authorrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-04-10 01:00:49 +0000
committerrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-04-10 01:00:49 +0000
commit47a12868857b153facb056dcf4dafbc2df739f92 (patch)
treeee906d941531db10d8fc3ba85cdd4fc50b1f48d8
parentd4aebbc9331cc0a08d8298b789bc22a7c83e911b (diff)
Implement a MockCertVerifier that can be used to avoid
calling OS API routines for certificate verification. This allows tests that depend on SSL to cycle noticeably faster, particularly when under memory instrumentation. R=wtc BUG=none TEST=existing unittests Review URL: http://codereview.chromium.org/9956047 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@131509 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/browser/net/connection_tester_unittest.cc4
-rw-r--r--jingle/notifier/base/chrome_async_socket_unittest.cc4
-rw-r--r--net/base/cert_status_flags.h4
-rw-r--r--net/base/mock_cert_verifier.cc83
-rw-r--r--net/base/mock_cert_verifier.h70
-rw-r--r--net/http/disk_cache_based_ssl_host_info_unittest.cc8
-rw-r--r--net/http/http_network_layer_unittest.cc4
-rw-r--r--net/http/http_network_transaction_spdy2_unittest.cc5
-rw-r--r--net/http/http_network_transaction_spdy3_unittest.cc6
-rw-r--r--net/http/http_proxy_client_socket_pool_spdy2_unittest.cc3
-rw-r--r--net/http/http_proxy_client_socket_pool_spdy3_unittest.cc4
-rw-r--r--net/http/http_stream_factory_impl_unittest.cc4
-rw-r--r--net/net.gyp2
-rw-r--r--net/proxy/proxy_script_fetcher_impl_unittest.cc4
-rw-r--r--net/socket/ssl_client_socket_unittest.cc98
-rw-r--r--net/socket/ssl_server_socket_unittest.cc21
-rw-r--r--net/spdy/spdy_test_util_spdy2.cc8
-rw-r--r--net/spdy/spdy_test_util_spdy3.cc7
18 files changed, 242 insertions, 97 deletions
diff --git a/chrome/browser/net/connection_tester_unittest.cc b/chrome/browser/net/connection_tester_unittest.cc
index 099b355..3ecfa48 100644
--- a/chrome/browser/net/connection_tester_unittest.cc
+++ b/chrome/browser/net/connection_tester_unittest.cc
@@ -6,7 +6,7 @@
#include "chrome/test/base/testing_pref_service.h"
#include "content/test/test_browser_thread.h"
-#include "net/base/cert_verifier.h"
+#include "net/base/mock_cert_verifier.h"
#include "net/base/mock_host_resolver.h"
#include "net/base/ssl_config_service_defaults.h"
#include "net/cookies/cookie_monster.h"
@@ -119,7 +119,7 @@ class ConnectionTesterTest : public PlatformTest {
private:
void InitializeRequestContext() {
proxy_script_fetcher_context_->set_host_resolver(&host_resolver_);
- cert_verifier_.reset(net::CertVerifier::CreateDefault());
+ cert_verifier_.reset(new net::MockCertVerifier);
proxy_script_fetcher_context_->set_cert_verifier(cert_verifier_.get());
proxy_script_fetcher_context_->set_http_auth_handler_factory(
&http_auth_handler_factory_);
diff --git a/jingle/notifier/base/chrome_async_socket_unittest.cc b/jingle/notifier/base/chrome_async_socket_unittest.cc
index a64e03f..0b1af48 100644
--- a/jingle/notifier/base/chrome_async_socket_unittest.cc
+++ b/jingle/notifier/base/chrome_async_socket_unittest.cc
@@ -13,7 +13,7 @@
#include "base/message_loop.h"
#include "base/sys_byteorder.h"
#include "jingle/notifier/base/resolving_client_socket_factory.h"
-#include "net/base/cert_verifier.h"
+#include "net/base/mock_cert_verifier.h"
#include "net/base/net_errors.h"
#include "net/base/ssl_config_service.h"
#include "net/socket/socket_test_util.h"
@@ -121,7 +121,7 @@ class MockXmppClientSocketFactory : public ResolvingClientSocketFactory {
const net::AddressList& address_list)
: mock_client_socket_factory_(mock_client_socket_factory),
address_list_(address_list),
- cert_verifier_(net::CertVerifier::CreateDefault()) {
+ cert_verifier_(new net::MockCertVerifier) {
}
// ResolvingClientSocketFactory implementation.
diff --git a/net/base/cert_status_flags.h b/net/base/cert_status_flags.h
index 7adddc5..83aa935 100644
--- a/net/base/cert_status_flags.h
+++ b/net/base/cert_status_flags.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
@@ -51,7 +51,7 @@ NET_EXPORT bool IsCertStatusMinorError(CertStatus cert_status);
// Maps a network error code to the equivalent certificate status flag. If
// the error code is not a certificate error, it is mapped to 0.
-CertStatus MapNetErrorToCertStatus(int error);
+NET_EXPORT CertStatus MapNetErrorToCertStatus(int error);
// Maps the most serious certificate error in the certificate status flags
// to the equivalent network error code.
diff --git a/net/base/mock_cert_verifier.cc b/net/base/mock_cert_verifier.cc
new file mode 100644
index 0000000..9006374
--- /dev/null
+++ b/net/base/mock_cert_verifier.cc
@@ -0,0 +1,83 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/mock_cert_verifier.h"
+
+#include "base/memory/ref_counted.h"
+#include "base/string_util.h"
+#include "net/base/cert_status_flags.h"
+#include "net/base/cert_verify_result.h"
+#include "net/base/net_errors.h"
+#include "net/base/x509_certificate.h"
+
+namespace net {
+
+struct MockCertVerifier::Rule {
+ Rule(X509Certificate* cert,
+ const std::string& hostname,
+ const CertVerifyResult& result,
+ int rv)
+ : cert(cert),
+ hostname(hostname),
+ result(result),
+ rv(rv) {
+ DCHECK(cert);
+ DCHECK(result.verified_cert);
+ }
+
+ scoped_refptr<X509Certificate> cert;
+ std::string hostname;
+ CertVerifyResult result;
+ int rv;
+};
+
+MockCertVerifier::MockCertVerifier() : default_result_(ERR_CERT_INVALID) {}
+
+MockCertVerifier::~MockCertVerifier() {}
+
+int MockCertVerifier::Verify(X509Certificate* cert,
+ const std::string& hostname,
+ int flags,
+ CRLSet* crl_set,
+ CertVerifyResult* verify_result,
+ const CompletionCallback& callback,
+ RequestHandle* out_req,
+ const BoundNetLog& net_log) {
+ RuleList::const_iterator it;
+ for (it = rules_.begin(); it != rules_.end(); ++it) {
+ // Check just the server cert. Intermediates will be ignored.
+ if (!it->cert->Equals(cert))
+ continue;
+ if (!MatchPattern(hostname, it->hostname))
+ continue;
+ *verify_result = it->result;
+ return it->rv;
+ }
+
+ // Fall through to the default.
+ verify_result->verified_cert = cert;
+ verify_result->cert_status = MapNetErrorToCertStatus(default_result_);
+ return default_result_;
+}
+
+void MockCertVerifier::CancelRequest(RequestHandle req) {
+ NOTIMPLEMENTED();
+}
+
+void MockCertVerifier::AddResultForCert(X509Certificate* cert,
+ const CertVerifyResult& verify_result,
+ int rv) {
+ AddResultForCertAndHost(cert, "*", verify_result, rv);
+}
+
+void MockCertVerifier::AddResultForCertAndHost(
+ X509Certificate* cert,
+ const std::string& host_pattern,
+ const CertVerifyResult& verify_result,
+ int rv) {
+ Rule rule(cert, host_pattern, verify_result, rv);
+ rules_.push_back(rule);
+}
+
+} // namespace net
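Review bot: The fall-through path at the end of Verify() writes only `verified_cert` and `cert_status`, so any other fields already set in the caller's `*verify_result` survive a default result, whereas a matching rule overwrites the whole struct with `*verify_result = it->result;`. Clearing the struct before filling it in (for example `verify_result->Reset();`, if CertVerifyResult provides it) would make both paths behave the same. Verify() also never writes `*out_req` and silently ignores `flags`, `crl_set` and `callback`. Adding `*out_req = NULL;` and a comment such as `// Always completes synchronously; |flags|, |crl_set| and |callback| are unused.` would keep a caller from later handing an uninitialised handle to CancelRequest(), which is NOTIMPLEMENTED().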
diff --git a/net/base/mock_cert_verifier.h b/net/base/mock_cert_verifier.h
new file mode 100644
index 0000000..60000a1
--- /dev/null
+++ b/net/base/mock_cert_verifier.h
@@ -0,0 +1,70 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_MOCK_CERT_VERIFIER_H_
+#define NET_BASE_MOCK_CERT_VERIFIER_H_
+#pragma once
+
+#include <list>
+
+#include "net/base/cert_verifier.h"
+#include "net/base/cert_verify_result.h"
+
+namespace net {
+
+class MockCertVerifier : public CertVerifier {
+ public:
+ // Creates a new MockCertVerifier. By default, any call to Verify() will
+ // result in the cert status being flagged as CERT_STATUS_INVALID and return
+ // an ERR_CERT_INVALID network error code. This behaviour can be overridden
+ // by calling set_default_result() to change the default return value for
+ // Verify() or by calling one of the AddResult*() methods to specifically
+ // handle a certificate or certificate and host.
+ MockCertVerifier();
+
+ virtual ~MockCertVerifier();
+
+ // CertVerifier implementation
+ virtual int Verify(X509Certificate* cert,
+ const std::string& hostname,
+ int flags,
+ CRLSet* crl_set,
+ CertVerifyResult* verify_result,
+ const CompletionCallback& callback,
+ RequestHandle* out_req,
+ const BoundNetLog& net_log) OVERRIDE;
+ virtual void CancelRequest(RequestHandle req) OVERRIDE;
+
+ // Sets the default return value for Verify() for certificates/hosts that do
+ // not have explicit results added via the AddResult*() methods.
+ void set_default_result(int default_result) {
+ default_result_ = default_result;
+ }
+
+ // Adds a rule that will cause any call to Verify() for |cert| to return rv,
+ // copying |verify_result| into the verified result.
+ // Note: Only the primary certificate of |cert| is checked. Any intermediate
+ // certificates will be ignored.
+ void AddResultForCert(X509Certificate* cert,
+ const CertVerifyResult& verify_result,
+ int rv);
+
+ // Same as AddResultForCert(), but further restricts it to only return for
+ // hostnames that match |host_pattern|.
+ void AddResultForCertAndHost(X509Certificate* cert,
+ const std::string& host_pattern,
+ const CertVerifyResult& verify_result,
+ int rv);
+
+ private:
+ struct Rule;
+ typedef std::list<Rule> RuleList;
+
+ int default_result_;
+ RuleList rules_;
+};
+
+} // namespace net
+
+#endif // NET_BASE_MOCK_CERT_VERIFIER_H_
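Review bot: The class comment does not say that MockCertVerifier performs no chain or hostname validation of its own, so `set_default_result(OK)` makes every certificate acceptable for every host. A line such as `// Test-only: performs no real certificate validation. Must not be used outside tests.` above `class MockCertVerifier` would make that explicit. The AddResult*() comments also omit that |host_pattern| is matched with MatchPattern() (AddResultForCert() registers `"*"`) and that rules are tried in insertion order with the first match winning, both of which are visible in mock_cert_verifier.cc. The header uses std::string in its signatures without including `<string>` directly.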
diff --git a/net/http/disk_cache_based_ssl_host_info_unittest.cc b/net/http/disk_cache_based_ssl_host_info_unittest.cc
index 41b200f..2bb3db7 100644
--- a/net/http/disk_cache_based_ssl_host_info_unittest.cc
+++ b/net/http/disk_cache_based_ssl_host_info_unittest.cc
@@ -6,7 +6,7 @@
#include "base/bind_helpers.h"
#include "base/compiler_specific.h"
#include "base/message_loop.h"
-#include "net/base/cert_verifier.h"
+#include "net/base/mock_cert_verifier.h"
#include "net/base/net_errors.h"
#include "net/base/ssl_config_service.h"
#include "net/http/disk_cache_based_ssl_host_info.h"
@@ -34,8 +34,7 @@ const MockTransaction kHostInfoTransaction = {
// Tests that we can delete a DiskCacheBasedSSLHostInfo object in a
// completion callback for DiskCacheBasedSSLHostInfo::WaitForDataReady.
TEST(DiskCacheBasedSSLHostInfo, DeleteInCallback) {
- scoped_ptr<net::CertVerifier> cert_verifier(
- net::CertVerifier::CreateDefault());
+ scoped_ptr<net::CertVerifier> cert_verifier(new net::MockCertVerifier);
// Use the blocking mock backend factory to force asynchronous completion
// of ssl_host_info->WaitForDataReady(), so that the callback will run.
MockBlockingBackendFactory* factory = new MockBlockingBackendFactory();
@@ -61,8 +60,7 @@ TEST(DiskCacheBasedSSLHostInfo, Update) {
net::TestCompletionCallback callback;
// Store a certificate chain.
- scoped_ptr<net::CertVerifier> cert_verifier(
- net::CertVerifier::CreateDefault());
+ scoped_ptr<net::CertVerifier> cert_verifier(new net::MockCertVerifier);
net::SSLConfig ssl_config;
scoped_ptr<net::SSLHostInfo> ssl_host_info(
new net::DiskCacheBasedSSLHostInfo("https://www.google.com", ssl_config,
diff --git a/net/http/http_network_layer_unittest.cc b/net/http/http_network_layer_unittest.cc
index 596b1ab..167b209 100644
--- a/net/http/http_network_layer_unittest.cc
+++ b/net/http/http_network_layer_unittest.cc
@@ -4,7 +4,7 @@
#include "net/http/http_network_layer.h"
-#include "net/base/cert_verifier.h"
+#include "net/base/mock_cert_verifier.h"
#include "net/base/mock_host_resolver.h"
#include "net/base/net_log.h"
#include "net/base/ssl_config_service_defaults.h"
@@ -24,7 +24,7 @@ namespace {
class HttpNetworkLayerTest : public PlatformTest {
protected:
HttpNetworkLayerTest()
- : cert_verifier_(CertVerifier::CreateDefault()),
+ : cert_verifier_(new MockCertVerifier),
proxy_service_(ProxyService::CreateDirect()),
ssl_config_service_(new SSLConfigServiceDefaults) {
HttpNetworkSession::Params session_params;
diff --git a/net/http/http_network_transaction_spdy2_unittest.cc b/net/http/http_network_transaction_spdy2_unittest.cc
index 17781f1..e9ef256 100644
--- a/net/http/http_network_transaction_spdy2_unittest.cc
+++ b/net/http/http_network_transaction_spdy2_unittest.cc
@@ -21,6 +21,7 @@
#include "net/base/capturing_net_log.h"
#include "net/base/completion_callback.h"
#include "net/base/host_cache.h"
+#include "net/base/mock_cert_verifier.h"
#include "net/base/mock_host_resolver.h"
#include "net/base/net_log.h"
#include "net/base/net_log_unittest.h"
@@ -122,7 +123,7 @@ struct SessionDependencies {
// Default set of dependencies -- "null" proxy service.
SessionDependencies()
: host_resolver(new MockHostResolver),
- cert_verifier(CertVerifier::CreateDefault()),
+ cert_verifier(new MockCertVerifier),
proxy_service(ProxyService::CreateDirect()),
ssl_config_service(new SSLConfigServiceDefaults),
http_auth_handler_factory(
@@ -132,7 +133,7 @@ struct SessionDependencies {
// Custom proxy service dependency.
explicit SessionDependencies(ProxyService* proxy_service)
: host_resolver(new MockHostResolver),
- cert_verifier(CertVerifier::CreateDefault()),
+ cert_verifier(new MockCertVerifier),
proxy_service(proxy_service),
ssl_config_service(new SSLConfigServiceDefaults),
http_auth_handler_factory(
diff --git a/net/http/http_network_transaction_spdy3_unittest.cc b/net/http/http_network_transaction_spdy3_unittest.cc
index 86a81e4..4c73e94 100644
--- a/net/http/http_network_transaction_spdy3_unittest.cc
+++ b/net/http/http_network_transaction_spdy3_unittest.cc
@@ -19,9 +19,9 @@
#include "base/utf_string_conversions.h"
#include "net/base/auth.h"
#include "net/base/capturing_net_log.h"
-#include "net/base/cert_verifier.h"
#include "net/base/completion_callback.h"
#include "net/base/host_cache.h"
+#include "net/base/mock_cert_verifier.h"
#include "net/base/mock_host_resolver.h"
#include "net/base/net_log.h"
#include "net/base/net_log_unittest.h"
@@ -123,7 +123,7 @@ struct SessionDependencies {
// Default set of dependencies -- "null" proxy service.
SessionDependencies()
: host_resolver(new MockHostResolver),
- cert_verifier(CertVerifier::CreateDefault()),
+ cert_verifier(new MockCertVerifier),
proxy_service(ProxyService::CreateDirect()),
ssl_config_service(new SSLConfigServiceDefaults),
http_auth_handler_factory(
@@ -133,7 +133,7 @@ struct SessionDependencies {
// Custom proxy service dependency.
explicit SessionDependencies(ProxyService* proxy_service)
: host_resolver(new MockHostResolver),
- cert_verifier(CertVerifier::CreateDefault()),
+ cert_verifier(new MockCertVerifier),
proxy_service(proxy_service),
ssl_config_service(new SSLConfigServiceDefaults),
http_auth_handler_factory(
diff --git a/net/http/http_proxy_client_socket_pool_spdy2_unittest.cc b/net/http/http_proxy_client_socket_pool_spdy2_unittest.cc
index 5647d33..8e46efe 100644
--- a/net/http/http_proxy_client_socket_pool_spdy2_unittest.cc
+++ b/net/http/http_proxy_client_socket_pool_spdy2_unittest.cc
@@ -8,6 +8,7 @@
#include "base/compiler_specific.h"
#include "base/string_util.h"
#include "base/utf_string_conversions.h"
+#include "net/base/mock_cert_verifier.h"
#include "net/base/mock_host_resolver.h"
#include "net/base/net_errors.h"
#include "net/base/ssl_config_service_defaults.h"
@@ -63,7 +64,7 @@ class HttpProxyClientSocketPoolSpdy2Test : public TestWithHttpParam {
&tcp_histograms_,
&socket_factory_),
ssl_histograms_("MockSSL"),
- cert_verifier_(CertVerifier::CreateDefault()),
+ cert_verifier_(new MockCertVerifier),
proxy_service_(ProxyService::CreateDirect()),
ssl_config_service_(new SSLConfigServiceDefaults),
ssl_socket_pool_(kMaxSockets, kMaxSocketsPerGroup,
diff --git a/net/http/http_proxy_client_socket_pool_spdy3_unittest.cc b/net/http/http_proxy_client_socket_pool_spdy3_unittest.cc
index e06573e..f1bf16a 100644
--- a/net/http/http_proxy_client_socket_pool_spdy3_unittest.cc
+++ b/net/http/http_proxy_client_socket_pool_spdy3_unittest.cc
@@ -8,7 +8,7 @@
#include "base/compiler_specific.h"
#include "base/string_util.h"
#include "base/utf_string_conversions.h"
-#include "net/base/cert_verifier.h"
+#include "net/base/mock_cert_verifier.h"
#include "net/base/mock_host_resolver.h"
#include "net/base/net_errors.h"
#include "net/base/ssl_config_service_defaults.h"
@@ -64,7 +64,7 @@ class HttpProxyClientSocketPoolSpdy3Test : public TestWithHttpParam {
&tcp_histograms_,
&socket_factory_),
ssl_histograms_("MockSSL"),
- cert_verifier_(CertVerifier::CreateDefault()),
+ cert_verifier_(new MockCertVerifier),
proxy_service_(ProxyService::CreateDirect()),
ssl_config_service_(new SSLConfigServiceDefaults),
ssl_socket_pool_(kMaxSockets, kMaxSocketsPerGroup,
diff --git a/net/http/http_stream_factory_impl_unittest.cc b/net/http/http_stream_factory_impl_unittest.cc
index c69ef8f..0184a9d9 100644
--- a/net/http/http_stream_factory_impl_unittest.cc
+++ b/net/http/http_stream_factory_impl_unittest.cc
@@ -7,7 +7,7 @@
#include <string>
#include "base/basictypes.h"
-#include "net/base/cert_verifier.h"
+#include "net/base/mock_cert_verifier.h"
#include "net/base/mock_host_resolver.h"
#include "net/base/net_log.h"
#include "net/base/ssl_config_service_defaults.h"
@@ -118,7 +118,7 @@ struct SessionDependencies {
// Custom proxy service dependency.
explicit SessionDependencies(ProxyService* proxy_service)
: host_resolver(new MockHostResolver),
- cert_verifier(CertVerifier::CreateDefault()),
+ cert_verifier(new MockCertVerifier),
proxy_service(proxy_service),
ssl_config_service(new SSLConfigServiceDefaults),
http_auth_handler_factory(
diff --git a/net/net.gyp b/net/net.gyp
index eb8ce22..43790d8 100644
--- a/net/net.gyp
+++ b/net/net.gyp
@@ -1535,6 +1535,8 @@
'sources': [
'base/cert_test_util.cc',
'base/cert_test_util.h',
+ 'base/mock_cert_verifier.cc',
+ 'base/mock_cert_verifier.h',
'base/mock_file_stream.cc',
'base/mock_file_stream.h',
'base/mock_host_resolver.cc',
diff --git a/net/proxy/proxy_script_fetcher_impl_unittest.cc b/net/proxy/proxy_script_fetcher_impl_unittest.cc
index f365393..8881161 100644
--- a/net/proxy/proxy_script_fetcher_impl_unittest.cc
+++ b/net/proxy/proxy_script_fetcher_impl_unittest.cc
@@ -10,7 +10,7 @@
#include "base/compiler_specific.h"
#include "base/path_service.h"
#include "base/utf_string_conversions.h"
-#include "net/base/cert_verifier.h"
+#include "net/base/mock_cert_verifier.h"
#include "net/base/net_util.h"
#include "net/base/load_flags.h"
#include "net/base/ssl_config_service_defaults.h"
@@ -73,7 +73,7 @@ class RequestContext : public URLRequestContext {
CreateSystemHostResolver(HostResolver::kDefaultParallelism,
HostResolver::kDefaultRetryAttempts,
NULL));
- storage_.set_cert_verifier(CertVerifier::CreateDefault());
+ storage_.set_cert_verifier(new MockCertVerifier);
storage_.set_proxy_service(ProxyService::CreateFixed(no_proxy));
storage_.set_ssl_config_service(new SSLConfigServiceDefaults);
storage_.set_http_server_properties(new HttpServerPropertiesImpl);
diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc
index 85ef0a7..4e0fd86 100644
--- a/net/socket/ssl_client_socket_unittest.cc
+++ b/net/socket/ssl_client_socket_unittest.cc
@@ -6,9 +6,9 @@
#include "net/base/address_list.h"
#include "net/base/cert_test_util.h"
-#include "net/base/cert_verifier.h"
#include "net/base/host_resolver.h"
#include "net/base/io_buffer.h"
+#include "net/base/mock_cert_verifier.h"
#include "net/base/net_log.h"
#include "net/base/net_log_unittest.h"
#include "net/base/net_errors.h"
@@ -31,7 +31,8 @@ class SSLClientSocketTest : public PlatformTest {
public:
SSLClientSocketTest()
: socket_factory_(net::ClientSocketFactory::GetDefaultFactory()),
- cert_verifier_(net::CertVerifier::CreateDefault()) {
+ cert_verifier_(new net::MockCertVerifier) {
+ cert_verifier_->set_default_result(net::OK);
}
protected:
@@ -49,7 +50,7 @@ class SSLClientSocketTest : public PlatformTest {
}
net::ClientSocketFactory* socket_factory_;
- scoped_ptr<net::CertVerifier> cert_verifier_;
+ scoped_ptr<net::MockCertVerifier> cert_verifier_;
};
//-----------------------------------------------------------------------------
@@ -86,12 +87,9 @@ TEST_F(SSLClientSocketTest, Connect) {
rv = callback.WaitForResult();
EXPECT_EQ(net::OK, rv);
- net::SSLClientSocketContext context;
- context.cert_verifier = cert_verifier_.get();
scoped_ptr<net::SSLClientSocket> sock(
- socket_factory_->CreateSSLClientSocket(
- transport, test_server.host_port_pair(), kDefaultSSLConfig,
- NULL, context));
+ CreateSSLClientSocket(transport, test_server.host_port_pair(),
+ kDefaultSSLConfig));
EXPECT_FALSE(sock->IsConnected());
@@ -118,6 +116,8 @@ TEST_F(SSLClientSocketTest, ConnectExpired) {
net::TestServer test_server(https_options, FilePath());
ASSERT_TRUE(test_server.Start());
+ cert_verifier_->set_default_result(net::ERR_CERT_DATE_INVALID);
+
net::AddressList addr;
ASSERT_TRUE(test_server.GetAddressList(&addr));
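Review bot: With `set_default_result(net::ERR_CERT_DATE_INVALID)` added here, ConnectExpired no longer checks that the expired certificate served by the test server is detected; it only checks that SSLClientSocket propagates whatever the verifier returns. The same applies to the `ERR_CERT_COMMON_NAME_INVALID` line added in the ConnectMismatched hunk. A comment on each, e.g. `// The mock supplies this error; real expiry detection must be covered by the verifier's own tests.`, would stop a reader from counting these as verification coverage. Both test bodies continue outside their hunks.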
@@ -161,6 +161,8 @@ TEST_F(SSLClientSocketTest, ConnectMismatched) {
net::TestServer test_server(https_options, FilePath());
ASSERT_TRUE(test_server.Start());
+ cert_verifier_->set_default_result(net::ERR_CERT_COMMON_NAME_INVALID);
+
net::AddressList addr;
ASSERT_TRUE(test_server.GetAddressList(&addr));
@@ -394,12 +396,9 @@ TEST_F(SSLClientSocketTest, Read_FullDuplex) {
rv = callback.WaitForResult();
EXPECT_EQ(net::OK, rv);
- net::SSLClientSocketContext context;
- context.cert_verifier = cert_verifier_.get();
scoped_ptr<net::SSLClientSocket> sock(
- socket_factory_->CreateSSLClientSocket(
- transport, test_server.host_port_pair(), kDefaultSSLConfig,
- NULL, context));
+ CreateSSLClientSocket(transport, test_server.host_port_pair(),
+ kDefaultSSLConfig));
rv = sock->Connect(callback.callback());
if (rv == net::ERR_IO_PENDING)
@@ -759,15 +758,12 @@ TEST_F(SSLClientSocketTest, ClientSocketHandleNotFromPool) {
net::ClientSocketHandle* socket_handle = new net::ClientSocketHandle();
socket_handle->set_socket(transport);
- net::SSLClientSocketContext context;
- context.cert_verifier = cert_verifier_.get();
- scoped_ptr<net::SSLClientSocket> ssl_socket(
- socket_factory_->CreateSSLClientSocket(
- socket_handle, test_server.host_port_pair(), kDefaultSSLConfig,
- NULL, context));
+ scoped_ptr<net::SSLClientSocket> sock(
+ CreateSSLClientSocket(transport, test_server.host_port_pair(),
+ kDefaultSSLConfig));
- EXPECT_FALSE(ssl_socket->IsConnected());
- rv = ssl_socket->Connect(callback.callback());
+ EXPECT_FALSE(sock->IsConnected());
+ rv = sock->Connect(callback.callback());
if (rv == net::ERR_IO_PENDING)
rv = callback.WaitForResult();
EXPECT_EQ(net::OK, rv);
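Review bot: The rewritten call passes `transport` to CreateSSLClientSocket() even though `socket_handle->set_socket(transport)` just above has already handed that socket to `socket_handle`, and `socket_handle` itself is no longer passed anywhere. If the helper (defined outside this hunk) wraps its argument in a fresh ClientSocketHandle, the transport ends up with two owners and the heap-allocated `socket_handle` is never released. The test also stops exercising the hand-built handle its name refers to. Keeping the direct `socket_factory_->CreateSSLClientSocket(socket_handle, ...)` call for this one test would preserve the original intent.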
@@ -793,12 +789,9 @@ TEST_F(SSLClientSocketTest, ExportKeyingMaterial) {
rv = callback.WaitForResult();
EXPECT_EQ(net::OK, rv);
- net::SSLClientSocketContext context;
- context.cert_verifier = cert_verifier_.get();
scoped_ptr<net::SSLClientSocket> sock(
- socket_factory_->CreateSSLClientSocket(
- transport, test_server.host_port_pair(), kDefaultSSLConfig,
- NULL, context));
+ CreateSSLClientSocket(transport, test_server.host_port_pair(),
+ kDefaultSSLConfig));
rv = sock->Connect(callback.callback());
if (rv == net::ERR_IO_PENDING)
@@ -835,40 +828,37 @@ TEST(SSLClientSocket, ClearSessionCache) {
// verified, not the chain as served by the server. (They may be different.)
//
// CERT_CHAIN_WRONG_ROOT is redundant-server-chain.pem. It contains A
-// (end-entity) -> B -> C, and C is signed by D. We do not set D to be a
-// trusted root in this test. Instead, we install C2 as a root; C2 contains
-// the same public key as C. redundant-server-chain.pem should therefore
-// validate as A -> B -> C2. If it does, this test passes.
-//
-// This test is the upper-layer analogue for
-// X509CertificateTest.VerifyReturnChainProperlyOrdered.
-#if defined(OS_MACOSX)
-// TODO(rsleevi): http://crbug.com/114343 / http://crbug.com/69278 - OS X
-// path building fails to properly handle cross-certified intermediates
-// without AIA information, so this test is disabled.
-#define MAYBE_VerifyReturnChainProperlyOrdered \
- DISABLED_VerifyReturnChainProperlyOrdered
-#elif defined(OS_ANDROID)
-// TODO(jnd): http://crbug.com/116838 - Requires support of Android APIs
-#define MAYBE_VerifyReturnChainProperlyOrdered \
- DISABLED_VerifyReturnChainProperlyOrdered
-#elif defined(USE_OPENSSL)
-// TODO(jnd): http://crbug.com/117196 - OpenSSL doesn't support arbitrary
-// trust anchors or cross-signed certificate chain path building until
-// OpenSSL 1.1.0.
-#define MAYBE_VerifyReturnChainProperlyOrdered \
- DISABLED_VerifyReturnChainProperlyOrdered
-#else
-#define MAYBE_VerifyReturnChainProperlyOrdered \
- VerifyReturnChainProperlyOrdered
-#endif
-TEST_F(SSLClientSocketTest, MAYBE_VerifyReturnChainProperlyOrdered) {
+// (end-entity) -> B -> C, and C is signed by D. redundant-validated-chain.pem
+// contains a chain of A -> B -> C2, where C2 is the same public key as C, but
+// a self-signed root. Such a situation can occur when a new root (C2) is
+// cross-certified by an old root (D) and has two different versions of its
+// floating around. Servers may supply C2 as an intermediate, but the
+// SSLClientSocket should return the chain that was verified, from
+// verify_result, instead.
+TEST_F(SSLClientSocketTest, VerifyReturnChainProperlyOrdered) {
+ // By default, cause the CertVerifier to treat all certificates as
+ // expired.
+ cert_verifier_->set_default_result(net::ERR_CERT_DATE_INVALID);
+
// We will expect SSLInfo to ultimately contain this chain.
net::CertificateList certs = CreateCertificateListFromFile(
net::GetTestCertsDirectory(), "redundant-validated-chain.pem",
net::X509Certificate::FORMAT_AUTO);
ASSERT_EQ(3U, certs.size());
+ net::X509Certificate::OSCertHandles temp_intermediates;
+ temp_intermediates.push_back(certs[1]->os_cert_handle());
+ temp_intermediates.push_back(certs[2]->os_cert_handle());
+
+ net::CertVerifyResult verify_result;
+ verify_result.verified_cert =
+ net::X509Certificate::CreateFromHandle(certs[0]->os_cert_handle(),
+ temp_intermediates);
+
+ // Add a rule that maps the server cert (A) to the chain of A->B->C2
+ // rather than A->B->C.
+ cert_verifier_->AddResultForCert(certs[0], verify_result, net::OK);
+
// Load and install the root for the validated chain.
scoped_refptr<net::X509Certificate> root_cert =
net::ImportCertFromFile(net::GetTestCertsDirectory(),
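Review bot: With the result now injected through `AddResultForCert(certs[0], verify_result, net::OK)`, the "Load and install the root for the validated chain" step that follows looks unnecessary, since MockCertVerifier::Verify() never consults a trust store. If the rest of the test (outside this hunk) needs nothing else from it, dropping it avoids changing trust state in a test that no longer depends on it. In the new block comment, "has two different versions of its floating around" is missing a noun, presumably "certificate".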
diff --git a/net/socket/ssl_server_socket_unittest.cc b/net/socket/ssl_server_socket_unittest.cc
index b456b74..97841ff 100644
--- a/net/socket/ssl_server_socket_unittest.cc
+++ b/net/socket/ssl_server_socket_unittest.cc
@@ -29,11 +29,11 @@
#include "net/base/address_list.h"
#include "net/base/cert_status_flags.h"
#include "net/base/cert_test_util.h"
-#include "net/base/cert_verifier.h"
#include "net/base/completion_callback.h"
#include "net/base/host_port_pair.h"
#include "net/base/io_buffer.h"
#include "net/base/ip_endpoint.h"
+#include "net/base/mock_cert_verifier.h"
#include "net/base/net_errors.h"
#include "net/base/net_log.h"
#include "net/base/ssl_config_service.h"
@@ -57,8 +57,7 @@ class FakeDataChannel {
ALLOW_THIS_IN_INITIALIZER_LIST(weak_factory_(this)) {
}
- virtual int Read(IOBuffer* buf, int buf_len,
- const CompletionCallback& callback) {
+ int Read(IOBuffer* buf, int buf_len, const CompletionCallback& callback) {
if (data_.empty()) {
read_callback_ = callback;
read_buf_ = buf;
@@ -68,8 +67,7 @@ class FakeDataChannel {
return PropogateData(buf, buf_len);
}
- virtual int Write(IOBuffer* buf, int buf_len,
- const CompletionCallback& callback) {
+ int Write(IOBuffer* buf, int buf_len, const CompletionCallback& callback) {
data_.push(new net::DrainableIOBuffer(buf, buf_len));
MessageLoop::current()->PostTask(
FROM_HERE, base::Bind(&FakeDataChannel::DoReadCallback,
@@ -251,7 +249,8 @@ class SSLServerSocketTest : public PlatformTest {
public:
SSLServerSocketTest()
: socket_factory_(net::ClientSocketFactory::GetDefaultFactory()),
- cert_verifier_(net::CertVerifier::CreateDefault()) {
+ cert_verifier_(new MockCertVerifier()) {
+ cert_verifier_->set_default_result(net::CERT_STATUS_AUTHORITY_INVALID);
}
protected:
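Review bot: `set_default_result()` takes a net error code, but the constructor passes `net::CERT_STATUS_AUTHORITY_INVALID`, which is a CertStatus flag rather than an error. MockCertVerifier::Verify() would then return the flag's bit value as its result and, because MapNetErrorToCertStatus() maps non-certificate errors to 0, report an empty cert_status. The intended call is presumably `cert_verifier_->set_default_result(net::ERR_CERT_AUTHORITY_INVALID);`. The initialiser also spells `new MockCertVerifier()` without the `net::` qualifier used on the line above it.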
@@ -308,7 +307,7 @@ class SSLServerSocketTest : public PlatformTest {
scoped_ptr<net::SSLClientSocket> client_socket_;
scoped_ptr<net::SSLServerSocket> server_socket_;
net::ClientSocketFactory* socket_factory_;
- scoped_ptr<net::CertVerifier> cert_verifier_;
+ scoped_ptr<net::MockCertVerifier> cert_verifier_;
};
// SSLServerSocket is only implemented using NSS.
@@ -459,14 +458,14 @@ TEST_F(SSLServerSocketTest, ExportKeyingMaterial) {
int rv = server_socket_->ExportKeyingMaterial(kKeyingLabel,
false, kKeyingContext,
server_out, sizeof(server_out));
- ASSERT_EQ(rv, net::OK);
+ ASSERT_EQ(net::OK, rv);
unsigned char client_out[kKeyingMaterialSize];
rv = client_socket_->ExportKeyingMaterial(kKeyingLabel,
false, kKeyingContext,
client_out, sizeof(client_out));
- ASSERT_EQ(rv, net::OK);
- EXPECT_TRUE(memcmp(server_out, client_out, sizeof(server_out)) == 0);
+ ASSERT_EQ(net::OK, rv);
+ EXPECT_EQ(0, memcmp(server_out, client_out, sizeof(server_out)));
const char* kKeyingLabelBad = "EXPERIMENTAL-server-socket-test-bad";
unsigned char client_bad[kKeyingMaterialSize];
@@ -474,7 +473,7 @@ TEST_F(SSLServerSocketTest, ExportKeyingMaterial) {
false, kKeyingContext,
client_bad, sizeof(client_bad));
ASSERT_EQ(rv, net::OK);
- EXPECT_TRUE(memcmp(server_out, client_bad, sizeof(server_out)) != 0);
+ EXPECT_NE(0, memcmp(server_out, client_bad, sizeof(server_out)));
}
#endif
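Review bot: `ASSERT_EQ(rv, net::OK);` directly above the changed `EXPECT_NE` still uses the (actual, expected) order, while the previous hunk switched the other two assertions in this test to `ASSERT_EQ(net::OK, rv);`. Swapping this one too keeps the argument order, and so the failure messages, consistent within the test.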
diff --git a/net/spdy/spdy_test_util_spdy2.cc b/net/spdy/spdy_test_util_spdy2.cc
index 4f2411a..1e39e62 100644
--- a/net/spdy/spdy_test_util_spdy2.cc
+++ b/net/spdy/spdy_test_util_spdy2.cc
@@ -10,7 +10,7 @@
#include "base/compiler_specific.h"
#include "base/string_number_conversions.h"
#include "base/string_util.h"
-#include "net/base/cert_verifier.h"
+#include "net/base/mock_cert_verifier.h"
#include "net/http/http_network_session.h"
#include "net/http/http_network_transaction.h"
#include "net/http/http_server_properties_impl.h"
@@ -900,7 +900,7 @@ int CombineFrames(const SpdyFrame** frames, int num_frames,
SpdySessionDependencies::SpdySessionDependencies()
: host_resolver(new MockCachingHostResolver),
- cert_verifier(CertVerifier::CreateDefault()),
+ cert_verifier(new MockCertVerifier),
proxy_service(ProxyService::CreateDirect()),
ssl_config_service(new SSLConfigServiceDefaults),
socket_factory(new MockClientSocketFactory),
@@ -918,7 +918,7 @@ SpdySessionDependencies::SpdySessionDependencies()
SpdySessionDependencies::SpdySessionDependencies(ProxyService* proxy_service)
: host_resolver(new MockHostResolver),
- cert_verifier(CertVerifier::CreateDefault()),
+ cert_verifier(new MockCertVerifier),
proxy_service(proxy_service),
ssl_config_service(new SSLConfigServiceDefaults),
socket_factory(new MockClientSocketFactory),
@@ -962,7 +962,7 @@ HttpNetworkSession* SpdySessionDependencies::SpdyCreateSessionDeterministic(
SpdyURLRequestContext::SpdyURLRequestContext()
: ALLOW_THIS_IN_INITIALIZER_LIST(storage_(this)) {
storage_.set_host_resolver(new MockHostResolver());
- storage_.set_cert_verifier(CertVerifier::CreateDefault());
+ storage_.set_cert_verifier(new MockCertVerifier);
storage_.set_proxy_service(ProxyService::CreateDirect());
storage_.set_ssl_config_service(new SSLConfigServiceDefaults);
storage_.set_http_auth_handler_factory(HttpAuthHandlerFactory::CreateDefault(
diff --git a/net/spdy/spdy_test_util_spdy3.cc b/net/spdy/spdy_test_util_spdy3.cc
index fc58945..258382a 100644
--- a/net/spdy/spdy_test_util_spdy3.cc
+++ b/net/spdy/spdy_test_util_spdy3.cc
@@ -10,6 +10,7 @@
#include "base/compiler_specific.h"
#include "base/string_number_conversions.h"
#include "base/string_util.h"
+#include "net/base/mock_cert_verifier.h"
#include "net/http/http_network_session.h"
#include "net/http/http_network_transaction.h"
#include "net/http/http_server_properties_impl.h"
@@ -882,7 +883,7 @@ int CombineFrames(const SpdyFrame** frames, int num_frames,
SpdySessionDependencies::SpdySessionDependencies()
: host_resolver(new MockCachingHostResolver),
- cert_verifier(CertVerifier::CreateDefault()),
+ cert_verifier(new MockCertVerifier),
proxy_service(ProxyService::CreateDirect()),
ssl_config_service(new SSLConfigServiceDefaults),
socket_factory(new MockClientSocketFactory),
@@ -900,7 +901,7 @@ SpdySessionDependencies::SpdySessionDependencies()
SpdySessionDependencies::SpdySessionDependencies(ProxyService* proxy_service)
: host_resolver(new MockHostResolver),
- cert_verifier(CertVerifier::CreateDefault()),
+ cert_verifier(new MockCertVerifier),
proxy_service(proxy_service),
ssl_config_service(new SSLConfigServiceDefaults),
socket_factory(new MockClientSocketFactory),
@@ -944,7 +945,7 @@ HttpNetworkSession* SpdySessionDependencies::SpdyCreateSessionDeterministic(
SpdyURLRequestContext::SpdyURLRequestContext()
: ALLOW_THIS_IN_INITIALIZER_LIST(storage_(this)) {
storage_.set_host_resolver(new MockHostResolver());
- storage_.set_cert_verifier(CertVerifier::CreateDefault());
+ storage_.set_cert_verifier(new MockCertVerifier);
storage_.set_proxy_service(ProxyService::CreateDirect());
storage_.set_ssl_config_service(new SSLConfigServiceDefaults);
storage_.set_http_auth_handler_factory(HttpAuthHandlerFactory::CreateDefault(