bug 1290613 - test_ev_certs.js cleanup r?Cykesiopka r?mgoodwin draft
authorDavid Keeler <dkeeler@mozilla.com>
Mon, 01 Aug 2016 17:01:27 -0700
changeset 407713 f407ece1764408c4dbe773f41b6bdb541292d76d
parent 406891 83a2216e947c8e10f4d9e66eeb49d69cc69557b7
child 529930 876958453948e37b71f34801198f665cad47f3be
push id28023
push userdkeeler@mozilla.com
push dateTue, 30 Aug 2016 21:06:37 +0000
reviewersCykesiopka, mgoodwin
bugs1290613
milestone51.0a1
bug 1290613 - test_ev_certs.js cleanup r?Cykesiopka r?mgoodwin MozReview-Commit-ID: KcCV161J3qV
security/manager/ssl/nsNSSCertificateDB.cpp
security/manager/ssl/tests/unit/head_psm.js
security/manager/ssl/tests/unit/test_ev_certs.js
security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem
security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem
security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem
security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem
security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.pem
security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/ev-valid.pem
security/manager/ssl/tests/unit/test_ev_certs/ev-valid.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.pem
security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.key
security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.key.keyspec
security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.pem
security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.pem
security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/moz.build
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem
security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem
security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.pem
security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem
security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key
security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec
security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem
security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec
security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@@ -1518,17 +1518,16 @@ VerifyCertAtTime(nsIX509Cert* aCert,
   NS_ENSURE_TRUE(nssCertList, NS_ERROR_FAILURE);
 
   if (srv == SECSuccess) {
     if (evOidPolicy != SEC_OID_UNKNOWN) {
       *aHasEVPolicy = true;
     }
     *_retval = 0;
   } else {
-    NS_ENSURE_TRUE(evOidPolicy == SEC_OID_UNKNOWN, NS_ERROR_FAILURE);
     NS_ENSURE_TRUE(error != 0, NS_ERROR_FAILURE);
     *_retval = error;
   }
   nssCertList.forget(aVerifiedChain);
 
   return NS_OK;
 }
 
--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -558,16 +558,20 @@ function getFailingHttpServer(serverPort
 //
 // serverPort is the port of the http OCSP responder
 // identity is the http hostname that will answer the OCSP requests
 // nssDBLocation is the location of the NSS database from where the OCSP
 //   responses will be generated (assumes appropiate keys are present)
 // expectedCertNames is an array of nicks of the certs to be responsed
 // expectedBasePaths is an optional array that is used to indicate
 //   what is the expected base path of the OCSP request.
+// expectedMethods is an optional array of methods ("GET" or "POST") indicating
+//   by which HTTP method the server is expected to be queried.
+// expectedResponseTypes is an optional array of OCSP response types to use (see
+//   GenerateOCSPResponse.cpp).
 function startOCSPResponder(serverPort, identity, nssDBLocation,
                             expectedCertNames, expectedBasePaths,
                             expectedMethods, expectedResponseTypes) {
   let ocspResponseGenerationArgs = expectedCertNames.map(
     function(expectedNick) {
       let responseType = "good";
       if (expectedResponseTypes && expectedResponseTypes.length >= 1) {
         responseType = expectedResponseTypes.shift();
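Review bot: The added comment for `expectedResponseTypes` leaves out that the array is consumed. The context line `responseType = expectedResponseTypes.shift();` removes one entry from the caller's array per element of `expectedCertNames`, and the response type stays "good" once the array is empty. I would extend the comment with something like `//   Entries are consumed in order via shift() (one per cert name); pass a copy if the array is reused. Missing entries default to "good".` The body of startOCSPResponder continues past the end of this hunk, so any other use of the array is not visible here.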
--- a/security/manager/ssl/tests/unit/test_ev_certs.js
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@@ -1,338 +1,338 @@
 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 "use strict";
 
+// Tests that end-entity certificates that should successfully verify as EV
+// (Extended Validation) do so and that end-entity certificates that should not
+// successfully verify as EV do not. Also tests related situations (e.g. that
+// failure to fetch an OCSP response results in no EV treatment).
+//
+// A quick note about the certificates in these tests: generally, an EV
+// certificate chain will have an end-entity with a specific policy OID followed
+// by an intermediate with the anyPolicy OID chaining to a root with no policy
+// OID (since it's a trust anchor, it can be omitted). In these tests, the
+// specific policy OID is 1.3.6.1.4.1.13769.666.666.666.1.500.9.1 and is
+// referred to as the test OID. In order to reflect what will commonly be
+// encountered, the end-entity of any given test path will have the test OID
+// unless otherwise specified in the name of the test path. Similarly, the
+// intermediate will have the anyPolicy OID, again unless otherwise specified.
+// For example, for the path where the end-entity does not have an OCSP URI
+// (referred to as "no-ocsp-ee-path-{ee,int}", the end-entity has the test OID
+// whereas the intermediate has the anyPolicy OID.
+// For another example, for the test OID path ("test-oid-path-{ee,int}"), both
+// the end-entity and the intermediate have the test OID.
+
 do_get_profile(); // must be called before getting nsIX509CertDB
 const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
-const evrootnick = "evroot";
+do_register_cleanup(() => {
+  Services.prefs.clearUserPref("network.dns.localDomains");
+  Services.prefs.clearUserPref("security.OCSP.enabled");
+});
 
-// This is the list of certificates needed for the test
-// The certificates prefixed by 'int-' are intermediates
-var certList = [
-  // Test for successful EV validation
-  'int-ev-valid',
-  'ev-valid',
-  'ev-valid-anypolicy-int',
-  'int-ev-valid-anypolicy-int',
-  'no-ocsp-url-cert', // a cert signed by the EV auth that has no OCSP url
-                      // but that contains a valid CRLDP.
-
-  // Testing a root that looks like EV but is not EV enabled
-  'int-non-ev-root',
-  'non-ev-root',
-];
-
-function load_ca(ca_name) {
-  addCertFromFile(certdb, `test_ev_certs/${ca_name}.pem`, "CTu,CTu,CTu");
-}
+Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+Services.prefs.setIntPref("security.OCSP.enabled", 1);
+addCertFromFile(certdb, "test_ev_certs/evroot.pem", "CTu,,");
+addCertFromFile(certdb, "test_ev_certs/non-evroot-ca.pem", "CTu,,");
 
 const SERVER_PORT = 8888;
 
 function failingOCSPResponder() {
   return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
 }
 
-function start_ocsp_responder(expectedCertNames) {
-  let expectedPaths = expectedCertNames.slice();
-  return startOCSPResponder(SERVER_PORT, "www.example.com", "test_ev_certs",
-                            expectedCertNames, expectedPaths);
+class EVCertVerificationResult {
+  constructor(testcase, expectedPRErrorCode, expectedEV, resolve,
+              ocspResponder) {
+    this.testcase = testcase;
+    this.expectedPRErrorCode = expectedPRErrorCode;
+    this.expectedEV = expectedEV;
+    this.resolve = resolve;
+    this.ocspResponder = ocspResponder;
+  }
+
+  verifyCertFinished(prErrorCode, verifiedChain, hasEVPolicy) {
+    equal(prErrorCode, this.expectedPRErrorCode,
+          `${this.testcase} should have expected error code`);
+    equal(hasEVPolicy, this.expectedEV,
+          `${this.testcase} should result in expected EV status`);
+    this.ocspResponder.stop(this.resolve);
+  }
+}
+
+function asyncTestEV(cert, expectedPRErrorCode, expectedEV,
+                     expectedOCSPRequestPaths, ocspResponseTypes = undefined)
+{
+  let now = Date.now() / 1000;
+  return new Promise((resolve, reject) => {
+    let ocspResponder = expectedOCSPRequestPaths.length > 0
+                      ? startOCSPResponder(SERVER_PORT, "www.example.com",
+                                           "test_ev_certs",
+                                           expectedOCSPRequestPaths,
+                                           expectedOCSPRequestPaths.slice(),
+                                           null, ocspResponseTypes)
+                      : failingOCSPResponder();
+    let result = new EVCertVerificationResult(cert.subjectName,
+                                              expectedPRErrorCode, expectedEV,
+                                              resolve, ocspResponder);
+    certdb.asyncVerifyCertAtTime(cert, certificateUsageSSLServer, 0,
+                                 "ev-test.example.com", now, result);
+  });
+}
+
+function ensureVerifiesAsEV(testcase) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  let expectedOCSPRequestPaths = gEVExpected
+                               ? [ `${testcase}-int`, `${testcase}-ee` ]
+                               : [ `${testcase}-ee` ];
+  return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected,
+                     expectedOCSPRequestPaths);
+}
+
+function ensureVerifiesAsEVWithNoOCSPRequests(testcase) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected, []);
+}
+
+function ensureVerifiesAsDV(testcase, expectedOCSPRequestPaths = undefined) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  return asyncTestEV(cert, PRErrorCodeSuccess, false,
+                     expectedOCSPRequestPaths ? expectedOCSPRequestPaths
+                                              : [ `${testcase}-ee` ]);
 }
 
-function check_cert_err(cert_name, expected_error) {
-  let cert = certdb.findCertByNickname(cert_name);
-  checkCertErrorGeneric(certdb, cert, expected_error, certificateUsageSSLServer);
+function ensureVerificationFails(testcase, expectedPRErrorCode) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  return asyncTestEV(cert, expectedPRErrorCode, false, []);
+}
+
+function verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, expectSuccess) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  let now = Date.now() / 1000;
+  let expectedErrorCode = SEC_ERROR_POLICY_VALIDATION_FAILED;
+  if (expectSuccess && gEVExpected) {
+    expectedErrorCode = PRErrorCodeSuccess;
+  }
+  return new Promise((resolve, reject) => {
+    let ocspResponder = failingOCSPResponder();
+    let result = new EVCertVerificationResult(
+      cert.subjectName, expectedErrorCode, expectSuccess && gEVExpected,
+      resolve, ocspResponder);
+    let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
+                Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
+    certdb.asyncVerifyCertAtTime(cert, certificateUsageSSLServer, flags,
+                                 "ev-test.example.com", now, result);
+  });
+}
+
+function ensureNoOCSPMeansNoEV(testcase) {
+  return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, false);
 }
 
+function ensureVerifiesAsEVWithFLAG_LOCAL_ONLY(testcase) {
+  return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, true);
+}
 
-function check_ee_for_ev(cert_name, expected_ev) {
-  let cert = certdb.findCertByNickname(cert_name);
-  checkEVStatus(certdb, cert, certificateUsageSSLServer, expected_ev);
+function ensureOneCRLSkipsOCSPForIntermediates(testcase) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected,
+                     [ `${testcase}-ee` ]);
+}
+
+function verifyWithDifferentOCSPResponseTypes(testcase, responses, expectEV) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  let expectedOCSPRequestPaths = gEVExpected
+                               ? [ `${testcase}-int`, `${testcase}-ee` ]
+                               : [ `${testcase}-ee` ];
+  let ocspResponseTypes = gEVExpected ? responses : responses.slice(1);
+  return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected && expectEV,
+                     expectedOCSPRequestPaths, ocspResponseTypes);
+}
+
+function ensureVerifiesAsEVWithOldIntermediateOCSPResponse(testcase) {
+  return verifyWithDifferentOCSPResponseTypes(
+    testcase, [ "longvalidityalmostold", "good" ], true);
+}
+
+function ensureVerifiesAsDVWithOldEndEntityOCSPResponse(testcase) {
+  return verifyWithDifferentOCSPResponseTypes(
+    testcase, [ "good", "longvalidityalmostold" ], false);
+}
+
+function ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse(testcase) {
+  return verifyWithDifferentOCSPResponseTypes(
+    testcase, [ "good", "ancientstillvalid" ], false);
 }
 
-function run_test() {
-  for (let i = 0 ; i < certList.length; i++) {
-    let cert_filename = certList[i] + ".pem";
-    addCertFromFile(certdb, "test_ev_certs/" + cert_filename, ',,');
-  }
-  load_ca("evroot");
-  load_ca("non-evroot-ca");
-
-  // setup and start ocsp responder
-  Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
-  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+// These should all verify as EV.
+add_task(function* plainExpectSuccessEVTests() {
+  yield ensureVerifiesAsEV("anyPolicy-int-path");
+  yield ensureVerifiesAsEV("test-oid-path");
+});
 
-  add_test(function () {
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    ocspResponder.stop(run_next_test);
-  });
-
-  add_test(function () {
-    clearOCSPCache();
+// These fail for various reasons to verify as EV, but fallback to DV should
+// succeed.
+add_task(function* expectDVFallbackTests() {
+  yield ensureVerifiesAsDV("anyPolicy-ee-path");
+  yield ensureVerifiesAsDV("non-ev-root-path");
+  yield ensureVerifiesAsDV("no-ocsp-ee-path",
+                           gEVExpected ? [ "no-ocsp-ee-path-int" ] : []);
+  yield ensureVerifiesAsDV("no-ocsp-int-path");
+});
 
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid-anypolicy-int", "ev-valid-anypolicy-int"]
-                                      : ["ev-valid-anypolicy-int"]);
-    check_ee_for_ev("ev-valid-anypolicy-int", gEVExpected);
-    ocspResponder.stop(run_next_test);
-  });
-
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(["non-ev-root"]);
-    check_ee_for_ev("non-ev-root", false);
-    ocspResponder.stop(run_next_test);
-  });
-
-  add_test(function() {
-    clearOCSPCache();
-    let ocspResponder = gEVExpected ? start_ocsp_responder(["int-ev-valid"])
-                                    : failingOCSPResponder();
-    check_ee_for_ev("no-ocsp-url-cert", false);
-    ocspResponder.stop(run_next_test);
-  });
-
-  // bug 917380: Check that explicitly removing trust from an EV root actually
-  // causes the root to be untrusted.
-  const nsIX509Cert = Ci.nsIX509Cert;
-  add_test(function() {
-    let evRootCA = certdb.findCertByNickname(evrootnick);
-    certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0);
-
-    clearOCSPCache();
-    let ocspResponder = failingOCSPResponder();
-    check_cert_err("ev-valid", SEC_ERROR_UNKNOWN_ISSUER);
-    ocspResponder.stop(run_next_test);
-  });
+// Test that removing the trust bits from an EV root causes verifications
+// relying on that root to fail (and then test that adding back the trust bits
+// causes the verifications to succeed again).
+add_task(function* evRootTrustTests() {
+  clearOCSPCache();
+  let evroot = certdb.findCertByNickname("evroot");
+  do_print("untrusting evroot");
+  certdb.setCertTrust(evroot, Ci.nsIX509Cert.CA_CERT,
+                      Ci.nsIX509CertDB.UNTRUSTED);
+  yield ensureVerificationFails("test-oid-path", SEC_ERROR_UNKNOWN_ISSUER);
+  do_print("re-trusting evroot");
+  certdb.setCertTrust(evroot, Ci.nsIX509Cert.CA_CERT,
+                      Ci.nsIX509CertDB.TRUSTED_SSL);
+  yield ensureVerifiesAsEV("test-oid-path");
+});
 
-  // bug 917380: Check that a trusted EV root is trusted after disabling and
-  // re-enabling trust.
-  add_test(function() {
-    let evRootCA = certdb.findCertByNickname(evrootnick);
-    certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT,
-                        Ci.nsIX509CertDB.TRUSTED_SSL |
-                        Ci.nsIX509CertDB.TRUSTED_EMAIL |
-                        Ci.nsIX509CertDB.TRUSTED_OBJSIGN);
+// Test that if FLAG_LOCAL_ONLY and FLAG_MUST_BE_EV are specified, that no OCSP
+// requests are made (this also means that nothing will verify as EV).
+add_task(function* localOnlyMustBeEVTests() {
+  clearOCSPCache();
+  yield ensureNoOCSPMeansNoEV("anyPolicy-ee-path");
+  yield ensureNoOCSPMeansNoEV("anyPolicy-int-path");
+  yield ensureNoOCSPMeansNoEV("non-ev-root-path");
+  yield ensureNoOCSPMeansNoEV("no-ocsp-ee-path");
+  yield ensureNoOCSPMeansNoEV("no-ocsp-int-path");
+  yield ensureNoOCSPMeansNoEV("test-oid-path");
+});
 
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    ocspResponder.stop(run_next_test);
-  });
 
-  add_test(function () {
-    check_no_ocsp_requests("ev-valid", SEC_ERROR_POLICY_VALIDATION_FAILED);
-  });
-
-  add_test(function () {
-    check_no_ocsp_requests("non-ev-root", SEC_ERROR_POLICY_VALIDATION_FAILED);
-  });
-
-  add_test(function () {
-    check_no_ocsp_requests("no-ocsp-url-cert", SEC_ERROR_POLICY_VALIDATION_FAILED);
-  });
+// Under certain conditions, OneCRL allows us to skip OCSP requests for
+// intermediates.
+add_task(function* oneCRLTests() {
+  clearOCSPCache();
 
-  // Check OneCRL OCSP request skipping works correctly
-  add_test(function () {
-    // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
-    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
-    // set the blocklist-background-update-timer value to the recent past
-    Services.prefs.setIntPref("services.blocklist.onecrl.checked",
-                              Math.floor(Date.now() / 1000) - 1);
-    Services.prefs.setIntPref("app.update.lastUpdateTime.blocklist-background-update-timer",
-                              Math.floor(Date.now() / 1000) - 1);
-    clearOCSPCache();
-    // the intermediate should not have an associated OCSP request
-    let ocspResponder = start_ocsp_responder(["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
-    ocspResponder.stop(run_next_test);
-  });
+  // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
+  Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
+                            108000);
+  // set the blocklist-background-update-timer value to the recent past
+  Services.prefs.setIntPref("services.blocklist.onecrl.checked",
+                            Math.floor(Date.now() / 1000) - 1);
+  Services.prefs.setIntPref(
+    "app.update.lastUpdateTime.blocklist-background-update-timer",
+    Math.floor(Date.now() / 1000) - 1);
 
-  add_test(function () {
-    // disable OneCRL OCSP Skipping (no staleness allowed)
-    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 0);
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
-    ocspResponder.stop(run_next_test);
-  });
+  yield ensureOneCRLSkipsOCSPForIntermediates("anyPolicy-int-path");
+  yield ensureOneCRLSkipsOCSPForIntermediates("no-ocsp-int-path");
+  yield ensureOneCRLSkipsOCSPForIntermediates("test-oid-path");
 
-  add_test(function () {
-    // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
-    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
-    // set the blocklist-background-update-timer value to the more distant past
-    Services.prefs.setIntPref("services.blocklist.onecrl.checked",
-                              Math.floor(Date.now() / 1000) - 108080);
-    Services.prefs.setIntPref("app.update.lastUpdateTime.blocklist-background-update-timer",
-                              Math.floor(Date.now() / 1000) - 108080);
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  // disable OneCRL OCSP Skipping (no staleness allowed)
+  Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 0);
+  yield ensureVerifiesAsEV("anyPolicy-int-path");
+  // Because the intermediate in this case is missing an OCSP URI, it will not
+  // validate as EV, but it should fall back to DV.
+  yield ensureVerifiesAsDV("no-ocsp-int-path");
+  yield ensureVerifiesAsEV("test-oid-path");
 
-  add_test(function () {
-    // test that setting "security.onecrl.via.amo" results in the correct
-    // OCSP behavior when services.blocklist.onecrl.checked is in the distant past
-    // and blacklist-background-update-timer is recent
-    Services.prefs.setBoolPref("security.onecrl.via.amo", false);
-    // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
-    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
-    // set the blocklist-background-update-timer value to the recent past
-    // (services.blocklist.onecrl.checked defaults to 0)
-    Services.prefs.setIntPref("app.update.lastUpdateTime.blocklist-background-update-timer",
-                              Math.floor(Date.now() / 1000) - 1);
-    clearOCSPCache();
-    // the intermediate should have an associated OCSP request
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    ocspResponder.stop(run_next_test);
-  });
-
-  add_test(function () {
-    // test that setting "security.onecrl.via.amo" results in the correct
-    // OCSP behavior when services.blocklist.onecrl.checked is recent
-    Services.prefs.setBoolPref("security.onecrl.via.amo", false);
-
-    // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
-    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 108000);
-
-    // now set services.blocklist.onecrl.checked to a recent value
-    Services.prefs.setIntPref("services.blocklist.onecrl.checked",
-                              Math.floor(Date.now() / 1000) - 1);
+  clearOCSPCache();
+  // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
+  Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
+                            108000);
+  // set the blocklist-background-update-timer value to the more distant past
+  Services.prefs.setIntPref("services.blocklist.onecrl.checked",
+                            Math.floor(Date.now() / 1000) - 108080);
+  Services.prefs.setIntPref(
+    "app.update.lastUpdateTime.blocklist-background-update-timer",
+    Math.floor(Date.now() / 1000) - 108080);
+  yield ensureVerifiesAsEV("anyPolicy-int-path");
+  yield ensureVerifiesAsDV("no-ocsp-int-path");
+  yield ensureVerifiesAsEV("test-oid-path");
 
-    clearOCSPCache();
-    // the intermediate should not have an associated OCSP request
-    let ocspResponder = start_ocsp_responder(["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    // The tests following this assume no OCSP bypass
-    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 0);
-    Services.prefs.clearUserPref("security.onecrl.via.amo");
-    Services.prefs.clearUserPref("services.blocklist.onecrl.checked");
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  // test that setting "security.onecrl.via.amo" results in the correct
+  // OCSP behavior when services.blocklist.onecrl.checked is in the distant past
+  // and blacklist-background-update-timer is recent
+  Services.prefs.setBoolPref("security.onecrl.via.amo", false);
+  // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
+  Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
+                            108000);
+  // set the blocklist-background-update-timer value to the recent past
+  // (services.blocklist.onecrl.checked defaults to 0)
+  Services.prefs.setIntPref(
+    "app.update.lastUpdateTime.blocklist-background-update-timer",
+    Math.floor(Date.now() / 1000) - 1);
 
-  // Test the EV continues to work with flags after successful EV verification
-  add_test(function () {
-    clearOCSPCache();
-    let ocspResponder = start_ocsp_responder(
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    ocspResponder.stop(function () {
-      // without net it must be able to EV verify
-      let failingOcspResponder = failingOCSPResponder();
-      let cert = certdb.findCertByNickname("ev-valid");
-      let hasEVPolicy = {};
-      let verifiedChain = {};
-      let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
-                  Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
-
-      let error = certdb.verifyCertNow(cert, certificateUsageSSLServer, flags,
-                                       null, verifiedChain, hasEVPolicy);
-      equal(hasEVPolicy.value, gEVExpected,
-            "Actual and expected EV status should match for local only EV");
-      equal(error,
-            gEVExpected ? PRErrorCodeSuccess : SEC_ERROR_POLICY_VALIDATION_FAILED,
-            "Actual and expected error code should match for local only EV");
-      failingOcspResponder.stop(run_next_test);
-    });
-  });
+  yield ensureVerifiesAsEV("anyPolicy-int-path");
+  yield ensureVerifiesAsDV("no-ocsp-int-path");
+  yield ensureVerifiesAsEV("test-oid-path");
 
-  // Bug 991815 old but valid intermediates are OK
-  add_test(function () {
-    clearOCSPCache();
-    let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com",
-                          "test_ev_certs",
-                          gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                      : ["ev-valid"],
-                          [], [],
-                          gEVExpected ? ["longvalidityalmostold", "good"]
-                                      : ["good"]);
-    check_ee_for_ev("ev-valid", gEVExpected);
-    ocspResponder.stop(run_next_test);
-  });
+  clearOCSPCache();
+  // test that setting "security.onecrl.via.amo" results in the correct
+  // OCSP behavior when services.blocklist.onecrl.checked is recent
+  Services.prefs.setBoolPref("security.onecrl.via.amo", false);
+  // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
+  Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
+                            108000);
+  // now set services.blocklist.onecrl.checked to a recent value
+  Services.prefs.setIntPref("services.blocklist.onecrl.checked",
+                            Math.floor(Date.now() / 1000) - 1);
+  yield ensureOneCRLSkipsOCSPForIntermediates("anyPolicy-int-path");
+  yield ensureOneCRLSkipsOCSPForIntermediates("no-ocsp-int-path");
+  yield ensureOneCRLSkipsOCSPForIntermediates("test-oid-path");
 
-  // Bug 991815 old but valid end-entities are NOT OK for EV
-  // Unfortunately because of soft-fail we consider these OK for DV.
-  add_test(function () {
-    clearOCSPCache();
-    // Since Mozilla::pkix does not consider the old almost invalid OCSP
-    // response valid, it does not cache the old response and thus
-    // makes a separate request for DV
-    let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
-    let debugResponseArray = ["good", "longvalidityalmostold",
-                              "longvalidityalmostold"];
-    let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com",
-                          "test_ev_certs",
-                          gEVExpected ? debugCertNickArray : ["ev-valid"],
-                          [], [],
-                          gEVExpected ? debugResponseArray
-                                      : ["longvalidityalmostold"]);
-    check_ee_for_ev("ev-valid", false);
-    ocspResponder.stop(run_next_test);
-  });
+  Services.prefs.clearUserPref("security.onecrl.via.amo");
+  Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
+  Services.prefs.clearUserPref("services.blocklist.onecrl.checked");
+  Services.prefs.clearUserPref(
+    "app.update.lastUpdateTime.blocklist-background-update-timer");
+});
+
+// Prime the OCSP cache and then ensure that we can validate certificates as EV
+// without hitting the network. There's two cases here: one where we simply
+// validate like normal and then check that the network was never accessed and
+// another where we use flags to mandate that the network not be used.
+add_task(function* ocspCachingTests() {
+  clearOCSPCache();
 
-  // Bug 991815 Valid but Ancient (almost two year old) responses are Not OK for
-  // EV (still OK for soft fail DV)
-  add_test(function () {
-    clearOCSPCache();
-    let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
-    let debugResponseArray = ["good", "ancientstillvalid",
-                              "ancientstillvalid"];
-    let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com",
-                          "test_ev_certs",
-                          gEVExpected ? debugCertNickArray : ["ev-valid"],
-                          [], [],
-                          gEVExpected ? debugResponseArray
-                                      : ["ancientstillvalid"]);
-    check_ee_for_ev("ev-valid", false);
-    ocspResponder.stop(run_next_test);
-  });
+  yield ensureVerifiesAsEV("anyPolicy-int-path");
+  yield ensureVerifiesAsEV("test-oid-path");
 
-  run_next_test();
-}
+  yield ensureVerifiesAsEVWithNoOCSPRequests("anyPolicy-int-path");
+  yield ensureVerifiesAsEVWithNoOCSPRequests("test-oid-path");
+
+  yield ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("anyPolicy-int-path");
+  yield ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("test-oid-path");
+});
 
-// bug 950240: add FLAG_MUST_BE_EV to CertVerifier::VerifyCert
-// to prevent spurious OCSP requests that race with OCSP stapling.
-// This has the side-effect of saying an EV certificate is not EV if
-// it hasn't already been verified (e.g. on the verification thread when
-// connecting to a site).
-// This flag is mostly a hack that should be removed once FLAG_LOCAL_ONLY
-// works as intended.
-function check_no_ocsp_requests(cert_name, expected_error) {
+// Old-but-still-valid OCSP responses are accepted for intermediates but not
+// end-entity certificates (because of OCSP soft-fail this results in DV
+// fallback).
+add_task(function* oldOCSPResponseTests() {
   clearOCSPCache();
-  let ocspResponder = failingOCSPResponder();
-  let cert = certdb.findCertByNickname(cert_name);
-  let hasEVPolicy = {};
-  let verifiedChain = {};
-  let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
-              Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
-  let error = certdb.verifyCertNow(cert, certificateUsageSSLServer, flags,
-                                   null, verifiedChain, hasEVPolicy);
-  // Since we're not doing OCSP requests, no certificate will be EV.
-  equal(hasEVPolicy.value, false,
-        "EV status should be false when not doing OCSP requests");
-  equal(error, expected_error,
-        "Actual and expected error should match when not doing OCSP requests");
-  ocspResponder.stop(run_next_test);
-}
+
+  yield ensureVerifiesAsEVWithOldIntermediateOCSPResponse("anyPolicy-int-path");
+  yield ensureVerifiesAsEVWithOldIntermediateOCSPResponse("test-oid-path");
+
+  clearOCSPCache();
+  yield ensureVerifiesAsDVWithOldEndEntityOCSPResponse("anyPolicy-int-path");
+  yield ensureVerifiesAsDVWithOldEndEntityOCSPResponse("test-oid-path");
+
+  clearOCSPCache();
+  yield ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse(
+    "anyPolicy-int-path");
+  yield ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse("test-oid-path");
+});
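Review bot: The OneCRL prefs set in `oneCRLTests` are reset only by the `clearUserPref` calls at the very end of that task, so they are cleared only if every `yield` before them completes. The `do_register_cleanup` callback at the top of the file covers just `network.dns.localDomains` and `security.OCSP.enabled`. The later tasks (`ocspCachingTests`, `oldOCSPResponseTests`) expect intermediate OCSP requests, so a leftover staleness window could presumably change what they exercise. The "re-trusting evroot" step in `evRootTrustTests` depends on the preceding `yield` in the same way. I would also register the four prefs in the cleanup callback, and consider a `try`/`finally` around the task bodies, so the reset does not depend on reaching the last lines.

```javascript
do_register_cleanup(() => {
  // … unchanged: clears network.dns.localDomains and security.OCSP.enabled …
  Services.prefs.clearUserPref("security.onecrl.via.amo");
  Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
  Services.prefs.clearUserPref("services.blocklist.onecrl.checked");
  Services.prefs.clearUserPref(
    "app.update.lastUpdateTime.blocklist-background-update-timer");
});
```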
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:anyPolicy-ee-path-int
+subject:anyPolicy-ee-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-ee/
+extension:certificatePolicies:any
+extension:subjectAlternativeName:ev-test.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:anyPolicy-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-int/
+extension:certificatePolicies:any
rename from security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.pem
rename to security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem
--- a/security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.pem
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem
@@ -1,20 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDSDCCAjKgAwIBAgIUby+kueFNWXyfsUNUp9JXQ4u/CgYwCwYJKoZIhvcNAQEL
-MCUxIzAhBgNVBAMMGmludC1ldi12YWxpZC1hbnlwb2xpY3ktaW50MCIYDzIwMTQx
-MTI3MDAwMDAwWhgPMjAxNzAyMDQwMDAwMDBaMCExHzAdBgNVBAMMFmV2LXZhbGlk
-LWFueXBvbGljeS1pbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
-iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
-4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
-8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
-Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
-77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
-I/pyUcQx1QOs2hgKNe2NAgMBAAGjdDByME8GCCsGAQUFBwEBBEMwQTA/BggrBgEF
-BQcwAYYzaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2V2LXZhbGlkLWFueXBv
-bGljeS1pbnQvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqFGgGDdAkBMAsGCSqG
-SIb3DQEBCwOCAQEAV2WSrBkRIiml/Nc0WyZwX7MnHLwQe4V4z9mCXdBRwwgZv8Cd
-ALzlKgj3Uz18CVYh3ZH4XCIxxJRvLy4eBbGsWRuS5c4ZaAPoeIur8WVURscEGu2k
-FT2cM7eA38Z7f0WYnuGbTBZ+sN7Hsm7HpV1dpBuI7RaJ9hwAlcvmKvgHBLsJZbyd
-yW7Vpu7KJ0S2djFhBPqjZ7xsIHIfbHuaYBhuO3xlmmx0YbgCS9HGkmuA6RXsSqd1
-15Iu8mT0mpq/SqxLRXi79f+HWpPAP9ERkNF+Ea0zIkIsK8d5PSnQqIKj5QugXSBE
-44He3YH8teY36VHQqApV3VGZ5mtMwVLAjMF8rg==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 -----END CERTIFICATE-----
\ No newline at end of file
rename from security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.pem.certspec
rename to security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec
--- a/security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec
@@ -1,4 +1,5 @@
-issuer:int-ev-valid-anypolicy-int
-subject:ev-valid-anypolicy-int
-extension:authorityInformationAccess:http://www.example.com:8888/ev-valid-anypolicy-int/
+issuer:anyPolicy-int-path-int
+subject:anyPolicy-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-ee/
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
rename from security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.pem
rename to security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.pem
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem
@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDSzCCAjWgAwIBAgIUaYYtOBr1wZWTYvHqYsRinupYgT4wCwYJKoZIhvcNAQEL
+MIIDQjCCAiygAwIBAgIUI4h7bIgXBroqPq3r8qcqzWTPiTwwCwYJKoZIhvcNAQEL
 MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
-MDAwMDAwWjAlMSMwIQYDVQQDDBppbnQtZXYtdmFsaWQtYW55cG9saWN5LWludDCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
-PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
-HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
-Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
-EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
-lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
-AwEAAaOBhjCBgzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBTBggrBgEFBQcB
-AQRHMEUwQwYIKwYBBQUHMAGGN2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9p
-bnQtZXYtdmFsaWQtYW55cG9saWN5LWludC8wEQYDVR0gBAowCDAGBgRVHSAAMAsG
-CSqGSIb3DQEBCwOCAQEAqnqfTrqYSYeWWRX6GfGKkCVfmksgIA3OnvRD8gE895qU
-JS5Ke/3d/4+3beSlfNueL+JSriA+BqqlK6wrxI7xo7H4xjbUV/DrEXEfhUg052O1
-gC1oqObWsZenegoQBZ0mQUT0uqshj7IHWzED2GQZmjEt7F6Il5bjvy49OQ5A++/O
-m+YUr579TZ8r02WU0/+TNln6PnM+6uhoizF2bgh/fCcMlFqLUcJ4FNVi5CgT/oiR
-Wxv8FO2N3ijfQ1Qwnt2Ti0lGby//rrbdnE9tHJb22COxu8QuOi+z/meh4TL+UG3r
-HeCP5545zGOyBOzCrHNioeGVE13svKQFM4T+eguckQ==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 -----END CERTIFICATE-----
\ No newline at end of file
rename from security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.pem.certspec
rename to security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec
@@ -1,7 +1,7 @@
 issuer:evroot
-subject:int-ev-valid-anypolicy-int
+subject:anyPolicy-int-path-int
 issuerKey:ev
 extension:basicConstraints:cA,
 extension:keyUsage:cRLSign,keyCertSign
-extension:authorityInformationAccess:http://www.example.com:8888/int-ev-valid-anypolicy-int/
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-int/
 extension:certificatePolicies:any
--- a/security/manager/ssl/tests/unit/test_ev_certs/moz.build
+++ b/security/manager/ssl/tests/unit/test_ev_certs/moz.build
@@ -1,29 +1,34 @@
 # -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 # Temporarily disabled. See bug 1256495.
 #test_certificates = (
-#    'ev-valid-anypolicy-int.pem',
-#    'ev-valid.pem',
+#    'anyPolicy-ee-path-ee.pem',
+#    'anyPolicy-ee-path-int.pem',
+#    'anyPolicy-int-path-ee.pem',
+#    'anyPolicy-int-path-int.pem',
 #    'evroot.pem',
-#    'int-ev-valid-anypolicy-int.pem',
-#    'int-ev-valid.pem',
-#    'int-non-ev-root.pem',
-#    'no-ocsp-url-cert.pem',
-#    'non-ev-root.pem',
+#    'no-ocsp-ee-path-ee.pem',
+#    'no-ocsp-ee-path-int.pem',
+#    'no-ocsp-int-path-ee.pem',
+#    'no-ocsp-int-path-int.pem',
+#    'non-ev-root-path-ee.pem',
+#    'non-ev-root-path-int.pem',
 #    'non-evroot-ca.pem',
+#    'test-oid-path-ee.pem',
+#    'test-oid-path-int.pem',
 #)
 #
 #for test_certificate in test_certificates:
 #    GeneratedTestCertificate(test_certificate)
 #
 #test_keys = (
 #    'evroot.key',
-#    'int-ev-valid.key',
+#    'test-oid-path-int.key',
 #)
 #
 #for test_key in test_keys:
 #    GeneratedTestKey(test_key)
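Review bot: The `# Temporarily disabled. See bug 1256495.` comment does not say how the checked-in fixtures are kept current, and this hunk only edits names inside the commented-out `test_certificates` and `test_keys` tuples. With generation off, nothing visible here rebuilds a `.pem` when its `.certspec` changes. The validity field in the PEMs added by this commit appears to decode to an end date of 2017-02-04, so the EV tests would presumably start failing then unless they pin the verification time. I would extend the comment, e.g. `# While disabled, regenerate the checked-in .pem/.key files by hand after any .certspec/.keyspec change and before the embedded validity ends.`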
rename from security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem
rename to security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem
--- a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem
@@ -1,18 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIC4zCCAc2gAwIBAgIUd5B8Tu9tyK8u9ciEb+vs5wAhPjcwCwYJKoZIhvcNAQEL
-MBcxFTATBgNVBAMMDGludC1ldi12YWxpZDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIw
-MTcwMjA0MDAwMDAwWjAbMRkwFwYDVQQDDBBuby1vY3NwLXVybC1jZXJ0MIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
-5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
-An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
-ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
-zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
-JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
-oyMwITAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATALBgkqhkiG9w0B
-AQsDggEBAGD4KgUYaMaVoU2ioXkVXR99IrOz65d6DsI8JZHlI1/5fykVbzPq7gpI
-fHB2iIp5RzP/eDDZPyriJ7L2LEUIGC/yr68C96d5FqlpeTL9hgkWQaM2Z9hisgoe
-vk1uBsvZ6KmCQhG9TTCcEAQks7Qe9qDo3j3zk35795Q57w4xYYJZKiBtKFgMTtF2
-nkpoSTHQ8wmPgok0T7H4c3WxXwRz9Pxa+X63q5Whd8tDeHHp2o+Fm3HzW7aGTb1t
-F1UJQsF4hCEsnqhfbx2pEPUkYHjtLi2WXFT/AYDbYsqzly4PZhMOdNldJu/S3TS0
-wSsKiflXOecc1Voy2BHO3igasqYZ6Tk=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 -----END CERTIFICATE-----
\ No newline at end of file
rename from security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem.certspec
rename to security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec
--- a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec
@@ -1,3 +1,4 @@
-issuer:int-ev-valid
-subject:no-ocsp-url-cert
+issuer:no-ocsp-ee-path-int
+subject:no-ocsp-ee-path-ee
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDOzCCAiWgAwIBAgIUY7txKTVVTBc2roj9KXXVlQxF20YwCwYJKoZIhvcNAQEL
+MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
+MDAwMDAwWjAeMRwwGgYDVQQDDBNuby1vY3NwLWVlLXBhdGgtaW50MIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK
+tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N
+Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr
+sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs
+l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl
+nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo34w
+fDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBMBggrBgEFBQcBAQRAMD4wPAYI
+KwYBBQUHMAGGMGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9uby1vY3NwLWVl
+LXBhdGgtaW50LzARBgNVHSAECjAIMAYGBFUdIAAwCwYJKoZIhvcNAQELA4IBAQCE
+tGJOFahnFAubE9prxtKV5wEHxGhHWlwXC3lCFFeNMjZ0jOaMeI7JpeX18Nnzvy9u
+qNZfsvzUZk0fu22MDjwOSjJmZk3OI2B9Sc01gXU/IEQH7Jw3uy8NwVOGZctHjMyn
+MDIIaFcNDaAIQgjTRCLMyjrD0A86qSG795TQj6xjRuPy5NByLuT3We8cml3AJqy0
+F0dhLoeFbL5f4HN2xJFsb6UcTMb0bMAAtsvkIu3TTI01mu4ffiI6JVhWfraLLTig
+X30yMU8oJjeYGfcOyxrnvD/Y6MzIWQat97U8mRnuyfuISxilWvLeTJCasnpmnNWH
+wrWzbB62tJ1DJw3ngTGj
+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:no-ocsp-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-ee-path-int/
+extension:certificatePolicies:any
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:no-ocsp-int-path-int
+subject:no-ocsp-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-int-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec
@@ -0,0 +1,6 @@
+issuer:evroot
+subject:no-ocsp-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:certificatePolicies:any
rename from security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.pem
rename to security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem
--- a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.pem
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem
@@ -1,19 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDJzCCAhGgAwIBAgIULwMSM80UKgeh7YdspJB7dG8Yn3owCwYJKoZIhvcNAQEL
-MBoxGDAWBgNVBAMMD2ludC1ub24tZXYtcm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoY
-DzIwMTcwMjA0MDAwMDAwWjAWMRQwEgYDVQQDDAtub24tZXYtcm9vdDCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
-SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
-zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
-K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
-bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
-JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNp
-MGcwRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vd3d3LmV4YW1w
-bGUuY29tOjg4ODgvbm9uLWV2LXJvb3QvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUa
-hRqFGgGDdAkBMAsGCSqGSIb3DQEBCwOCAQEAAtXIU+ufmDNCqfjUZiJ+9nHcE14I
-t158M0bTBeAsmwtenY9WsBz2Svd3JJ4k8/0OjIfS44o9XPnGvAT/KmHKcTjmTkHR
-vixUvEa3923AsJzoGzxQcF2BtyQufGWBW8/Oq5d6G5ISB/C4VA3Ez8j7o+OE+6bp
-ID60osGbUJsQ/mknXxj0MsZoeuz3upbdTDe49jNYPkyyJqKnctOacq3PIs1Ai10A
-iMgKtn0e5wEEUCouKwuKXxK1kFIrxDiiKLWEhgBKTPxDf8E+ZuJbp+nZo3TDfI1j
-rQDQsbH6cao5EzrVe/weHRYDQMJ1tk17RXrW+PPsgWYia8Mi11qbI9w+1Q==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 -----END CERTIFICATE-----
\ No newline at end of file
rename from security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.pem.certspec
rename to security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec
--- a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec
@@ -1,4 +1,5 @@
-issuer:int-non-ev-root
-subject:non-ev-root
-extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root/
+issuer:non-ev-root-path-int
+subject:non-ev-root-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-ee/
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
rename from security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.pem
rename to security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.pem
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem
@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDSjCCAjSgAwIBAgIUD22BRPEQk1ohdq0TWpDiC9DX0QgwCwYJKoZIhvcNAQEL
+MIIDRDCCAi6gAwIBAgIUe8flRD9fpbyM3B5myFA50T3jScUwCwYJKoZIhvcNAQEL
 MBgxFjAUBgNVBAMMDW5vbi1ldnJvb3QtY2EwIhgPMjAxNDExMjcwMDAwMDBaGA8y
-MDE3MDIwNDAwMDAwMFowGjEYMBYGA1UEAwwPaW50LW5vbi1ldi1yb290MIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
-5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
-An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
-ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
-zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
-JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
-o4GJMIGGMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMEgGCCsGAQUFBwEBBDww
-OjA4BggrBgEFBQcwAYYsaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2ludC1u
-b24tZXYtcm9vdC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwCwYJ
-KoZIhvcNAQELA4IBAQCNfizDGiKBxkquDAvy/RDTwOiYDliOvReGjlZOZrQBkf52
-xvfHAkl/m/GluDeCjHSSlGU/8cloXnyN6PRzRfxf46Lx+RuiStgDPS1OfqGw961l
-dV2xEa2g5SHkHS1aTnadO83GxkagYes6OEZbe7fexrOnPIhNx4Da9wfFyQBOi8/t
-4Y69eBk+cC5AaSBwHpf12TDc4NKvW2/Qtl1G8idn24OhPlucxBd/dPOxduztde5a
-bmvQW4m66HHjF5aIXaJn7I5+drY2vSIJz3Nry05pgrJapf7rOi0iKNrv5vKoAyi9
-IYeIPTOD377JbUBdSOt0yGV2yx5bkvWfMUET51i3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 -----END CERTIFICATE-----
\ No newline at end of file
rename from security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.pem.certspec
rename to security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec
@@ -1,6 +1,6 @@
 issuer:non-evroot-ca
-subject:int-non-ev-root
+subject:non-ev-root-path-int
 extension:basicConstraints:cA,
 extension:keyUsage:cRLSign,keyCertSign
-extension:authorityInformationAccess:http://www.example.com:8888/int-non-ev-root/
-extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-int/
+extension:certificatePolicies:any
rename from security/manager/ssl/tests/unit/test_ev_certs/ev-valid.pem
rename to security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem
--- a/security/manager/ssl/tests/unit/test_ev_certs/ev-valid.pem
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem
@@ -1,19 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDHjCCAgigAwIBAgIUIWjgvey0rx7/CM8k0zC+FVdlHG0wCwYJKoZIhvcNAQEL
-MBcxFTATBgNVBAMMDGludC1ldi12YWxpZDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIw
-MTcwMjA0MDAwMDAwWjATMREwDwYDVQQDDAhldi12YWxpZDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
-bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
-OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
-uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
-t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
-NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNmMGQwQQYI
-KwYBBQUHAQEENTAzMDEGCCsGAQUFBzABhiVodHRwOi8vd3d3LmV4YW1wbGUuY29t
-Ojg4ODgvZXYtdmFsaWQvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqFGgGDdAkB
-MAsGCSqGSIb3DQEBCwOCAQEAAZ49c1ZNqOYEz0x2EzYaInvPcK2Fxbc8CjX71xIj
-ahLnIZ1cb/VIe88wvidZdQYQdRn0aTfc8Z7+P62XnPqM3nlF85b7g4H2yxJRq7or
-V1skztvKxm+YC/iY4ogsR8x24gdEn/IdwAdjtfZnI471A69CN3t0V6tmt26SNGix
-jNnabOus9JGfhii+qL8svIYR6T+Gmr2fDuQBEJtTpcHjLbrPAV4pOlFu3WmOsVsF
-9yaUy72WFBXg0kas+Tz1QvKWgi4XZ9640HoBVdmHGBnAiBjx62d4pxf4ttbrvh9r
-G26w6vWsfTKWDsoJKi1gYtf9hTcG04jrHg2EAx06+A0yFw==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 -----END CERTIFICATE-----
\ No newline at end of file
rename from security/manager/ssl/tests/unit/test_ev_certs/ev-valid.pem.certspec
rename to security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec
--- a/security/manager/ssl/tests/unit/test_ev_certs/ev-valid.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec
@@ -1,4 +1,5 @@
-issuer:int-ev-valid
-subject:ev-valid
-extension:authorityInformationAccess:http://www.example.com:8888/ev-valid/
+issuer:test-oid-path-int
+subject:test-oid-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-ee/
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
rename from security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.key
rename to security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key
rename from security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.key.keyspec
rename to security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec
rename from security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.pem
rename to security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.pem
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem
@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDPTCCAiegAwIBAgIUJ6ZiwLEBBmRIxjG+KN4K/KQ+NKkwCwYJKoZIhvcNAQEL
+MIIDRzCCAjGgAwIBAgIUXX3/aud0LGpAvxl0RGcu8j7gbsAwCwYJKoZIhvcNAQEL
 MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
-MDAwMDAwWjAXMRUwEwYDVQQDDAxpbnQtZXYtdmFsaWQwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk
-e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg
-KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI
-YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi
-lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL
-HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgYYwgYMwDAYD
-VR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwRQYIKwYBBQUHAQEEOTA3MDUGCCsGAQUF
-BzABhilodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvaW50LWV2LXZhbGlkLzAf
-BgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATALBgkqhkiG9w0BAQsDggEB
-AHuI7ZqTAYzCj2QtErvEKbo16WctTXslepQmnD9hrAFNkhrT9ParJ+EViwaq8wXL
-RpBs4QNtH5j1lrlIIY3SEeGRvNv7pIC1vQoBa15ieg6IJOxs0Zq/TszAEcdIQSpr
-p1fcl/51kAoXoV74VBOer6dIqenuK043aa2aai58Jz/cMaWd7E55Ak+aU9pb+Mdc
-x6k9vV8sSfkpSR2Jmx5GEq5Sat8eJ7lib9/+wHGGCObUzxXnMJN50ZsR6R77DP/E
-+cafdtTxYgFTsPdA1OTBxUEbk2hx3c08T1kmPL+nmg3WoSu8fXuaZWzCBegDMFMI
-wgiVIyUZPm9H356bgW+nVeo=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 -----END CERTIFICATE-----
\ No newline at end of file
rename from security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.pem.certspec
rename to security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec
@@ -1,7 +1,7 @@
 issuer:evroot
-subject:int-ev-valid
+subject:test-oid-path-int
 issuerKey:ev
 extension:basicConstraints:cA,
 extension:keyUsage:cRLSign,keyCertSign
-extension:authorityInformationAccess:http://www.example.com:8888/int-ev-valid/
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-int/
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
--- a/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
@@ -36,26 +36,26 @@ function testOff() {
     do_print("Setting security.OCSP.enabled to 0");
     run_next_test();
   });
 
   // EV chains should verify successfully but never get EV status.
   add_test(() => {
     clearOCSPCache();
     let ocspResponder = getFailingOCSPResponder();
-    checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
+    checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
                   false);
     ocspResponder.stop(run_next_test);
   });
 
   // A DV chain should verify successfully.
   add_test(() => {
     clearOCSPCache();
     let ocspResponder = getFailingOCSPResponder();
-    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
+    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
                           PRErrorCodeSuccess, certificateUsageSSLServer);
     ocspResponder.stop(run_next_test);
   });
 }
 
 // Tests that in ocspOn mode, OCSP fetches are done for both EV and DV certs.
 function testOn() {
   add_test(() => {
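Review bot: The renamed `checkEVStatus(...)` call in testOff now runs to roughly 87 columns, while the neighbouring `checkCertErrorGeneric(...)` call in the same hunk is still wrapped under 80. The same over-long line recurs in the testOn and testEVOnly hunks, where the `? getOCSPResponder(["test-oid-path-int", "test-oid-path-ee"])` arm is also past 80. Re-wrap after the second argument: `checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"),` followed by `certificateUsageSSLServer, false);` (with `gEVExpected` as the last argument in the other two hunks). testOff's body starts before this hunk.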
@@ -64,29 +64,29 @@ function testOn() {
     run_next_test();
   });
 
   // If a successful OCSP response is fetched, then an EV chain should verify
   // successfully and get EV status as well.
   add_test(() => {
     clearOCSPCache();
     let ocspResponder =
-      getOCSPResponder(gEVExpected ? ["int-ev-valid", "ev-valid"]
-                                   : ["ev-valid"]);
-    checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
+      getOCSPResponder(gEVExpected ? ["test-oid-path-int", "test-oid-path-ee"]
+                                   : ["test-oid-path-ee"]);
+    checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
                   gEVExpected);
     ocspResponder.stop(run_next_test);
   });
 
   // If a successful OCSP response is fetched, then a DV chain should verify
   // successfully.
   add_test(() => {
     clearOCSPCache();
-    let ocspResponder = getOCSPResponder(["non-ev-root"]);
-    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
+    let ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]);
+    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
                           PRErrorCodeSuccess, certificateUsageSSLServer);
     ocspResponder.stop(run_next_test);
   });
 }
 
 // Tests that in ocspEVOnly mode, OCSP fetches are done for EV certs only.
 function testEVOnly() {
   add_test(() => {
@@ -95,28 +95,28 @@ function testEVOnly() {
     run_next_test();
   });
 
   // If a successful OCSP response is fetched, then an EV chain should verify
   // successfully and get EV status as well.
   add_test(() => {
     clearOCSPCache();
     let ocspResponder = gEVExpected
-                      ? getOCSPResponder(["int-ev-valid", "ev-valid"])
+                      ? getOCSPResponder(["test-oid-path-int", "test-oid-path-ee"])
                       : getFailingOCSPResponder();
-    checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
+    checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
                   gEVExpected);
     ocspResponder.stop(run_next_test);
   });
 
   // A DV chain should verify successfully even without doing OCSP fetches.
   add_test(() => {
     clearOCSPCache();
     let ocspResponder = getFailingOCSPResponder();
-    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
+    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
                           PRErrorCodeSuccess, certificateUsageSSLServer);
     ocspResponder.stop(run_next_test);
   });
 }
 
 function run_test() {
   do_register_cleanup(() => {
     Services.prefs.clearUserPref("network.dns.localDomains");
@@ -124,18 +124,18 @@ function run_test() {
     Services.prefs.clearUserPref("security.OCSP.require");
   });
   Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
   // Enable hard fail to ensure chains that should only succeed because they get
   // a good OCSP response do not succeed due to soft fail leniency.
   Services.prefs.setBoolPref("security.OCSP.require", true);
 
   loadCert("evroot", "CTu,,");
-  loadCert("int-ev-valid", ",,");
+  loadCert("test-oid-path-int", ",,");
   loadCert("non-evroot-ca", "CTu,,");
-  loadCert("int-non-ev-root", ",,");
+  loadCert("non-ev-root-path-int", ",,");
 
   testOff();
   testOn();
   testEVOnly();
 
   run_next_test();
 }