bug 1243923 - add support for the CA/Browser Forum EV OID r?Cykesiopka,jcj draft
authorDavid Keeler <dkeeler@mozilla.com>
Fri, 02 Sep 2016 16:39:15 -0700
changeset 419726 285cf17cdb6a3f2ec80889e778dd79d7c5de7843
parent 419507 5ffed033557e5b6f9694123f1948f867f913ede3
child 532636 854c58f1dd2fbc8be54a3e0d5728319a0698f530
push id30998
push userdkeeler@mozilla.com
push dateFri, 30 Sep 2016 19:52:45 +0000
reviewersCykesiopka, jcj
bugs1243923
milestone52.0a1
bug 1243923 - add support for the CA/Browser Forum EV OID r?Cykesiopka,jcj MozReview-Commit-ID: 4zqzistEhvo
security/certverifier/ExtendedValidation.cpp
security/manager/ssl/tests/unit/pycert.py
security/manager/ssl/tests/unit/test_ev_certs.js
security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem
security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem
security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem
security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem
security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem
security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem
security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/moz.build
security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem
security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem
security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem
security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem
security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem
security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem
security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem
security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec
security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem
security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec
--- a/security/certverifier/ExtendedValidation.cpp
+++ b/security/certverifier/ExtendedValidation.cpp
@@ -6,16 +6,17 @@
 
 #include "ExtendedValidation.h"
 
 #include "base64.h"
 #include "cert.h"
 #include "certdb.h"
 #include "hasht.h"
 #include "mozilla/ArrayUtils.h"
+#include "mozilla/PodOperations.h"
 #include "pk11pub.h"
 #include "pkix/pkixtypes.h"
 #include "prerror.h"
 #include "prinit.h"
 #include "secerr.h"
 
 extern mozilla::LazyLogModule gPIPNSSLog;
 
@@ -1266,19 +1267,25 @@ RegisterOID(const SECItem& oidItem, cons
   od.oid.data = oidItem.data;
   od.offset = SEC_OID_UNKNOWN;
   od.desc = oidName;
   od.mechanism = CKM_INVALID_MECHANISM;
   od.supportedExtension = INVALID_CERT_EXTENSION;
   return SECOID_AddEntry(&od);
 }
 
+static SECOidTag sCABForumEVOIDTag = SEC_OID_UNKNOWN;
+
 static bool
 isEVPolicy(SECOidTag policyOIDTag)
 {
+  if (policyOIDTag != SEC_OID_UNKNOWN && policyOIDTag == sCABForumEVOIDTag) {
+    return true;
+  }
+
   for (const nsMyTrustedEVInfo& entry : myTrustedEVInfos) {
     if (policyOIDTag == entry.oid_tag) {
       return true;
     }
   }
 
   return false;
 }
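Review bot: `sCABForumEVOIDTag` is a mutable file-scope static with no comment saying who writes it or what `SEC_OID_UNKNOWN` means for it, yet the new early return in `isEVPolicy` depends on both. Going by the later hunk, it is assigned once in `IdentityInfoInit`, and the `policyOIDTag != SEC_OID_UNKNOWN` guard is what stops an unregistered tag from matching an unknown policy. I would add above the declaration `// Tag registered for the CA/Browser Forum EV policy OID; stays SEC_OID_UNKNOWN until IdentityInfoInit() succeeds, so isEVPolicy() must not match on that value.` The comment should also say that this tag is honoured for every root in `myTrustedEVInfos` rather than tied to one CA, because that is the trust decision a later reader will want to audit.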
@@ -1289,32 +1296,51 @@ bool
 CertIsAuthoritativeForEVPolicy(const UniqueCERTCertificate& cert,
                                const mozilla::pkix::CertPolicyId& policy)
 {
   PR_ASSERT(cert);
   if (!cert) {
     return false;
   }
 
+  const SECOidData* cabforumOIDData = SECOID_FindOIDByTag(sCABForumEVOIDTag);
   for (const nsMyTrustedEVInfo& entry : myTrustedEVInfos) {
     if (entry.cert && CERT_CompareCerts(cert.get(), entry.cert.get())) {
+      if (cabforumOIDData && cabforumOIDData->oid.len == policy.numBytes &&
+          mozilla::PodEqual(cabforumOIDData->oid.data, policy.bytes,
+                            policy.numBytes)) {
+        return true;
+      }
       const SECOidData* oidData = SECOID_FindOIDByTag(entry.oid_tag);
       if (oidData && oidData->oid.len == policy.numBytes &&
-          !memcmp(oidData->oid.data, policy.bytes, policy.numBytes)) {
+          mozilla::PodEqual(oidData->oid.data, policy.bytes, policy.numBytes)) {
         return true;
       }
     }
   }
 
   return false;
 }
 
 static PRStatus
 IdentityInfoInit()
 {
+  static const char* sCABForumOIDString = "2.23.140.1.1";
+  static const char* sCABForumOIDDescription = "CA/Browser Forum EV OID";
+
+  mozilla::ScopedAutoSECItem cabforumOIDItem;
+  if (SEC_StringToOID(nullptr, &cabforumOIDItem, sCABForumOIDString, 0)
+        != SECSuccess) {
+    return PR_FAILURE;
+  }
+  sCABForumEVOIDTag = RegisterOID(cabforumOIDItem, sCABForumOIDDescription);
+  if (sCABForumEVOIDTag == SEC_OID_UNKNOWN) {
+    return PR_FAILURE;
+  }
+
   for (size_t iEV = 0; iEV < mozilla::ArrayLength(myTrustedEVInfos); ++iEV) {
     nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
 
     mozilla::ScopedAutoSECItem derIssuer;
     SECStatus rv = ATOB_ConvertAsciiToItem(&derIssuer, entry.issuer_base64);
     PR_ASSERT(rv == SECSuccess);
     if (rv != SECSuccess) {
       return PR_FAILURE;
--- a/security/manager/ssl/tests/unit/pycert.py
+++ b/security/manager/ssl/tests/unit/pycert.py
@@ -26,17 +26,17 @@ Known extensions are:
 basicConstraints:[cA],[pathLenConstraint]
 keyUsage:[digitalSignature,nonRepudiation,keyEncipherment,
           dataEncipherment,keyAgreement,keyCertSign,cRLSign]
 extKeyUsage:[serverAuth,clientAuth,codeSigning,emailProtection
              nsSGC, # Netscape Server Gated Crypto
              OCSPSigning,timeStamping]
 subjectAlternativeName:[<dNSName|directoryName>,...]
 authorityInformationAccess:<OCSP URI>
-certificatePolicies:<policy OID>
+certificatePolicies:[<policy OID>,...]
 nameConstraints:{permitted,excluded}:[<dNSName|directoryName>,...]
 nsCertType:sslServer
 TLSFeature:[<TLSFeature>,...]
 
 Where:
   [] indicates an optional field or component of a field
   <> indicates a required component of a field
   {} indicates a choice of exactly one value among a set of values
@@ -549,24 +549,25 @@ class Certificate(object):
         self.addExtension(rfc2459.id_ce_subjectAltName, subjectAlternativeName, critical)
 
     def addAuthorityInformationAccess(self, ocspURI, critical):
         sequence = univ.Sequence()
         accessDescription = stringToAccessDescription(ocspURI)
         sequence.setComponentByPosition(0, accessDescription)
         self.addExtension(rfc2459.id_pe_authorityInfoAccess, sequence, critical)
 
-    def addCertificatePolicies(self, policyOID, critical):
+    def addCertificatePolicies(self, policyOIDs, critical):
         policies = rfc2459.CertificatePolicies()
-        policy = rfc2459.PolicyInformation()
-        if policyOID == 'any':
-            policyOID = '2.5.29.32.0'
-        policyIdentifier = rfc2459.CertPolicyId(policyOID)
-        policy.setComponentByName('policyIdentifier', policyIdentifier)
-        policies.setComponentByPosition(0, policy)
+        for pos, policyOID in enumerate(policyOIDs.split(',')):
+            if policyOID == 'any':
+                policyOID = '2.5.29.32.0'
+            policy = rfc2459.PolicyInformation()
+            policyIdentifier = rfc2459.CertPolicyId(policyOID)
+            policy.setComponentByName('policyIdentifier', policyIdentifier)
+            policies.setComponentByPosition(pos, policy)
         self.addExtension(rfc2459.id_ce_certificatePolicies, policies, critical)
 
     def addNameConstraints(self, constraints, critical):
         nameConstraints = NameConstraints()
         if constraints.startswith('permitted:'):
             (subtreesType, subtreesTag) = ('permittedSubtrees', 0)
         elif constraints.startswith('excluded:'):
             (subtreesType, subtreesTag) = ('excludedSubtrees', 1)
--- a/security/manager/ssl/tests/unit/test_ev_certs.js
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@@ -174,26 +174,44 @@ function ensureVerifiesAsDVWithVeryOldEn
   return verifyWithDifferentOCSPResponseTypes(
     testcase, [ "good", "ancientstillvalid" ], false);
 }
 
 // These should all verify as EV.
 add_task(function* plainExpectSuccessEVTests() {
   yield ensureVerifiesAsEV("anyPolicy-int-path");
   yield ensureVerifiesAsEV("test-oid-path");
+  yield ensureVerifiesAsEV("cabforum-oid-path");
+  yield ensureVerifiesAsEV("cabforum-and-test-oid-ee-path");
+  yield ensureVerifiesAsEV("test-and-cabforum-oid-ee-path");
+  yield ensureVerifiesAsEV("reverse-order-oids-path");
+  // In this case, the end-entity has both the CA/B Forum OID and the test OID
+  // (in that order). The intermediate has the CA/B Forum OID. Since the
+  // implementation uses the first EV policy it encounters in the end-entity as
+  // the required one, this successfully verifies as EV.
+  yield ensureVerifiesAsEV("cabforum-and-test-oid-ee-cabforum-oid-int-path");
 });
 
 // These fail for various reasons to verify as EV, but fallback to DV should
 // succeed.
 add_task(function* expectDVFallbackTests() {
   yield ensureVerifiesAsDV("anyPolicy-ee-path");
   yield ensureVerifiesAsDV("non-ev-root-path");
   yield ensureVerifiesAsDV("no-ocsp-ee-path",
                            gEVExpected ? [ "no-ocsp-ee-path-int" ] : []);
   yield ensureVerifiesAsDV("no-ocsp-int-path");
+  // In this case, the end-entity has the test OID and the intermediate has the
+  // CA/B Forum OID. Since the CA/B Forum OID is not treated the same as the
+  // anyPolicy OID, this will not verify as EV.
+  yield ensureVerifiesAsDV("test-oid-ee-cabforum-oid-int-path");
+  // In this case, the end-entity has both the test OID and the CA/B Forum OID
+  // (in that order). The intermediate has only the CA/B Forum OID. Since the
+  // implementation uses the first EV policy it encounters in the end-entity as
+  // the required one, this fails to verify as EV.
+  yield ensureVerifiesAsDV("test-and-cabforum-oid-ee-cabforum-oid-int-path");
 });
 
 // Test that removing the trust bits from an EV root causes verifications
 // relying on that root to fail (and then test that adding back the trust bits
 // causes the verifications to succeed again).
 add_task(function* evRootTrustTests() {
   clearOCSPCache();
   let evroot = certdb.findCertByNickname("evroot");
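Review bot: The cases added to `plainExpectSuccessEVTests` and `expectDVFallbackTests` all chain to `evroot`, so nothing here shows that a certificate asserting 2.23.140.1.1 under a root that is not EV-enabled falls back to DV. The existing `non-ev-root-path` case presumably uses the test OID (its certspec is not in this diff), which leaves the negative path for the new OID unpinned. I would add a chain issued under the non-EV root with `certificatePolicies:2.23.140.1.1` and assert it with `yield ensureVerifiesAsDV("cabforum-oid-non-ev-root-path");` (name constructed for this note). Separately, `reverse-order-oids-path` is the only multi-OID case without a comment saying which ordering it exercises. `evRootTrustTests` continues outside the hunk.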
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:cabforum-and-test-oid-ee-cabforum-oid-int-path-int
+subject:cabforum-and-test-oid-ee-cabforum-oid-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee/
+extension:certificatePolicies:2.23.140.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:cabforum-and-test-oid-ee-cabforum-oid-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-cabforum-oid-int-path-int/
+extension:certificatePolicies:2.23.140.1.1
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:cabforum-and-test-oid-ee-path-int
+subject:cabforum-and-test-oid-ee-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-path-ee/
+extension:certificatePolicies:2.23.140.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:cabforum-and-test-oid-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-path-int/
+extension:certificatePolicies:any
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVDCCAj6gAwIBAgIUA66/k+1WDtWyVI5P3m0fZH7rPv0wCwYJKoZIhvcNAQEL
+MCAxHjAcBgNVBAMMFWNhYmZvcnVtLW9pZC1wYXRoLWludDAiGA8yMDE0MTEyNzAw
+MDAwMFoYDzIwMTcwMjA0MDAwMDAwWjAfMR0wGwYDVQQDDBRjYWJmb3J1bS1vaWQt
+cGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaOBhjCBgzBNBggrBgEFBQcBAQRBMD8wPQYIKwYBBQUHMAGG
+MWh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9jYWJmb3J1bS1vaWQtcGF0aC1l
+ZS8wEgYDVR0gBAswCTAHBgVngQwBATAeBgNVHREEFzAVghNldi10ZXN0LmV4YW1w
+bGUuY29tMAsGCSqGSIb3DQEBCwOCAQEAnnM+ymlJlBFHpNO1BA3SefbIfTlDcGoN
+gLTI5QBgH8QIhWEUxfQJJOqASJA1gYUia96HD+WKXIyZKesjKRBTXh9wimts7wjk
+wm33M6/7feS2t0aZzsWKcGVxvG3rjr2pYICZb0tLBe6p2dV+uut0mV/tjtbYb+a4
+RIQdVDPZqNyzB2fE9SN6zH23VuPlvpPdTMa6lEGajxAUM4N0cirHtxRsGrsCrO1K
+ne0Q2ZjMXbM0WnJRPLNnz7jzeUGwA3780iIlJUuqq7CK7ilzJJv9lPIIIwUeYndn
+qhBmhTGaYrKIjqD0MD2b24d8GIAMc8fvsH3aYjTpxMLjP3C1Ow5dXg==
+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:cabforum-oid-path-int
+subject:cabforum-oid-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-oid-path-ee/
+extension:certificatePolicies:2.23.140.1.1
+extension:subjectAlternativeName:ev-test.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:cabforum-oid-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-oid-path-int/
+extension:certificatePolicies:2.23.140.1.1
--- a/security/manager/ssl/tests/unit/test_ev_certs/moz.build
+++ b/security/manager/ssl/tests/unit/test_ev_certs/moz.build
@@ -5,24 +5,38 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 # Temporarily disabled. See bug 1256495.
 #test_certificates = (
 #    'anyPolicy-ee-path-ee.pem',
 #    'anyPolicy-ee-path-int.pem',
 #    'anyPolicy-int-path-ee.pem',
 #    'anyPolicy-int-path-int.pem',
+#    'cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem',
+#    'cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem',
+#    'cabforum-and-test-oid-ee-path-ee.pem',
+#    'cabforum-and-test-oid-ee-path-int.pem',
+#    'cabforum-oid-path-ee.pem',
+#    'cabforum-oid-path-int.pem',
 #    'evroot.pem',
 #    'no-ocsp-ee-path-ee.pem',
 #    'no-ocsp-ee-path-int.pem',
 #    'no-ocsp-int-path-ee.pem',
 #    'no-ocsp-int-path-int.pem',
 #    'non-ev-root-path-ee.pem',
 #    'non-ev-root-path-int.pem',
 #    'non-evroot-ca.pem',
+#    'reverse-order-oids-path-ee.pem',
+#    'reverse-order-oids-path-int.pem',
+#    'test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem',
+#    'test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem',
+#    'test-and-cabforum-oid-ee-path-ee.pem',
+#    'test-and-cabforum-oid-ee-path-int.pem',
+#    'test-oid-ee-cabforum-oid-int-path-ee.pem',
+#    'test-oid-ee-cabforum-oid-int-path-int.pem',
 #    'test-oid-path-ee.pem',
 #    'test-oid-path-int.pem',
 #)
 #
 #for test_certificate in test_certificates:
 #    GeneratedTestCertificate(test_certificate)
 #
 #test_keys = (
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:reverse-order-oids-path-int
+subject:reverse-order-oids-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/reverse-order-oids-path-ee/
+extension:certificatePolicies:2.23.140.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:reverse-order-oids-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/reverse-order-oids-path-int/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,2.23.140.1.1
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqugAwIBAgIUcXWG5UHyfrNaIPc8Cx+A37nK7uQwCwYJKoZIhvcNAQEL
+MD0xOzA5BgNVBAMMMnRlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1jYWJmb3J1bS1v
+aWQtaW50LXBhdGgtaW50MCIYDzIwMTQxMTI3MDAwMDAwWhgPMjAxNzAyMDQwMDAw
+MDBaMDwxOjA4BgNVBAMMMXRlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1jYWJmb3J1
+bS1vaWQtaW50LXBhdGgtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a
+hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t
+FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o
+N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d
+JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4
+s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgbkwgbYwagYIKwYBBQUHAQEEXjBcMFoG
+CCsGAQUFBzABhk5odHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvdGVzdC1hbmQt
+Y2FiZm9ydW0tb2lkLWVlLWNhYmZvcnVtLW9pZC1pbnQtcGF0aC1lZS8wKAYDVR0g
+BCEwHzAUBhIrBgEEAetJhRqFGoUaAYN0CQEwBwYFZ4EMAQEwHgYDVR0RBBcwFYIT
+ZXYtdGVzdC5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAEAQ1s75nChdBAzq
+Xq6AzMlgPPcHMBlweEHZD+3GJd/TlzCZXS3fXUYdYtsXUGg9jxDe8lj8K/Nspy7r
+OOKO/NYAYLozIKQ6iavB13ffJq9tQSTwH/da6HWC/8v7KI9jvyL0Z7HN/STQlKry
+np+s+IWYlV/lB6uq8YlhMJYLqRnxCFhVryZi5y70Ao+d4NdV8x8oDXf0PKowLPE+
+Wyg6HVpyQu8BdJj1BhP91RgHg4bX1gTWrca0iyTomvK/XRP3vDVWM+0CfhCILEme
+3yBzQMOuqt9GhQqLcC9GhbNx8Rd3rs0/RBy708nbvJeu8qKjBxiQwEYQu3sNgHKU
+N/nXL7U=
+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:test-and-cabforum-oid-ee-cabforum-oid-int-path-int
+subject:test-and-cabforum-oid-ee-cabforum-oid-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,2.23.140.1.1
+extension:subjectAlternativeName:ev-test.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:test-and-cabforum-oid-ee-cabforum-oid-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-cabforum-oid-int-path-int/
+extension:certificatePolicies:2.23.140.1.1
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:test-and-cabforum-oid-ee-path-int
+subject:test-and-cabforum-oid-ee-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,2.23.140.1.1
+extension:subjectAlternativeName:ev-test.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:test-and-cabforum-oid-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-path-int/
+extension:certificatePolicies:any
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkTCCAnugAwIBAgIUJ3aa69Urh5Shk48KME40l1lyOfUwCwYJKoZIhvcNAQEL
+MDAxLjAsBgNVBAMMJXRlc3Qtb2lkLWVlLWNhYmZvcnVtLW9pZC1pbnQtcGF0aC1p
+bnQwIhgPMjAxNDExMjcwMDAwMDBaGA8yMDE3MDIwNDAwMDAwMFowLzEtMCsGA1UE
+AwwkdGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRoLWVlMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK
+tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N
+Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr
+sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs
+l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl
+nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4Gj
+MIGgMF0GCCsGAQUFBwEBBFEwTzBNBggrBgEFBQcwAYZBaHR0cDovL3d3dy5leGFt
+cGxlLmNvbTo4ODg4L3Rlc3Qtb2lkLWVlLWNhYmZvcnVtLW9pZC1pbnQtcGF0aC1l
+ZS8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwHgYDVR0RBBcwFYIT
+ZXYtdGVzdC5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAEiOoHZL1d5NODXn
+DYqH0JJ+ic1/XeJrlPQZ6f8u77kpvfQlHnUV6HzOFsKrVkL1AZBxf+2JqfZHjA8Z
+BvU5RVLQpYtXyi5J68tUigxlbwkHCJrMpWerT703P5VYNHcizA1vdggzN0U91eob
+yZXJ7Iqm1JUI0Rs/9BiSwmv7n0LmFdpPpIhIJcb8L9q2a2NKc3MYggYoaFfQRf5N
+84a65mGd1h9t4FdzPYdvJc/Q9Qhq5ytBwMVbDiYkH0UN+WNRBzslDjUN8Y/qKdWZ
+f8jpCMwtcZvYvlkwfA7Ynadmfgtbm4radEc/nRGf/FYcd+PNJCre3EMh9C5sc5Bb
+iEugyKY=
+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:test-oid-ee-cabforum-oid-int-path-int
+subject:test-oid-ee-cabforum-oid-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-ee-cabforum-oid-int-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:test-oid-ee-cabforum-oid-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-ee-cabforum-oid-int-path-int/
+extension:certificatePolicies:2.23.140.1.1