author | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-07-17 03:17:46 +0000 |
---|---|---|
committer | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-07-17 03:17:46 +0000 |
commit | 3aee726050eeb2b29f26abf7da806ba1d1af2389 (patch) | |
tree | 392e18d2923ee9de4c9d297893de1ebbd47ba2bd /net | |
parent | 3a612be14f1bd1aa730cedbd11bb3ec333cc078c (diff) | |
Revert 52799 - Add support for parsing certificate formats other than raw, DER-encoded certificates - specifically formats that represent collections of certificates. The certificate format can now be specified as an explicit format, or as a bit-mask of formats that are acceptable/expected, with the first parsable format winning.
This is one half of a commit to address BUG #37142, with the second half involving connecting this through the X509UserCertHandler and the actual UI.
R=wtc
BUG=37142
TEST=X509CertificateParseTest* and PEMTokenizerTest.*
Review URL: http://codereview.chromium.org/2819018
TBR=rsleevi@chromium.org
Review URL: http://codereview.chromium.org/2812064
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@52801 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/base/pem_tokenizer.cc | 95 | ||||
-rw-r--r-- | net/base/pem_tokenizer.h | 79 | ||||
-rw-r--r-- | net/base/pem_tokenizer_unittest.cc | 169 | ||||
-rw-r--r-- | net/base/x509_certificate.cc | 89 | ||||
-rw-r--r-- | net/base/x509_certificate.h | 38 | ||||
-rw-r--r-- | net/base/x509_certificate_mac.cc | 80 | ||||
-rw-r--r-- | net/base/x509_certificate_nss.cc | 71 | ||||
-rw-r--r-- | net/base/x509_certificate_unittest.cc | 162 | ||||
-rw-r--r-- | net/base/x509_certificate_win.cc | 69 | ||||
-rw-r--r-- | net/data/ssl/certificates/google.binary.p7b | bin | 1661 -> 0 bytes | |||
-rw-r--r-- | net/data/ssl/certificates/google.chain.pem | 38 | ||||
-rw-r--r-- | net/data/ssl/certificates/google.pem_cert.p7b | 37 | ||||
-rw-r--r-- | net/data/ssl/certificates/google.pem_pkcs7.p7b | 37 | ||||
-rw-r--r-- | net/data/ssl/certificates/google.single.der | bin | 805 -> 0 bytes | |||
-rw-r--r-- | net/data/ssl/certificates/google.single.pem | 19 | ||||
-rw-r--r-- | net/data/ssl/certificates/thawte.single.pem | 19 | ||||
-rw-r--r-- | net/net.gyp | 3 |
17 files changed, 19 insertions, 986 deletions
diff --git a/net/base/pem_tokenizer.cc b/net/base/pem_tokenizer.cc
deleted file mode 100644
index 0abe5db..0000000
--- a/net/base/pem_tokenizer.cc
+++ /dev/null
@@ -1,95 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/base/pem_tokenizer.h"
-
-#include "base/base64.h"
-#include "base/string_util.h"
-
-namespace {
-
-const char kPEMSearchBlock[] = "-----BEGIN ";
-const char kPEMBeginBlock[] = "-----BEGIN %s-----";
-const char kPEMEndBlock[] = "-----END %s-----";
-
-} // namespace
-
-namespace net {
-
-using base::StringPiece;
-
-PEMTokenizer::PEMTokenizer(
- const StringPiece& str,
- const std::vector<std::string>& allowed_block_types) {
- Init(str, allowed_block_types);
-}
-
-bool PEMTokenizer::GetNext() {
- while (pos_ != StringPiece::npos) {
- // Scan for the beginning of the next PEM encoded block.
- pos_ = str_.find(kPEMSearchBlock, pos_);
- if (pos_ == StringPiece::npos)
- return false; // No more PEM blocks
-
- std::vector<PEMType>::const_iterator it;
- // Check to see if it is of an acceptable block type.
- for (it = block_types_.begin(); it != block_types_.end(); ++it) {
- if (!str_.substr(pos_).starts_with(it->header))
- continue;
-
- // Look for a footer matching the header. If none is found, then all
- // data following this point is invalid and should not be parsed.
- StringPiece::size_type footer_pos = str_.find(it->footer, pos_);
- if (footer_pos == StringPiece::npos) {
- pos_ = StringPiece::npos;
- return false;
- }
-
- // Chop off the header and footer and parse the data in between.
- StringPiece::size_type data_begin = pos_ + it->header.size();
- pos_ = footer_pos + it->footer.size();
- block_type_ = it->type;
-
- StringPiece encoded = str_.substr(data_begin,
- footer_pos - data_begin);
- if (!base::Base64Decode(CollapseWhitespaceASCII(encoded.as_string(),
- true), &data_)) {
- // The most likely cause for a decode failure is a datatype that
- // includes PEM headers, which are not supported.
- break;
- }
-
- return true;
- }
-
- // If the block did not match any acceptable type, move past it and
- // continue the search. Otherwise, |pos_| has been updated to the most
- // appropriate search position to continue searching from and should not
- // be adjusted.
- if (it == block_types_.end())
- pos_ += sizeof(kPEMSearchBlock);
- }
-
- return false;
-}
-
-void PEMTokenizer::Init(
- const StringPiece& str,
- const std::vector<std::string>& allowed_block_types) {
- str_ = str;
- pos_ = 0;
-
- // Construct PEM header/footer strings for all the accepted types, to
- // reduce parsing later.
- for (std::vector<std::string>::const_iterator it =
- allowed_block_types.begin(); it != allowed_block_types.end(); ++it) {
- PEMType allowed_type;
- allowed_type.type = *it;
- allowed_type.header = StringPrintf(kPEMBeginBlock, it->c_str());
- allowed_type.footer = StringPrintf(kPEMEndBlock, it->c_str());
- block_types_.push_back(allowed_type);
- }
-}
-
-} // namespace net
diff --git a/net/base/pem_tokenizer.h b/net/base/pem_tokenizer.h
deleted file mode 100644
index eebba2d..0000000
--- a/net/base/pem_tokenizer.h
+++ /dev/null
@@ -1,79 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_BASE_PEM_TOKENIZER_H_
-#define NET_BASE_PEM_TOKENIZER_H_
-
-#include <string>
-#include <vector>
-
-#include "base/string_piece.h"
-
-namespace net {
-
-// PEMTokenizer is a utility class for the parsing of data encapsulated
-// using RFC 1421, Privacy Enhancement for Internet Electronic Mail. It
-// does not implement the full specification, most notably it does not
-// support the Encapsulated Header Portion described in Section 4.4.
-class PEMTokenizer {
- public:
- // Create a new PEMTokenizer that iterates through |str| searching for
- // instances of PEM encoded blocks that are of the |allowed_block_types|.
- // |str| must remain valid for the duration of the PEMTokenizer.
- PEMTokenizer(const base::StringPiece& str,
- const std::vector<std::string>& allowed_block_types);
-
- // Attempts to decode the next PEM block in the string. Returns false if no
- // PEM blocks can be decoded. The decoded PEM block will be available via
- // data().
- bool GetNext();
-
- // Returns the PEM block type (eg: CERTIFICATE) of the last successfully
- // decoded PEM block.
- // GetNext() must have returned true before calling this method.
- const std::string& block_type() const { return block_type_; }
-
- // Returns the raw, Base64-decoded data of the last successfully decoded
- // PEM block.
- // GetNext() must have returned true before calling this method.
- const std::string& data() const { return data_; }
-
- private:
- void Init(const base::StringPiece& str,
- const std::vector<std::string>& allowed_block_types);
-
- // A simple cache of the allowed PEM header and footer for a given PEM
- // block type, so that it is only computed once.
- struct PEMType {
- std::string type;
- std::string header;
- std::string footer;
- };
-
- // The string to search, which must remain valid for as long as this class
- // is around.
- base::StringPiece str_;
-
- // The current position within |str_| that searching should begin from,
- // or StringPiece::npos if iteration is complete
- base::StringPiece::size_type pos_;
-
- // The type of data that was encoded, as indicated in the PEM
- // Pre-Encapsulation Boundary (eg: CERTIFICATE, PKCS7, or
- // PRIVACY-ENHANCED MESSAGE).
- std::string block_type_;
-
- // The types of PEM blocks that are allowed. PEM blocks that are not of
- // one of these types will be skipped.
- std::vector<PEMType> block_types_;
-
- // The raw (Base64-decoded) data of the last successfully decoded block.
- std::string data_;
-
- DISALLOW_COPY_AND_ASSIGN(PEMTokenizer);
-};
-
-} // namespace net
-
-#endif // NET_BASE_PEM_TOKENIZER_H_
diff --git a/net/base/pem_tokenizer_unittest.cc b/net/base/pem_tokenizer_unittest.cc
deleted file mode 100644
index af2446c..0000000
--- a/net/base/pem_tokenizer_unittest.cc
+++ /dev/null
@@ -1,169 +0,0 @@ -// Copyright (c) 2010 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "net/base/pem_tokenizer.h" - -#include "testing/gtest/include/gtest/gtest.h" - -namespace net { - -TEST(PEMTokenizerTest, BasicParsing) { - const char data[] = - "-----BEGIN EXPECTED-BLOCK-----\n" - "TWF0Y2hlc0FjY2VwdGVkQmxvY2tUeXBl\n" - "-----END EXPECTED-BLOCK-----\n"; - base::StringPiece string_piece(data); - std::vector<std::string> accepted_types; - accepted_types.push_back("EXPECTED-BLOCK"); - - PEMTokenizer tokenizer(string_piece, accepted_types); - EXPECT_TRUE(tokenizer.GetNext()); - - EXPECT_EQ("EXPECTED-BLOCK", tokenizer.block_type()); - EXPECT_EQ("MatchesAcceptedBlockType", tokenizer.data()); - - EXPECT_FALSE(tokenizer.GetNext()); -} - -TEST(PEMTokenizerTest, CarriageReturnLineFeeds) { - const char data[] = - "-----BEGIN EXPECTED-BLOCK-----\r\n" - "TWF0Y2hlc0FjY2VwdGVkQmxvY2tUeXBl\r\n" - "-----END EXPECTED-BLOCK-----\r\n"; - base::StringPiece string_piece(data); - std::vector<std::string> accepted_types; - accepted_types.push_back("EXPECTED-BLOCK"); - - PEMTokenizer tokenizer(string_piece, accepted_types); - EXPECT_TRUE(tokenizer.GetNext()); - - EXPECT_EQ("EXPECTED-BLOCK", tokenizer.block_type()); - EXPECT_EQ("MatchesAcceptedBlockType", tokenizer.data()); - - EXPECT_FALSE(tokenizer.GetNext()); -} - -TEST(PEMTokenizerTest, NoAcceptedBlockTypes) { - const char data[] = - "-----BEGIN UNEXPECTED-BLOCK-----\n" - "SWdub3Jlc1JlamVjdGVkQmxvY2tUeXBl\n" - "-----END UNEXPECTED-BLOCK-----\n"; - base::StringPiece string_piece(data); - std::vector<std::string> accepted_types; - accepted_types.push_back("EXPECTED-BLOCK"); - - PEMTokenizer tokenizer(string_piece, accepted_types); - EXPECT_FALSE(tokenizer.GetNext()); -} - -TEST(PEMTokenizerTest, MultipleAcceptedBlockTypes) { - const char data[] = - "-----BEGIN BLOCK-ONE-----\n" - "RW5jb2RlZERhdGFPbmU=\n" - "-----END 
BLOCK-ONE-----\n" - "-----BEGIN BLOCK-TWO-----\n" - "RW5jb2RlZERhdGFUd28=\n" - "-----END BLOCK-TWO-----\n"; - base::StringPiece string_piece(data); - std::vector<std::string> accepted_types; - accepted_types.push_back("BLOCK-ONE"); - accepted_types.push_back("BLOCK-TWO"); - - PEMTokenizer tokenizer(string_piece, accepted_types); - EXPECT_TRUE(tokenizer.GetNext()); - - EXPECT_EQ("BLOCK-ONE", tokenizer.block_type()); - EXPECT_EQ("EncodedDataOne", tokenizer.data()); - - EXPECT_TRUE(tokenizer.GetNext()); - - EXPECT_EQ("BLOCK-TWO", tokenizer.block_type()); - EXPECT_EQ("EncodedDataTwo", tokenizer.data()); - - EXPECT_FALSE(tokenizer.GetNext()); -} - -TEST(PEMTokenizerTest, MissingFooter) { - const char data[] = - "-----BEGIN MISSING-FOOTER-----\n" - "RW5jb2RlZERhdGFPbmU=\n" - "-----END MISSING-FOOTER-----\n" - "-----BEGIN MISSING-FOOTER-----\n" - "RW5jb2RlZERhdGFUd28=\n"; - base::StringPiece string_piece(data); - std::vector<std::string> accepted_types; - accepted_types.push_back("MISSING-FOOTER"); - - PEMTokenizer tokenizer(string_piece, accepted_types); - EXPECT_TRUE(tokenizer.GetNext()); - - EXPECT_EQ("MISSING-FOOTER", tokenizer.block_type()); - EXPECT_EQ("EncodedDataOne", tokenizer.data()); - - EXPECT_FALSE(tokenizer.GetNext()); -} - -TEST(PEMTokenizerTest, NestedEncoding) { - const char data[] = - "-----BEGIN BLOCK-ONE-----\n" - "RW5jb2RlZERhdGFPbmU=\n" - "-----BEGIN BLOCK-TWO-----\n" - "RW5jb2RlZERhdGFUd28=\n" - "-----END BLOCK-TWO-----\n" - "-----END BLOCK-ONE-----\n" - "-----BEGIN BLOCK-ONE-----\n" - "RW5jb2RlZERhdGFUaHJlZQ==\n" - "-----END BLOCK-ONE-----\n"; - base::StringPiece string_piece(data); - std::vector<std::string> accepted_types; - accepted_types.push_back("BLOCK-ONE"); - - PEMTokenizer tokenizer(string_piece, accepted_types); - EXPECT_TRUE(tokenizer.GetNext()); - - EXPECT_EQ("BLOCK-ONE", tokenizer.block_type()); - EXPECT_EQ("EncodedDataThree", tokenizer.data()); - - EXPECT_FALSE(tokenizer.GetNext()); -} - -TEST(PEMTokenizerTest, EmptyAcceptedTypes) { - 
const char data[] = - "-----BEGIN BLOCK-ONE-----\n" - "RW5jb2RlZERhdGFPbmU=\n" - "-----END BLOCK-ONE-----\n"; - base::StringPiece string_piece(data); - std::vector<std::string> accepted_types; - - PEMTokenizer tokenizer(string_piece, accepted_types); - EXPECT_FALSE(tokenizer.GetNext()); -} - -TEST(PEMTokenizerTest, BlockWithHeader) { - const char data[] = - "-----BEGIN BLOCK-ONE-----\n" - "Header-One: Data data data\n" - "Header-Two: \n" - " continuation\n" - "Header-Three: Mix-And,Match\n" - "\n" - "RW5jb2RlZERhdGFPbmU=\n" - "-----END BLOCK-ONE-----\n" - "-----BEGIN BLOCK-ONE-----\n" - "RW5jb2RlZERhdGFUd28=\n" - "-----END BLOCK-ONE-----\n"; - base::StringPiece string_piece(data); - std::vector<std::string> accepted_types; - accepted_types.push_back("BLOCK-ONE"); - - PEMTokenizer tokenizer(string_piece, accepted_types); - EXPECT_TRUE(tokenizer.GetNext()); - - EXPECT_EQ("BLOCK-ONE", tokenizer.block_type()); - EXPECT_EQ("EncodedDataTwo", tokenizer.data()); - - EXPECT_FALSE(tokenizer.GetNext()); -} - -} // namespace net diff --git a/net/base/x509_certificate.cc b/net/base/x509_certificate.cc index 1230f27..f5b28a6 100644 --- a/net/base/x509_certificate.cc +++ b/net/base/x509_certificate.cc @@ -15,9 +15,7 @@ #include "base/histogram.h" #include "base/logging.h" #include "base/singleton.h" -#include "base/string_piece.h" #include "base/time.h" -#include "net/base/pem_tokenizer.h" namespace net { @@ -33,18 +31,6 @@ bool IsNullFingerprint(const SHA1Fingerprint& fingerprint) { return true; } -// Indicates the order to use when trying to decode binary data, which is -// based on (speculation) as to what will be most common -> least common -const X509Certificate::Format kFormatDecodePriority[] = { - X509Certificate::FORMAT_DER, - X509Certificate::FORMAT_PKCS7 -}; - -// The PEM block header used for DER certificates -const char kCertificateHeader[] = "CERTIFICATE"; -// The PEM block header used for PKCS#7 data -const char kPKCS7Header[] = "PKCS7"; - } // namespace // static 
@@ -200,81 +186,6 @@ X509Certificate* X509Certificate::CreateFromBytes(const char* data, return cert; } -CertificateList X509Certificate::CreateCertificateListFromBytes( - const char* data, int length, int format) { - OSCertHandles certificates; - - // Try each of the formats, in order of parse preference, to see if |data| - // contains the binary representation of a Format. - for (size_t i = 0; certificates.empty() && - i < arraysize(kFormatDecodePriority); ++i) { - if (format & kFormatDecodePriority[i]) - certificates = CreateOSCertHandlesFromBytes(data, length, - kFormatDecodePriority[i]); - } - - // No certs were read. Check to see if it is in a PEM-encoded form. - if (certificates.empty()) { - base::StringPiece data_string(data, length); - std::vector<std::string> pem_headers; - - // To maintain compatibility with NSS/Firefox, CERTIFICATE is a universally - // valid PEM block header for any format. - pem_headers.push_back(kCertificateHeader); - if (format & FORMAT_PKCS7) - pem_headers.push_back(kPKCS7Header); - - PEMTokenizer pem_tok(data_string, pem_headers); - while (pem_tok.GetNext()) { - std::string decoded(pem_tok.data()); - - OSCertHandle handle = NULL; - if (format & FORMAT_PEM) - handle = CreateOSCertHandleFromBytes(decoded.c_str(), decoded.size()); - if (handle != NULL) { - // Parsed a DER encoded certificate. All PEM blocks that follow must - // also be DER encoded certificates wrapped inside of PEM blocks. - format = FORMAT_PEM; - certificates.push_back(handle); - continue; - } - - // If the first block failed to parse as a DER certificate, and - // formats other than PEM are acceptable, check to see if the decoded - // data is one of the accepted formats. 
- if (format & ~FORMAT_PEM) { - for (size_t i = 0; certificates.empty() && - i < arraysize(kFormatDecodePriority); ++i) { - if (format & kFormatDecodePriority[i]) { - certificates = CreateOSCertHandlesFromBytes(decoded.c_str(), - decoded.size(), kFormatDecodePriority[i]); - } - } - } - - // Stop parsing after the first block for any format but a sequence of - // PEM-encoded DER certificates. The case of FORMAT_PEM is handled - // above, and continues processing until a certificate fails to parse. - break; - } - } - - CertificateList results; - // No certificates parsed. - if (certificates.empty()) - return results; - - for (OSCertHandles::iterator it = certificates.begin(); - it != certificates.end(); ++it) { - X509Certificate* result = CreateFromHandle(*it, SOURCE_LONE_CERT_IMPORT, - OSCertHandles()); - results.push_back(scoped_refptr<X509Certificate>(result)); - FreeOSCertHandle(*it); - } - - return results; -} - X509Certificate::X509Certificate(OSCertHandle cert_handle, Source source, const OSCertHandles& intermediates) diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h index 284d2fb..d6b3447 100644 --- a/net/base/x509_certificate.h +++ b/net/base/x509_certificate.h @@ -32,8 +32,6 @@ namespace net { class CertVerifyResult; -typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; - // X509Certificate represents an X.509 certificate used by SSL. class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { public: 
@@ -74,27 +72,6 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { VERIFY_EV_CERT = 1 << 1, }; - enum Format { - // The data contains a single DER-encoded certificate, or a PEM-encoded - // DER certificate with the PEM encoding block name of "CERTIFICATE". - // Any subsequent blocks will be ignored. - FORMAT_DER = 1 << 0, - - // The data contains a sequence of one or more PEM-encoded, DER - // certificates, with the PEM encoding block name of "CERTIFICATE". - // All PEM blocks will be parsed, until the first error is encountered. - FORMAT_PEM = 1 << 1, - - // The data contains a PKCS#7 SignedData structure, whose certificates - // member is to be used to initialize the certificate and intermediates. - // The data my further be encoding using PEM, specifying block names of - // either "PKCS7" or "CERTIFICATE". - FORMAT_PKCS7 = 1 << 2, - - // Automatically detect the format. - FORMAT_AUTO = FORMAT_DER | FORMAT_PEM | FORMAT_PKCS7, - }; - // Create an X509Certificate from a handle to the certificate object in the // underlying crypto library. |source| specifies where |cert_handle| comes // from. Given two certificate handles for the same certificate, our @@ -107,7 +84,7 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { Source source, const OSCertHandles& intermediates); - // Create an X509Certificate from the DER-encoded representation. + // Create an X509Certificate from the BER-encoded representation. // Returns NULL on failure. // // The returned pointer must be stored in a scoped_refptr<X509Certificate>. 
@@ -122,14 +99,6 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { static X509Certificate* CreateFromPickle(const Pickle& pickle, void** pickle_iter); - // Parses all of the certificates possible from |data|. |format| is a - // bit-wise OR of Format, indicating the possible formats the - // certificates may have been serialized as. If an error occurs, an empty - // collection will be returned. - static CertificateList CreateCertificateListFromBytes(const char* data, - int length, - int format); - // Creates a X509Certificate from the ground up. Used by tests that simulate // SSL connections. X509Certificate(const std::string& subject, const std::string& issuer, @@ -234,11 +203,6 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { static OSCertHandle CreateOSCertHandleFromBytes(const char* data, int length); - // Creates all possible OS certificate handles from |data| encoded in a - // specific |format|. Returns an empty collection on failure. - static OSCertHandles CreateOSCertHandlesFromBytes( - const char* data, int length, Format format); - // Duplicates (or adds a reference to) an OS certificate handle. static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle); diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc index 727fde9..ed46adc 100644 --- a/net/base/x509_certificate_mac.cc +++ b/net/base/x509_certificate_mac.cc @@ -8,9 +8,9 @@ #include <Security/Security.h> #include <time.h> +#include "base/scoped_cftyperef.h" #include "base/logging.h" #include "base/pickle.h" -#include "base/scoped_cftyperef.h" #include "base/sys_string_conversions.h" #include "net/base/cert_status_flags.h" #include "net/base/cert_verify_result.h" 
@@ -372,44 +372,6 @@ bool ExtendedKeyUsageAllows(const CE_ExtendedKeyUsage* usage, return false; } -// Parses |data| of length |length|, attempting to decode it as the specified -// |format|. If |data| is in the specified format, any certificates contained -// within are stored into |output|. -void AddCertificatesFromBytes(const char* data, size_t length, - SecExternalFormat format, - X509Certificate::OSCertHandles* output) { - SecExternalFormat input_format = format; - scoped_cftyperef<CFDataRef> local_data(CFDataCreateWithBytesNoCopy( - kCFAllocatorDefault, reinterpret_cast<const UInt8*>(data), - length, kCFAllocatorNull)); - - CFArrayRef items = NULL; - OSStatus status = SecKeychainItemImport(local_data, NULL, &input_format, - NULL, 0, NULL, NULL, &items); - if (status) { - DLOG(WARNING) << status << " Unable to import items from data of length " - << length; - return; - } - - scoped_cftyperef<CFArrayRef> scoped_items(items); - CFTypeID cert_type_id = SecCertificateGetTypeID(); - - for (CFIndex i = 0; i < CFArrayGetCount(items); ++i) { - SecKeychainItemRef item = reinterpret_cast<SecKeychainItemRef>( - const_cast<void*>(CFArrayGetValueAtIndex(items, i))); - - // While inputFormat implies only certificates will be imported, if/when - // other formats (eg: PKCS#12) are supported, this may also include - // private keys or other items types, so filter appropriately. - if (CFGetTypeID(item) == cert_type_id) { - SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(item); - CFRetain(cert); - output->push_back(cert); - } - } -} - } // namespace void X509Certificate::Initialize() { 
@@ -707,53 +669,15 @@ X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes( OSCertHandle cert_handle = NULL; OSStatus status = SecCertificateCreateFromData(&cert_data, CSSM_CERT_X_509v3, - CSSM_CERT_ENCODING_DER, + CSSM_CERT_ENCODING_BER, &cert_handle); if (status) return NULL; - // SecCertificateCreateFromData() unfortunately will not return any - // errors, as long as simply all pointers are present. The actual decoding - // of the certificate does not happen until an API that requires a CDSA - // handle is called. While SecCertificateGetCLHandle is the most likely - // candidate, as it initializes the parsing, it does not check whether the - // parsing was successful. Instead, SecCertificateGetSubject is used - // (supported since 10.3), as a means to double-check that the parsed - // parsed certificate is valid. - const CSSM_X509_NAME* sanity_check = NULL; - status = SecCertificateGetSubject(cert_handle, &sanity_check); - if (status || !sanity_check) { - CFRelease(cert_handle); - return NULL; - } - return cert_handle; } // static -X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes( - const char* data, int length, Format format) { - OSCertHandles results; - - switch (format) { - case FORMAT_DER: { - OSCertHandle handle = CreateOSCertHandleFromBytes(data, length); - if (handle) - results.push_back(handle); - break; - } - case FORMAT_PKCS7: - AddCertificatesFromBytes(data, length, kSecFormatPKCS7, &results); - break; - default: - NOTREACHED() << "Certificate format " << format << " unimplemented"; - break; - } - - return results; -} - -// static X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle( OSCertHandle handle) { if (!handle) diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc index dbc4d18..8eb337f 100644 --- a/net/base/x509_certificate_nss.cc +++ b/net/base/x509_certificate_nss.cc 
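Review bot: After this hunk, CreateOSCertHandleFromBytes() on Mac returns the handle from `SecCertificateCreateFromData()` with no check that the bytes actually decode. The comment deleted here says that call reports no error as long as the pointers are present, because parsing is deferred. The removed `SecCertificateGetSubject(cert_handle, &sanity_check)` probe, with its `CFRelease(cert_handle); return NULL;` failure path, looks independent of the multi-format parsing being reverted, so it is worth keeping it in the revert so callers cannot receive a non-NULL handle for malformed input. If the probe has to go, replace its comment with a short one saying that a non-NULL return does not imply a parsable certificate. The switch back to `CSSM_CERT_ENCODING_BER` presumably widens the accepted encodings as well, which would make the missing check matter more. The function's signature and the `cert_data` setup are outside the hunk.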
@@ -16,7 +16,6 @@ #include "base/logging.h" #include "base/pickle.h" -#include "base/scoped_ptr.h" #include "base/time.h" #include "base/nss_util.h" #include "net/base/cert_status_flags.h" @@ -572,22 +571,6 @@ bool CheckCertPolicies(X509Certificate::OSCertHandle cert_handle, return false; } -SECStatus PR_CALLBACK -CollectCertsCallback(void* arg, SECItem** certs, int num_certs) { - X509Certificate::OSCertHandles* results = - reinterpret_cast<X509Certificate::OSCertHandles*>(arg); - - for (int i = 0; i < num_certs; ++i) { - X509Certificate::OSCertHandle handle = - X509Certificate::CreateOSCertHandleFromBytes( - reinterpret_cast<char*>(certs[i]->data), certs[i]->len); - if (handle) - results->push_back(handle); - } - - return SECSuccess; -} - } // namespace void X509Certificate::Initialize() { 
@@ -738,59 +721,21 @@ bool X509Certificate::VerifyEV() const { // static X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes( const char* data, int length) { - if (length < 0) - return NULL; - base::EnsureNSSInit(); if (!NSS_IsInitialized()) return NULL; - SECItem der_cert; - der_cert.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data)); - der_cert.len = length; - der_cert.type = siDERCertBuffer; + // Make a copy of |data| since CERT_DecodeCertPackage might modify it. + char* data_copy = new char[length]; + memcpy(data_copy, data, length); // Parse into a certificate structure. - return CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der_cert, NULL, - PR_FALSE, PR_TRUE); -} - -// static -X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes( - const char* data, int length, Format format) { - OSCertHandles results; - if (length < 0) - return results; - - base::EnsureNSSInit(); - - if (!NSS_IsInitialized()) - return results; - - switch (format) { - case FORMAT_DER: { - OSCertHandle handle = CreateOSCertHandleFromBytes(data, length); - if (handle) - results.push_back(handle); - break; - } - case FORMAT_PKCS7: { - // Make a copy since CERT_DecodeCertPackage may modify it - std::vector<char> data_copy(data, data + length); - - SECStatus result = CERT_DecodeCertPackage(&data_copy[0], - length, CollectCertsCallback, &results); - if (result != SECSuccess) - results.clear(); - break; - } - default: - NOTREACHED() << "Certificate format " << format << " unimplemented"; - break; - } - - return results; + CERTCertificate* cert = CERT_DecodeCertFromPackage(data_copy, length); + delete [] data_copy; + if (!cert) + LOG(ERROR) << "Couldn't parse a certificate from " << length << " bytes"; + return cert; } // static diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc index 6becea0..63eec15 100644 --- a/net/base/x509_certificate_unittest.cc +++ b/net/base/x509_certificate_unittest.cc 
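Review bot: In the NSS CreateOSCertHandleFromBytes(), the added `new char[length]` and `memcpy(data_copy, data, length)` take an `int length` that is no longer validated, because the same hunk deletes `if (length < 0) return NULL;`. A negative length would be converted to a very large size at both calls. Keep the guard as the first statement, ahead of the copy: `if (length < 0) return NULL;`. The added comment also names `CERT_DecodeCertPackage` while the code calls `CERT_DecodeCertFromPackage`, so the comment should name the function actually called. A `std::vector<char>` buffer, as the removed PKCS#7 branch used, would drop the manual `delete []`, provided the empty-input case is handled before taking `&data_copy[0]`.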
@@ -76,93 +76,6 @@ unsigned char unosoft_hu_fingerprint[] = { 0x25, 0x66, 0xf2, 0xec, 0x8b, 0x0f, 0xbf, 0xd8 }; -// The fingerprint of the Google certificate used in the parsing tests, -// which is newer than the one included in the x509_certificate_data.h -unsigned char google_parse_fingerprint[] = { - 0x40, 0x50, 0x62, 0xe5, 0xbe, 0xfd, 0xe4, 0xaf, 0x97, 0xe9, 0x38, 0x2a, - 0xf1, 0x6c, 0xc8, 0x7c, 0x8f, 0xb7, 0xc4, 0xe2 -}; - -// The fingerprint for the Thawte SGC certificate -unsigned char thawte_parse_fingerprint[] = { - 0xec, 0x07, 0x10, 0x03, 0xd8, 0xf5, 0xa3, 0x7f, 0x42, 0xc4, 0x55, 0x7f, - 0x65, 0x6a, 0xae, 0x86, 0x65, 0xfa, 0x4b, 0x02 -}; - -// Dec 18 00:00:00 2009 GMT -const double kGoogleParseValidFrom = 1261094400; -// Dec 18 23:59:59 2011 GMT -const double kGoogleParseValidTo = 1324252799; - -struct CertificateFormatTestData { - const char* file_name; - X509Certificate::Format format; - unsigned char* chain_fingerprints[3]; -}; - -const CertificateFormatTestData FormatTestData[] = { - // DER Parsing - single certificate, DER encoded - { "google.single.der", X509Certificate::FORMAT_DER, - { google_parse_fingerprint, - NULL, } }, - // DER parsing - single certificate, PEM encoded - { "google.single.pem", X509Certificate::FORMAT_DER, - { google_parse_fingerprint, - NULL, } }, - // PEM parsing - single certificate, PEM encoded with a PEB of - // "CERTIFICATE" - { "google.single.pem", X509Certificate::FORMAT_PEM, - { google_parse_fingerprint, - NULL, } }, - // PEM parsing - sequence of certificates, PEM encoded with a PEB of - // "CERTIFICATE" - { "google.chain.pem", X509Certificate::FORMAT_PEM, - { google_parse_fingerprint, - thawte_parse_fingerprint, - NULL, } }, - // PKCS#7 parsing - "degenerate" SignedData collection of certificates, DER - // encoding - { "google.binary.p7b", X509Certificate::FORMAT_PKCS7, - { google_parse_fingerprint, - thawte_parse_fingerprint, - NULL, } }, - // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM 
- // encoded with a PEM PEB of "CERTIFICATE" - { "google.pem_cert.p7b", X509Certificate::FORMAT_PKCS7, - { google_parse_fingerprint, - thawte_parse_fingerprint, - NULL, } }, - // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM - // encoded with a PEM PEB of "PKCS7" - { "google.pem_pkcs7.p7b", X509Certificate::FORMAT_PKCS7, - { google_parse_fingerprint, - thawte_parse_fingerprint, - NULL, } }, - // All of the above, this time using auto-detection - { "google.single.der", X509Certificate::FORMAT_AUTO, - { google_parse_fingerprint, - NULL, } }, - { "google.single.pem", X509Certificate::FORMAT_AUTO, - { google_parse_fingerprint, - NULL, } }, - { "google.chain.pem", X509Certificate::FORMAT_AUTO, - { google_parse_fingerprint, - thawte_parse_fingerprint, - NULL, } }, - { "google.binary.p7b", X509Certificate::FORMAT_AUTO, - { google_parse_fingerprint, - thawte_parse_fingerprint, - NULL, } }, - { "google.pem_cert.p7b", X509Certificate::FORMAT_AUTO, - { google_parse_fingerprint, - thawte_parse_fingerprint, - NULL, } }, - { "google.pem_pkcs7.p7b", X509Certificate::FORMAT_AUTO, - { google_parse_fingerprint, - thawte_parse_fingerprint, - NULL, } }, -}; - // Returns a FilePath object representing the src/net/data/ssl/certificates // directory in the source tree. FilePath GetTestCertsDirectory() { 
@@ -187,22 +100,12 @@ X509Certificate* ImportCertFromFile(const FilePath& certs_dir, return X509Certificate::CreateFromBytes(cert_data.data(), cert_data.size()); } -CertificateList CreateCertificateListFromFile( - const FilePath& certs_dir, - const std::string& cert_file, - int format) { - FilePath cert_path = certs_dir.AppendASCII(cert_file); - std::string cert_data; - if (!file_util::ReadFileToString(cert_path, &cert_data)) - return CertificateList(); - return X509Certificate::CreateCertificateListFromBytes(cert_data.data(), - cert_data.size(), - format); -} +} // namespace + +TEST(X509CertificateTest, GoogleCertParsing) { + scoped_refptr<X509Certificate> google_cert = X509Certificate::CreateFromBytes( + reinterpret_cast<const char*>(google_der), sizeof(google_der)); -void CheckGoogleCert(const scoped_refptr<X509Certificate>& google_cert, - unsigned char* expected_fingerprint, - double valid_from, double valid_to) { ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert); const CertPrincipal& subject = google_cert->subject(); @@ -229,14 +132,14 @@ void CheckGoogleCert(const scoped_refptr<X509Certificate>& google_cert, // Use DoubleT because its epoch is the same on all platforms const Time& valid_start = google_cert->valid_start(); - EXPECT_EQ(valid_from, valid_start.ToDoubleT()); + EXPECT_EQ(1238192407, valid_start.ToDoubleT()); // Mar 27 22:20:07 2009 GMT const Time& valid_expiry = google_cert->valid_expiry(); - EXPECT_EQ(valid_to, valid_expiry.ToDoubleT()); + EXPECT_EQ(1269728407, valid_expiry.ToDoubleT()); // Mar 27 22:20:07 2010 GMT const SHA1Fingerprint& fingerprint = google_cert->fingerprint(); for (size_t i = 0; i < 20; ++i) - EXPECT_EQ(expected_fingerprint[i], fingerprint.data[i]); + EXPECT_EQ(google_fingerprint[i], fingerprint.data[i]); std::vector<std::string> dns_names; google_cert->GetDNSNames(&dns_names); 
@@ -253,18 +156,6 @@ void CheckGoogleCert(const scoped_refptr<X509Certificate>& google_cert, #endif } -} // namespace - -TEST(X509CertificateTest, GoogleCertParsing) { - scoped_refptr<X509Certificate> google_cert = - X509Certificate::CreateFromBytes( - reinterpret_cast<const char*>(google_der), sizeof(google_der)); - - CheckGoogleCert(google_cert, google_fingerprint, - 1238192407, // Mar 27 22:20:07 2009 GMT - 1269728407); // Mar 27 22:20:07 2010 GMT -} - TEST(X509CertificateTest, WebkitCertParsing) { scoped_refptr<X509Certificate> webkit_cert = X509Certificate::CreateFromBytes( reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der)); @@ -637,41 +528,4 @@ TEST(X509CertificateTest, IntermediateCertificates) { } #endif -class X509CertificateParseTest - : public testing::TestWithParam<CertificateFormatTestData> { - public: - virtual ~X509CertificateParseTest() {} - virtual void SetUp() { - test_data_ = GetParam(); - } - virtual void TearDown() {} - - protected: - CertificateFormatTestData test_data_; -}; - -TEST_P(X509CertificateParseTest, CanParseFormat) { - FilePath certs_dir = GetTestCertsDirectory(); - CertificateList certs = CreateCertificateListFromFile( - certs_dir, test_data_.file_name, test_data_.format); - ASSERT_FALSE(certs.empty()); - ASSERT_LE(certs.size(), arraysize(test_data_.chain_fingerprints)); - CheckGoogleCert(certs.front(), google_parse_fingerprint, - kGoogleParseValidFrom, kGoogleParseValidTo); - - size_t i; - for (i = 0; i < arraysize(test_data_.chain_fingerprints) && - i < certs.size() && test_data_.chain_fingerprints[i] != NULL; ++i) { - const X509Certificate* cert = certs[i]; - const SHA1Fingerprint& actual_fingerprint = cert->fingerprint(); - unsigned char* expected_fingerprint = test_data_.chain_fingerprints[i]; - - for (size_t j = 0; j < 20; ++j) - EXPECT_EQ(expected_fingerprint[j], actual_fingerprint.data[j]); - } -} - -INSTANTIATE_TEST_CASE_P(, X509CertificateParseTest, - testing::ValuesIn(FormatTestData)); - } // namespace net 
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc index faa8871..901c0a6 100644 --- a/net/base/x509_certificate_win.cc +++ b/net/base/x509_certificate_win.cc @@ -434,54 +434,6 @@ void ParsePrincipal(const std::string& description, } } -void AddCertsFromStore(HCERTSTORE store, - X509Certificate::OSCertHandles* results) { - PCCERT_CONTEXT cert = NULL; - - while ((cert = CertEnumCertificatesInStore(store, cert)) != NULL) { - PCCERT_CONTEXT to_add = NULL; - if (CertAddCertificateContextToStore( - NULL, // The cert won't be persisted in any cert store. This breaks - // any association the context currently has to |store|, which - // allows us, the caller, to safely close |store| without - // releasing the cert handles. - cert, - CERT_STORE_ADD_USE_EXISTING, - &to_add) && to_add != NULL) { - // When processing stores generated from PKCS#7/PKCS#12 files, it - // appears that the order returned is the inverse of the order that it - // appeared in the file. - // TODO(rsleevi): Ensure this order is consistent across all Win - // versions - results->insert(results->begin(), to_add); - } - } -} - -X509Certificate::OSCertHandles ParsePKCS7(const char* data, size_t length) { - X509Certificate::OSCertHandles results; - CERT_BLOB data_blob; - data_blob.cbData = length; - data_blob.pbData = reinterpret_cast<BYTE*>(const_cast<char*>(data)); - - HCERTSTORE out_store = NULL; - - DWORD expected_types = CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED | - CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED | - CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED; - - if (!CryptQueryObject(CERT_QUERY_OBJECT_BLOB, &data_blob, expected_types, - CERT_QUERY_FORMAT_FLAG_BINARY, 0, NULL, NULL, NULL, - &out_store, NULL, NULL) || out_store == NULL) { - return results; - } - - AddCertsFromStore(out_store, &results); - CertCloseStore(out_store, CERT_CLOSE_STORE_CHECK_FLAG); - - return results; -} - } // namespace void X509Certificate::Initialize() { 
@@ -801,27 +753,6 @@ X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes( return cert_handle; } -X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes( - const char* data, int length, Format format) { - OSCertHandles results; - switch (format) { - case FORMAT_DER: { - OSCertHandle handle = CreateOSCertHandleFromBytes(data, length); - if (handle != NULL) - results.push_back(handle); - break; - } - case FORMAT_PKCS7: - results = ParsePKCS7(data, length); - break; - default: - NOTREACHED() << "Certificate format " << format << " unimplemented"; - break; - } - - return results; -} - // static X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle( diff --git a/net/data/ssl/certificates/google.binary.p7b b/net/data/ssl/certificates/google.binary.p7b Binary files differdeleted file mode 100644 index 052e388..0000000 --- a/net/data/ssl/certificates/google.binary.p7b +++ /dev/null diff --git a/net/data/ssl/certificates/google.chain.pem b/net/data/ssl/certificates/google.chain.pem deleted file mode 100644 index e78af71..0000000 --- a/net/data/ssl/certificates/google.chain.pem +++ /dev/null 
@@ -1,38 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM -MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg -THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wOTEyMTgwMDAwMDBaFw0x -MTEyMTgyMzU5NTlaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh -MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRcw -FQYDVQQDFA53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC -gYEA6PmGD5D6htffvXImttdEAoN4c9kCKO+IRTn7EOh8rqk41XXGOOsKFQebg+jN -gtXj9xVoRaELGYW84u+E593y17iYwqG7tcFR39SDAqc9BkJb4SLD3muFXxzW2k6L -05vuuWciKh0R73mkszeK9P4Y/bz5RiNQl/Os/CRGK1w7t0UCAwEAAaOB5zCB5DAM -BgNVHRMBAf8EAjAAMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwudGhhd3Rl -LmNvbS9UaGF3dGVTR0NDQS5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUF -BwMCBglghkgBhvhCBAEwcgYIKwYBBQUHAQEEZjBkMCIGCCsGAQUFBzABhhZodHRw -Oi8vb2NzcC50aGF3dGUuY29tMD4GCCsGAQUFBzAChjJodHRwOi8vd3d3LnRoYXd0 -ZS5jb20vcmVwb3NpdG9yeS9UaGF3dGVfU0dDX0NBLmNydDANBgkqhkiG9w0BAQUF -AAOBgQCfQ89bxFApsb/isJr/aiEdLRLDLE5a+RLizrmCUi3nHX4adpaQedEkUjh5 -u2ONgJd8IyAPkU0Wueru9G2Jysa9zCRo1kNbzipYvzwY4OA8Ys+WAi0oR1A04Se6 -z5nRUP8pJcA2NhUzUnC+MY+f6H/nEQyNv4SgQhqAibAxWEEHXw== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIDIzCCAoygAwIBAgIEMAAAAjANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJV -UzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDMgUHVi -bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQwNTEzMDAw -MDAwWhcNMTQwNTEyMjM1OTU5WjBMMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhh -d3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBD -QTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1NNn0I0Vf67NMf59HZGhPwtx -PKzMyGT7Y/wySweUvW+Aui/hBJPAM/wJMyPpC3QrccQDxtLN4i/1CWPN/0ilAL/g -5/OIty0y3pg25gqtAHvEZEo7hHUD8nCSfQ5i9SGraTaEMXWQ+L/HbIgbBpV8yeWo -3nWhLHpo39XKHIdYYBkCAwEAAaOB/jCB+zASBgNVHRMBAf8ECDAGAQH/AgEAMAsG -A1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAQYwKAYDVR0RBCEwH6QdMBsxGTAX -BgNVBAMTEFByaXZhdGVMYWJlbDMtMTUwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDov 
-L2NybC52ZXJpc2lnbi5jb20vcGNhMy5jcmwwMgYIKwYBBQUHAQEEJjAkMCIGCCsG -AQUFBzABhhZodHRwOi8vb2NzcC50aGF3dGUuY29tMDQGA1UdJQQtMCsGCCsGAQUF -BwMBBggrBgEFBQcDAgYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEB -BQUAA4GBAFWsY+reod3SkF+fC852vhNRj5PZBSvIG3dLrWlQoe7e3P3bB+noOZTc -q3J5Lwa/q4FwxKjt6lM07e8eU9kGx1Yr0Vz00YqOtCuxN5BICEIlxT6Ky3/rbwTR -bcV0oveifHtgPHfNDs5IAn8BL7abN+AqKjbc1YXWrOU/VG+WHgWv ------END CERTIFICATE-----
\ No newline at end of file diff --git a/net/data/ssl/certificates/google.pem_cert.p7b b/net/data/ssl/certificates/google.pem_cert.p7b deleted file mode 100644 index ba80fb0..0000000 --- a/net/data/ssl/certificates/google.pem_cert.p7b +++ /dev/null 
@@ -1,37 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIGeQYJKoZIhvcNAQcCoIIGajCCBmYCAQExADALBgkqhkiG9w0BBwGgggZMMIID -ITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBMMQsw -CQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRk -LjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wOTEyMTgwMDAwMDBaFw0xMTEy -MTgyMzU5NTlaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYw -FAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRcwFQYD -VQQDFA53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA -6PmGD5D6htffvXImttdEAoN4c9kCKO+IRTn7EOh8rqk41XXGOOsKFQebg+jNgtXj -9xVoRaELGYW84u+E593y17iYwqG7tcFR39SDAqc9BkJb4SLD3muFXxzW2k6L05vu -uWciKh0R73mkszeK9P4Y/bz5RiNQl/Os/CRGK1w7t0UCAwEAAaOB5zCB5DAMBgNV -HRMBAf8EAjAAMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwudGhhd3RlLmNv -bS9UaGF3dGVTR0NDQS5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUFBwMC -BglghkgBhvhCBAEwcgYIKwYBBQUHAQEEZjBkMCIGCCsGAQUFBzABhhZodHRwOi8v -b2NzcC50aGF3dGUuY29tMD4GCCsGAQUFBzAChjJodHRwOi8vd3d3LnRoYXd0ZS5j -b20vcmVwb3NpdG9yeS9UaGF3dGVfU0dDX0NBLmNydDANBgkqhkiG9w0BAQUFAAOB -gQCfQ89bxFApsb/isJr/aiEdLRLDLE5a+RLizrmCUi3nHX4adpaQedEkUjh5u2ON -gJd8IyAPkU0Wueru9G2Jysa9zCRo1kNbzipYvzwY4OA8Ys+WAi0oR1A04Se6z5nR -UP8pJcA2NhUzUnC+MY+f6H/nEQyNv4SgQhqAibAxWEEHXzCCAyMwggKMoAMCAQIC -BDAAAAIwDQYJKoZIhvcNAQEFBQAwXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZl -cmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENl -cnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDUxMzAwMDAwMFoXDTE0MDUxMjIz -NTk1OVowTDELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5n -IChQdHkpIEx0ZC4xFjAUBgNVBAMTDVRoYXd0ZSBTR0MgQ0EwgZ8wDQYJKoZIhvcN -AQEBBQADgY0AMIGJAoGBANTTZ9CNFX+uzTH+fR2RoT8LcTyszMhk+2P8MksHlL1v -gLov4QSTwDP8CTMj6Qt0K3HEA8bSzeIv9Qljzf9IpQC/4OfziLctMt6YNuYKrQB7 -xGRKO4R1A/Jwkn0OYvUhq2k2hDF1kPi/x2yIGwaVfMnlqN51oSx6aN/VyhyHWGAZ -AgMBAAGjgf4wgfswEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAQYwEQYJ -YIZIAYb4QgEBBAQDAgEGMCgGA1UdEQQhMB+kHTAbMRkwFwYDVQQDExBQcml2YXRl -TGFiZWwzLTE1MDEGA1UdHwQqMCgwJqAkoCKGIGh0dHA6Ly9jcmwudmVyaXNpZ24u 
-Y29tL3BjYTMuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDov -L29jc3AudGhhd3RlLmNvbTA0BgNVHSUELTArBggrBgEFBQcDAQYIKwYBBQUHAwIG -CWCGSAGG+EIEAQYKYIZIAYb4RQEIATANBgkqhkiG9w0BAQUFAAOBgQBVrGPq3qHd -0pBfnwvOdr4TUY+T2QUryBt3S61pUKHu3tz92wfp6DmU3KtyeS8Gv6uBcMSo7epT -NO3vHlPZBsdWK9Fc9NGKjrQrsTeQSAhCJcU+ist/628E0W3FdKL3onx7YDx3zQ7O -SAJ/AS+2mzfgKio23NWF1qzlP1Rvlh4Fr6EAMQA= ------END CERTIFICATE----- diff --git a/net/data/ssl/certificates/google.pem_pkcs7.p7b b/net/data/ssl/certificates/google.pem_pkcs7.p7b deleted file mode 100644 index 49e2eec..0000000 --- a/net/data/ssl/certificates/google.pem_pkcs7.p7b +++ /dev/null 
@@ -1,37 +0,0 @@ ------BEGIN PKCS7----- -MIIGeQYJKoZIhvcNAQcCoIIGajCCBmYCAQExADALBgkqhkiG9w0BBwGgggZMMIID -ITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBMMQsw -CQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRk -LjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wOTEyMTgwMDAwMDBaFw0xMTEy -MTgyMzU5NTlaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYw -FAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRcwFQYD -VQQDFA53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA -6PmGD5D6htffvXImttdEAoN4c9kCKO+IRTn7EOh8rqk41XXGOOsKFQebg+jNgtXj -9xVoRaELGYW84u+E593y17iYwqG7tcFR39SDAqc9BkJb4SLD3muFXxzW2k6L05vu -uWciKh0R73mkszeK9P4Y/bz5RiNQl/Os/CRGK1w7t0UCAwEAAaOB5zCB5DAMBgNV -HRMBAf8EAjAAMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwudGhhd3RlLmNv -bS9UaGF3dGVTR0NDQS5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUFBwMC -BglghkgBhvhCBAEwcgYIKwYBBQUHAQEEZjBkMCIGCCsGAQUFBzABhhZodHRwOi8v -b2NzcC50aGF3dGUuY29tMD4GCCsGAQUFBzAChjJodHRwOi8vd3d3LnRoYXd0ZS5j -b20vcmVwb3NpdG9yeS9UaGF3dGVfU0dDX0NBLmNydDANBgkqhkiG9w0BAQUFAAOB -gQCfQ89bxFApsb/isJr/aiEdLRLDLE5a+RLizrmCUi3nHX4adpaQedEkUjh5u2ON -gJd8IyAPkU0Wueru9G2Jysa9zCRo1kNbzipYvzwY4OA8Ys+WAi0oR1A04Se6z5nR -UP8pJcA2NhUzUnC+MY+f6H/nEQyNv4SgQhqAibAxWEEHXzCCAyMwggKMoAMCAQIC -BDAAAAIwDQYJKoZIhvcNAQEFBQAwXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZl -cmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENl -cnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDUxMzAwMDAwMFoXDTE0MDUxMjIz -NTk1OVowTDELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5n -IChQdHkpIEx0ZC4xFjAUBgNVBAMTDVRoYXd0ZSBTR0MgQ0EwgZ8wDQYJKoZIhvcN -AQEBBQADgY0AMIGJAoGBANTTZ9CNFX+uzTH+fR2RoT8LcTyszMhk+2P8MksHlL1v -gLov4QSTwDP8CTMj6Qt0K3HEA8bSzeIv9Qljzf9IpQC/4OfziLctMt6YNuYKrQB7 -xGRKO4R1A/Jwkn0OYvUhq2k2hDF1kPi/x2yIGwaVfMnlqN51oSx6aN/VyhyHWGAZ -AgMBAAGjgf4wgfswEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAQYwEQYJ -YIZIAYb4QgEBBAQDAgEGMCgGA1UdEQQhMB+kHTAbMRkwFwYDVQQDExBQcml2YXRl -TGFiZWwzLTE1MDEGA1UdHwQqMCgwJqAkoCKGIGh0dHA6Ly9jcmwudmVyaXNpZ24u 
-Y29tL3BjYTMuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDov -L29jc3AudGhhd3RlLmNvbTA0BgNVHSUELTArBggrBgEFBQcDAQYIKwYBBQUHAwIG -CWCGSAGG+EIEAQYKYIZIAYb4RQEIATANBgkqhkiG9w0BAQUFAAOBgQBVrGPq3qHd -0pBfnwvOdr4TUY+T2QUryBt3S61pUKHu3tz92wfp6DmU3KtyeS8Gv6uBcMSo7epT -NO3vHlPZBsdWK9Fc9NGKjrQrsTeQSAhCJcU+ist/628E0W3FdKL3onx7YDx3zQ7O -SAJ/AS+2mzfgKio23NWF1qzlP1Rvlh4Fr6EAMQA= ------END PKCS7----- diff --git a/net/data/ssl/certificates/google.single.der b/net/data/ssl/certificates/google.single.der Binary files differdeleted file mode 100644 index f73df17..0000000 --- a/net/data/ssl/certificates/google.single.der +++ /dev/null diff --git a/net/data/ssl/certificates/google.single.pem b/net/data/ssl/certificates/google.single.pem deleted file mode 100644 index a03adc4..0000000 --- a/net/data/ssl/certificates/google.single.pem +++ /dev/null 
@@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM -MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg -THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wOTEyMTgwMDAwMDBaFw0x -MTEyMTgyMzU5NTlaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh -MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRcw -FQYDVQQDFA53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC -gYEA6PmGD5D6htffvXImttdEAoN4c9kCKO+IRTn7EOh8rqk41XXGOOsKFQebg+jN -gtXj9xVoRaELGYW84u+E593y17iYwqG7tcFR39SDAqc9BkJb4SLD3muFXxzW2k6L -05vuuWciKh0R73mkszeK9P4Y/bz5RiNQl/Os/CRGK1w7t0UCAwEAAaOB5zCB5DAM -BgNVHRMBAf8EAjAAMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwudGhhd3Rl -LmNvbS9UaGF3dGVTR0NDQS5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUF -BwMCBglghkgBhvhCBAEwcgYIKwYBBQUHAQEEZjBkMCIGCCsGAQUFBzABhhZodHRw -Oi8vb2NzcC50aGF3dGUuY29tMD4GCCsGAQUFBzAChjJodHRwOi8vd3d3LnRoYXd0 -ZS5jb20vcmVwb3NpdG9yeS9UaGF3dGVfU0dDX0NBLmNydDANBgkqhkiG9w0BAQUF -AAOBgQCfQ89bxFApsb/isJr/aiEdLRLDLE5a+RLizrmCUi3nHX4adpaQedEkUjh5 -u2ONgJd8IyAPkU0Wueru9G2Jysa9zCRo1kNbzipYvzwY4OA8Ys+WAi0oR1A04Se6 -z5nRUP8pJcA2NhUzUnC+MY+f6H/nEQyNv4SgQhqAibAxWEEHXw== ------END CERTIFICATE-----
\ No newline at end of file diff --git a/net/data/ssl/certificates/thawte.single.pem b/net/data/ssl/certificates/thawte.single.pem deleted file mode 100644 index d326459..0000000 --- a/net/data/ssl/certificates/thawte.single.pem +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDIzCCAoygAwIBAgIEMAAAAjANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJV -UzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDMgUHVi -bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQwNTEzMDAw -MDAwWhcNMTQwNTEyMjM1OTU5WjBMMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhh -d3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBD -QTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1NNn0I0Vf67NMf59HZGhPwtx -PKzMyGT7Y/wySweUvW+Aui/hBJPAM/wJMyPpC3QrccQDxtLN4i/1CWPN/0ilAL/g -5/OIty0y3pg25gqtAHvEZEo7hHUD8nCSfQ5i9SGraTaEMXWQ+L/HbIgbBpV8yeWo -3nWhLHpo39XKHIdYYBkCAwEAAaOB/jCB+zASBgNVHRMBAf8ECDAGAQH/AgEAMAsG -A1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAQYwKAYDVR0RBCEwH6QdMBsxGTAX -BgNVBAMTEFByaXZhdGVMYWJlbDMtMTUwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDov -L2NybC52ZXJpc2lnbi5jb20vcGNhMy5jcmwwMgYIKwYBBQUHAQEEJjAkMCIGCCsG -AQUFBzABhhZodHRwOi8vb2NzcC50aGF3dGUuY29tMDQGA1UdJQQtMCsGCCsGAQUF -BwMBBggrBgEFBQcDAgYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEB -BQUAA4GBAFWsY+reod3SkF+fC852vhNRj5PZBSvIG3dLrWlQoe7e3P3bB+noOZTc -q3J5Lwa/q4FwxKjt6lM07e8eU9kGx1Yr0Vz00YqOtCuxN5BICEIlxT6Ky3/rbwTR -bcV0oveifHtgPHfNDs5IAn8BL7abN+AqKjbc1YXWrOU/VG+WHgWv ------END CERTIFICATE-----
\ No newline at end of file diff --git a/net/net.gyp b/net/net.gyp index ea740ff..98dc526 100644 --- a/net/net.gyp +++ b/net/net.gyp @@ -125,8 +125,6 @@ 'base/network_change_notifier_win.h', 'base/nss_memio.c', 'base/nss_memio.h', - 'base/pem_tokenizer.cc', - 'base/pem_tokenizer.h', 'base/platform_mime_util.h', # TODO(tc): gnome-vfs? xdgmime? /etc/mime.types? 'base/platform_mime_util_linux.cc', @@ -676,7 +674,6 @@ 'base/net_test_constants.h', 'base/net_test_suite.h', 'base/net_util_unittest.cc', - 'base/pem_tokenizer_unittest.cc', 'base/registry_controlled_domain_unittest.cc', 'base/run_all_unittests.cc', 'base/sdch_filter_unittest.cc', |