author J.C. Jones <jjones@mozilla.com>

Wed, 21 Feb 2018 14:08:47 -0500

changeset 758023 e57ffb2989337f2b601e5153eb45f839cf27c7be

parent 758022 6695c4b58a9769a22fae73965a3aec27771e09f8

child 758024 61f4b706401ac250cbadee8ca9e74f07532d867b

push id 99916

push user bmo:jjones@mozilla.com

push date Wed, 21 Feb 2018 19:10:27 +0000

reviewers fkiefer, keeler

bugs 1434300, 916730

milestone 60.0a1

security/certverifier/NSSCertDBTrustDomain.cpp file | annotate | diff | comparison | revisions

security/certverifier/TrustOverride-AppleGoogleData.inc file | annotate | diff | comparison | revisions

security/certverifier/TrustOverrideUtils.h file | annotate | diff | comparison | revisions

security/manager/ssl/nsNSSCallbacks.cpp file | annotate | diff | comparison | revisions

security/manager/ssl/tests/unit/test_symantec_apple_google.js file | annotate | diff | comparison | revisions

security/manager/ssl/tests/unit/test_symantec_apple_google/real-google-g2-intermediate.pem file | annotate | diff | comparison | revisions

security/manager/ssl/tests/unit/test_symantec_apple_google/real-googlecom.pem file | annotate | diff | comparison | revisions
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -899,17 +899,17 @@ NSSCertDBTrustDomain::IsChainValid(const
     }
 
     // PRTime is microseconds since the epoch, whereas JS time is milliseconds.
     // (new Date("2016-06-01T00:00:00Z")).getTime() * 1000
     static const PRTime JUNE_1_2016 = 1464739200000000;
 
     bool isDistrusted = false;
     nsrv = CheckForSymantecDistrust(intCerts, eeCert, JUNE_1_2016,
-                                    RootAppleAndGoogleDNs, isDistrusted);
+                                    RootAppleAndGoogleSPKIs, isDistrusted);
     if (NS_FAILED(nsrv)) {
       return Result::FATAL_ERROR_LIBRARY_FAILURE;
     }
     if (isDistrusted) {
       return Result::ERROR_UNKNOWN_ISSUER;
     }
   }
 
--- a/security/certverifier/TrustOverride-AppleGoogleData.inc
+++ b/security/certverifier/TrustOverride-AppleGoogleData.inc
@@ -1,138 +1,213 @@
 // Script from security/manager/tools/crtshToIdentifyingStruct/crtshToIdentifyingStruct.py
-// Invocation: crtshToIdentifyingStruct.py -dn -listname RootAppleAndGoogleDNs 142951186 23635000 5250464 12716200 19602712 19602724 21760447 19602706 19602741
+// Invocation: crtshToIdentifyingStruct.py -spki -listname RootAppleAndGoogleSPKIs 142951186 23635000 5250464 12716200 19602712 19602724 21760447 19602706 19602741
 
 // /C=US/O=Google Inc/CN=Google Internet Authority G2
 // SHA256 Fingerprint: 9B:75:9D:41:E3:DE:30:F9:D2:F9:02:02:7D:79:2B:65
 //                     D9:50:A9:8B:BB:6D:6D:56:BE:7F:25:28:45:3B:F8:E9
 // https://crt.sh/?id=142951186 (crt.sh ID=142951186)
 //
 // and
 //
 // /C=US/O=Google Inc/CN=Google Internet Authority G2
 // SHA256 Fingerprint: 9F:63:04:26:DF:1D:8A:BF:D8:0A:CE:98:87:1B:A8:33
 //                     AB:97:42:CB:34:83:8D:E2:B5:28:5E:D5:4C:0C:7D:CC
 // https://crt.sh/?id=23635000 (crt.sh ID=23635000)
-static const uint8_t CAGoogleInternetAuthorityG2DN[75] = {
-  0x30, 0x49, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x0A,
-  0x47, 0x6F, 0x6F, 0x67, 0x6C, 0x65, 0x20, 0x49, 0x6E, 0x63, 0x31, 0x25, 0x30,
-  0x23, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x1C, 0x47, 0x6F, 0x6F, 0x67, 0x6C,
-  0x65, 0x20, 0x49, 0x6E, 0x74, 0x65, 0x72, 0x6E, 0x65, 0x74, 0x20, 0x41, 0x75,
-  0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
+static const uint8_t CAGoogleInternetAuthorityG2SPKI[294] = {
+  0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
+  0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82,
+  0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0x9C, 0x2A, 0x04, 0x77, 0x5C, 0xD8,
+  0x50, 0x91, 0x3A, 0x06, 0xA3, 0x82, 0xE0, 0xD8, 0x50, 0x48, 0xBC, 0x89, 0x3F,
+  0xF1, 0x19, 0x70, 0x1A, 0x88, 0x46, 0x7E, 0xE0, 0x8F, 0xC5, 0xF1, 0x89, 0xCE,
+  0x21, 0xEE, 0x5A, 0xFE, 0x61, 0x0D, 0xB7, 0x32, 0x44, 0x89, 0xA0, 0x74, 0x0B,
+  0x53, 0x4F, 0x55, 0xA4, 0xCE, 0x82, 0x62, 0x95, 0xEE, 0xEB, 0x59, 0x5F, 0xC6,
+  0xE1, 0x05, 0x80, 0x12, 0xC4, 0x5E, 0x94, 0x3F, 0xBC, 0x5B, 0x48, 0x38, 0xF4,
+  0x53, 0xF7, 0x24, 0xE6, 0xFB, 0x91, 0xE9, 0x15, 0xC4, 0xCF, 0xF4, 0x53, 0x0D,
+  0xF4, 0x4A, 0xFC, 0x9F, 0x54, 0xDE, 0x7D, 0xBE, 0xA0, 0x6B, 0x6F, 0x87, 0xC0,
+  0xD0, 0x50, 0x1F, 0x28, 0x30, 0x03, 0x40, 0xDA, 0x08, 0x73, 0x51, 0x6C, 0x7F,
+  0xFF, 0x3A, 0x3C, 0xA7, 0x37, 0x06, 0x8E, 0xBD, 0x4B, 0x11, 0x04, 0xEB, 0x7D,
+  0x24, 0xDE, 0xE6, 0xF9, 0xFC, 0x31, 0x71, 0xFB, 0x94, 0xD5, 0x60, 0xF3, 0x2E,
+  0x4A, 0xAF, 0x42, 0xD2, 0xCB, 0xEA, 0xC4, 0x6A, 0x1A, 0xB2, 0xCC, 0x53, 0xDD,
+  0x15, 0x4B, 0x8B, 0x1F, 0xC8, 0x19, 0x61, 0x1F, 0xCD, 0x9D, 0xA8, 0x3E, 0x63,
+  0x2B, 0x84, 0x35, 0x69, 0x65, 0x84, 0xC8, 0x19, 0xC5, 0x46, 0x22, 0xF8, 0x53,
+  0x95, 0xBE, 0xE3, 0x80, 0x4A, 0x10, 0xC6, 0x2A, 0xEC, 0xBA, 0x97, 0x20, 0x11,
+  0xC7, 0x39, 0x99, 0x10, 0x04, 0xA0, 0xF0, 0x61, 0x7A, 0x95, 0x25, 0x8C, 0x4E,
+  0x52, 0x75, 0xE2, 0xB6, 0xED, 0x08, 0xCA, 0x14, 0xFC, 0xCE, 0x22, 0x6A, 0xB3,
+  0x4E, 0xCF, 0x46, 0x03, 0x97, 0x97, 0x03, 0x7E, 0xC0, 0xB1, 0xDE, 0x7B, 0xAF,
+  0x45, 0x33, 0xCF, 0xBA, 0x3E, 0x71, 0xB7, 0xDE, 0xF4, 0x25, 0x25, 0xC2, 0x0D,
+  0x35, 0x89, 0x9D, 0x9D, 0xFB, 0x0E, 0x11, 0x79, 0x89, 0x1E, 0x37, 0xC5, 0xAF,
+  0x8E, 0x72, 0x69, 0x02, 0x03, 0x01, 0x00, 0x01,
 };
 
 // /CN=Apple IST CA 2 - G1/OU=Certification Authority/O=Apple Inc./C=US
 // SHA256 Fingerprint: AC:2B:92:2E:CF:D5:E0:17:11:77:2F:EA:8E:D3:72:DE
 //                     9D:1E:22:45:FC:E3:F5:7A:9C:DB:EC:77:29:6A:42:4B
 // https://crt.sh/?id=5250464 (crt.sh ID=5250464)
-static const uint8_t CAAppleISTCA2G1DN[100] = {
-  0x30, 0x62, 0x31, 0x1C, 0x30, 0x1A, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x13,
-  0x41, 0x70, 0x70, 0x6C, 0x65, 0x20, 0x49, 0x53, 0x54, 0x20, 0x43, 0x41, 0x20,
-  0x32, 0x20, 0x2D, 0x20, 0x47, 0x31, 0x31, 0x20, 0x30, 0x1E, 0x06, 0x03, 0x55,
-  0x04, 0x0B, 0x13, 0x17, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
-  0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74,
-  0x79, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x0A, 0x41,
-  0x70, 0x70, 0x6C, 0x65, 0x20, 0x49, 0x6E, 0x63, 0x2E, 0x31, 0x0B, 0x30, 0x09,
-  0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
+static const uint8_t CAAppleISTCA2G1SPKI[294] = {
+  0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
+  0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82,
+  0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xD0, 0x93, 0xA1, 0x1D, 0x47, 0x43,
+  0x20, 0x16, 0xB2, 0x0B, 0x6B, 0xEB, 0xC3, 0xD5, 0xB4, 0xE8, 0xC7, 0x98, 0xCD,
+  0xF3, 0xDE, 0xBF, 0xE8, 0x4D, 0xE9, 0xE3, 0x36, 0x80, 0x07, 0xFC, 0x45, 0x1B,
+  0x6A, 0x7C, 0x45, 0x86, 0xAE, 0x56, 0xD3, 0xA4, 0x09, 0x7F, 0x61, 0x0D, 0x6B,
+  0x5D, 0x7E, 0x52, 0x6B, 0x7D, 0xB4, 0xC8, 0x39, 0xC4, 0xF4, 0x67, 0x3A, 0xF7,
+  0x83, 0xCE, 0x19, 0x6F, 0x86, 0x2F, 0x7E, 0x45, 0x7E, 0x47, 0x1C, 0x67, 0x52,
+  0xCA, 0x95, 0x05, 0x5D, 0xE2, 0x36, 0x51, 0x85, 0xC0, 0xD4, 0x67, 0x80, 0x35,
+  0x6F, 0x15, 0xDD, 0x3E, 0xFD, 0x1D, 0xD2, 0xFD, 0x8F, 0x34, 0x50, 0xD8, 0xEC,
+  0x76, 0x2A, 0xBE, 0xE3, 0xD3, 0xDA, 0xE4, 0xFD, 0xC8, 0xEB, 0x28, 0x02, 0x96,
+  0x11, 0x97, 0x17, 0x61, 0x1C, 0xE9, 0xC4, 0x59, 0x3B, 0x42, 0xDC, 0x32, 0xD1,
+  0x09, 0x1D, 0xDA, 0xA6, 0xD1, 0x43, 0x86, 0xFF, 0x5E, 0xB2, 0xBC, 0x8C, 0xCF,
+  0x66, 0xDB, 0x01, 0x8B, 0x02, 0xAE, 0x94, 0x48, 0xF3, 0x38, 0x8F, 0xFD, 0xEA,
+  0x32, 0xA8, 0x08, 0xEC, 0x86, 0x97, 0x51, 0x94, 0x24, 0x3E, 0x49, 0x49, 0x96,
+  0x53, 0xE8, 0x79, 0xA1, 0x40, 0x81, 0xE9, 0x05, 0xBB, 0x93, 0x95, 0x51, 0xFC,
+  0xE3, 0xFD, 0x7C, 0x11, 0x4B, 0xF7, 0x9E, 0x08, 0xB3, 0x15, 0x49, 0x15, 0x07,
+  0xF9, 0xD1, 0x37, 0xA0, 0x9B, 0x4B, 0x32, 0xF6, 0xB5, 0xC4, 0xDC, 0x6A, 0xD1,
+  0xFC, 0x0A, 0xED, 0xF6, 0xE0, 0xC5, 0x29, 0xA0, 0xA8, 0x8B, 0x71, 0xFE, 0x0D,
+  0x92, 0xBC, 0xFE, 0x54, 0x70, 0x18, 0x0A, 0x6D, 0xC7, 0xED, 0x0C, 0xFB, 0xC9,
+  0x2D, 0x06, 0xC3, 0x8C, 0x85, 0xFC, 0xCB, 0x86, 0x5C, 0xD6, 0x36, 0x8E, 0x12,
+  0x8B, 0x09, 0x7F, 0xFB, 0x19, 0x1A, 0x38, 0xD5, 0xF0, 0x94, 0x30, 0x7A, 0x0F,
+  0xA6, 0x8C, 0xF3, 0x02, 0x03, 0x01, 0x00, 0x01,
 };
 
 // /CN=Apple IST CA 5 - G1/OU=Certification Authority/O=Apple Inc./C=US
 // SHA256 Fingerprint: 3D:B7:6D:1D:D7:D3:A7:59:DC:CC:3F:8F:A7:F6:86:75
 //                     C0:80:CB:09:5E:48:81:06:3A:6B:85:0F:DD:68:B8:BC
 // https://crt.sh/?id=12716200 (crt.sh ID=12716200)
-static const uint8_t CAAppleISTCA5G1DN[100] = {
-  0x30, 0x62, 0x31, 0x1C, 0x30, 0x1A, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x13,
-  0x41, 0x70, 0x70, 0x6C, 0x65, 0x20, 0x49, 0x53, 0x54, 0x20, 0x43, 0x41, 0x20,
-  0x35, 0x20, 0x2D, 0x20, 0x47, 0x31, 0x31, 0x20, 0x30, 0x1E, 0x06, 0x03, 0x55,
-  0x04, 0x0B, 0x13, 0x17, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
-  0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74,
-  0x79, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x0A, 0x41,
-  0x70, 0x70, 0x6C, 0x65, 0x20, 0x49, 0x6E, 0x63, 0x2E, 0x31, 0x0B, 0x30, 0x09,
-  0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
+static const uint8_t CAAppleISTCA5G1SPKI[294] = {
+  0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
+  0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82,
+  0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xF0, 0x8A, 0x08, 0xBA, 0x2C, 0x13,
+  0x5C, 0x5A, 0xF1, 0x98, 0xFD, 0x31, 0x59, 0x66, 0xC2, 0x56, 0x7A, 0x7E, 0x40,
+  0x2A, 0x4C, 0x94, 0xC9, 0x68, 0xB6, 0xB3, 0x23, 0xBD, 0x60, 0x1B, 0x3B, 0xE7,
+  0xFD, 0x3D, 0x5D, 0x70, 0x26, 0xC5, 0x3A, 0xAA, 0xB0, 0xCA, 0x69, 0x64, 0x0B,
+  0x62, 0x3E, 0x49, 0xE9, 0x4C, 0x05, 0x21, 0xBE, 0x34, 0xF4, 0xAA, 0x73, 0x21,
+  0x13, 0x31, 0x84, 0xE8, 0xCE, 0xEF, 0x38, 0xCF, 0x57, 0xE9, 0xDB, 0xCB, 0xCE,
+  0xD1, 0x6D, 0xFA, 0xC8, 0x81, 0x92, 0x2D, 0x22, 0xCE, 0x15, 0x7E, 0x7E, 0xB1,
+  0x07, 0xAC, 0x88, 0xC7, 0x18, 0x92, 0xC1, 0x96, 0xC6, 0x0C, 0x90, 0x26, 0x17,
+  0x55, 0x5F, 0x19, 0x1B, 0x25, 0xCF, 0x9E, 0x51, 0x34, 0xFA, 0xF3, 0xE7, 0xB1,
+  0x1C, 0x78, 0x18, 0xDA, 0xE4, 0x39, 0x1A, 0x91, 0x1B, 0xC2, 0xDF, 0xA8, 0x00,
+  0x5B, 0x5F, 0x4E, 0xC4, 0x22, 0xB4, 0xBA, 0x64, 0xE2, 0x4A, 0x77, 0xBA, 0xED,
+  0x2C, 0xEB, 0xFE, 0x8B, 0x61, 0x96, 0xF0, 0x1E, 0x84, 0x2D, 0x74, 0x0A, 0x7B,
+  0x17, 0xCD, 0xC3, 0xEE, 0x00, 0x6E, 0xD7, 0x66, 0x79, 0x8B, 0x50, 0xE9, 0x4F,
+  0xAF, 0xA6, 0x3D, 0x91, 0x31, 0x2F, 0xCA, 0x87, 0x2B, 0xCF, 0xF7, 0x08, 0x49,
+  0x14, 0x8A, 0x8E, 0x62, 0x7D, 0xAD, 0x56, 0xAA, 0x95, 0x62, 0xE3, 0xE9, 0x6B,
+  0x4E, 0x64, 0x41, 0xE2, 0x4F, 0x22, 0xF7, 0x4B, 0x56, 0xF1, 0x2C, 0xA8, 0x71,
+  0x11, 0x38, 0x09, 0x8B, 0x97, 0xB9, 0x08, 0xBF, 0xCF, 0x30, 0x26, 0x83, 0x40,
+  0x90, 0x63, 0x1A, 0xB6, 0x69, 0xBA, 0x79, 0xB7, 0xAE, 0x59, 0xEC, 0x6B, 0x0D,
+  0x84, 0x47, 0xA7, 0xAE, 0x0B, 0x47, 0x4C, 0x06, 0xFB, 0x76, 0x82, 0x69, 0x7B,
+  0x5E, 0x23, 0x60, 0x52, 0x35, 0xD0, 0xAC, 0x46, 0x1C, 0xEA, 0xA0, 0xB6, 0x5A,
+  0x8B, 0xD9, 0xED, 0x02, 0x03, 0x01, 0x00, 0x01,
 };
 
 // /CN=Apple IST CA 4 - G1/OU=Certification Authority/O=Apple Inc./C=US
 // SHA256 Fingerprint: 61:15:F0:6A:33:8A:64:9E:61:58:52:10:E7:6F:2E:CE
 //                     39:89:BC:A6:5A:62:B0:66:04:0C:D7:C5:F4:08:ED:D0
 // https://crt.sh/?id=19602712 (crt.sh ID=19602712)
-static const uint8_t CAAppleISTCA4G1DN[100] = {
-  0x30, 0x62, 0x31, 0x1C, 0x30, 0x1A, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x13,
-  0x41, 0x70, 0x70, 0x6C, 0x65, 0x20, 0x49, 0x53, 0x54, 0x20, 0x43, 0x41, 0x20,
-  0x34, 0x20, 0x2D, 0x20, 0x47, 0x31, 0x31, 0x20, 0x30, 0x1E, 0x06, 0x03, 0x55,
-  0x04, 0x0B, 0x0C, 0x17, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
-  0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74,
-  0x79, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0A, 0x41,
-  0x70, 0x70, 0x6C, 0x65, 0x20, 0x49, 0x6E, 0x63, 0x2E, 0x31, 0x0B, 0x30, 0x09,
-  0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
+static const uint8_t CAAppleISTCA4G1SPKI[91] = {
+  0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01,
+  0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00,
+  0x04, 0x61, 0xC3, 0xA3, 0x9E, 0x49, 0x7E, 0xCA, 0x08, 0x86, 0xEB, 0x46, 0xD9,
+  0x46, 0x87, 0x67, 0xE0, 0x3A, 0x5D, 0xDB, 0x25, 0xE0, 0x83, 0x34, 0x03, 0xCB,
+  0xB7, 0xD1, 0xBE, 0xAD, 0x43, 0x1D, 0x10, 0x3A, 0xC4, 0x16, 0xDD, 0x71, 0x12,
+  0xB4, 0xFD, 0x93, 0x60, 0x69, 0x49, 0xFA, 0xBF, 0x4F, 0x90, 0xE0, 0xC7, 0x3F,
+  0x3F, 0xBE, 0x08, 0xC1, 0x28, 0xAE, 0xFE, 0x7F, 0x2D, 0x9E, 0x37, 0x08, 0x4F,
 };
 
 // /CN=Apple IST CA 7 - G1/OU=Certification Authority/O=Apple Inc./C=US
 // SHA256 Fingerprint: 17:F9:66:09:AC:6A:D0:A2:D6:AB:0A:21:B2:D1:B5:B2
 //                     94:6B:D0:4D:BF:12:07:03:D1:DE:F6:FB:62:F4:B6:61
 // https://crt.sh/?id=19602724 (crt.sh ID=19602724)
-static const uint8_t CAAppleISTCA7G1DN[100] = {
-  0x30, 0x62, 0x31, 0x1C, 0x30, 0x1A, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x13,
-  0x41, 0x70, 0x70, 0x6C, 0x65, 0x20, 0x49, 0x53, 0x54, 0x20, 0x43, 0x41, 0x20,
-  0x37, 0x20, 0x2D, 0x20, 0x47, 0x31, 0x31, 0x20, 0x30, 0x1E, 0x06, 0x03, 0x55,
-  0x04, 0x0B, 0x0C, 0x17, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
-  0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74,
-  0x79, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0A, 0x41,
-  0x70, 0x70, 0x6C, 0x65, 0x20, 0x49, 0x6E, 0x63, 0x2E, 0x31, 0x0B, 0x30, 0x09,
-  0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
+static const uint8_t CAAppleISTCA7G1SPKI[91] = {
+  0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01,
+  0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00,
+  0x04, 0x55, 0x9A, 0x69, 0x4D, 0x4B, 0xE2, 0x14, 0xD3, 0xA7, 0xFF, 0x6A, 0xC4,
+  0x22, 0xD4, 0xDD, 0x76, 0x64, 0xE0, 0x64, 0xA6, 0x1D, 0x2A, 0x4D, 0x47, 0xB1,
+  0x4B, 0x13, 0x4A, 0x3E, 0xA6, 0xD2, 0x37, 0x18, 0xDF, 0xB4, 0x3B, 0x69, 0xB3,
+  0xFC, 0x20, 0xC8, 0x43, 0x4C, 0x3F, 0x26, 0x5C, 0xC0, 0xE6, 0x9F, 0x6D, 0xDA,
+  0x05, 0xFF, 0xD2, 0xAE, 0x58, 0xF0, 0xA4, 0xA1, 0xF1, 0xB4, 0x59, 0xB1, 0x8C,
 };
 
 // /CN=Apple IST CA 8 - G1/OU=Certification Authority/O=Apple Inc./C=US
 // SHA256 Fingerprint: A4:FE:7C:7F:15:15:5F:3F:0A:EF:7A:AA:83:CF:6E:06
 //                     DE:B9:7C:A3:F9:09:DF:92:0A:C1:49:08:82:D4:88:ED
 // https://crt.sh/?id=21760447 (crt.sh ID=21760447)
-static const uint8_t CAAppleISTCA8G1DN[100] = {
-  0x30, 0x62, 0x31, 0x1C, 0x30, 0x1A, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x13,
-  0x41, 0x70, 0x70, 0x6C, 0x65, 0x20, 0x49, 0x53, 0x54, 0x20, 0x43, 0x41, 0x20,
-  0x38, 0x20, 0x2D, 0x20, 0x47, 0x31, 0x31, 0x20, 0x30, 0x1E, 0x06, 0x03, 0x55,
-  0x04, 0x0B, 0x0C, 0x17, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
-  0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74,
-  0x79, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0A, 0x41,
-  0x70, 0x70, 0x6C, 0x65, 0x20, 0x49, 0x6E, 0x63, 0x2E, 0x31, 0x0B, 0x30, 0x09,
-  0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
+static const uint8_t CAAppleISTCA8G1SPKI[91] = {
+  0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01,
+  0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00,
+  0x04, 0x2D, 0x54, 0x8E, 0x68, 0xB0, 0x10, 0x13, 0xEF, 0xF4, 0x2D, 0xDB, 0xD8,
+  0x09, 0xB2, 0x43, 0xE8, 0x9D, 0x65, 0x99, 0x6E, 0x34, 0xB8, 0xD4, 0x97, 0xC9,
+  0x8E, 0xC9, 0xD6, 0xA8, 0x22, 0x37, 0x32, 0xC8, 0x71, 0x60, 0xEE, 0xB0, 0xF1,
+  0xF2, 0xC5, 0x64, 0xF6, 0xBA, 0x47, 0x5F, 0xFC, 0xE6, 0x07, 0x78, 0x32, 0x2D,
+  0xF6, 0xCA, 0x80, 0x20, 0xC9, 0xFD, 0x70, 0xF8, 0x72, 0x93, 0x21, 0x88, 0x45,
 };
 
 // /CN=Apple IST CA 3 - G1/OU=Certification Authority/O=Apple Inc./C=US
 // SHA256 Fingerprint: 6D:E9:09:78:91:04:22:A8:9E:26:F2:DF:85:97:14:30
 //                     C3:F4:4C:D1:78:5D:AD:94:30:8F:7C:A4:B6:FB:E5:21
 // https://crt.sh/?id=19602706 (crt.sh ID=19602706)
-static const uint8_t CAAppleISTCA3G1DN[100] = {
-  0x30, 0x62, 0x31, 0x1C, 0x30, 0x1A, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x13,
-  0x41, 0x70, 0x70, 0x6C, 0x65, 0x20, 0x49, 0x53, 0x54, 0x20, 0x43, 0x41, 0x20,
-  0x33, 0x20, 0x2D, 0x20, 0x47, 0x31, 0x31, 0x20, 0x30, 0x1E, 0x06, 0x03, 0x55,
-  0x04, 0x0B, 0x0C, 0x17, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
-  0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74,
-  0x79, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0A, 0x41,
-  0x70, 0x70, 0x6C, 0x65, 0x20, 0x49, 0x6E, 0x63, 0x2E, 0x31, 0x0B, 0x30, 0x09,
-  0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
+static const uint8_t CAAppleISTCA3G1SPKI[294] = {
+  0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
+  0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82,
+  0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xD7, 0xED, 0xF5, 0x8A, 0xCC, 0x0C,
+  0xA7, 0x2F, 0xCC, 0xFB, 0xA4, 0xC6, 0x26, 0x7C, 0x56, 0x7A, 0x47, 0xAE, 0xF9,
+  0xC2, 0x3D, 0xCC, 0x66, 0x9A, 0xE2, 0x6F, 0x52, 0x89, 0xC4, 0x98, 0x27, 0x9D,
+  0xB3, 0x17, 0x33, 0x55, 0xAC, 0xF3, 0xFF, 0xFD, 0xC1, 0xF6, 0xBA, 0x50, 0x14,
+  0x03, 0x72, 0xDD, 0xAB, 0x78, 0xFD, 0xFA, 0x7D, 0x20, 0xB3, 0x3E, 0x32, 0xFA,
+  0x44, 0xB8, 0xC9, 0x0D, 0x58, 0x28, 0x4E, 0x6C, 0x81, 0x78, 0x6D, 0xA3, 0x42,
+  0xD0, 0xA5, 0x6A, 0xE1, 0x69, 0xE7, 0xC2, 0x29, 0x24, 0xEC, 0x86, 0xA0, 0xA4,
+  0xF2, 0x36, 0x3D, 0xB4, 0x64, 0xAB, 0x16, 0x6F, 0x4B, 0xD7, 0x0D, 0xA6, 0xB4,
+  0x61, 0x3E, 0xD2, 0x7D, 0xF5, 0x2F, 0x22, 0x4F, 0x99, 0x11, 0x1F, 0x33, 0xA1,
+  0x15, 0xD7, 0x80, 0x7C, 0xD0, 0x65, 0xCA, 0xD4, 0xE0, 0x9B, 0x76, 0xF3, 0x56,
+  0x56, 0xEE, 0xB6, 0x56, 0x40, 0x4E, 0xA9, 0x2B, 0x78, 0x3E, 0xD2, 0xF4, 0x0B,
+  0x1E, 0x81, 0xFC, 0xE3, 0xFD, 0xAD, 0x94, 0x07, 0x15, 0x0F, 0x2A, 0x48, 0x19,
+  0xEE, 0xB8, 0xA1, 0x56, 0x1A, 0x3D, 0xBC, 0xA8, 0x38, 0xD7, 0x80, 0x0C, 0x14,
+  0x8F, 0x6C, 0xAD, 0x5F, 0xF3, 0x83, 0xD0, 0xE7, 0xDD, 0x5D, 0x25, 0xAB, 0x12,
+  0x95, 0x31, 0x8C, 0x7E, 0xF9, 0xA1, 0x38, 0xB8, 0x04, 0xB7, 0xE1, 0x73, 0x74,
+  0x52, 0xF9, 0x4B, 0x6F, 0xDA, 0x26, 0xB9, 0x40, 0x0D, 0x35, 0x41, 0x8D, 0x65,
+  0xA9, 0x25, 0xAB, 0xD2, 0xB5, 0xE2, 0x9C, 0x54, 0x93, 0x64, 0xFC, 0xE7, 0x9E,
+  0x67, 0x43, 0x31, 0xE5, 0x63, 0xF0, 0x15, 0x58, 0x39, 0x0A, 0x56, 0x8B, 0xEA,
+  0x8C, 0xB2, 0xBE, 0x72, 0x64, 0xF1, 0x2E, 0x35, 0x57, 0xF3, 0xCD, 0x22, 0x1B,
+  0x7A, 0xC3, 0x27, 0xD1, 0x65, 0x2C, 0x5B, 0xB3, 0xF5, 0xA4, 0x88, 0x64, 0x86,
+  0xAC, 0x70, 0x79, 0x02, 0x03, 0x01, 0x00, 0x01,
 };
 
 // /CN=Apple IST CA 6 - G1/OU=Certification Authority/O=Apple Inc./C=US
 // SHA256 Fingerprint: 90:4F:B5:A4:37:75:4B:1B:32:B8:0E:BA:E7:41:6D:B6
 //                     3D:05:F5:6A:99:39:72:0B:7C:8E:3D:CC:54:F6:A3:D1
 // https://crt.sh/?id=19602741 (crt.sh ID=19602741)
-static const uint8_t CAAppleISTCA6G1DN[100] = {
-  0x30, 0x62, 0x31, 0x1C, 0x30, 0x1A, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x13,
-  0x41, 0x70, 0x70, 0x6C, 0x65, 0x20, 0x49, 0x53, 0x54, 0x20, 0x43, 0x41, 0x20,
-  0x36, 0x20, 0x2D, 0x20, 0x47, 0x31, 0x31, 0x20, 0x30, 0x1E, 0x06, 0x03, 0x55,
-  0x04, 0x0B, 0x0C, 0x17, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
-  0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74,
-  0x79, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x0A, 0x41,
-  0x70, 0x70, 0x6C, 0x65, 0x20, 0x49, 0x6E, 0x63, 0x2E, 0x31, 0x0B, 0x30, 0x09,
-  0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
+static const uint8_t CAAppleISTCA6G1SPKI[294] = {
+  0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
+  0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82,
+  0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xE7, 0xDC, 0x81, 0xF0, 0x9A, 0x55,
+  0x51, 0xFD, 0x03, 0x80, 0xFD, 0xCA, 0xF5, 0xF8, 0x2E, 0xEF, 0xD4, 0xBC, 0xC1,
+  0xF0, 0x1F, 0x19, 0x09, 0x0C, 0x74, 0x3F, 0x55, 0x3A, 0xCA, 0x6E, 0xA5, 0x86,
+  0x2C, 0xFB, 0x65, 0x7E, 0x07, 0xDC, 0x18, 0x60, 0xE2, 0xDF, 0x0D, 0x09, 0x19,
+  0x84, 0xB1, 0xE5, 0x07, 0x1A, 0x1E, 0x08, 0x25, 0xCC, 0x59, 0x3E, 0x6B, 0x62,
+  0x81, 0xD1, 0x55, 0x85, 0xDC, 0x86, 0x91, 0x3F, 0xF1, 0xBB, 0xF7, 0x1C, 0xAE,
+  0x79, 0x7C, 0x41, 0xD0, 0x7D, 0xD0, 0x98, 0x3C, 0x2B, 0xCE, 0x53, 0x6F, 0x47,
+  0xD5, 0x6E, 0x48, 0x6F, 0x7E, 0x4D, 0x2E, 0x90, 0x37, 0x6F, 0x84, 0x4F, 0x20,
+  0x75, 0x8C, 0x1B, 0xAB, 0x3A, 0x00, 0xB2, 0xDC, 0xB2, 0x3A, 0x3F, 0x7F, 0xCD,
+  0xF7, 0xC6, 0xC0, 0x91, 0xA2, 0xBB, 0x0C, 0x55, 0x84, 0xB9, 0x85, 0xBE, 0x1D,
+  0xBB, 0x16, 0x8E, 0x81, 0x12, 0xCF, 0x0E, 0x3A, 0xBA, 0x36, 0x76, 0x0F, 0x14,
+  0xF9, 0x23, 0x04, 0x66, 0x03, 0x58, 0x22, 0xFC, 0xF8, 0x7E, 0x67, 0x3F, 0x5C,
+  0x6B, 0x8D, 0xAC, 0xAE, 0xE4, 0x2E, 0x6D, 0x2E, 0x18, 0xEB, 0xCC, 0xDD, 0x5C,
+  0x8F, 0x04, 0x97, 0xD3, 0xEF, 0x0F, 0x06, 0x02, 0x93, 0x16, 0x86, 0x46, 0xF5,
+  0x19, 0x5B, 0x6F, 0x72, 0x85, 0x07, 0x46, 0x09, 0x6F, 0xE9, 0x76, 0x17, 0xF7,
+  0x83, 0x18, 0x5F, 0xB7, 0x1A, 0xA2, 0x39, 0x97, 0xCA, 0x29, 0x60, 0xC2, 0xF2,
+  0x73, 0x83, 0x0D, 0x84, 0xD1, 0xBF, 0xDB, 0x9E, 0xEF, 0x6A, 0x7F, 0xD1, 0xD1,
+  0xFB, 0x76, 0xFC, 0xEF, 0x5C, 0xBB, 0x0F, 0x16, 0x0C, 0x8B, 0xC2, 0x0B, 0x70,
+  0x86, 0x5E, 0xD3, 0x52, 0xDD, 0x6E, 0x76, 0xB4, 0x7F, 0xBF, 0x50, 0x60, 0x38,
+  0xF1, 0x64, 0xF5, 0xD6, 0x50, 0xEF, 0x43, 0xAD, 0x6B, 0x8C, 0xD4, 0x30, 0xB0,
+  0xB3, 0xC9, 0x29, 0x02, 0x03, 0x01, 0x00, 0x01,
 };
 
-static const DataAndLength RootAppleAndGoogleDNs[]= {
-  { CAGoogleInternetAuthorityG2DN, sizeof(CAGoogleInternetAuthorityG2DN) },
-  { CAAppleISTCA2G1DN, sizeof(CAAppleISTCA2G1DN) },
-  { CAAppleISTCA5G1DN, sizeof(CAAppleISTCA5G1DN) },
-  { CAAppleISTCA4G1DN, sizeof(CAAppleISTCA4G1DN) },
-  { CAAppleISTCA7G1DN, sizeof(CAAppleISTCA7G1DN) },
-  { CAAppleISTCA8G1DN, sizeof(CAAppleISTCA8G1DN) },
-  { CAAppleISTCA3G1DN, sizeof(CAAppleISTCA3G1DN) },
-  { CAAppleISTCA6G1DN, sizeof(CAAppleISTCA6G1DN) },
+static const DataAndLength RootAppleAndGoogleSPKIs[]= {
+  { CAGoogleInternetAuthorityG2SPKI, sizeof(CAGoogleInternetAuthorityG2SPKI) },
+  { CAGoogleInternetAuthorityG2SPKI, sizeof(CAGoogleInternetAuthorityG2SPKI) },
+  { CAAppleISTCA2G1SPKI, sizeof(CAAppleISTCA2G1SPKI) },
+  { CAAppleISTCA5G1SPKI, sizeof(CAAppleISTCA5G1SPKI) },
+  { CAAppleISTCA4G1SPKI, sizeof(CAAppleISTCA4G1SPKI) },
+  { CAAppleISTCA7G1SPKI, sizeof(CAAppleISTCA7G1SPKI) },
+  { CAAppleISTCA8G1SPKI, sizeof(CAAppleISTCA8G1SPKI) },
+  { CAAppleISTCA3G1SPKI, sizeof(CAAppleISTCA3G1SPKI) },
+  { CAAppleISTCA6G1SPKI, sizeof(CAAppleISTCA6G1SPKI) },
 };
--- a/security/certverifier/TrustOverrideUtils.h
+++ b/security/certverifier/TrustOverrideUtils.h
@@ -121,17 +121,17 @@ CheckForSymantecDistrust(const nsCOMPtr<
     // Look for one of the intermediates to be in the whitelist
     RefPtr<nsNSSCertList> intCertList = intCerts->GetCertList();
 
     return intCertList->ForEachCertificateInChain(
       [&isDistrusted, &whitelist] (nsCOMPtr<nsIX509Cert> aCert, bool aHasMore,
                                    /* out */ bool& aContinue) {
         // We need an owning handle when calling nsIX509Cert::GetCert().
         UniqueCERTCertificate nssCert(aCert->GetCert());
-        if (CertDNIsInList(nssCert.get(), whitelist)) {
+        if (CertSPKIIsInList(nssCert.get(), whitelist)) {
           // In the whitelist
           isDistrusted = false;
           aContinue = false;
         }
         return NS_OK;
     });
 }
 
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -1278,17 +1278,17 @@ IsCertificateDistrustImminent(nsIX509Cer
 
   // Proceed with the Symantec imminent distrust algorithm. This algorithm is
   // to be removed in Firefox 63, when the validity period check will also be
   // removed from the code in NSSCertDBTrustDomain.
   if (CertDNIsInList(nssRootCert.get(), RootSymantecDNs)) {
     static const PRTime NULL_TIME = 0;
 
     rv = CheckForSymantecDistrust(intCerts, eeCert, NULL_TIME,
-                                  RootAppleAndGoogleDNs, isDistrusted);
+                                  RootAppleAndGoogleSPKIs, isDistrusted);
     if (NS_FAILED(rv)) {
       return rv;
     }
   }
   return NS_OK;
 }
 
 void HandshakeCallback(PRFileDesc* fd, void* client_data) {
--- a/security/manager/ssl/tests/unit/test_symantec_apple_google.js
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google.js
@@ -9,32 +9,42 @@
 // those from that date or later emit a warning to the console.
 
 function shouldBeImminentlyDistrusted(aTransportSecurityInfo) {
   let isDistrust = aTransportSecurityInfo.securityState &
                      Ci.nsIWebProgressListener.STATE_CERT_DISTRUST_IMMINENT;
   Assert.ok(isDistrust, "This host should be imminently distrusted");
 }
 
-function shouldNotBeImminentlyDistrusted(aTransportSecurityInfo) {
-  let isDistrust = aTransportSecurityInfo.securityState &
-                     Ci.nsIWebProgressListener.STATE_CERT_DISTRUST_IMMINENT;
-  Assert.ok(!isDistrust, "This host should not be imminently distrusted");
-}
-
 do_get_profile();
 
-add_tls_server_setup("SymantecSanctionsServer", "test_symantec_apple_google");
+const certDB = Cc["@mozilla.org/security/x509certdb;1"]
+                 .getService(Ci.nsIX509CertDB);
 
-// Whitelisted certs aren't to be distrusted
-add_connection_test("symantec-whitelist-after-cutoff.example.com",
-                    PRErrorCodeSuccess, null, shouldNotBeImminentlyDistrusted);
-
-add_connection_test("symantec-whitelist-before-cutoff.example.com",
-                    PRErrorCodeSuccess, null, shouldNotBeImminentlyDistrusted);
+add_tls_server_setup("SymantecSanctionsServer", "test_symantec_apple_google");
 
 // Not-whitelisted certs after the cutoff are to be distrusted
 add_connection_test("symantec-not-whitelisted-after-cutoff.example.com",
                     PRErrorCodeSuccess, null, shouldBeImminentlyDistrusted);
 
 // Not whitelisted certs before the cutoff are to be distrusted
 add_connection_test("symantec-not-whitelisted-before-cutoff.example.com",
                     SEC_ERROR_UNKNOWN_ISSUER, null, null);
+
+
+// Load the wildcard *.google.com cert and its intermediate, then verify
+// it at a reasonable time and make sure the whitelists work
+function run_test() {
+  addCertFromFile(certDB, "test_symantec_apple_google/real-google-g2-intermediate.pem", ",,");
+  let whitelistedCert = constructCertFromFile("test_symantec_apple_google/real-googlecom.pem");
+
+  // Since we don't want to actually try to fetch OCSP for this certificate,
+  // (as an external fetch is bad in the tests), disable OCSP first.
+  Services.prefs.setIntPref("security.OCSP.enabled", 0);
+
+  // (new Date("2018-02-16")).getTime() / 1000
+  const VALIDATION_TIME = 1518739200;
+
+  checkCertErrorGenericAtTime(certDB, whitelistedCert, PRErrorCodeSuccess,
+                              certificateUsageSSLServer, VALIDATION_TIME);
+
+  run_next_test();
+}
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/real-google-g2-intermediate.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEKDCCAxCgAwIBAgIQAQAhJYiw+lmnd+8Fe2Yn3zANBgkqhkiG9w0BAQsFADBC
+MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMS
+R2VvVHJ1c3QgR2xvYmFsIENBMB4XDTE3MDUyMjExMzIzN1oXDTE4MTIzMTIzNTk1
+OVowSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMT
+HEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQCcKgR3XNhQkToGo4Lg2FBIvIk/8RlwGohGfuCPxfGJziHu
+Wv5hDbcyRImgdAtTT1WkzoJile7rWV/G4QWAEsRelD+8W0g49FP3JOb7kekVxM/0
+Uw30SvyfVN59vqBrb4fA0FAfKDADQNoIc1Fsf/86PKc3Bo69SxEE630k3ub5/DFx
++5TVYPMuSq9C0svqxGoassxT3RVLix/IGWEfzZ2oPmMrhDVpZYTIGcVGIvhTlb7j
+gEoQxirsupcgEcc5mRAEoPBhepUljE5SdeK27QjKFPzOImqzTs9GA5eXA37Asd57
+r0Uzz7o+cbfe9CUlwg01iZ2d+w4ReYkeN8WvjnJpAgMBAAGjggERMIIBDTAfBgNV
+HSMEGDAWgBTAephojYn7qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1
+dvWBtrtiGrpagS8wDgYDVR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggr
+BgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAw
+NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9i
+YWwuY3JsMCEGA1UdIAQaMBgwDAYKKwYBBAHWeQIFATAIBgZngQwBAgIwHQYDVR0l
+BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQDKSeWs
+12Rkd1u+cfrP9B4jx5ppY1Rf60zWGSgjZGaOHMeHgGRfBIsmr5jfCnC8vBk97nsz
+qX+99AXUcLsFJnnqmseYuQcZZTTMPOk/xQH6bwx+23pwXEz+LQDwyr4tjrSogPsB
+E4jLnD/lu3fKOmc2887VJwJyQ6C9bgLxRwVxPgFZ6RGeGvOED4Cmong1L7bHon8X
+fOGLVq7uZ4hRJzBgpWJSwzfVO+qFKgE4h6LPcK2kesnE58rF2rwjMvL+GMJ74N87
+L9TQEOaWTPtEtyFkDbkAlDASJodYmDkFOA/MgkgMCkdm7r+0X8T/cKjhf4t5K7hl
+MqO5tzHpCvX2HzLc
+-----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/real-googlecom.pem
@@ -0,0 +1,43 @@
+-----BEGIN CERTIFICATE-----
+MIIHgzCCBmugAwIBAgIIQsrhz4cRtNQwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
+BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
+cm5ldCBBdXRob3JpdHkgRzIwHhcNMTgwMTMwMDgzMDQ1WhcNMTgwNDI0MDgzMDAw
+WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
+TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEVMBMGA1UEAwwMKi5n
+b29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfcqxFBn8JLSGSDgu
+sXeY+zZJyXFVGDt4rFMUUx0iWDjegJea9rk0yR0/J+h/DsFjxpR2lRX2HeNqpWEC
+3cxFOKOCBRswggUXMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIH
+gDCCA+EGA1UdEQSCA9gwggPUggwqLmdvb2dsZS5jb22CDSouYW5kcm9pZC5jb22C
+FiouYXBwZW5naW5lLmdvb2dsZS5jb22CEiouY2xvdWQuZ29vZ2xlLmNvbYIUKi5k
+YjgzMzk1My5nb29nbGUuY26CBiouZy5jb4IOKi5nY3AuZ3Z0Mi5jb22CFiouZ29v
+Z2xlLWFuYWx5dGljcy5jb22CCyouZ29vZ2xlLmNhggsqLmdvb2dsZS5jbIIOKi5n
+b29nbGUuY28uaW6CDiouZ29vZ2xlLmNvLmpwgg4qLmdvb2dsZS5jby51a4IPKi5n
+b29nbGUuY29tLmFygg8qLmdvb2dsZS5jb20uYXWCDyouZ29vZ2xlLmNvbS5icoIP
+Ki5nb29nbGUuY29tLmNvgg8qLmdvb2dsZS5jb20ubXiCDyouZ29vZ2xlLmNvbS50
+coIPKi5nb29nbGUuY29tLnZuggsqLmdvb2dsZS5kZYILKi5nb29nbGUuZXOCCyou
+Z29vZ2xlLmZyggsqLmdvb2dsZS5odYILKi5nb29nbGUuaXSCCyouZ29vZ2xlLm5s
+ggsqLmdvb2dsZS5wbIILKi5nb29nbGUucHSCEiouZ29vZ2xlYWRhcGlzLmNvbYIP
+Ki5nb29nbGVhcGlzLmNughQqLmdvb2dsZWNvbW1lcmNlLmNvbYIRKi5nb29nbGV2
+aWRlby5jb22CDCouZ3N0YXRpYy5jboINKi5nc3RhdGljLmNvbYIKKi5ndnQxLmNv
+bYIKKi5ndnQyLmNvbYIUKi5tZXRyaWMuZ3N0YXRpYy5jb22CDCoudXJjaGluLmNv
+bYIQKi51cmwuZ29vZ2xlLmNvbYIWKi55b3V0dWJlLW5vY29va2llLmNvbYINKi55
+b3V0dWJlLmNvbYIWKi55b3V0dWJlZWR1Y2F0aW9uLmNvbYIHKi55dC5iZYILKi55
+dGltZy5jb22CGmFuZHJvaWQuY2xpZW50cy5nb29nbGUuY29tggthbmRyb2lkLmNv
+bYIbZGV2ZWxvcGVyLmFuZHJvaWQuZ29vZ2xlLmNughxkZXZlbG9wZXJzLmFuZHJv
+aWQuZ29vZ2xlLmNuggRnLmNvggZnb28uZ2yCFGdvb2dsZS1hbmFseXRpY3MuY29t
+ggpnb29nbGUuY29tghJnb29nbGVjb21tZXJjZS5jb22CGHNvdXJjZS5hbmRyb2lk
+Lmdvb2dsZS5jboIKdXJjaGluLmNvbYIKd3d3Lmdvby5nbIIIeW91dHUuYmWCC3lv
+dXR1YmUuY29tghR5b3V0dWJlZWR1Y2F0aW9uLmNvbYIFeXQuYmUwaAYIKwYBBQUH
+AQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIu
+Y3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3Nw
+MB0GA1UdDgQWBBS6J6RnRCWCaToeaLBcgAaUHc9xzDAMBgNVHRMBAf8EAjAAMB8G
+A1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYB
+BAHWeQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5n
+b29nbGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAG9Kpcnranqxj
+9vKV1y8jqnRJG/0M9bvAiRcHmnubtt4Q9yV79lj4tQQn3/p/XohPtPA8WX0Yt2pS
+vrmHxOdgrj/peT7TmldATA3wVnE5OW72V/bBYn3Fh5+8D+y0cokubjWpH5xA/VJ0
+Zcrs6vXJz6onCfo2oBPwJK+vxfL/xuTv18eBK1RpeN9flFEBuvMZ3eaTWWv63qa4
+1U+xujiCGrBtm0z5TSXLZe8QAaULaBGQTfpqGOdrEO6iJR/1++ktQkZKkpBCKeqT
+0vCJiZuxTaUceB59GWAkuzX4CuRN8W9KICfqqyjeiFIww/D8H1jRxJOYc7YPKb5C
+RLxt4tpXTw==
+-----END CERTIFICATE-----
author	J.C. Jones <jjones@mozilla.com>
	Wed, 21 Feb 2018 14:08:47 -0500
changeset 758023	e57ffb2989337f2b601e5153eb45f839cf27c7be
parent 758022	6695c4b58a9769a22fae73965a3aec27771e09f8
child 758024	61f4b706401ac250cbadee8ca9e74f07532d867b
push id	99916
push user	bmo:jjones@mozilla.com
push date	Wed, 21 Feb 2018 19:10:27 +0000
reviewers	fkiefer, keeler
bugs	1434300, 916730
milestone	60.0a1
security/certverifier/NSSCertDBTrustDomain.cpp		file \| annotate \| diff \| comparison \| revisions
security/certverifier/TrustOverride-AppleGoogleData.inc		file \| annotate \| diff \| comparison \| revisions
security/certverifier/TrustOverrideUtils.h		file \| annotate \| diff \| comparison \| revisions
security/manager/ssl/nsNSSCallbacks.cpp		file \| annotate \| diff \| comparison \| revisions
security/manager/ssl/tests/unit/test_symantec_apple_google.js		file \| annotate \| diff \| comparison \| revisions
security/manager/ssl/tests/unit/test_symantec_apple_google/real-google-g2-intermediate.pem		file \| annotate \| diff \| comparison \| revisions
security/manager/ssl/tests/unit/test_symantec_apple_google/real-googlecom.pem		file \| annotate \| diff \| comparison \| revisions