authorakalin@chromium.org <akalin@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-10-29 01:40:38 +0000
committerakalin@chromium.org <akalin@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-10-29 01:40:38 +0000
commitac1806328efd8db836742a35faf053fda77259c9 (patch)
tree00fbd355e3c261ee979b38ec6dbbe2e79dde4bfc /net/spdy
parentb32671a4f13927ed2f76a5ec8117ba9b75b659b2 (diff)
[SPDY] Remove most code dealing with credential frames
The only thing left is the code in SpdyFramer, which will be taken care of in a separate CL. Credential frames will never be turned on, so this is all dead code. Unhide a non-credentials-related test inadvertently put behind a USE_OPENSSL check. BUG=311852 R=darin@chromium.org, rch@chromium.org Review URL: https://codereview.chromium.org/46373003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@231481 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/spdy')
-rw-r--r--net/spdy/buffered_spdy_framer.cc5
-rw-r--r--net/spdy/buffered_spdy_framer.h2
-rw-r--r--net/spdy/spdy_credential_builder.cc86
-rw-r--r--net/spdy/spdy_credential_builder.h36
-rw-r--r--net/spdy/spdy_credential_builder_unittest.cc145
-rw-r--r--net/spdy/spdy_credential_state.cc69
-rw-r--r--net/spdy/spdy_credential_state.h56
-rw-r--r--net/spdy/spdy_credential_state_unittest.cc108
-rw-r--r--net/spdy/spdy_framer.h2
-rw-r--r--net/spdy/spdy_http_stream_unittest.cc260
-rw-r--r--net/spdy/spdy_session.cc71
-rw-r--r--net/spdy/spdy_session.h23
-rw-r--r--net/spdy/spdy_session_pool.cc3
-rw-r--r--net/spdy/spdy_session_pool.h2
-rw-r--r--net/spdy/spdy_session_unittest.cc75
-rw-r--r--net/spdy/spdy_stream.cc106
-rw-r--r--net/spdy/spdy_stream.h10
17 files changed, 9 insertions, 1050 deletions
diff --git a/net/spdy/buffered_spdy_framer.cc b/net/spdy/buffered_spdy_framer.cc
index 6d996d2..049c3da 100644
--- a/net/spdy/buffered_spdy_framer.cc
+++ b/net/spdy/buffered_spdy_framer.cc
@@ -302,11 +302,6 @@ SpdyFrame* BufferedSpdyFramer::CreateWindowUpdate(
return spdy_framer_.CreateWindowUpdate(stream_id, delta_window_size);
}
-SpdyFrame* BufferedSpdyFramer::CreateCredentialFrame(
- const SpdyCredential& credential) const {
- return spdy_framer_.CreateCredentialFrame(credential);
-}
-
SpdyFrame* BufferedSpdyFramer::CreateDataFrame(SpdyStreamId stream_id,
const char* data,
uint32 len,
diff --git a/net/spdy/buffered_spdy_framer.h b/net/spdy/buffered_spdy_framer.h
index 1786067..85ad537 100644
--- a/net/spdy/buffered_spdy_framer.h
+++ b/net/spdy/buffered_spdy_framer.h
@@ -185,8 +185,6 @@ class NET_EXPORT_PRIVATE BufferedSpdyFramer
SpdyFrame* CreateWindowUpdate(
SpdyStreamId stream_id,
uint32 delta_window_size) const;
- SpdyFrame* CreateCredentialFrame(
- const SpdyCredential& credential) const;
SpdyFrame* CreateDataFrame(SpdyStreamId stream_id,
const char* data,
uint32 len,
diff --git a/net/spdy/spdy_credential_builder.cc b/net/spdy/spdy_credential_builder.cc
deleted file mode 100644
index 79567b6..0000000
--- a/net/spdy/spdy_credential_builder.cc
+++ /dev/null
@@ -1,86 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/spdy/spdy_credential_builder.h"
-
-#include "base/logging.h"
-#include "base/strings/string_piece.h"
-#include "crypto/ec_private_key.h"
-#include "crypto/ec_signature_creator.h"
-#include "net/base/net_errors.h"
-#include "net/cert/asn1_util.h"
-#include "net/socket/ssl_client_socket.h"
-#include "net/spdy/spdy_framer.h"
-#include "net/ssl/server_bound_cert_service.h"
-
-namespace net {
-
-namespace {
-
-std::vector<uint8> ToVector(base::StringPiece piece) {
- return std::vector<uint8>(piece.data(), piece.data() + piece.length());
-}
-
-} // namespace
-
-// static
-int SpdyCredentialBuilder::Build(const std::string& tls_unique,
- const std::string& key,
- const std::string& cert,
- size_t slot,
- SpdyCredential* credential) {
- std::string secret = SpdyCredentialBuilder::GetCredentialSecret(tls_unique);
-
- // Extract the SubjectPublicKeyInfo from the certificate.
- base::StringPiece public_key_info;
- if(!asn1::ExtractSPKIFromDERCert(cert, &public_key_info))
- return ERR_BAD_SSL_CLIENT_AUTH_CERT;
-
- // Next, extract the SubjectPublicKey data, which will actually
- // be stored in the cert field of the credential frame.
- base::StringPiece public_key;
- if (!asn1::ExtractSubjectPublicKeyFromSPKI(public_key_info, &public_key))
- return ERR_BAD_SSL_CLIENT_AUTH_CERT;
- // Drop one byte of padding bits count from the BIT STRING
- // (this will always be zero). Drop one byte of X9.62 format specification
- // (this will always be 4 to indicated an uncompressed point).
- DCHECK_GT(public_key.length(), 2u);
- DCHECK_EQ(0, static_cast<int>(public_key[0]));
- DCHECK_EQ(4, static_cast<int>(public_key[1]));
- public_key = public_key.substr(2, public_key.length());
-
- // Convert the strings into a vector<unit8>
- std::vector<uint8> der_signature;
- scoped_ptr<crypto::ECPrivateKey> private_key(
- crypto::ECPrivateKey::CreateFromEncryptedPrivateKeyInfo(
- ServerBoundCertService::kEPKIPassword,
- ToVector(key), ToVector(public_key_info)));
- scoped_ptr<crypto::ECSignatureCreator> creator(
- crypto::ECSignatureCreator::Create(private_key.get()));
- creator->Sign(reinterpret_cast<const unsigned char *>(secret.data()),
- secret.length(), &der_signature);
-
- std::vector<uint8> proof_vector;
- if (!creator->DecodeSignature(der_signature, &proof_vector)) {
- NOTREACHED();
- return ERR_UNEXPECTED;
- }
-
- credential->slot = slot;
- credential->certs.push_back(public_key.as_string());
- credential->proof.assign(proof_vector.begin(), proof_vector.end());
- return OK;
-}
-
-// static
-std::string SpdyCredentialBuilder::GetCredentialSecret(
- const std::string& tls_unique) {
- const char prefix[] = "SPDY CREDENTIAL ChannelID\0client -> server";
- std::string secret(prefix, arraysize(prefix));
- secret.append(tls_unique);
-
- return secret;
-}
-
-} // namespace net
diff --git a/net/spdy/spdy_credential_builder.h b/net/spdy/spdy_credential_builder.h
deleted file mode 100644
index 3bdc0a1..0000000
--- a/net/spdy/spdy_credential_builder.h
+++ /dev/null
@@ -1,36 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_SPDY_SPDY_CREDENTIAL_BUILDER_H_
-#define NET_SPDY_SPDY_CREDENTIAL_BUILDER_H_
-
-#include <string>
-
-#include "net/base/net_export.h"
-
-namespace net {
-
-class SSLClientSocket;
-struct SpdyCredential;
-
-// This class provides facilities for building the various fields of
-// SPDY CREDENTIAL frames.
-class NET_EXPORT_PRIVATE SpdyCredentialBuilder {
- public:
- static int Build(const std::string& tls_unique,
- const std::string& key,
- const std::string& cert,
- size_t slot,
- SpdyCredential* credential);
-
- private:
- friend class SpdyCredentialBuilderTest;
-
- // Returns the secret data to be signed as part of a credential frame.
- static std::string GetCredentialSecret(const std::string& tls_unique);
-};
-
-} // namespace net
-
-#endif // NET_SPDY_SPDY_CREDENTIAL_BUILDER_H_
diff --git a/net/spdy/spdy_credential_builder_unittest.cc b/net/spdy/spdy_credential_builder_unittest.cc
deleted file mode 100644
index 84aff7a..0000000
--- a/net/spdy/spdy_credential_builder_unittest.cc
+++ /dev/null
@@ -1,145 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/spdy/spdy_credential_builder.h"
-
-#include "base/message_loop/message_loop_proxy.h"
-#include "crypto/ec_private_key.h"
-#include "crypto/ec_signature_creator.h"
-#include "net/cert/asn1_util.h"
-#include "net/spdy/spdy_test_util_common.h"
-#include "net/ssl/default_server_bound_cert_store.h"
-#include "net/ssl/server_bound_cert_service.h"
-#include "testing/platform_test.h"
-
-namespace net {
-
-namespace {
-
-const static size_t kSlot = 2;
-const static char kSecretPrefix[] =
- "SPDY CREDENTIAL ChannelID\0client -> server";
-
-void CreateCertAndKey(std::string* cert, std::string* key) {
- // TODO(rch): Share this code with ServerBoundCertServiceTest.
- scoped_ptr<ServerBoundCertService> server_bound_cert_service(
- new ServerBoundCertService(new DefaultServerBoundCertStore(NULL),
- base::MessageLoopProxy::current()));
-
- TestCompletionCallback callback;
- ServerBoundCertService::RequestHandle request_handle;
- int rv = server_bound_cert_service->GetOrCreateDomainBoundCert(
- "www.google.com", key, cert, callback.callback(), &request_handle);
- EXPECT_EQ(ERR_IO_PENDING, rv);
- EXPECT_EQ(OK, callback.WaitForResult());
-}
-
-} // namespace
-
-class SpdyCredentialBuilderTest : public testing::Test {
- public:
- SpdyCredentialBuilderTest() {
- CreateCertAndKey(&cert_, &key_);
- }
-
- protected:
- int Build() {
- return SpdyCredentialBuilder::Build(
- MockClientSocket::kTlsUnique, key_, cert_, kSlot, &credential_);
- }
-
- std::string GetCredentialSecret() {
- return SpdyCredentialBuilder::GetCredentialSecret(
- MockClientSocket::kTlsUnique);
- }
-
- std::string cert_;
- std::string key_;
- SpdyCredential credential_;
- MockECSignatureCreatorFactory ec_signature_creator_factory_;
-};
-
-// http://crbug.com/142833, http://crbug.com/140991. The following tests fail
-// with OpenSSL due to the unimplemented ec_private_key_openssl.cc.
-#if defined(USE_OPENSSL)
-#define MAYBE_GetCredentialSecret DISABLED_GetCredentialSecret
-#else
-#define MAYBE_GetCredentialSecret GetCredentialSecret
-#endif
-
-TEST_F(SpdyCredentialBuilderTest, MAYBE_GetCredentialSecret) {
- std::string secret_str(kSecretPrefix, arraysize(kSecretPrefix));
- secret_str.append(MockClientSocket::kTlsUnique);
-
- EXPECT_EQ(secret_str, GetCredentialSecret());
-}
-
-#if defined(USE_OPENSSL)
-#define MAYBE_Succeeds DISABLED_Succeeds
-#else
-#define MAYBE_Succeeds Succeeds
-#endif
-
-TEST_F(SpdyCredentialBuilderTest, MAYBE_Succeeds) {
- EXPECT_EQ(OK, Build());
-}
-
-#if defined(USE_OPENSSL)
-#define MAYBE_SetsSlotCorrectly DISABLED_SetsSlotCorrectly
-#else
-#define MAYBE_SetsSlotCorrectly SetsSlotCorrectly
-#endif
-
-TEST_F(SpdyCredentialBuilderTest, MAYBE_SetsSlotCorrectly) {
- ASSERT_EQ(OK, Build());
- EXPECT_EQ(kSlot, credential_.slot);
-}
-
-#if defined(USE_OPENSSL)
-#define MAYBE_SetsCertCorrectly DISABLED_SetsCertCorrectly
-#else
-#define MAYBE_SetsCertCorrectly SetsCertCorrectly
-#endif
-
-TEST_F(SpdyCredentialBuilderTest, MAYBE_SetsCertCorrectly) {
- ASSERT_EQ(OK, Build());
- base::StringPiece spki;
- ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(cert_, &spki));
- base::StringPiece spk;
- ASSERT_TRUE(asn1::ExtractSubjectPublicKeyFromSPKI(spki, &spk));
- EXPECT_EQ(1u, credential_.certs.size());
- EXPECT_EQ(0, (int)spk[0]);
- EXPECT_EQ(4, (int)spk[1]);
- EXPECT_EQ(spk.substr(2, spk.length()).as_string(), credential_.certs[0]);
-}
-
-#if defined(USE_OPENSSL)
-#define MAYBE_SetsProofCorrectly DISABLED_SetsProofCorrectly
-#else
-#define MAYBE_SetsProofCorrectly SetsProofCorrectly
-#endif
-
-TEST_F(SpdyCredentialBuilderTest, MAYBE_SetsProofCorrectly) {
- ASSERT_EQ(OK, Build());
- base::StringPiece spki;
- ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(cert_, &spki));
- std::vector<uint8> spki_data(spki.data(),
- spki.data() + spki.size());
- std::vector<uint8> key_data(key_.data(),
- key_.data() + key_.length());
- std::vector<uint8> proof_data;
- scoped_ptr<crypto::ECPrivateKey> private_key(
- crypto::ECPrivateKey::CreateFromEncryptedPrivateKeyInfo(
- ServerBoundCertService::kEPKIPassword, key_data, spki_data));
- scoped_ptr<crypto::ECSignatureCreator> creator(
- crypto::ECSignatureCreator::Create(private_key.get()));
- std::string secret = GetCredentialSecret();
- creator->Sign(reinterpret_cast<const unsigned char *>(secret.data()),
- secret.length(), &proof_data);
-
- std::string proof(proof_data.begin(), proof_data.end());
- EXPECT_EQ(proof, credential_.proof);
-}
-
-} // namespace net
diff --git a/net/spdy/spdy_credential_state.cc b/net/spdy/spdy_credential_state.cc
deleted file mode 100644
index 4549b37..0000000
--- a/net/spdy/spdy_credential_state.cc
+++ /dev/null
@@ -1,69 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/spdy/spdy_credential_state.h"
-
-#include "base/logging.h"
-#include "base/strings/string_util.h"
-#include "net/ssl/server_bound_cert_service.h"
-
-namespace net {
-
-namespace {
-
-GURL GetCanonicalOrigin(const GURL& url) {
- std::string domain =
- ServerBoundCertService::GetDomainForHost(url.host());
- DCHECK(!domain.empty());
- if (domain == url.host())
- return url.GetOrigin();
- return GURL(url.scheme() + "://" + domain + ":" + url.port());
-}
-
-} // namespace
-
-const size_t SpdyCredentialState::kDefaultNumSlots = 8;
-const size_t SpdyCredentialState::kNoEntry = 0;
-
-SpdyCredentialState::SpdyCredentialState(size_t num_slots)
- : slots_(num_slots),
- last_added_(-1) {}
-
-SpdyCredentialState::~SpdyCredentialState() {}
-
-bool SpdyCredentialState::HasCredential(const GURL& origin) const {
- return FindCredentialSlot(origin) != kNoEntry;
-}
-
-size_t SpdyCredentialState::SetHasCredential(const GURL& origin) {
- size_t i = FindCredentialSlot(origin);
- if (i != kNoEntry)
- return i;
- // Add the new entry at the next index following the index of the last
- // entry added, or at index 0 if the last added index is the last index.
- if (last_added_ + 1 == slots_.size()) {
- last_added_ = 0;
- } else {
- last_added_++;
- }
- slots_[last_added_] = GetCanonicalOrigin(origin);
- return last_added_ + 1;
-}
-
-size_t SpdyCredentialState::FindCredentialSlot(const GURL& origin) const {
- GURL url = GetCanonicalOrigin(origin);
- for (size_t i = 0; i < slots_.size(); i++) {
- if (url == slots_[i])
- return i + 1;
- }
- return kNoEntry;
-}
-
-void SpdyCredentialState::Resize(size_t size) {
- slots_.resize(size);
- if (last_added_ >= slots_.size())
- last_added_ = slots_.size() - 1;
-}
-
-} // namespace net
diff --git a/net/spdy/spdy_credential_state.h b/net/spdy/spdy_credential_state.h
deleted file mode 100644
index 505b012..0000000
--- a/net/spdy/spdy_credential_state.h
+++ /dev/null
@@ -1,56 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_SPDY_SPDY_CREDENTIAL_STATE_H_
-#define NET_SPDY_SPDY_CREDENTIAL_STATE_H_
-
-#include <vector>
-
-#include "net/base/net_export.h"
-#include "url/gurl.h"
-
-namespace net {
-
-// A class for tracking the credentials associated with a SPDY session.
-class NET_EXPORT_PRIVATE SpdyCredentialState {
- public:
- explicit SpdyCredentialState(size_t num_slots);
- ~SpdyCredentialState();
-
- // Changes the number of credentials being tracked. If the new size is
- // larger, then empty slots will be added to the end. If the new size is
- // smaller than the current size, then the extra slots will be truncated
- // from the end.
- void Resize(size_t size);
-
- // Returns the one-based index in |slots_| for |url| or kNoEntry, if no entry
- // for |url| exists.
- size_t FindCredentialSlot(const GURL& url) const;
-
- // Returns true if there is a credential associated with |url|.
- bool HasCredential(const GURL& url) const;
-
- // Adds the new credentials to be associated with all origins matching
- // |url|. If there is space, then it will add in the first available
- // position. Otherwise, an existing credential will be evicted. Returns
- // the slot in which this domain was added.
- size_t SetHasCredential(const GURL& url);
-
- // This value is defined as the default initial value in the SPDY spec unless
- // otherwise negotiated via SETTINGS.
- static const size_t kDefaultNumSlots;
-
- // Sentinel value to be returned by FindCredentialSlot when no entry exists.
- static const size_t kNoEntry;
-
- private:
- // Vector of origins that have credentials.
- std::vector<GURL> slots_;
- // Index of the last origin added to |slots_|.
- size_t last_added_;
-};
-
-} // namespace net
-
-#endif // NET_SPDY_SPDY_CREDENTIAL_STATE_H_
diff --git a/net/spdy/spdy_credential_state_unittest.cc b/net/spdy/spdy_credential_state_unittest.cc
deleted file mode 100644
index b512921..0000000
--- a/net/spdy/spdy_credential_state_unittest.cc
+++ /dev/null
@@ -1,108 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/spdy/spdy_credential_state.h"
-
-#include "net/base/host_port_pair.h"
-#include "testing/platform_test.h"
-
-namespace net {
-
-class SpdyCredentialStateTest : public PlatformTest {
- public:
- SpdyCredentialStateTest()
- : state_(4),
- origin1_("https://1.com"),
- origin2_("https://2.com"),
- origin3_("https://3.com"),
- origin4_("https://4.com"),
- origin5_("https://5.com"),
- origin6_("https://6.com"),
- origin11_("https://11.com"),
- host1_("https://www.1.com:443") {
- }
-
- protected:
- SpdyCredentialState state_;
- const GURL origin1_;
- const GURL origin2_;
- const GURL origin3_;
- const GURL origin4_;
- const GURL origin5_;
- const GURL origin6_;
- const GURL origin11_;
- const GURL host1_;
-
- DISALLOW_COPY_AND_ASSIGN(SpdyCredentialStateTest);
-};
-
-TEST_F(SpdyCredentialStateTest, HasCredentialReturnsFalseWhenEmpty) {
- EXPECT_FALSE(state_.HasCredential(origin1_));
- EXPECT_FALSE(state_.HasCredential(origin2_));
- EXPECT_FALSE(state_.HasCredential(origin3_));
-}
-
-TEST_F(SpdyCredentialStateTest, HasCredentialReturnsTrueWhenAdded) {
- state_.SetHasCredential(origin1_);
- EXPECT_TRUE(state_.HasCredential(origin1_));
- EXPECT_TRUE(state_.HasCredential(host1_));
- EXPECT_FALSE(state_.HasCredential(origin11_));
- EXPECT_FALSE(state_.HasCredential(origin2_));
- EXPECT_FALSE(state_.HasCredential(origin3_));
-}
-
-TEST_F(SpdyCredentialStateTest, SetCredentialAddsToEndOfList) {
- EXPECT_EQ(1u, (state_.SetHasCredential(origin1_)));
- EXPECT_EQ(2u, (state_.SetHasCredential(origin2_)));
- EXPECT_EQ(3u, (state_.SetHasCredential(origin3_)));
-}
-
-TEST_F(SpdyCredentialStateTest, SetReturnsPositionIfAlreadyInList) {
- EXPECT_EQ(1u, (state_.SetHasCredential(origin1_)));
- EXPECT_EQ(2u, (state_.SetHasCredential(origin2_)));
- EXPECT_EQ(1u, (state_.SetHasCredential(origin1_)));
- EXPECT_EQ(2u, (state_.SetHasCredential(origin2_)));
-}
-
-TEST_F(SpdyCredentialStateTest, SetReplacesOldestElementWhenFull) {
- EXPECT_EQ(1u, (state_.SetHasCredential(origin1_)));
- EXPECT_EQ(2u, (state_.SetHasCredential(origin2_)));
- EXPECT_EQ(3u, (state_.SetHasCredential(origin3_)));
- EXPECT_EQ(4u, (state_.SetHasCredential(origin4_)));
- EXPECT_EQ(1u, (state_.SetHasCredential(origin5_)));
- EXPECT_EQ(2u, (state_.SetHasCredential(origin6_)));
- EXPECT_EQ(3u, (state_.SetHasCredential(origin1_)));
- EXPECT_EQ(4u, (state_.SetHasCredential(origin2_)));
-}
-
-TEST_F(SpdyCredentialStateTest, ResizeAddsEmptySpaceAtEnd) {
- EXPECT_EQ(1u, (state_.SetHasCredential(origin1_)));
- EXPECT_EQ(2u, (state_.SetHasCredential(origin2_)));
- EXPECT_EQ(3u, (state_.SetHasCredential(origin3_)));
- EXPECT_EQ(4u, (state_.SetHasCredential(origin4_)));
- state_.Resize(6);
- EXPECT_EQ(1u, (state_.SetHasCredential(origin1_)));
- EXPECT_EQ(2u, (state_.SetHasCredential(origin2_)));
- EXPECT_EQ(3u, (state_.SetHasCredential(origin3_)));
- EXPECT_EQ(4u, (state_.SetHasCredential(origin4_)));
- EXPECT_EQ(5u, (state_.SetHasCredential(origin5_)));
- EXPECT_EQ(6u, (state_.SetHasCredential(origin6_)));
-}
-
-TEST_F(SpdyCredentialStateTest, ResizeTrunatesFromEnd) {
- EXPECT_EQ(1u, (state_.SetHasCredential(origin1_)));
- EXPECT_EQ(2u, (state_.SetHasCredential(origin2_)));
- EXPECT_EQ(3u, (state_.SetHasCredential(origin3_)));
- EXPECT_EQ(4u, (state_.SetHasCredential(origin4_)));
- state_.Resize(2);
- EXPECT_TRUE(state_.HasCredential(origin1_));
- EXPECT_TRUE(state_.HasCredential(origin2_));
- EXPECT_FALSE(state_.HasCredential(origin3_));
- EXPECT_FALSE(state_.HasCredential(origin4_));
- EXPECT_EQ(1u, (state_.SetHasCredential(origin5_)));
- EXPECT_EQ(2u, (state_.SetHasCredential(origin6_)));
-}
-
-
-} // namespace net
diff --git a/net/spdy/spdy_framer.h b/net/spdy/spdy_framer.h
index 9627c8f..9ae1c89 100644
--- a/net/spdy/spdy_framer.h
+++ b/net/spdy/spdy_framer.h
@@ -19,6 +19,8 @@
#include "net/spdy/spdy_header_block.h"
#include "net/spdy/spdy_protocol.h"
+// TODO(akalin): Remove support for CREDENTIAL frames.
+
typedef struct z_stream_s z_stream; // Forward declaration for zlib.
namespace net {
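Review bot: The added TODO names neither the tracking bug nor the code it covers, and it sits between the includes and the zlib forward declaration, away from any credential code. The commit message says the SpdyFramer credential code is the only part left, so I would tie the comment to the bug: `// TODO(akalin): Remove support for CREDENTIAL frames (http://crbug.com/311852).` Until that follow-up lands the framer presumably still parses CREDENTIAL frames received from a peer. Moving the TODO next to that handling would make the leftover input path easier to find and audit; those declarations are outside this hunk.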
diff --git a/net/spdy/spdy_http_stream_unittest.cc b/net/spdy/spdy_http_stream_unittest.cc
index f132d6c..5a58703 100644
--- a/net/spdy/spdy_http_stream_unittest.cc
+++ b/net/spdy/spdy_http_stream_unittest.cc
@@ -23,7 +23,6 @@
#include "net/http/http_response_info.h"
#include "net/socket/next_proto.h"
#include "net/socket/socket_test_util.h"
-#include "net/spdy/spdy_credential_builder.h"
#include "net/spdy/spdy_http_utils.h"
#include "net/spdy/spdy_session.h"
#include "net/spdy/spdy_test_util_common.h"
@@ -533,159 +532,6 @@ TEST_P(SpdyHttpStreamTest, SpdyURLTest) {
EXPECT_TRUE(data()->at_write_eof());
}
-namespace {
-
-void GetECServerBoundCertAndProof(
- const std::string& host,
- ServerBoundCertService* server_bound_cert_service,
- std::string* cert,
- std::string* proof) {
- TestCompletionCallback callback;
- std::string key;
- ServerBoundCertService::RequestHandle request_handle;
- int rv = server_bound_cert_service->GetOrCreateDomainBoundCert(
- host, &key, cert, callback.callback(),
- &request_handle);
- EXPECT_EQ(ERR_IO_PENDING, rv);
- EXPECT_EQ(OK, callback.WaitForResult());
-
- SpdyCredential credential;
- EXPECT_EQ(OK,
- SpdyCredentialBuilder::Build(
- MockClientSocket::kTlsUnique, key, *cert, 2, &credential));
-
- ASSERT_FALSE(credential.certs.empty());
- cert->assign(credential.certs[0]);
- proof->assign(credential.proof);
-}
-
-// Constructs a standard SPDY SYN_STREAM frame for a GET request with
-// a credential set.
-SpdyFrame* ConstructCredentialRequestFrame(NextProto next_proto,
- size_t slot, const GURL& url,
- SpdyStreamId stream_id) {
- SpdyTestUtil util(next_proto);
-
- const SpdyHeaderInfo syn_headers = {
- SYN_STREAM,
- stream_id,
- 0,
- ConvertRequestPriorityToSpdyPriority(LOWEST, 3),
- slot,
- CONTROL_FLAG_FIN,
- false,
- RST_STREAM_INVALID,
- NULL,
- 0,
- DATA_FLAG_NONE
- };
-
- scoped_ptr<SpdyHeaderBlock> headers(util.ConstructGetHeaderBlock(url.spec()));
- return util.ConstructSpdyFrame(syn_headers, headers.Pass());
-}
-
-} // namespace
-
-// TODO(rch): When openssl supports server bound certifictes, this
-// guard can be removed
-#if !defined(USE_OPENSSL)
-// Test that if we request a resource for a new origin on a session that
-// used domain bound certificates, that we send a CREDENTIAL frame for
-// the new domain before we send the new request.
-void SpdyHttpStreamTest::TestSendCredentials(
- ServerBoundCertService* server_bound_cert_service,
- const std::string& cert,
- const std::string& proof) {
- const char* kUrl1 = "https://www.google.com/";
- const char* kUrl2 = "https://www.gmail.com/";
-
- SpdyCredential cred;
- cred.slot = 2;
- cred.proof = proof;
- cred.certs.push_back(cert);
-
- scoped_ptr<SpdyFrame> req(ConstructCredentialRequestFrame(
- GetParam(), 1, GURL(kUrl1), 1));
- scoped_ptr<SpdyFrame> credential(
- spdy_util_.ConstructSpdyCredential(cred));
- scoped_ptr<SpdyFrame> req2(ConstructCredentialRequestFrame(
- GetParam(), 2, GURL(kUrl2), 3));
- MockWrite writes[] = {
- CreateMockWrite(*req.get(), 0),
- CreateMockWrite(*credential.get(), 2),
- CreateMockWrite(*req2.get(), 3),
- };
-
- scoped_ptr<SpdyFrame> resp(spdy_util_.ConstructSpdyGetSynReply(NULL, 0, 1));
- scoped_ptr<SpdyFrame> resp2(spdy_util_.ConstructSpdyGetSynReply(NULL, 0, 3));
- MockRead reads[] = {
- CreateMockRead(*resp, 1),
- CreateMockRead(*resp2, 4),
- MockRead(SYNCHRONOUS, 0, 5) // EOF
- };
-
- HostPortPair host_port_pair(HostPortPair::FromURL(GURL(kUrl1)));
- SpdySessionKey key(host_port_pair, ProxyServer::Direct(),
- kPrivacyModeDisabled);
-
- DeterministicMockClientSocketFactory* socket_factory =
- session_deps_.deterministic_socket_factory.get();
- DeterministicSocketData data(reads, arraysize(reads),
- writes, arraysize(writes));
- socket_factory->AddSocketDataProvider(&data);
- SSLSocketDataProvider ssl(SYNCHRONOUS, OK);
- ssl.channel_id_sent = true;
- ssl.server_bound_cert_service = server_bound_cert_service;
- ssl.protocol_negotiated = GetParam();
- socket_factory->AddSSLSocketDataProvider(&ssl);
- http_session_ = SpdySessionDependencies::SpdyCreateSessionDeterministic(
- &session_deps_);
- session_ = CreateSecureSpdySession(http_session_, key, BoundNetLog());
-
- HttpRequestInfo request;
- request.method = "GET";
- request.url = GURL(kUrl1);
- HttpResponseInfo response;
- HttpRequestHeaders headers;
- BoundNetLog net_log;
- scoped_ptr<SpdyHttpStream> http_stream(new SpdyHttpStream(session_, true));
- ASSERT_EQ(
- OK,
- http_stream->InitializeStream(&request, DEFAULT_PRIORITY,
- net_log, CompletionCallback()));
-
- // EXPECT_FALSE(session_->NeedsCredentials(request.url));
- // GURL new_origin(kUrl2);
- // EXPECT_TRUE(session_->NeedsCredentials(new_origin));
-
- TestCompletionCallback callback;
- EXPECT_EQ(ERR_IO_PENDING, http_stream->SendRequest(headers, &response,
- callback.callback()));
- EXPECT_TRUE(HasSpdySession(http_session_->spdy_session_pool(), key));
-
- data.RunFor(2);
- callback.WaitForResult();
-
- // Start up second request for resource on a new origin.
- scoped_ptr<SpdyHttpStream> http_stream2(new SpdyHttpStream(session_, true));
- request.url = GURL(kUrl2);
- ASSERT_EQ(
- OK,
- http_stream2->InitializeStream(&request, DEFAULT_PRIORITY,
- net_log, CompletionCallback()));
- EXPECT_EQ(ERR_IO_PENDING, http_stream2->SendRequest(headers, &response,
- callback.callback()));
- data.RunFor(2);
- callback.WaitForResult();
-
- EXPECT_EQ(ERR_IO_PENDING, http_stream2->ReadResponseHeaders(
- callback.callback()));
- data.RunFor(1);
- EXPECT_EQ(OK, callback.WaitForResult());
- ASSERT_TRUE(response.headers.get() != NULL);
- ASSERT_EQ(200, response.headers->response_code());
-}
-
// The tests below are only for SPDY/3 and above.
// Test the receipt of a WINDOW_UPDATE frame while waiting for a chunk to be
@@ -780,112 +626,6 @@ TEST_P(SpdyHttpStreamTest, DelayedSendChunkedPostWithWindowUpdate) {
EXPECT_TRUE(deterministic_data_->at_write_eof());
}
-TEST_P(SpdyHttpStreamTest, SendCredentialsEC) {
- if (GetParam() < kProtoSPDY3)
- return;
-
- scoped_ptr<ServerBoundCertService> server_bound_cert_service(
- new ServerBoundCertService(new DefaultServerBoundCertStore(NULL),
- base::MessageLoopProxy::current()));
- std::string cert;
- std::string proof;
- GetECServerBoundCertAndProof("www.gmail.com",
- server_bound_cert_service.get(),
- &cert, &proof);
-
- TestSendCredentials(server_bound_cert_service.get(), cert, proof);
-}
-
-TEST_P(SpdyHttpStreamTest, DontSendCredentialsForHttpUrlsEC) {
- if (GetParam() < kProtoSPDY3)
- return;
-
- scoped_ptr<ServerBoundCertService> server_bound_cert_service(
- new ServerBoundCertService(new DefaultServerBoundCertStore(NULL),
- base::MessageLoopProxy::current()));
- std::string cert;
- std::string proof;
- GetECServerBoundCertAndProof("proxy.google.com",
- server_bound_cert_service.get(),
- &cert, &proof);
-
- const char* kUrl1 = "http://www.google.com/";
- const char* kUrl2 = "http://www.gmail.com/";
-
- SpdyCredential cred;
- cred.slot = 2;
- cred.proof = proof;
- cred.certs.push_back(cert);
-
- scoped_ptr<SpdyFrame> req(ConstructCredentialRequestFrame(
- GetParam(), 0, GURL(kUrl1), 1));
- scoped_ptr<SpdyFrame> req2(ConstructCredentialRequestFrame(
- GetParam(), 0, GURL(kUrl2), 3));
- MockWrite writes[] = {
- CreateMockWrite(*req.get(), 0),
- CreateMockWrite(*req2.get(), 2),
- };
-
- scoped_ptr<SpdyFrame> resp(spdy_util_.ConstructSpdyGetSynReply(NULL, 0, 1));
- scoped_ptr<SpdyFrame> resp2(spdy_util_.ConstructSpdyGetSynReply(NULL, 0, 3));
- MockRead reads[] = {
- CreateMockRead(*resp, 1),
- CreateMockRead(*resp2, 3),
- MockRead(ASYNC, 0, 4) // EOF
- };
-
- HostPortPair host_port_pair(HostPortPair::FromURL(GURL(kUrl1)));
- SpdySessionKey key(host_port_pair,
- ProxyServer::FromURI("proxy.google.com",
- ProxyServer::SCHEME_HTTPS),
- kPrivacyModeDisabled);
- InitSessionDeterministic(reads, arraysize(reads),
- writes, arraysize(writes),
- key);
-
- HttpRequestInfo request;
- request.method = "GET";
- request.url = GURL(kUrl1);
- HttpResponseInfo response;
- HttpRequestHeaders headers;
- BoundNetLog net_log;
- scoped_ptr<SpdyHttpStream> http_stream(new SpdyHttpStream(session_, true));
- ASSERT_EQ(
- OK,
- http_stream->InitializeStream(&request, DEFAULT_PRIORITY,
- net_log, CompletionCallback()));
-
- TestCompletionCallback callback;
- EXPECT_EQ(ERR_IO_PENDING, http_stream->SendRequest(headers, &response,
- callback.callback()));
- EXPECT_TRUE(HasSpdySession(http_session_->spdy_session_pool(), key));
-
- deterministic_data_->RunFor(2);
- EXPECT_EQ(OK, callback.WaitForResult());
-
- // Start up second request for resource on a new origin.
- scoped_ptr<SpdyHttpStream> http_stream2(new SpdyHttpStream(session_, true));
- request.url = GURL(kUrl2);
- ASSERT_EQ(
- OK,
- http_stream2->InitializeStream(&request, DEFAULT_PRIORITY,
- net_log, CompletionCallback()));
- EXPECT_EQ(ERR_IO_PENDING, http_stream2->SendRequest(headers, &response,
- callback.callback()));
- deterministic_data_->RunFor(1);
- EXPECT_EQ(OK, callback.WaitForResult());
-
- EXPECT_EQ(ERR_IO_PENDING, http_stream2->ReadResponseHeaders(
- callback.callback()));
- deterministic_data_->RunFor(1);
- EXPECT_EQ(OK, callback.WaitForResult());
- ASSERT_TRUE(response.headers.get() != NULL);
- ASSERT_EQ(200, response.headers->response_code());
- deterministic_data_->RunFor(1);
-}
-
-#endif // !defined(USE_OPENSSL)
-
// TODO(willchan): Write a longer test for SpdyStream that exercises all
// methods.
diff --git a/net/spdy/spdy_session.cc b/net/spdy/spdy_session.cc
index b00eae2..16a8d83 100644
--- a/net/spdy/spdy_session.cc
+++ b/net/spdy/spdy_session.cc
@@ -32,7 +32,6 @@
#include "net/http/http_network_session.h"
#include "net/http/http_server_properties.h"
#include "net/spdy/spdy_buffer_producer.h"
-#include "net/spdy/spdy_credential_builder.h"
#include "net/spdy/spdy_frame_builder.h"
#include "net/spdy/spdy_http_utils.h"
#include "net/spdy/spdy_protocol.h"
@@ -378,7 +377,6 @@ SpdySession::SpdySession(
const base::WeakPtr<HttpServerProperties>& http_server_properties,
bool verify_domain_authentication,
bool enable_sending_initial_data,
- bool enable_credential_frames,
bool enable_compression,
bool enable_ping_based_connection_checking,
NextProto default_protocol,
@@ -433,12 +431,10 @@ SpdySession::SpdySession(
net_log_(BoundNetLog::Make(net_log, NetLog::SOURCE_SPDY_SESSION)),
verify_domain_authentication_(verify_domain_authentication),
enable_sending_initial_data_(enable_sending_initial_data),
- enable_credential_frames_(enable_credential_frames),
enable_compression_(enable_compression),
enable_ping_based_connection_checking_(
enable_ping_based_connection_checking),
protocol_(default_protocol),
- credential_state_(SpdyCredentialState::kDefaultNumSlots),
connection_at_risk_of_loss_time_(
base::TimeDelta::FromSeconds(kDefaultConnectionAtRiskOfLossSeconds)),
hung_interval_(
@@ -504,14 +500,6 @@ Error SpdySession::InitializeWithSocket(
DCHECK_GE(protocol_, kProtoSPDYMinimumVersion);
DCHECK_LE(protocol_, kProtoSPDYMaximumVersion);
- SSLClientSocket* ssl_socket = GetSSLClientSocket();
- if (ssl_socket && ssl_socket->WasChannelIDSent()) {
- // According to the SPDY spec, the credential associated with the TLS
- // connection is stored in slot[1].
- credential_state_.SetHasCredential(GURL("https://" +
- host_port_pair().ToString()));
- }
-
if (protocol_ == kProtoHTTP2Draft04)
send_connection_header_prefix_ = true;
@@ -570,11 +558,12 @@ bool SpdySession::VerifyDomainAuthentication(const std::string& domain) {
return true; // This is not a secure session, so all domains are okay.
bool unused = false;
- return !ssl_info.client_cert_sent &&
- (enable_credential_frames_ || !ssl_info.channel_id_sent ||
- ServerBoundCertService::GetDomainForHost(domain) ==
- ServerBoundCertService::GetDomainForHost(host_port_pair().host())) &&
- ssl_info.cert->VerifyNameMatch(domain, &unused);
+ return
+ !ssl_info.client_cert_sent &&
+ (!ssl_info.channel_id_sent ||
+ (ServerBoundCertService::GetDomainForHost(domain) ==
+ ServerBoundCertService::GetDomainForHost(host_port_pair().host()))) &&
+ ssl_info.cert->VerifyNameMatch(domain, &unused);
}
int SpdySession::GetPushStream(
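Review bot: The rewritten `return` in VerifyDomainAuthentication packs three separate session-reuse rules into one expression with no comment, and with `enable_credential_frames_` gone the Channel ID clause now applies unconditionally, so the intent deserves to be written down. I would add above the `return`: `// Reuse for |domain| only if no client cert was sent, any Channel ID sent is for the same ServerBoundCertService domain as our host, and the server cert matches |domain|.` No test in the visible part of this commit exercises the `channel_id_sent` case with a differing domain; a case in spdy_session_unittest.cc would pin the stricter behaviour. The function begins before this hunk, so how `ssl_info` is populated (and whether `ssl_info.cert` can be null here) is not visible.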
@@ -776,15 +765,6 @@ void SpdySession::ProcessPendingStreamRequests() {
}
}
-bool SpdySession::NeedsCredentials() const {
- if (!is_secure_)
- return false;
- SSLClientSocket* ssl_socket = GetSSLClientSocket();
- if (ssl_socket->GetNegotiatedProtocol() < kProtoSPDY3)
- return false;
- return ssl_socket->WasChannelIDSent();
-}
-
void SpdySession::AddPooledAlias(const SpdySessionKey& alias_key) {
pooled_aliases_.insert(alias_key);
}
@@ -861,39 +841,6 @@ scoped_ptr<SpdyFrame> SpdySession::CreateSynStream(
return syn_frame.Pass();
}
-int SpdySession::CreateCredentialFrame(
- const std::string& origin,
- const std::string& key,
- const std::string& cert,
- RequestPriority priority,
- scoped_ptr<SpdyFrame>* credential_frame) {
- DCHECK(is_secure_);
- SSLClientSocket* ssl_socket = GetSSLClientSocket();
- DCHECK(ssl_socket);
- DCHECK(ssl_socket->WasChannelIDSent());
-
- SpdyCredential credential;
- std::string tls_unique;
- ssl_socket->GetTLSUniqueChannelBinding(&tls_unique);
- size_t slot = credential_state_.SetHasCredential(GURL(origin));
- int rv = SpdyCredentialBuilder::Build(tls_unique, key, cert, slot,
- &credential);
- DCHECK_NE(rv, ERR_IO_PENDING);
- if (rv != OK)
- return rv;
-
- DCHECK(buffered_spdy_framer_.get());
- credential_frame->reset(
- buffered_spdy_framer_->CreateCredentialFrame(credential));
-
- if (net_log().IsLoggingAllEvents()) {
- net_log().AddEvent(
- NetLog::TYPE_SPDY_SESSION_SEND_CREDENTIAL,
- base::Bind(&NetLogSpdyCredentialCallback, credential.slot, &origin));
- }
- return OK;
-}
-
scoped_ptr<SpdyBuffer> SpdySession::CreateDataBuffer(SpdyStreamId stream_id,
IOBuffer* data,
int len,
@@ -1834,12 +1781,6 @@ bool SpdySession::GetSSLCertRequestInfo(
return true;
}
-ServerBoundCertService* SpdySession::GetServerBoundCertService() const {
- if (!is_secure_)
- return NULL;
- return GetSSLClientSocket()->GetServerBoundCertService();
-}
-
void SpdySession::OnError(SpdyFramer::SpdyError error_code) {
CHECK(in_io_loop_);
diff --git a/net/spdy/spdy_session.h b/net/spdy/spdy_session.h
index 9121a92..e81ab26 100644
--- a/net/spdy/spdy_session.h
+++ b/net/spdy/spdy_session.h
@@ -28,7 +28,6 @@
#include "net/socket/stream_socket.h"
#include "net/spdy/buffered_spdy_framer.h"
#include "net/spdy/spdy_buffer.h"
-#include "net/spdy/spdy_credential_state.h"
#include "net/spdy/spdy_framer.h"
#include "net/spdy/spdy_header_block.h"
#include "net/spdy/spdy_protocol.h"
@@ -207,7 +206,6 @@ class NET_EXPORT SpdySession : public BufferedSpdyFramerVisitorInterface,
const base::WeakPtr<HttpServerProperties>& http_server_properties,
bool verify_domain_authentication,
bool enable_sending_initial_data,
- bool enable_credential_frames,
bool enable_compression,
bool enable_ping_based_connection_checking,
NextProto default_protocol,
@@ -292,15 +290,6 @@ class NET_EXPORT SpdySession : public BufferedSpdyFramerVisitorInterface,
SpdyControlFlags flags,
const SpdyHeaderBlock& headers);
- // Tries to create a CREDENTIAL frame. If successful, fills in
- // |credential_frame| and returns OK. Returns the error (guaranteed
- // to not be ERR_IO_PENDING) otherwise.
- int CreateCredentialFrame(const std::string& origin,
- const std::string& key,
- const std::string& cert,
- RequestPriority priority,
- scoped_ptr<SpdyFrame>* credential_frame);
-
// Creates and returns a SpdyBuffer holding a data frame with the
// given data. May return NULL if stalled by flow control.
scoped_ptr<SpdyBuffer> CreateDataBuffer(SpdyStreamId stream_id,
@@ -341,10 +330,6 @@ class NET_EXPORT SpdySession : public BufferedSpdyFramerVisitorInterface,
// true when SSL is in use.
bool GetSSLCertRequestInfo(SSLCertRequestInfo* cert_request_info);
- // Returns the ServerBoundCertService used by this Socket, or NULL
- // if server bound certs are not supported in this session.
- ServerBoundCertService* GetServerBoundCertService() const;
-
// Send a WINDOW_UPDATE frame for a stream. Called by a stream
// whenever receive window size is increased.
void SendStreamWindowUpdate(SpdyStreamId stream_id,
@@ -440,11 +425,6 @@ class NET_EXPORT SpdySession : public BufferedSpdyFramerVisitorInterface,
int GetPeerAddress(IPEndPoint* address) const;
int GetLocalAddress(IPEndPoint* address) const;
- // Returns true if requests on this session require credentials.
- bool NeedsCredentials() const;
-
- SpdyCredentialState* credential_state() { return &credential_state_; }
-
// Adds |alias| to set of aliases associated with this session.
void AddPooledAlias(const SpdySessionKey& alias_key);
@@ -1094,7 +1074,6 @@ class NET_EXPORT SpdySession : public BufferedSpdyFramerVisitorInterface,
// Outside of tests, these should always be true.
bool verify_domain_authentication_;
bool enable_sending_initial_data_;
- bool enable_credential_frames_;
bool enable_compression_;
bool enable_ping_based_connection_checking_;
@@ -1102,8 +1081,6 @@ class NET_EXPORT SpdySession : public BufferedSpdyFramerVisitorInterface,
// kProtoSPDYMaximumVersion.
NextProto protocol_;
- SpdyCredentialState credential_state_;
-
// |connection_at_risk_of_loss_time_| is an optimization to avoid sending
// wasteful preface pings (when we just got some data).
//
diff --git a/net/spdy/spdy_session_pool.cc b/net/spdy/spdy_session_pool.cc
index e72064b..9cfd9c0 100644
--- a/net/spdy/spdy_session_pool.cc
+++ b/net/spdy/spdy_session_pool.cc
@@ -33,7 +33,6 @@ SpdySessionPool::SpdySessionPool(
const base::WeakPtr<HttpServerProperties>& http_server_properties,
bool force_single_domain,
bool enable_ip_pooling,
- bool enable_credential_frames,
bool enable_compression,
bool enable_ping_based_connection_checking,
NextProto default_protocol,
@@ -49,7 +48,6 @@ SpdySessionPool::SpdySessionPool(
enable_sending_initial_data_(true),
force_single_domain_(force_single_domain),
enable_ip_pooling_(enable_ip_pooling),
- enable_credential_frames_(enable_credential_frames),
enable_compression_(enable_compression),
enable_ping_based_connection_checking_(
enable_ping_based_connection_checking),
@@ -99,7 +97,6 @@ net::Error SpdySessionPool::CreateAvailableSessionFromSocket(
http_server_properties_,
verify_domain_authentication_,
enable_sending_initial_data_,
- enable_credential_frames_,
enable_compression_,
enable_ping_based_connection_checking_,
default_protocol_,
diff --git a/net/spdy/spdy_session_pool.h b/net/spdy/spdy_session_pool.h
index 812b7bd..79900af 100644
--- a/net/spdy/spdy_session_pool.h
+++ b/net/spdy/spdy_session_pool.h
@@ -52,7 +52,6 @@ class NET_EXPORT SpdySessionPool
const base::WeakPtr<HttpServerProperties>& http_server_properties,
bool force_single_domain,
bool enable_ip_pooling,
- bool enable_credential_frames,
bool enable_compression,
bool enable_ping_based_connection_checking,
NextProto default_protocol,
@@ -214,7 +213,6 @@ class NET_EXPORT SpdySessionPool
bool enable_sending_initial_data_;
bool force_single_domain_;
bool enable_ip_pooling_;
- bool enable_credential_frames_;
bool enable_compression_;
bool enable_ping_based_connection_checking_;
const NextProto default_protocol_;
diff --git a/net/spdy/spdy_session_unittest.cc b/net/spdy/spdy_session_unittest.cc
index 4d7c2c4..2f185c7 100644
--- a/net/spdy/spdy_session_unittest.cc
+++ b/net/spdy/spdy_session_unittest.cc
@@ -2285,38 +2285,6 @@ TEST_P(SpdySessionTest, CancelTwoStalledCreateStream) {
EXPECT_EQ(0u, session->pending_create_stream_queue_size(LOWEST));
}
-TEST_P(SpdySessionTest, NeedsCredentials) {
- MockConnect connect_data(SYNCHRONOUS, OK);
- MockRead reads[] = {
- MockRead(SYNCHRONOUS, ERR_IO_PENDING) // Stall forever.
- };
- StaticSocketDataProvider data(reads, arraysize(reads), NULL, 0);
- data.set_connect_data(connect_data);
- session_deps_.socket_factory->AddSocketDataProvider(&data);
-
- SSLSocketDataProvider ssl(SYNCHRONOUS, OK);
- ssl.channel_id_sent = true;
- ssl.protocol_negotiated = GetParam();
- session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl);
-
- CreateNetworkSession();
-
- const GURL url("https://www.foo.com");
- HostPortPair test_host_port_pair(url.host(), 443);
- SpdySessionKey key(test_host_port_pair, ProxyServer::Direct(),
- kPrivacyModeDisabled);
-
- base::WeakPtr<SpdySession> session =
- CreateSecureSpdySession(http_session_, key, BoundNetLog());
-
- EXPECT_EQ(spdy_util_.spdy_version() >= SPDY3, session->NeedsCredentials());
-
- // Flush the read completion task.
- base::MessageLoop::current()->RunUntilIdle();
-
- session->CloseSessionOnError(ERR_ABORTED, std::string());
-}
-
// Test that SpdySession::DoReadLoop reads data from the socket
// without yielding. This test makes 32k - 1 bytes of data available
// on the socket for reading. It then verifies that it has read all
@@ -3076,49 +3044,6 @@ TEST_P(SpdySessionTest, CreateStreamOnStreamReset) {
// The tests below are only for SPDY/3 and above.
-TEST_P(SpdySessionTest, SendCredentials) {
- if (GetParam() < kProtoSPDY3)
- return;
-
- MockConnect connect_data(SYNCHRONOUS, OK);
- MockRead reads[] = {
- MockRead(SYNCHRONOUS, ERR_IO_PENDING) // Stall forever.
- };
- SettingsMap settings;
- scoped_ptr<SpdyFrame> settings_frame(
- spdy_util_.ConstructSpdySettings(settings));
- MockWrite writes[] = {
- CreateMockWrite(*settings_frame),
- };
- StaticSocketDataProvider data(reads, arraysize(reads),
- writes, arraysize(writes));
- data.set_connect_data(connect_data);
- session_deps_.socket_factory->AddSocketDataProvider(&data);
-
- SSLSocketDataProvider ssl(SYNCHRONOUS, OK);
- ssl.channel_id_sent = true;
- ssl.protocol_negotiated = GetParam();
- session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl);
-
- CreateNetworkSession();
-
- const GURL kTestUrl("https://www.foo.com");
- HostPortPair test_host_port_pair(kTestUrl.host(), 443);
- SpdySessionKey key(test_host_port_pair, ProxyServer::Direct(),
- kPrivacyModeDisabled);
-
- base::WeakPtr<SpdySession> session =
- CreateSecureSpdySession(http_session_, key, BoundNetLog());
-
- EXPECT_TRUE(session->NeedsCredentials());
-
- // Flush the read completion task.
- base::MessageLoop::current()->RunUntilIdle();
-
- session->CloseSessionOnError(ERR_ABORTED, std::string());
- EXPECT_FALSE(HasSpdySession(spdy_session_pool_, key));
-}
-
TEST_P(SpdySessionTest, UpdateStreamsSendWindowSize) {
if (GetParam() < kProtoSPDY3)
return;
diff --git a/net/spdy/spdy_stream.cc b/net/spdy/spdy_stream.cc
index 3500d1b..0a1f0e9 100644
--- a/net/spdy/spdy_stream.cc
+++ b/net/spdy/spdy_stream.cc
@@ -583,7 +583,7 @@ int SpdyStream::SendRequestHeaders(scoped_ptr<SpdyHeaderBlock> request_headers,
CHECK_EQ(io_state_, STATE_NONE);
request_headers_ = request_headers.Pass();
send_status_ = send_status;
- io_state_ = STATE_GET_DOMAIN_BOUND_CERT;
+ io_state_ = STATE_SEND_REQUEST_HEADERS;
return DoLoop(OK);
}
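Review bot: With `io_state_` now starting at `STATE_SEND_REQUEST_HEADERS`, nothing visible in spdy_stream.cc still writes `slot_`, `domain_bound_private_key_`, `domain_bound_cert_` or `domain_bound_cert_request_handle_`, which were only set by the removed DoGetDomainBoundCert* and DoSendDomainBoundCert* steps. The ten deletions the diffstat lists for spdy_stream.h are all accounted for by the state-machine hunk, so these members probably remain declared. If that is the case, the `domain_bound_*` fields should be dropped here or in the follow-up CL, because an unused private-key member is easy to misuse later. If `slot_` is still passed when the SYN_STREAM frame is built, its declaration should say so, e.g. `// Credential slots are no longer assigned; |slot_| keeps its initial value.` SendRequestHeaders begins before this hunk.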
@@ -656,11 +656,6 @@ bool SpdyStream::HasUrlFromHeaders() const {
return !GetUrlFromHeaders().is_empty();
}
-void SpdyStream::OnGetDomainBoundCertComplete(int result) {
- DCHECK_EQ(io_state_, STATE_GET_DOMAIN_BOUND_CERT_COMPLETE);
- DoLoop(result);
-}
-
int SpdyStream::DoLoop(int result) {
CHECK(!in_do_loop_);
in_do_loop_ = true;
@@ -669,20 +664,6 @@ int SpdyStream::DoLoop(int result) {
State state = io_state_;
io_state_ = STATE_NONE;
switch (state) {
- case STATE_GET_DOMAIN_BOUND_CERT:
- CHECK_EQ(result, OK);
- result = DoGetDomainBoundCert();
- break;
- case STATE_GET_DOMAIN_BOUND_CERT_COMPLETE:
- result = DoGetDomainBoundCertComplete(result);
- break;
- case STATE_SEND_DOMAIN_BOUND_CERT:
- CHECK_EQ(result, OK);
- result = DoSendDomainBoundCert();
- break;
- case STATE_SEND_DOMAIN_BOUND_CERT_COMPLETE:
- result = DoSendDomainBoundCertComplete(result);
- break;
case STATE_SEND_REQUEST_HEADERS:
CHECK_EQ(result, OK);
result = DoSendRequestHeaders();
@@ -722,91 +703,6 @@ int SpdyStream::DoLoop(int result) {
return result;
}
-int SpdyStream::DoGetDomainBoundCert() {
- CHECK(request_headers_);
- DCHECK_NE(type_, SPDY_PUSH_STREAM);
- GURL url = GetUrlFromHeaders();
- if (!session_->NeedsCredentials() || !url.SchemeIs("https")) {
- // Proceed directly to sending the request headers
- io_state_ = STATE_SEND_REQUEST_HEADERS;
- return OK;
- }
-
- slot_ = session_->credential_state()->FindCredentialSlot(GetUrlFromHeaders());
- if (slot_ != SpdyCredentialState::kNoEntry) {
- // Proceed directly to sending the request headers
- io_state_ = STATE_SEND_REQUEST_HEADERS;
- return OK;
- }
-
- io_state_ = STATE_GET_DOMAIN_BOUND_CERT_COMPLETE;
- ServerBoundCertService* sbc_service = session_->GetServerBoundCertService();
- DCHECK(sbc_service != NULL);
- int rv = sbc_service->GetOrCreateDomainBoundCert(
- url.GetOrigin().host(),
- &domain_bound_private_key_,
- &domain_bound_cert_,
- base::Bind(&SpdyStream::OnGetDomainBoundCertComplete, GetWeakPtr()),
- &domain_bound_cert_request_handle_);
- return rv;
-}
-
-int SpdyStream::DoGetDomainBoundCertComplete(int result) {
- DCHECK_NE(type_, SPDY_PUSH_STREAM);
- if (result != OK)
- return result;
-
- io_state_ = STATE_SEND_DOMAIN_BOUND_CERT;
- slot_ = session_->credential_state()->SetHasCredential(GetUrlFromHeaders());
- return OK;
-}
-
-int SpdyStream::DoSendDomainBoundCert() {
- CHECK(request_headers_);
- DCHECK_NE(type_, SPDY_PUSH_STREAM);
- io_state_ = STATE_SEND_DOMAIN_BOUND_CERT_COMPLETE;
-
- std::string origin = GetUrlFromHeaders().GetOrigin().spec();
- DCHECK(origin[origin.length() - 1] == '/');
- origin.erase(origin.length() - 1); // Trim trailing slash.
- scoped_ptr<SpdyFrame> frame;
- int rv = session_->CreateCredentialFrame(
- origin,
- domain_bound_private_key_,
- domain_bound_cert_,
- priority_,
- &frame);
- if (rv != OK) {
- DCHECK_NE(rv, ERR_IO_PENDING);
- return rv;
- }
-
- DCHECK(frame);
- // TODO(akalin): Fix the following race condition:
- //
- // Since this is decoupled from sending the SYN_STREAM frame, it is
- // possible that other domain-bound cert frames will clobber ours
- // before our SYN_STREAM frame gets sent. This can be solved by
- // immediately enqueueing the SYN_STREAM frame here and adjusting
- // the state machine appropriately.
- session_->EnqueueStreamWrite(
- GetWeakPtr(), CREDENTIAL,
- scoped_ptr<SpdyBufferProducer>(
- new SimpleBufferProducer(
- scoped_ptr<SpdyBuffer>(new SpdyBuffer(frame.Pass())))));
- return ERR_IO_PENDING;
-}
-
-int SpdyStream::DoSendDomainBoundCertComplete(int result) {
- DCHECK_NE(type_, SPDY_PUSH_STREAM);
- if (result != OK)
- return result;
-
- DCHECK_EQ(just_completed_frame_type_, CREDENTIAL);
- io_state_ = STATE_SEND_REQUEST_HEADERS;
- return OK;
-}
-
int SpdyStream::DoSendRequestHeaders() {
DCHECK_NE(type_, SPDY_PUSH_STREAM);
io_state_ = STATE_SEND_REQUEST_HEADERS_COMPLETE;
diff --git a/net/spdy/spdy_stream.h b/net/spdy/spdy_stream.h
index 01d8ed6..02be61e 100644
--- a/net/spdy/spdy_stream.h
+++ b/net/spdy/spdy_stream.h
@@ -412,26 +412,16 @@ class NET_EXPORT_PRIVATE SpdyStream {
enum State {
STATE_NONE,
- STATE_GET_DOMAIN_BOUND_CERT,
- STATE_GET_DOMAIN_BOUND_CERT_COMPLETE,
- STATE_SEND_DOMAIN_BOUND_CERT,
- STATE_SEND_DOMAIN_BOUND_CERT_COMPLETE,
STATE_SEND_REQUEST_HEADERS,
STATE_SEND_REQUEST_HEADERS_COMPLETE,
STATE_IDLE,
STATE_CLOSED
};
- void OnGetDomainBoundCertComplete(int result);
-
// Try to make progress sending/receiving the request/response.
int DoLoop(int result);
// The implementations of each state of the state machine.
- int DoGetDomainBoundCert();
- int DoGetDomainBoundCertComplete(int result);
- int DoSendDomainBoundCert();
- int DoSendDomainBoundCertComplete(int result);
int DoSendRequestHeaders();
int DoSendRequestHeadersComplete();
int DoReadHeaders();