a, 0xb2, 0x92,
+  0xba, 0xd5, 0xd6, 0x5e, 0x6b, 0x07, 0x1d, 0xb7, 0x35, 0x93, 0x02, 0x6f,
+  0xe3, 0x9e, 0xc5, 0x3a, 0xf9, 0xed, 0xf4, 0x11, 0x78, 0xf4, 0x65, 0xe9,
+  0xe1, 0x3e, 0xee, 0xca, 0xfa, 0x76, 0xe5, 0x50, 0x4f, 0x78, 0xe7, 0xc0,
+  0x8a, 0x17, 0xfe, 0xbf, 0x3c, 0x6d, 0x03, 0xf2, 0xbe, 0x9f, 0xa8, 0x84,
+  0xe8, 0x24, 0xb4, 0xd4, 0x45, 0x95, 0x0b, 0x7d, 0x47, 0xfd, 0xe0, 0x96,
+  0x13, 0x53, 0x3f, 0x1a, 0x75, 0xd7, 0x10, 0x57, 0xbf, 0xf6, 0xf9, 0x0e,
+  0xf1, 0x84, 0x09, 0x77, 0x99, 0x2b, 0xae, 0x2e, 0x71, 0x19, 0x2f, 0x92,
+  0x22, 0x00, 0x70, 0xb1, 0x3e, 0xcc, 0x41, 0x37, 0x9f, 0x4c, 0xd8, 0x84,
+  0x02, 0x97, 0x74, 0x1b, 0xc6, 0x43, 0x54, 0x26, 0xed, 0x8e, 0x92, 0xe5,
+  0x33, 0x27, 0x64, 0x21, 0xc9, 0x52, 0xde, 0xfe, 0x49, 0x29, 0xb8, 0x65,
+  0x6e, 0x32, 0xa0, 0x65, 0x86, 0xe3, 0x52, 0x90, 0x44, 0x2c, 0x30, 0x86,
+  0x63, 0x50, 0x96, 0x9a, 0x0b, 0x23, 0x0f, 0x40
 };
 
 }  // namespace
-
-namespace net {
-
-TEST(X509CertificateTest, GoogleCertParsing) {
-  scoped_refptr<X509Certificate> google_cert = X509Certificate::CreateFromBytes(
-      reinterpret_cast<const char*>(google_der), sizeof(google_der));
-
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert);
-
-  const X509Certificate::Principal& subject = google_cert->subject();
-  EXPECT_EQ("www.google.com", subject.common_name);
-  EXPECT_EQ("Mountain View", subject.locality_name);
-  EXPECT_EQ("California", subject.state_or_province_name);
-  EXPECT_EQ("US", subject.country_name);
-  EXPECT_EQ(0U, subject.street_addresses.size());
-  EXPECT_EQ(1U, subject.organization_names.size());
-  EXPECT_EQ("Google Inc", subject.organization_names[0]);
-  EXPECT_EQ(0U, subject.organization_unit_names.size());
-  EXPECT_EQ(0U, subject.domain_components.size());
-
-  const X509Certificate::Principal& issuer = google_cert->issuer();
-  EXPECT_EQ("Thawte SGC CA", issuer.common_name);
-  EXPECT_EQ("", issuer.locality_name);
-  EXPECT_EQ("", issuer.state_or_province_name);
-  EXPECT_EQ("ZA", issuer.country_name);
-  EXPECT_EQ(0U, issuer.street_addresses.size());
-  EXPECT_EQ(1U, issuer.organization_names.size());
-  EXPECT_EQ("Thawte Consulting (Pty) Ltd.", issuer.organization_names[0]);
-  EXPECT_EQ(0U, issuer.organization_unit_names.size());
-  EXPECT_EQ(0U, issuer.domain_components.size());
-
-  // Use DoubleT because its epoch is the same on all platforms
-  const Time& valid_start = google_cert->valid_start();
-  EXPECT_EQ(1238192407, valid_start.ToDoubleT());  // Mar 27 22:20:07 2009 GMT
-
-  const Time& valid_expiry = google_cert->valid_expiry();
-  EXPECT_EQ(1269728407, valid_expiry.ToDoubleT());  // Mar 27 22:20:07 2010 GMT
-
-  const X509Certificate::Fingerprint& fingerprint = google_cert->fingerprint();
-  for (size_t i = 0; i < 20; ++i)
-    EXPECT_EQ(google_fingerprint[i], fingerprint.data[i]);
-
-  std::vector<std::string> dns_names;
-  google_cert->GetDNSNames(&dns_names);
-  EXPECT_EQ(1U, dns_names.size());
-  EXPECT_EQ("www.google.com", dns_names[0]);
-
-#if TEST_EV
-  // TODO(avi): turn this on for the Mac once EV checking is implemented.
-  CertVerifyResult verify_result;
-  int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED |
-                X509Certificate::VERIFY_EV_CERT;
-  EXPECT_EQ(OK, google_cert->Verify("www.google.com", flags, &verify_result));
-  EXPECT_EQ(0, verify_result.cert_status & CERT_STATUS_IS_EV);
-#endif
-}
-
-TEST(X509CertificateTest, WebkitCertParsing) {
-  scoped_refptr<X509Certificate> webkit_cert = X509Certificate::CreateFromBytes(
-      reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der));
-
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), webkit_cert);
-
-  const X509Certificate::Principal& subject = webkit_cert->subject();
-  EXPECT_EQ("Cupertino", subject.locality_name);
-  EXPECT_EQ("California", subject.state_or_province_name);
-  EXPECT_EQ("US", subject.country_name);
-  EXPECT_EQ(0U, subject.street_addresses.size());
-  EXPECT_EQ(1U, subject.organization_names.size());
-  EXPECT_EQ("Apple Inc.", subject.organization_names[0]);
-  EXPECT_EQ(1U, subject.organization_unit_names.size());
-  EXPECT_EQ("Mac OS Forge", subject.organization_unit_names[0]);
-  EXPECT_EQ(0U, subject.domain_components.size());
-
-  const X509Certificate::Principal& issuer = webkit_cert->issuer();
-  EXPECT_EQ("Go Daddy Secure Certification Authority", issuer.common_name);
-  EXPECT_EQ("Scottsdale", issuer.locality_name);
-  EXPECT_EQ("Arizona", issuer.state_or_province_name);
-  EXPECT_EQ("US", issuer.country_name);
-  EXPECT_EQ(0U, issuer.street_addresses.size());
-  EXPECT_EQ(1U, issuer.organization_names.size());
-  EXPECT_EQ("GoDaddy.com, Inc.", issuer.organization_names[0]);
-  EXPECT_EQ(1U, issuer.organization_unit_names.size());
-  EXPECT_EQ("http://certificates.godaddy.com/repository",
-      issuer.organization_unit_names[0]);
-  EXPECT_EQ(0U, issuer.domain_components.size());
-
-  // Use DoubleT because its epoch is the same on all platforms
-  const Time& valid_start = webkit_cert->valid_start();
-  EXPECT_EQ(1205883319, valid_start.ToDoubleT());  // Mar 18 23:35:19 2008 GMT
-
-  const Time& valid_expiry = webkit_cert->valid_expiry();
-  EXPECT_EQ(1300491319, valid_expiry.ToDoubleT());  // Mar 18 23:35:19 2011 GMT
-
-  const X509Certificate::Fingerprint& fingerprint = webkit_cert->fingerprint();
-  for (size_t i = 0; i < 20; ++i)
-    EXPECT_EQ(webkit_fingerprint[i], fingerprint.data[i]);
-
-  std::vector<std::string> dns_names;
-  webkit_cert->GetDNSNames(&dns_names);
-  EXPECT_EQ(2U, dns_names.size());
-  EXPECT_EQ("*.webkit.org", dns_names[0]);
-  EXPECT_EQ("webkit.org", dns_names[1]);
-
-#if TEST_EV
-  int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED |
-                X509Certificate::VERIFY_EV_CERT;
-  CertVerifyResult verify_result;
-  EXPECT_EQ(OK, webkit_cert->Verify("webkit.org", flags, &verify_result));
-  EXPECT_EQ(0, verify_result.cert_status & CERT_STATUS_IS_EV);
-#endif
-}
-
-TEST(X509CertificateTest, ThawteCertParsing) {
-  scoped_refptr<X509Certificate> thawte_cert = X509Certificate::CreateFromBytes(
-      reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der));
-
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), thawte_cert);
-
-  const X509Certificate::Principal& subject = thawte_cert->subject();
-  EXPECT_EQ("www.thawte.com", subject.common_name);
-  EXPECT_EQ("Mountain View", subject.locality_name);
-  EXPECT_EQ("California", subject.state_or_province_name);
-  EXPECT_EQ("US", subject.country_name);
-  EXPECT_EQ(0U, subject.street_addresses.size());
-  EXPECT_EQ(1U, subject.organization_names.size());
-  EXPECT_EQ("Thawte Inc", subject.organization_names[0]);
-  EXPECT_EQ(0U, subject.organization_unit_names.size());
-  EXPECT_EQ(0U, subject.domain_components.size());
-
-  const X509Certificate::Principal& issuer = thawte_cert->issuer();
-  EXPECT_EQ("thawte Extended Validation SSL CA", issuer.common_name);
-  EXPECT_EQ("", issuer.locality_name);
-  EXPECT_EQ("", issuer.state_or_province_name);
-  EXPECT_EQ("US", issuer.country_name);
-  EXPECT_EQ(0U, issuer.street_addresses.size());
-  EXPECT_EQ(1U, issuer.organization_names.size());
-  EXPECT_EQ("thawte, Inc.", issuer.organization_names[0]);
-  EXPECT_EQ(1U, issuer.organization_unit_names.size());
-  EXPECT_EQ("Terms of use at https://www.thawte.com/cps (c)06",
-            issuer.organization_unit_names[0]);
-  EXPECT_EQ(0U, issuer.domain_components.size());
-
-  // Use DoubleT because its epoch is the same on all platforms
-  const Time& valid_start = thawte_cert->valid_start();
-  EXPECT_EQ(1227052800, valid_start.ToDoubleT());  // Nov 19 00:00:00 2008 GMT
-
-  const Time& valid_expiry = thawte_cert->valid_expiry();
-  EXPECT_EQ(1263772799, valid_expiry.ToDoubleT());  // Jan 17 23:59:59 2010 GMT
-
-  const X509Certificate::Fingerprint& fingerprint = thawte_cert->fingerprint();
-  for (size_t i = 0; i < 20; ++i)
-    EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]);
-
-  std::vector<std::string> dns_names;
-  thawte_cert->GetDNSNames(&dns_names);
-  EXPECT_EQ(1U, dns_names.size());
-  EXPECT_EQ("www.thawte.com", dns_names[0]);
-
-#if TEST_EV
-  int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED |
-                X509Certificate::VERIFY_EV_CERT;
-  CertVerifyResult verify_result;
-  // EV cert verification requires revocation checking.
-  EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, &verify_result));
-  EXPECT_NE(0, verify_result.cert_status & CERT_STATUS_IS_EV);
-  // Consequently, if we don't have revocation checking enabled, we can't claim
-  // any cert is EV.
-  flags = X509Certificate::VERIFY_EV_CERT;
-  EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, &verify_result));
-  EXPECT_EQ(0, verify_result.cert_status & CERT_STATUS_IS_EV);
-#endif
-}
-
-TEST(X509CertificateTest, PaypalNullCertParsing) {
-  scoped_refptr<X509Certificate> paypal_null_cert =
-      X509Certificate::CreateFromBytes(
-          reinterpret_cast<const char*>(paypal_null_der),
-          sizeof(paypal_null_der));
-
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert);
-
-  const X509Certificate::Fingerprint& fingerprint =
-      paypal_null_cert->fingerprint();
-  for (size_t i = 0; i < 20; ++i)
-    EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = paypal_null_cert->Verify("www.paypal.com", flags,
-                                       &verify_result);
-  EXPECT_NE(OK, error);
-  // Either the system crypto library should correctly report a certificate
-  // name mismatch, or our certificate blacklist should cause us to report an
-  // invalid certificate.
-#if defined(OS_WIN)
-  // TODO(wtc): The Linux try bots still have NSS 3.12.0.  They need to be
-  // updated to NSS 3.12.3.1 or later.
-  EXPECT_NE(0, verify_result.cert_status &
-            (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
-#endif
-}
-
-// Tests X509Certificate::Cache via X509Certificate::CreateFromHandle.  We
-// call X509Certificate::CreateFromHandle several times and observe whether
-// it returns a cached or new X509Certificate object.
-//
-// All the OS certificate handles in this test are actually from the same
-// source (the bytes of a lone certificate), but we pretend that some of them
-// come from the network.
-TEST(X509CertificateTest, Cache) {
-  X509Certificate::OSCertHandle google_cert_handle;
-
-  // Add a certificate from the source SOURCE_LONE_CERT_IMPORT to our
-  // certificate cache.
-  google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
-      reinterpret_cast<const char*>(google_der), sizeof(google_der));
-  scoped_refptr<X509Certificate> cert1 = X509Certificate::CreateFromHandle(
-      google_cert_handle, X509Certificate::SOURCE_LONE_CERT_IMPORT);
-
-  // Add a certificate from the same source (SOURCE_LONE_CERT_IMPORT).  This
-  // should return the cached certificate (cert1).
-  google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
-      reinterpret_cast<const char*>(google_der), sizeof(google_der));
-  scoped_refptr<X509Certificate> cert2 = X509Certificate::CreateFromHandle(
-      google_cert_handle, X509Certificate::SOURCE_LONE_CERT_IMPORT);
-
-  EXPECT_EQ(cert1, cert2);
-
-  // Add a certificate from the network.  This should kick out the original
-  // cached certificate (cert1) and return a new certificate.
-  google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
-      reinterpret_cast<const char*>(google_der), sizeof(google_der));
-  scoped_refptr<X509Certificate> cert3 = X509Certificate::CreateFromHandle(
-      google_cert_handle, X509Certificate::SOURCE_FROM_NETWORK);
-
-  EXPECT_NE(cert1, cert3);
-
-  // Add one certificate from each source.  Both should return the new cached
-  // certificate (cert3).
-  google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
-      reinterpret_cast<const char*>(google_der), sizeof(google_der));
-  scoped_refptr<X509Certificate> cert4 = X509Certificate::CreateFromHandle(
-      google_cert_handle, X509Certificate::SOURCE_FROM_NETWORK);
-
-  EXPECT_EQ(cert3, cert4);
-
-  google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
-      reinterpret_cast<const char*>(google_der), sizeof(google_der));
-  scoped_refptr<X509Certificate> cert5 = X509Certificate::CreateFromHandle(
-      google_cert_handle, X509Certificate::SOURCE_FROM_NETWORK);
-
-  EXPECT_EQ(cert3, cert5);
-}
-
-TEST(X509CertificateTest, Pickle) {
-  scoped_refptr<X509Certificate> cert1 = X509Certificate::CreateFromBytes(
-      reinterpret_cast<const char*>(google_der), sizeof(google_der));
-
-  Pickle pickle;
-  cert1->Persist(&pickle);
-
-  void* iter = NULL;
-  scoped_refptr<X509Certificate> cert2 =
-      X509Certificate::CreateFromPickle(pickle, &iter);
-
-  EXPECT_EQ(cert1, cert2);
-}
-
-TEST(X509CertificateTest, Policy) {
-  scoped_refptr<X509Certificate> google_cert = X509Certificate::CreateFromBytes(
-      reinterpret_cast<const char*>(google_der), sizeof(google_der));
-
-  scoped_refptr<X509Certificate> webkit_cert = X509Certificate::CreateFromBytes(
-      reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der));
-
-  X509Certificate::Policy policy;
-
-  EXPECT_EQ(policy.Check(google_cert.get()), X509Certificate::Policy::UNKNOWN);
-  EXPECT_EQ(policy.Check(webkit_cert.get()), X509Certificate::Policy::UNKNOWN);
-  EXPECT_FALSE(policy.HasAllowedCert());
-  EXPECT_FALSE(policy.HasDeniedCert());
-
-  policy.Allow(google_cert.get());
-
-  EXPECT_EQ(policy.Check(google_cert.get()), X509Certificate::Policy::ALLOWED);
-  EXPECT_EQ(policy.Check(webkit_cert.get()), X509Certificate::Policy::UNKNOWN);
-  EXPECT_TRUE(policy.HasAllowedCert());
-  EXPECT_FALSE(policy.HasDeniedCert());
-
-  policy.Deny(google_cert.get());
-
-  EXPECT_EQ(policy.Check(google_cert.get()), X509Certificate::Policy::DENIED);
-  EXPECT_EQ(policy.Check(webkit_cert.get()), X509Certificate::Policy::UNKNOWN);
-  EXPECT_FALSE(policy.HasAllowedCert());
-  EXPECT_TRUE(policy.HasDeniedCert());
-
-  policy.Allow(webkit_cert.get());
-
-  EXPECT_EQ(policy.Check(google_cert.get()), X509Certificate::Policy::DENIED);
-  EXPECT_EQ(policy.Check(webkit_cert.get()), X509Certificate::Policy::ALLOWED);
-  EXPECT_TRUE(policy.HasAllowedCert());
-  EXPECT_TRUE(policy.HasDeniedCert());
-}
-
-}  // namespace net