Introduce CertVerifierProc to handle system cert validation.

net/base/x509_certificate_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/file_path.h"
-#include "base/file_util.h"
-#include "base/path_service.h"
+#include "base/memory/scoped_ptr.h"
 #include "base/pickle.h"
 #include "base/sha1.h"
 #include "base/string_number_conversions.h"
 #include "base/string_split.h"
 #include "crypto/rsa_private_key.h"
 #include "net/base/asn1_util.h"
-#include "net/base/cert_status_flags.h"
 #include "net/base/cert_test_util.h"
-#include "net/base/cert_verify_result.h"
-#include "net/base/crl_set.h"
 #include "net/base/net_errors.h"
 #include "net/base/test_certificate_data.h"
-#include "net/base/test_root_certs.h"
 #include "net/base/x509_certificate.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 #if defined(USE_NSS)
 #include <cert.h>
 #endif
 
-#if defined(OS_WIN)
-#include "base/win/windows_version.h"
-#elif defined(OS_MACOSX)
-#include "base/mac/mac_util.h"
-#endif
-
 using base::HexEncode;
 using base::Time;
 
 namespace net {
 
 // Certificates for test data. They're obtained with:
 //
 // $ openssl s_client -connect [host]:443 -showcerts > /tmp/host.pem < /dev/null
 // $ openssl x509 -inform PEM -outform DER < /tmp/host.pem > /tmp/host.der
 //
@@ skipping 16 matching lines @@
   0xa1, 0x4a, 0x94, 0x46, 0x22, 0x8e, 0x70, 0x66, 0x2b, 0x94, 0xf9, 0xf8,
   0x57, 0x83, 0x2d, 0xa2, 0xff, 0xbc, 0x84, 0xc2
 };
 
 // thawte.com's cert (it's EV-licious!).
 unsigned char thawte_fingerprint[] = {
   0x85, 0x04, 0x2d, 0xfd, 0x2b, 0x0e, 0xc6, 0xc8, 0xaf, 0x2d, 0x77, 0xd6,
   0xa1, 0x3a, 0x64, 0x04, 0x27, 0x90, 0x97, 0x37
 };
 
-// A certificate for www.paypal.com with a NULL byte in the common name.
-// From http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/70363
-unsigned char paypal_null_fingerprint[] = {
-  0x4c, 0x88, 0x9e, 0x28, 0xd7, 0x7a, 0x44, 0x1e, 0x13, 0xf2, 0x6a, 0xba,
-  0x1f, 0xe8, 0x1b, 0xd6, 0xab, 0x7b, 0xe8, 0xd7
-};
-
 // A certificate for https://www.unosoft.hu/, whose AIA extension contains
 // an LDAP URL without a host name.
 unsigned char unosoft_hu_fingerprint[] = {
   0x32, 0xff, 0xe3, 0xbe, 0x2c, 0x3b, 0xc7, 0xca, 0xbf, 0x2d, 0x64, 0xbd,
   0x25, 0x66, 0xf2, 0xec, 0x8b, 0x0f, 0xbf, 0xd8
 };
 
 // The fingerprint of the Google certificate used in the parsing tests,
 // which is newer than the one included in the x509_certificate_data.h
 unsigned char google_parse_fingerprint[] = {
@@ skipping 183 matching lines @@
   EXPECT_EQ("webkit.org", dns_names[1]);
 
   // Test that the wildcard cert matches properly.
   EXPECT_TRUE(webkit_cert->VerifyNameMatch("www.webkit.org"));
   EXPECT_TRUE(webkit_cert->VerifyNameMatch("foo.webkit.org"));
   EXPECT_TRUE(webkit_cert->VerifyNameMatch("webkit.org"));
   EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.webkit.com"));
   EXPECT_FALSE(webkit_cert->VerifyNameMatch("www.foo.webkit.com"));
 }
 
-TEST(X509CertificateTest, WithoutRevocationChecking) {
-  // Check that verification without revocation checking works.
-  CertificateList certs = CreateCertificateListFromFile(
-      GetTestCertsDirectory(),
-      "googlenew.chain.pem",
-      X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
-
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(certs[1]->os_cert_handle());
-
-  scoped_refptr<X509Certificate> google_full_chain =
-      X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
-                                        intermediates);
-
-  CertVerifyResult verify_result;
-  EXPECT_EQ(OK, google_full_chain->Verify("www.google.com", 0 /* flags */, NULL,
-                                          &verify_result));
-}
-
 TEST(X509CertificateTest, ThawteCertParsing) {
   scoped_refptr<X509Certificate> thawte_cert(X509Certificate::CreateFromBytes(
       reinterpret_cast<const char*>(thawte_der), sizeof(thawte_der)));
 
   ASSERT_NE(static_cast<X509Certificate*>(NULL), thawte_cert);
 
   const CertPrincipal& subject = thawte_cert->subject();
   EXPECT_EQ("www.thawte.com", subject.common_name);
   EXPECT_EQ("Mountain View", subject.locality_name);
   EXPECT_EQ("California", subject.state_or_province_name);
@@ skipping 27 matching lines @@
   const SHA1Fingerprint& fingerprint = thawte_cert->fingerprint();
   for (size_t i = 0; i < 20; ++i)
     EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]);
 
   std::vector<std::string> dns_names;
   thawte_cert->GetDNSNames(&dns_names);
   ASSERT_EQ(1U, dns_names.size());
   EXPECT_EQ("www.thawte.com", dns_names[0]);
 }
 
-#if defined(OS_ANDROID) || defined(USE_OPENSSL)
-// TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported.
-#define MAYBE_EVVerification DISABLED_EVVerification
-#else
-#define MAYBE_EVVerification EVVerification
-#endif
-TEST(X509CertificateTest, MAYBE_EVVerification) {
-  // This certificate will expire Jun 21, 2013.
-  CertificateList certs = CreateCertificateListFromFile(
-      GetTestCertsDirectory(),
-      "comodo.chain.pem",
-      X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
-  ASSERT_EQ(3U, certs.size());
-
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(certs[1]->os_cert_handle());
-  intermediates.push_back(certs[2]->os_cert_handle());
-
-  scoped_refptr<X509Certificate> comodo_chain =
-      X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
-                                        intermediates);
-
-  scoped_refptr<CRLSet> crl_set(CRLSet::EmptyCRLSetForTesting());
-  CertVerifyResult verify_result;
-  int flags = X509Certificate::VERIFY_EV_CERT;
-  int error = comodo_chain->Verify(
-      "comodo.com", flags, crl_set.get(), &verify_result);
-  EXPECT_EQ(OK, error);
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
-}
-
 // Test that all desired AttributeAndValue pairs can be extracted when only
 // a single RelativeDistinguishedName is present. "Normally" there is only
 // one AVA per RDN, but some CAs place all AVAs within a single RDN.
 // This is a regression test for http://crbug.com/101009
 TEST(X509CertificateTest, MultivalueRDN) {
   FilePath certs_dir = GetTestCertsDirectory();
 
   scoped_refptr<X509Certificate> multivalue_rdn_cert =
       ImportCertFromFile(certs_dir, "multivalue_rdn.pem");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), multivalue_rdn_cert);
@@ skipping 30 matching lines @@
   ASSERT_EQ(1U, subject.street_addresses.size());
   EXPECT_EQ("1600 Amphitheatre Parkway", subject.street_addresses[0]);
   ASSERT_EQ(1U, subject.organization_names.size());
   EXPECT_EQ("Chromium = \"net_unittests\"", subject.organization_names[0]);
   ASSERT_EQ(2U, subject.organization_unit_names.size());
   EXPECT_EQ("net_unittests", subject.organization_unit_names[0]);
   EXPECT_EQ("Chromium", subject.organization_unit_names[1]);
   EXPECT_EQ(0U, subject.domain_components.size());
 }
 
-TEST(X509CertificateTest, PaypalNullCertParsing) {
-  scoped_refptr<X509Certificate> paypal_null_cert(
-      X509Certificate::CreateFromBytes(
-          reinterpret_cast<const char*>(paypal_null_der),
-          sizeof(paypal_null_der)));
-
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert);
-
-  const SHA1Fingerprint& fingerprint =
-      paypal_null_cert->fingerprint();
-  for (size_t i = 0; i < 20; ++i)
-    EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = paypal_null_cert->Verify("www.paypal.com", flags, NULL,
-                                       &verify_result);
-#if defined(USE_OPENSSL) || defined(OS_MACOSX) || defined(OS_WIN)
-  // TOOD(bulach): investigate why macosx and win aren't returning
-  // ERR_CERT_INVALID or ERR_CERT_COMMON_NAME_INVALID.
-  EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
-#else
-  EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
-#endif
-  // Either the system crypto library should correctly report a certificate
-  // name mismatch, or our certificate blacklist should cause us to report an
-  // invalid certificate.
-#if !defined(OS_MACOSX) && !defined(USE_OPENSSL)
-  EXPECT_TRUE(verify_result.cert_status &
-              (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
-#endif
-}
-
 TEST(X509CertificateTest, SerialNumbers) {
   scoped_refptr<X509Certificate> google_cert(
       X509Certificate::CreateFromBytes(
           reinterpret_cast<const char*>(google_der), sizeof(google_der)));
 
   static const uint8 google_serial[16] = {
     0x01,0x2a,0x39,0x76,0x0d,0x3f,0x4f,0xc9,
     0x0b,0xe7,0xbd,0x2b,0xcf,0x95,0x2e,0x7a,
   };
 
@@ skipping 62 matching lines @@
     0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09
   };
   EXPECT_TRUE(memcmp(cert_chain1->ca_fingerprint().data,
                      cert_chain1_ca_fingerprint, 20) == 0);
   EXPECT_TRUE(memcmp(cert_chain2->ca_fingerprint().data,
                      cert_chain2_ca_fingerprint, 20) == 0);
   EXPECT_TRUE(memcmp(cert_chain3->ca_fingerprint().data,
                      cert_chain3_ca_fingerprint, 20) == 0);
 }
 
-// A regression test for http://crbug.com/31497.
-// This certificate will expire on 2012-04-08. The test will still
-// pass if error == ERR_CERT_DATE_INVALID.  TODO(wtc): generate test
-// certificates for this unit test. http://crbug.com/111742
-TEST(X509CertificateTest, IntermediateCARequireExplicitPolicy) {
-  FilePath certs_dir = GetTestCertsDirectory();
-
-  scoped_refptr<X509Certificate> server_cert =
-      ImportCertFromFile(certs_dir, "www_us_army_mil_cert.der");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
-
-  // The intermediate CA certificate's policyConstraints extension has a
-  // requireExplicitPolicy field with SkipCerts=0.
-  scoped_refptr<X509Certificate> intermediate_cert =
-      ImportCertFromFile(certs_dir, "dod_ca_17_cert.der");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
-
-  scoped_refptr<X509Certificate> root_cert =
-      ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der");
-  ScopedTestRoot scoped_root(root_cert);
-
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(intermediate_cert->os_cert_handle());
-  scoped_refptr<X509Certificate> cert_chain =
-      X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
-                                        intermediates);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = cert_chain->Verify("www.us.army.mil", flags, NULL,
-                                 &verify_result);
-  if (error == OK) {
-    EXPECT_EQ(0U, verify_result.cert_status);
-  } else {
-    EXPECT_EQ(ERR_CERT_DATE_INVALID, error);
-    EXPECT_EQ(CERT_STATUS_DATE_INVALID, verify_result.cert_status);
-  }
-}
-
-// Test for bug 58437.
-// This certificate will expire on 2011-12-21. The test will still
-// pass if error == ERR_CERT_DATE_INVALID.
-// This test is DISABLED because it appears that we cannot do
-// certificate revocation checking when running all of the net unit tests.
-// This test passes when run individually, but when run with all of the net
-// unit tests, the call to PKIXVerifyCert returns the NSS error -8180, which is
-// SEC_ERROR_REVOKED_CERTIFICATE. This indicates a lack of revocation
-// status, i.e. that the revocation check is failing for some reason.
-TEST(X509CertificateTest, DISABLED_GlobalSignR3EVTest) {
-  FilePath certs_dir = GetTestCertsDirectory();
-
-  scoped_refptr<X509Certificate> server_cert =
-      ImportCertFromFile(certs_dir, "2029_globalsign_com_cert.pem");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
-
-  scoped_refptr<X509Certificate> intermediate_cert =
-      ImportCertFromFile(certs_dir, "globalsign_ev_sha256_ca_cert.pem");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
-
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(intermediate_cert->os_cert_handle());
-  scoped_refptr<X509Certificate> cert_chain =
-      X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
-                                        intermediates);
-
-  CertVerifyResult verify_result;
-  int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED |
-              X509Certificate::VERIFY_EV_CERT;
-  int error = cert_chain->Verify("2029.globalsign.com", flags, NULL,
-                                 &verify_result);
-  if (error == OK)
-    EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
-  else
-    EXPECT_EQ(ERR_CERT_DATE_INVALID, error);
-}
-
-// Currently, only RSA and DSA keys are checked for weakness, and our example
-// weak size is 768. These could change in the future.
-//
-// Note that this means there may be false negatives: keys for other
-// algorithms and which are weak will pass this test.
-static bool IsWeakKeyType(const std::string& key_type) {
-  size_t pos = key_type.find("-");
-  std::string size = key_type.substr(0, pos);
-  std::string type = key_type.substr(pos + 1);
-
-  if (type == "rsa" || type == "dsa")
-    return size == "768";
-
-  return false;
-}
-
-TEST(X509CertificateTest, RejectWeakKeys) {
-  FilePath certs_dir = GetTestCertsDirectory();
-  typedef std::vector<std::string> Strings;
-  Strings key_types;
-
-  // generate-weak-test-chains.sh currently has:
-  //     key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa"
-  // We must use the same key types here. The filenames generated look like:
-  //     2048-rsa-ee-by-768-rsa-intermediate.pem
-  key_types.push_back("768-rsa");
-  key_types.push_back("1024-rsa");
-  key_types.push_back("2048-rsa");
-
-  bool use_ecdsa = true;
-#if defined(OS_WIN)
-  use_ecdsa = base::win::GetVersion() > base::win::VERSION_XP;
-#elif defined(OS_MACOSX)
-  use_ecdsa = base::mac::IsOSSnowLeopardOrLater();
-#endif
-
-  if (use_ecdsa)
-    key_types.push_back("prime256v1-ecdsa");
-
-  // Add the root that signed the intermediates for this test.
-  scoped_refptr<X509Certificate> root_cert =
-      ImportCertFromFile(certs_dir, "2048-rsa-root.pem");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert);
-  ScopedTestRoot scoped_root(root_cert);
-
-  // Now test each chain.
-  for (Strings::const_iterator ee_type = key_types.begin();
-       ee_type != key_types.end(); ++ee_type) {
-    for (Strings::const_iterator signer_type = key_types.begin();
-         signer_type != key_types.end(); ++signer_type) {
-      std::string basename = *ee_type + "-ee-by-" + *signer_type +
-          "-intermediate.pem";
-      SCOPED_TRACE(basename);
-      scoped_refptr<X509Certificate> ee_cert =
-          ImportCertFromFile(certs_dir, basename);
-      ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert);
-
-      basename = *signer_type + "-intermediate.pem";
-      scoped_refptr<X509Certificate> intermediate =
-          ImportCertFromFile(certs_dir, basename);
-      ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate);
-
-      X509Certificate::OSCertHandles intermediates;
-      intermediates.push_back(intermediate->os_cert_handle());
-      scoped_refptr<X509Certificate> cert_chain =
-          X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
-                                            intermediates);
-
-      CertVerifyResult verify_result;
-      int error = cert_chain->Verify("127.0.0.1", 0, NULL, &verify_result);
-
-      if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) {
-        EXPECT_NE(OK, error);
-        EXPECT_EQ(CERT_STATUS_WEAK_KEY,
-                  verify_result.cert_status & CERT_STATUS_WEAK_KEY);
-      } else {
-        EXPECT_EQ(OK, error);
-        EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY);
-      }
-    }
-  }
-}
-
-// Test for bug 108514.
-// The certificate will expire on 2012-07-20. The test will still
-// pass if error == ERR_CERT_DATE_INVALID.  TODO(rsleevi): generate test
-// certificates for this unit test.  http://crbug.com/111730
-TEST(X509CertificateTest, ExtraneousMD5RootCert) {
-  FilePath certs_dir = GetTestCertsDirectory();
-
-  scoped_refptr<X509Certificate> server_cert =
-      ImportCertFromFile(certs_dir, "images_etrade_wallst_com.pem");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
-
-  scoped_refptr<X509Certificate> intermediate_cert =
-      ImportCertFromFile(certs_dir, "globalsign_orgv1_ca.pem");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
-
-  scoped_refptr<X509Certificate> md5_root_cert =
-      ImportCertFromFile(certs_dir, "globalsign_root_ca_md5.pem");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), md5_root_cert);
-
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(intermediate_cert->os_cert_handle());
-  intermediates.push_back(md5_root_cert->os_cert_handle());
-  scoped_refptr<X509Certificate> cert_chain =
-      X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
-                                        intermediates);
-
-  CertVerifyResult verify_result;
-  int flags = 0;
-  int error = cert_chain->Verify("images.etrade.wallst.com", flags, NULL,
-                                 &verify_result);
-  if (error != OK)
-    EXPECT_EQ(ERR_CERT_DATE_INVALID, error);
-
-  EXPECT_FALSE(verify_result.has_md5);
-  EXPECT_FALSE(verify_result.has_md5_ca);
-}
-
-// Test for bug 94673.
-TEST(X509CertificateTest, GoogleDigiNotarTest) {
-  FilePath certs_dir = GetTestCertsDirectory();
-
-  scoped_refptr<X509Certificate> server_cert =
-      ImportCertFromFile(certs_dir, "google_diginotar.pem");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
-
-  scoped_refptr<X509Certificate> intermediate_cert =
-      ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
-
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(intermediate_cert->os_cert_handle());
-  scoped_refptr<X509Certificate> cert_chain =
-      X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
-                                        intermediates);
-
-  CertVerifyResult verify_result;
-  int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED;
-  int error = cert_chain->Verify("mail.google.com", flags, NULL,
-                                 &verify_result);
-  EXPECT_NE(OK, error);
-
-  // Now turn off revocation checking.  Certificate verification should still
-  // fail.
-  flags = 0;
-  error = cert_chain->Verify("mail.google.com", flags, NULL, &verify_result);
-  EXPECT_NE(OK, error);
-}
-
 TEST(X509CertificateTest, DigiNotarCerts) {
   static const char* const kDigiNotarFilenames[] = {
     "diginotar_root_ca.pem",
     "diginotar_cyber_ca.pem",
     "diginotar_services_1024_ca.pem",
     "diginotar_pkioverheid.pem",
     "diginotar_pkioverheid_g2.pem",
     NULL,
   };
 
@@ skipping 15 matching lines @@
     SHA1Fingerprint fingerprint;
     ASSERT_EQ(sizeof(fingerprint.data), spki_sha1.size());
     memcpy(fingerprint.data, spki_sha1.data(), spki_sha1.size());
     public_keys.push_back(fingerprint);
 
     EXPECT_TRUE(X509Certificate::IsPublicKeyBlacklisted(public_keys)) <<
         "Public key not blocked for " << kDigiNotarFilenames[i];
   }
 }
 
-// Bug 111893: This test needs a new certificate.
-TEST(X509CertificateTest, DISABLED_TestKnownRoot) {
-  FilePath certs_dir = GetTestCertsDirectory();
-  scoped_refptr<X509Certificate> cert =
-      ImportCertFromFile(certs_dir, "nist.der");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
-
-  // This intermediate is only needed for old Linux machines. Modern NSS
-  // includes it as a root already.
-  scoped_refptr<X509Certificate> intermediate_cert =
-      ImportCertFromFile(certs_dir, "nist_intermediate.der");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
-
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(intermediate_cert->os_cert_handle());
-  scoped_refptr<X509Certificate> cert_chain =
-      X509Certificate::CreateFromHandle(cert->os_cert_handle(),
-                                        intermediates);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  // This is going to blow up in Feb 2012. Sorry! Disable and file a bug
-  // against agl. Also see PublicKeyHashes in this file.
-  int error = cert_chain->Verify("www.nist.gov", flags, NULL, &verify_result);
-  EXPECT_EQ(OK, error);
-  EXPECT_EQ(0U, verify_result.cert_status);
-  EXPECT_TRUE(verify_result.is_issued_by_known_root);
-}
-
-// This is the SHA1 hash of the SubjectPublicKeyInfo of nist.der.
-static const char nistSPKIHash[] =
-    "\x15\x60\xde\x65\x4e\x03\x9f\xd0\x08\x82"
-    "\xa9\x6a\xc4\x65\x8e\x6f\x92\x06\x84\x35";
-
 TEST(X509CertificateTest, ExtractSPKIFromDERCert) {
   FilePath certs_dir = GetTestCertsDirectory();
   scoped_refptr<X509Certificate> cert =
       ImportCertFromFile(certs_dir, "nist.der");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
 
   std::string derBytes;
   EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(),
                                              &derBytes));
 
@@ skipping 20 matching lines @@
   std::vector<base::StringPiece> crl_urls;
   EXPECT_TRUE(asn1::ExtractCRLURLsFromDERCert(derBytes, &crl_urls));
 
   EXPECT_EQ(1u, crl_urls.size());
   if (crl_urls.size() > 0) {
     EXPECT_EQ("http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl",
               crl_urls[0].as_string());
   }
 }
 
-// Bug 111893: This test needs a new certificate.
-TEST(X509CertificateTest, DISABLED_PublicKeyHashes) {
-  FilePath certs_dir = GetTestCertsDirectory();
-  // This is going to blow up in Feb 2012. Sorry! Disable and file a bug
-  // against agl. Also see TestKnownRoot in this file.
-  scoped_refptr<X509Certificate> cert =
-      ImportCertFromFile(certs_dir, "nist.der");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
-
-  // This intermediate is only needed for old Linux machines. Modern NSS
-  // includes it as a root already.
-  scoped_refptr<X509Certificate> intermediate_cert =
-      ImportCertFromFile(certs_dir, "nist_intermediate.der");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
-
-  ScopedTestRoot scoped_intermediate(intermediate_cert);
-
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(intermediate_cert->os_cert_handle());
-  scoped_refptr<X509Certificate> cert_chain =
-      X509Certificate::CreateFromHandle(cert->os_cert_handle(),
-                                        intermediates);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-
-  int error = cert_chain->Verify("www.nist.gov", flags, NULL, &verify_result);
-  EXPECT_EQ(OK, error);
-  EXPECT_EQ(0U, verify_result.cert_status);
-  ASSERT_LE(2u, verify_result.public_key_hashes.size());
-  EXPECT_EQ(HexEncode(nistSPKIHash, base::kSHA1Length),
-      HexEncode(verify_result.public_key_hashes[0].data, base::kSHA1Length));
-  EXPECT_EQ("83244223D6CBF0A26FC7DE27CEBCA4BDA32612AD",
-      HexEncode(verify_result.public_key_hashes[1].data, base::kSHA1Length));
-}
-
-// A regression test for http://crbug.com/70293.
-// The Key Usage extension in this RSA SSL server certificate does not have
-// the keyEncipherment bit.
-TEST(X509CertificateTest, InvalidKeyUsage) {
-  FilePath certs_dir = GetTestCertsDirectory();
-
-  scoped_refptr<X509Certificate> server_cert =
-      ImportCertFromFile(certs_dir, "invalid_key_usage_cert.der");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error = server_cert->Verify("jira.aquameta.com", flags, NULL,
-                                  &verify_result);
-#if defined(USE_OPENSSL)
-  // This certificate has two errors: "invalid key usage" and "untrusted CA".
-  // However, OpenSSL returns only one (the latter), and we can't detect
-  // the other errors.
-  EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
-#else
-  EXPECT_EQ(ERR_CERT_INVALID, error);
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
-#endif
-  // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors
-  // from NSS.
-#if !defined(USE_NSS)
-  // The certificate is issued by an unknown CA.
-  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
-#endif
-}
-
 // Tests X509CertificateCache via X509Certificate::CreateFromHandle.  We
 // call X509Certificate::CreateFromHandle several times and observe whether
 // it returns a cached or new OSCertHandle.
 TEST(X509CertificateTest, Cache) {
   X509Certificate::OSCertHandle google_cert_handle;
   X509Certificate::OSCertHandle thawte_cert_handle;
 
   // Add a single certificate to the certificate cache.
   google_cert_handle = X509Certificate::CreateOSCertHandleFromBytes(
       reinterpret_cast<const char*>(google_der), sizeof(google_der));
@@ skipping 142 matching lines @@
   ASSERT_EQ(2u, cert2_intermediates.size());
   EXPECT_TRUE(X509Certificate::IsSameOSCert(cert2_intermediates[0],
                                             webkit_cert->os_cert_handle()));
   EXPECT_TRUE(X509Certificate::IsSameOSCert(cert2_intermediates[1],
                                             thawte_cert->os_cert_handle()));
 
   // Cleanup
   X509Certificate::FreeOSCertHandle(google_handle);
 }
 
-// Basic test for returning the chain in CertVerifyResult. Note that the
-// returned chain may just be a reflection of the originally supplied chain;
-// that is, if any errors occur, the default chain returned is an exact copy
-// of the certificate to be verified. The remaining VerifyReturn* tests are
-// used to ensure that the actual, verified chain is being returned by
-// Verify().
-TEST(X509CertificateTest, VerifyReturnChainBasic) {
-  FilePath certs_dir = GetTestCertsDirectory();
-  CertificateList certs = CreateCertificateListFromFile(
-      certs_dir, "x509_verify_results.chain.pem",
-      X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(3U, certs.size());
-
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(certs[1]->os_cert_handle());
-  intermediates.push_back(certs[2]->os_cert_handle());
-
-  ScopedTestRoot scoped_root(certs[2]);
-
-  scoped_refptr<X509Certificate> google_full_chain =
-      X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
-                                        intermediates);
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
-  ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size());
-
-  CertVerifyResult verify_result;
-  EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
-  int error = google_full_chain->Verify("127.0.0.1", 0, NULL, &verify_result);
-  EXPECT_EQ(OK, error);
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
-
-  EXPECT_NE(google_full_chain, verify_result.verified_cert);
-  EXPECT_TRUE(X509Certificate::IsSameOSCert(
-      google_full_chain->os_cert_handle(),
-      verify_result.verified_cert->os_cert_handle()));
-  const X509Certificate::OSCertHandles& return_intermediates =
-      verify_result.verified_cert->GetIntermediateCertificates();
-  ASSERT_EQ(2U, return_intermediates.size());
-  EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
-                                            certs[1]->os_cert_handle()));
-  EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
-                                            certs[2]->os_cert_handle()));
-}
-
-// Test that the certificate returned in CertVerifyResult is able to reorder
-// certificates that are not ordered from end-entity to root. While this is
-// a protocol violation if sent during a TLS handshake, if multiple sources
-// of intermediate certificates are combined, it's possible that order may
-// not be maintained.
-TEST(X509CertificateTest, VerifyReturnChainProperlyOrdered) {
-  FilePath certs_dir = GetTestCertsDirectory();
-  CertificateList certs = CreateCertificateListFromFile(
-      certs_dir, "x509_verify_results.chain.pem",
-      X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(3U, certs.size());
-
-  // Construct the chain out of order.
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(certs[2]->os_cert_handle());
-  intermediates.push_back(certs[1]->os_cert_handle());
-
-  ScopedTestRoot scoped_root(certs[2]);
-
-  scoped_refptr<X509Certificate> google_full_chain =
-      X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
-                                        intermediates);
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
-  ASSERT_EQ(2U, google_full_chain->GetIntermediateCertificates().size());
-
-  CertVerifyResult verify_result;
-  EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
-  int error = google_full_chain->Verify("127.0.0.1", 0, NULL, &verify_result);
-  EXPECT_EQ(OK, error);
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
-
-  EXPECT_NE(google_full_chain, verify_result.verified_cert);
-  EXPECT_TRUE(X509Certificate::IsSameOSCert(
-      google_full_chain->os_cert_handle(),
-      verify_result.verified_cert->os_cert_handle()));
-  const X509Certificate::OSCertHandles& return_intermediates =
-      verify_result.verified_cert->GetIntermediateCertificates();
-  ASSERT_EQ(2U, return_intermediates.size());
-  EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
-                                            certs[1]->os_cert_handle()));
-  EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
-                                            certs[2]->os_cert_handle()));
-}
-
-// Test that Verify() filters out certificates which are not related to
-// or part of the certificate chain being verified.
-TEST(X509CertificateTest, VerifyReturnChainFiltersUnrelatedCerts) {
-  FilePath certs_dir = GetTestCertsDirectory();
-  CertificateList certs = CreateCertificateListFromFile(
-      certs_dir, "x509_verify_results.chain.pem",
-      X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(3U, certs.size());
-  ScopedTestRoot scoped_root(certs[2]);
-
-  scoped_refptr<X509Certificate> unrelated_dod_certificate =
-      ImportCertFromFile(certs_dir, "dod_ca_17_cert.der");
-  scoped_refptr<X509Certificate> unrelated_dod_certificate2 =
-      ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der");
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate);
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), unrelated_dod_certificate2);
-
-  // Interject unrelated certificates into the list of intermediates.
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(unrelated_dod_certificate->os_cert_handle());
-  intermediates.push_back(certs[1]->os_cert_handle());
-  intermediates.push_back(unrelated_dod_certificate2->os_cert_handle());
-  intermediates.push_back(certs[2]->os_cert_handle());
-
-  scoped_refptr<X509Certificate> google_full_chain =
-      X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
-                                        intermediates);
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), google_full_chain);
-  ASSERT_EQ(4U, google_full_chain->GetIntermediateCertificates().size());
-
-  CertVerifyResult verify_result;
-  EXPECT_EQ(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
-  int error = google_full_chain->Verify("127.0.0.1", 0, NULL, &verify_result);
-  EXPECT_EQ(OK, error);
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), verify_result.verified_cert);
-
-  EXPECT_NE(google_full_chain, verify_result.verified_cert);
-  EXPECT_TRUE(X509Certificate::IsSameOSCert(
-      google_full_chain->os_cert_handle(),
-      verify_result.verified_cert->os_cert_handle()));
-  const X509Certificate::OSCertHandles& return_intermediates =
-      verify_result.verified_cert->GetIntermediateCertificates();
-  ASSERT_EQ(2U, return_intermediates.size());
-  EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[0],
-                                            certs[1]->os_cert_handle()));
-  EXPECT_TRUE(X509Certificate::IsSameOSCert(return_intermediates[1],
-                                            certs[2]->os_cert_handle()));
-}
-
 #if defined(OS_MACOSX)
 TEST(X509CertificateTest, IsIssuedBy) {
   FilePath certs_dir = GetTestCertsDirectory();
 
   // Test a client certificate from MIT.
   scoped_refptr<X509Certificate> mit_davidben_cert(
       ImportCertFromFile(certs_dir, "mit.davidben.der"));
   ASSERT_NE(static_cast<X509Certificate*>(NULL), mit_davidben_cert);
 
   CertPrincipal mit_issuer;
@@ skipping 151 matching lines @@
       X509Certificate::CreateSelfSigned(
           private_key.get(), "CN=subject", 0, base::TimeDelta::FromDays(1));
 
   std::string der_cert;
   EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(),
                                              &der_cert));
   EXPECT_FALSE(der_cert.empty());
 }
 #endif
 
-#if defined(USE_NSS) || defined(OS_WIN) || defined(OS_MACOSX)
-static const uint8 kCRLSetThawteSPKIBlocked[] = {
-  0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
-  0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
-  0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
-  0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,
-  0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
-  0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
-  0x30, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
-  0x49, 0x73, 0x22, 0x3a, 0x5b, 0x22, 0x36, 0x58, 0x36, 0x4d, 0x78, 0x52, 0x37,
-  0x58, 0x70, 0x4d, 0x51, 0x4b, 0x78, 0x49, 0x41, 0x39, 0x50, 0x6a, 0x36, 0x37,
-  0x36, 0x38, 0x76, 0x74, 0x55, 0x6b, 0x6b, 0x7a, 0x48, 0x79, 0x7a, 0x41, 0x6f,
-  0x6d, 0x6f, 0x4f, 0x68, 0x4b, 0x55, 0x6e, 0x7a, 0x73, 0x55, 0x3d, 0x22, 0x5d,
-  0x7d,
-};
-
-static const uint8 kCRLSetThawteSerialBlocked[] = {
-  0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
-  0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
-  0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
-  0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,
-  0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
-  0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
-  0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
-  0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d, 0xb1, 0x12, 0x41, 0x42, 0xa5, 0xa1,
-  0xa5, 0xa2, 0x88, 0x19, 0xc7, 0x35, 0x34, 0x0e, 0xff, 0x8c, 0x9e, 0x2f, 0x81,
-  0x68, 0xfe, 0xe3, 0xba, 0x18, 0x7f, 0x25, 0x3b, 0xc1, 0xa3, 0x92, 0xd7, 0xe2,
-  // Note that this is actually blocking two serial numbers because on XP and
-  // Vista, CryptoAPI finds a different Thawte certificate.
-  0x02, 0x00, 0x00, 0x00,
-  0x04, 0x30, 0x00, 0x00, 0x02,
-  0x04, 0x30, 0x00, 0x00, 0x06,
-};
-
-static const uint8 kCRLSetGoogleSerialBlocked[] = {
-  0x60, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
-  0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,
-  0x65, 0x22, 0x3a, 0x22, 0x43, 0x52, 0x4c, 0x53, 0x65, 0x74, 0x22, 0x2c, 0x22,
-  0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x30, 0x2c, 0x22,
-  0x44, 0x65, 0x6c, 0x74, 0x61, 0x46, 0x72, 0x6f, 0x6d, 0x22, 0x3a, 0x30, 0x2c,
-  0x22, 0x4e, 0x75, 0x6d, 0x50, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x3a,
-  0x31, 0x2c, 0x22, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x53, 0x50, 0x4b,
-  0x49, 0x73, 0x22, 0x3a, 0x5b, 0x5d, 0x7d, 0xe9, 0x7e, 0x8c, 0xc5, 0x1e, 0xd7,
-  0xa4, 0xc4, 0x0a, 0xc4, 0x80, 0x3d, 0x3e, 0x3e, 0xbb, 0xeb, 0xcb, 0xed, 0x52,
-  0x49, 0x33, 0x1f, 0x2c, 0xc0, 0xa2, 0x6a, 0x0e, 0x84, 0xa5, 0x27, 0xce, 0xc5,
-  0x01, 0x00, 0x00, 0x00, 0x10, 0x4f, 0x9d, 0x96, 0xd9, 0x66, 0xb0, 0x99, 0x2b,
-  0x54, 0xc2, 0x95, 0x7c, 0xb4, 0x15, 0x7d, 0x4d,
-};
-
-// Test that CRLSets are effective in making a certificate appear to be
-// revoked.
-TEST(X509CertificateTest, CRLSet) {
-  CertificateList certs = CreateCertificateListFromFile(
-      GetTestCertsDirectory(),
-      "googlenew.chain.pem",
-      X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
-
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(certs[1]->os_cert_handle());
-
-  scoped_refptr<X509Certificate> google_full_chain =
-      X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
-                                        intermediates);
-
-  CertVerifyResult verify_result;
-  int error = google_full_chain->Verify(
-      "www.google.com", 0, NULL, &verify_result);
-  EXPECT_EQ(OK, error);
-
-  // First test blocking by SPKI.
-  base::StringPiece crl_set_bytes(
-      reinterpret_cast<const char*>(kCRLSetThawteSPKIBlocked),
-      sizeof(kCRLSetThawteSPKIBlocked));
-  scoped_refptr<CRLSet> crl_set;
-  ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
-
-  error = google_full_chain->Verify(
-      "www.google.com", 0, crl_set.get(), &verify_result);
-  EXPECT_EQ(ERR_CERT_REVOKED, error);
-
-  // Second, test revocation by serial number of a cert directly under the
-  // root.
-  crl_set_bytes = base::StringPiece(
-      reinterpret_cast<const char*>(kCRLSetThawteSerialBlocked),
-      sizeof(kCRLSetThawteSerialBlocked));
-  ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
-
-  error = google_full_chain->Verify(
-      "www.google.com", 0, crl_set.get(), &verify_result);
-  EXPECT_EQ(ERR_CERT_REVOKED, error);
-
-  // Lastly, test revocation by serial number of a certificate not under the
-  // root.
-  crl_set_bytes = base::StringPiece(
-      reinterpret_cast<const char*>(kCRLSetGoogleSerialBlocked),
-      sizeof(kCRLSetGoogleSerialBlocked));
-  ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
-
-  error = google_full_chain->Verify(
-      "www.google.com", 0, crl_set.get(), &verify_result);
-  EXPECT_EQ(ERR_CERT_REVOKED, error);
-}
-#endif
-
 class X509CertificateParseTest
     : public testing::TestWithParam<CertificateFormatTestData> {
  public:
   virtual ~X509CertificateParseTest() {}
   virtual void SetUp() {
     test_data_ = GetParam();
   }
   virtual void TearDown() {}
 
  protected:
@@ skipping 240 matching lines @@
     }
   }
 
   EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname(
       test_data.hostname, common_name, dns_names, ip_addressses));
 }
 
 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest,
                         testing::ValuesIn(kNameVerifyTestData));
 
-struct WeakDigestTestData {
-  const char* root_cert_filename;
-  const char* intermediate_cert_filename;
-  const char* ee_cert_filename;
-  bool expected_has_md5;
-  bool expected_has_md4;
-  bool expected_has_md2;
-  bool expected_has_md5_ca;
-  bool expected_has_md2_ca;
-};
-
-// GTest 'magic' pretty-printer, so that if/when a test fails, it knows how
-// to output the parameter that was passed. Without this, it will simply
-// attempt to print out the first twenty bytes of the object, which depending
-// on platform and alignment, may result in an invalid read.
-void PrintTo(const WeakDigestTestData& data, std::ostream* os) {
-  *os << "root: "
-      << (data.root_cert_filename ? data.root_cert_filename : "none")
-      << "; intermediate: " << data.intermediate_cert_filename
-      << "; end-entity: " << data.ee_cert_filename;
-}
-
-class X509CertificateWeakDigestTest
-    : public testing::TestWithParam<WeakDigestTestData> {
- public:
-  X509CertificateWeakDigestTest() {}
-  virtual ~X509CertificateWeakDigestTest() {}
-};
-
-TEST_P(X509CertificateWeakDigestTest, Verify) {
-  WeakDigestTestData data = GetParam();
-  FilePath certs_dir = GetTestCertsDirectory();
-
-  ScopedTestRoot test_root;
-  if (data.root_cert_filename) {
-     scoped_refptr<X509Certificate> root_cert =
-         ImportCertFromFile(certs_dir, data.root_cert_filename);
-     ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert);
-     test_root.Reset(root_cert);
-  }
-
-  scoped_refptr<X509Certificate> intermediate_cert =
-      ImportCertFromFile(certs_dir, data.intermediate_cert_filename);
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
-  scoped_refptr<X509Certificate> ee_cert =
-      ImportCertFromFile(certs_dir, data.ee_cert_filename);
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert);
-
-  X509Certificate::OSCertHandles intermediates;
-  intermediates.push_back(intermediate_cert->os_cert_handle());
-
-  scoped_refptr<X509Certificate> ee_chain =
-      X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
-                                        intermediates);
-  ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_chain);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int rv = ee_chain->Verify("127.0.0.1", flags, NULL, &verify_result);
-  EXPECT_EQ(data.expected_has_md5, verify_result.has_md5);
-  EXPECT_EQ(data.expected_has_md4, verify_result.has_md4);
-  EXPECT_EQ(data.expected_has_md2, verify_result.has_md2);
-  EXPECT_EQ(data.expected_has_md5_ca, verify_result.has_md5_ca);
-  EXPECT_EQ(data.expected_has_md2_ca, verify_result.has_md2_ca);
-
-  // Ensure that MD4 and MD2 are tagged as invalid.
-  if (data.expected_has_md4 || data.expected_has_md2) {
-    EXPECT_EQ(CERT_STATUS_INVALID,
-              verify_result.cert_status & CERT_STATUS_INVALID);
-  }
-
-  // Ensure that MD5 is flagged as weak.
-  if (data.expected_has_md5) {
-    EXPECT_EQ(
-        CERT_STATUS_WEAK_SIGNATURE_ALGORITHM,
-        verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
-  }
-
-  // If a root cert is present, then check that the chain was rejected if any
-  // weak algorithms are present. This is only checked when a root cert is
-  // present because the error reported for incomplete chains with weak
-  // algorithms depends on which implementation was used to validate (NSS,
-  // OpenSSL, CryptoAPI, Security.framework) and upon which weak algorithm
-  // present (MD2, MD4, MD5).
-  if (data.root_cert_filename) {
-    if (data.expected_has_md4 || data.expected_has_md2) {
-      EXPECT_EQ(ERR_CERT_INVALID, rv);
-    } else if (data.expected_has_md5) {
-      EXPECT_EQ(ERR_CERT_WEAK_SIGNATURE_ALGORITHM, rv);
-    } else {
-      EXPECT_EQ(OK, rv);
-    }
-  }
-}
-
-// Unlike TEST/TEST_F, which are macros that expand to further macros,
-// INSTANTIATE_TEST_CASE_P is a macro that expands directly to code that
-// stringizes the arguments. As a result, macros passed as parameters (such as
-// prefix or test_case_name) will not be expanded by the preprocessor. To work
-// around this, indirect the macro for INSTANTIATE_TEST_CASE_P, so that the
-// pre-processor will expand macros such as MAYBE_test_name before
-// instantiating the test.
-#define WRAPPED_INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \
-    INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator)
-
-// The signature algorithm of the root CA should not matter.
-const WeakDigestTestData kVerifyRootCATestData[] = {
-  { "weak_digest_md5_root.pem", "weak_digest_sha1_intermediate.pem",
-    "weak_digest_sha1_ee.pem", false, false, false, false, false },
-#if !defined(OS_MACOSX)  // MD4 is not supported.
-  { "weak_digest_md4_root.pem", "weak_digest_sha1_intermediate.pem",
-    "weak_digest_sha1_ee.pem", false, false, false, false, false },
-#endif
-  { "weak_digest_md2_root.pem", "weak_digest_sha1_intermediate.pem",
-    "weak_digest_sha1_ee.pem", false, false, false, false, false },
-};
-INSTANTIATE_TEST_CASE_P(VerifyRoot, X509CertificateWeakDigestTest,
-                        testing::ValuesIn(kVerifyRootCATestData));
-
-// The signature algorithm of intermediates should be properly detected.
-const WeakDigestTestData kVerifyIntermediateCATestData[] = {
-  { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
-    "weak_digest_sha1_ee.pem", true, false, false, true, false },
-#if !defined(USE_NSS) && !defined(OS_MACOSX)  // MD4 is not supported.
-  { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
-    "weak_digest_sha1_ee.pem", false, true, false, false, false },
-#endif
-#if !defined(USE_NSS)  // MD2 is disabled by default.
-  { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
-    "weak_digest_sha1_ee.pem", false, false, true, false, true },
-#endif
-};
-INSTANTIATE_TEST_CASE_P(VerifyIntermediate, X509CertificateWeakDigestTest,
-                        testing::ValuesIn(kVerifyIntermediateCATestData));
-
-// The signature algorithm of end-entity should be properly detected.
-const WeakDigestTestData kVerifyEndEntityTestData[] = {
-  { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
-    "weak_digest_md5_ee.pem", true, false, false, false, false },
-#if !defined(USE_NSS) && !defined(OS_MACOSX)  // MD4 is not supported.
-  { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
-    "weak_digest_md4_ee.pem", false, true, false, false, false },
-#endif
-#if !defined(USE_NSS)  // MD2 is disabled by default.
-  { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
-    "weak_digest_md2_ee.pem", false, false, true, false, false },
-#endif
-};
-// Disabled on NSS - NSS caches chains/signatures in such a way that cannot
-// be cleared until NSS is cleanly shutdown, which is not presently supported
-// in Chromium.
-#if defined(USE_NSS)
-#define MAYBE_VerifyEndEntity DISABLED_VerifyEndEntity
-#else
-#define MAYBE_VerifyEndEntity VerifyEndEntity
-#endif
-WRAPPED_INSTANTIATE_TEST_CASE_P(MAYBE_VerifyEndEntity,
-                                X509CertificateWeakDigestTest,
-                                testing::ValuesIn(kVerifyEndEntityTestData));
-
-// Incomplete chains should still report the status of the intermediate.
-const WeakDigestTestData kVerifyIncompleteIntermediateTestData[] = {
-  { NULL, "weak_digest_md5_intermediate.pem", "weak_digest_sha1_ee.pem",
-    true, false, false, true, false },
-#if !defined(OS_MACOSX)  // MD4 is not supported.
-  { NULL, "weak_digest_md4_intermediate.pem", "weak_digest_sha1_ee.pem",
-    false, true, false, false, false },
-#endif
-  { NULL, "weak_digest_md2_intermediate.pem", "weak_digest_sha1_ee.pem",
-    false, false, true, false, true },
-};
-// Disabled on NSS - libpkix does not return constructed chains on error,
-// preventing us from detecting/inspecting the verified chain.
-#if defined(USE_NSS)
-#define MAYBE_VerifyIncompleteIntermediate \
-    DISABLED_VerifyIncompleteIntermediate
-#else
-#define MAYBE_VerifyIncompleteIntermediate VerifyIncompleteIntermediate
-#endif
-WRAPPED_INSTANTIATE_TEST_CASE_P(
-    MAYBE_VerifyIncompleteIntermediate,
-    X509CertificateWeakDigestTest,
-    testing::ValuesIn(kVerifyIncompleteIntermediateTestData));
-
-// Incomplete chains should still report the status of the end-entity.
-const WeakDigestTestData kVerifyIncompleteEETestData[] = {
-  { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md5_ee.pem",
-    true, false, false, false, false },
-#if !defined(OS_MACOSX)  // MD4 is not supported.
-  { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md4_ee.pem",
-    false, true, false, false, false },
-#endif
-  { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md2_ee.pem",
-    false, false, true, false, false },
-};
-// Disabled on NSS - libpkix does not return constructed chains on error,
-// preventing us from detecting/inspecting the verified chain.
-#if defined(USE_NSS)
-#define MAYBE_VerifyIncompleteEndEntity DISABLED_VerifyIncompleteEndEntity
-#else
-#define MAYBE_VerifyIncompleteEndEntity VerifyIncompleteEndEntity
-#endif
-WRAPPED_INSTANTIATE_TEST_CASE_P(
-    MAYBE_VerifyIncompleteEndEntity,
-    X509CertificateWeakDigestTest,
-    testing::ValuesIn(kVerifyIncompleteEETestData));
-
-// Differing algorithms between the intermediate and the EE should still be
-// reported.
-const WeakDigestTestData kVerifyMixedTestData[] = {
-  { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
-    "weak_digest_md2_ee.pem", true, false, true, true, false },
-  { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
-    "weak_digest_md5_ee.pem", true, false, true, false, true },
-#if !defined(OS_MACOSX)  // MD4 is not supported.
-  { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
-    "weak_digest_md2_ee.pem", false, true, true, false, false },
-#endif
-};
-// NSS does not support MD4 and does not enable MD2 by default, making all
-// permutations invalid.
-#if defined(USE_NSS)
-#define MAYBE_VerifyMixed DISABLED_VerifyMixed
-#else
-#define MAYBE_VerifyMixed VerifyMixed
-#endif
-WRAPPED_INSTANTIATE_TEST_CASE_P(
-    MAYBE_VerifyMixed,
-    X509CertificateWeakDigestTest,
-    testing::ValuesIn(kVerifyMixedTestData));
-
 }  // namespace net