summaryrefslogtreecommitdiffstats
path: root/security/nss/tests/chains/scenarios
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:47:29 +0000
commit0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d (patch)
treea31f07c9bcca9d56ce61e9a1ffd30ef350d513aa /security/nss/tests/chains/scenarios
parentInitial commit. (diff)
downloadfirefox-esr-0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d.tar.xz
firefox-esr-0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d.zip
Adding upstream version 115.8.0esr.upstream/115.8.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/nss/tests/chains/scenarios')
-rw-r--r--security/nss/tests/chains/scenarios/aia.cfg35
-rw-r--r--security/nss/tests/chains/scenarios/anypolicy.cfg77
-rw-r--r--security/nss/tests/chains/scenarios/anypolicywithlevel.cfg399
-rw-r--r--security/nss/tests/chains/scenarios/bridge.cfg106
-rw-r--r--security/nss/tests/chains/scenarios/bridgewithaia.cfg54
-rw-r--r--security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg89
-rw-r--r--security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg187
-rw-r--r--security/nss/tests/chains/scenarios/crldp.cfg105
-rw-r--r--security/nss/tests/chains/scenarios/dsa.cfg72
-rw-r--r--security/nss/tests/chains/scenarios/explicitPolicy.cfg78
-rw-r--r--security/nss/tests/chains/scenarios/extension.cfg102
-rw-r--r--security/nss/tests/chains/scenarios/extension2.cfg140
-rw-r--r--security/nss/tests/chains/scenarios/ipsec.cfg149
-rw-r--r--security/nss/tests/chains/scenarios/mapping.cfg63
-rw-r--r--security/nss/tests/chains/scenarios/mapping2.cfg71
-rw-r--r--security/nss/tests/chains/scenarios/megabridge_3_2.cfg130
-rw-r--r--security/nss/tests/chains/scenarios/method.cfg25
-rw-r--r--security/nss/tests/chains/scenarios/nameconstraints.cfg178
-rw-r--r--security/nss/tests/chains/scenarios/ocsp.cfg177
-rw-r--r--security/nss/tests/chains/scenarios/ocspd.cfg172
-rw-r--r--security/nss/tests/chains/scenarios/realcerts.cfg30
-rw-r--r--security/nss/tests/chains/scenarios/revoc.cfg86
-rw-r--r--security/nss/tests/chains/scenarios/scenarios25
-rw-r--r--security/nss/tests/chains/scenarios/trustanchors.cfg114
24 files changed, 2664 insertions, 0 deletions
diff --git a/security/nss/tests/chains/scenarios/aia.cfg b/security/nss/tests/chains/scenarios/aia.cfg
new file mode 100644
index 0000000000..df3b1ef028
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/aia.cfg
@@ -0,0 +1,35 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario AIA
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ aia CA1:Root
+
+entity User
+ type EE
+ issuer CA2
+
+testdb User
+
+verify User:CA2
+ cert CA2:CA1
+ trust Root:
+ result fail
+
+verify User:CA2
+ cert CA2:CA1
+ trust Root:
+ fetch
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/anypolicy.cfg b/security/nss/tests/chains/scenarios/anypolicy.cfg
new file mode 100644
index 0000000000..fd647ad238
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/anypolicy.cfg
@@ -0,0 +1,77 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario AnyPolicy
+
+entity RootCA
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer RootCA
+ policy any
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+ inhibit 0
+
+entity CA3
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+
+entity User1
+ type EE
+ issuer CA2
+ policy OID.1.0
+
+entity User2
+ type EE
+ issuer CA2
+ policy any
+
+entity User3
+ type EE
+ issuer CA3
+ policy any
+
+db All
+
+import RootCA::
+import CA1:RootCA:
+import CA2:CA1:
+import CA3:CA1:
+
+verify User1:CA2
+ trust RootCA
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ trust RootCA
+ policy OID.2.0
+ result fail
+
+verify User2:CA2
+ trust RootCA
+ policy OID.1.0
+ result fail
+
+verify User2:CA2
+ trust RootCA
+ policy OID.2.0
+ result fail
+
+verify User3:CA3
+ trust RootCA
+ policy OID.1.0
+ result pass
+
+verify User3:CA3
+ trust RootCA
+ policy OID.2.0
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg b/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg
new file mode 100644
index 0000000000..9dd84a7974
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/anypolicywithlevel.cfg
@@ -0,0 +1,399 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario AnyPolicyWithLevel
+
+entity RootCA
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer RootCA
+ policy any
+ inhibit 1
+
+entity CA12
+ type Intermediate
+ issuer CA1
+ policy any
+
+entity CA13
+ type Intermediate
+ issuer CA12
+ policy OID.1.0
+
+entity EE1
+ type EE
+ issuer CA13
+ policy OID.1.0
+
+entity CA22
+ type Intermediate
+ issuer CA1
+ policy any
+
+entity CA23
+ type Intermediate
+ issuer CA22
+ policy any
+
+entity EE2
+ type EE
+ issuer CA23
+ policy OID.1.0
+
+entity CA32
+ type Intermediate
+ issuer CA1
+ policy any
+ inhibit 1
+
+entity CA33
+ type Intermediate
+ issuer CA32
+ policy any
+
+entity EE3
+ type EE
+ issuer CA33
+ policy OID.1.0
+
+entity CA42
+ type Intermediate
+ issuer CA1
+ policy any
+ policy OID.1.0
+
+entity CA43
+ type Intermediate
+ issuer CA42
+ policy any
+ policy OID.1.0
+
+entity EE4
+ type EE
+ issuer CA43
+ policy OID.1.0
+
+entity CA52
+ type Intermediate
+ issuer CA1
+ policy any
+ policy OID.1.0
+
+entity CA53
+ type Intermediate
+ issuer CA52
+ policy any
+
+entity EE5
+ type EE
+ issuer CA53
+ policy OID.1.0
+
+entity CA61
+ type Intermediate
+ issuer RootCA
+ policy any
+ inhibit 5
+
+entity CA62
+ type Intermediate
+ issuer CA61
+ policy any
+
+entity EE62
+ type EE
+ issuer CA62
+ policy OID.1.0
+
+entity CA63
+ type Intermediate
+ issuer CA62
+ policy any
+
+entity EE63
+ type EE
+ issuer CA63
+ policy OID.1.0
+
+entity CA64
+ type Intermediate
+ issuer CA63
+ policy any
+
+entity EE64
+ type EE
+ issuer CA64
+ policy OID.1.0
+
+entity CA65
+ type Intermediate
+ issuer CA64
+ policy any
+
+entity EE65
+ type EE
+ issuer CA65
+ policy OID.1.0
+
+entity CA66
+ type Intermediate
+ issuer CA65
+ policy any
+
+entity EE66
+ type EE
+ issuer CA66
+ policy OID.1.0
+
+entity CA67
+ type Intermediate
+ issuer CA66
+ policy any
+
+entity EE67
+ type EE
+ issuer CA67
+ policy OID.1.0
+
+db All
+
+verify EE1:CA13
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA12:CA1
+ cert CA13:CA12
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE1:CA13
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA12:CA1
+ cert CA13:CA12
+ trust RootCA:
+ policy OID.2.0
+ result fail
+
+verify EE1:CA13
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA12:CA1
+ cert CA13:CA12
+ trust RootCA:
+ policy OID.2.5.29.32.0
+ result pass
+
+verify EE2:CA23
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA22:CA1
+ cert CA23:CA22
+ trust RootCA:
+ policy OID.1.0
+ result fail
+
+verify EE2:CA23
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA22:CA1
+ cert CA23:CA22
+ trust RootCA:
+ policy OID.2.0
+ result fail
+
+verify EE2:CA23
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA22:CA1
+ cert CA23:CA22
+ trust RootCA:
+ policy OID.2.5.29.32.0
+ result fail
+
+verify EE2:CA23
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA22:CA1
+ cert CA23:CA22
+ trust RootCA:
+ result pass
+
+verify EE3:CA33
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA32:CA1
+ cert CA33:CA32
+ trust RootCA:
+ policy OID.1.0
+ result fail
+
+verify EE3:CA33
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA32:CA1
+ cert CA33:CA32
+ trust RootCA:
+ policy OID.2.0
+ result fail
+
+verify EE3:CA33
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA32:CA1
+ cert CA33:CA32
+ trust RootCA:
+ policy OID.2.5.29.32.0
+ result fail
+
+verify EE3:CA33
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA32:CA1
+ cert CA33:CA32
+ trust RootCA:
+ result pass
+
+verify EE4:CA43
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA42:CA1
+ cert CA43:CA42
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE4:CA43
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA42:CA1
+ cert CA43:CA42
+ trust RootCA:
+ policy OID.2.0
+ result fail
+
+verify EE4:CA43
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA42:CA1
+ cert CA43:CA42
+ trust RootCA:
+ policy OID.2.5.29.32.0
+ result pass
+
+verify EE5:CA53
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA52:CA1
+ cert CA53:CA52
+ trust RootCA:
+ policy OID.1.0
+ result fail
+
+verify EE5:CA53
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA52:CA1
+ cert CA53:CA52
+ trust RootCA:
+ policy OID.2.0
+ result fail
+
+verify EE5:CA53
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA52:CA1
+ cert CA53:CA52
+ trust RootCA:
+ policy OID.2.5.29.32.0
+ result fail
+
+verify EE5:CA53
+ cert RootCA:
+ cert CA1:RootCA
+ cert CA52:CA1
+ cert CA53:CA52
+ trust RootCA:
+ result pass
+
+verify EE62:CA62
+ cert RootCA:
+ cert CA61:RootCA
+ cert CA62:CA61
+ cert CA63:CA62
+ cert CA64:CA63
+ cert CA65:CA64
+ cert CA66:CA65
+ cert CA67:CA66
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE63:CA63
+ cert RootCA:
+ cert CA61:RootCA
+ cert CA62:CA61
+ cert CA63:CA62
+ cert CA64:CA63
+ cert CA65:CA64
+ cert CA66:CA65
+ cert CA67:CA66
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE64:CA64
+ cert RootCA:
+ cert CA61:RootCA
+ cert CA62:CA61
+ cert CA63:CA62
+ cert CA64:CA63
+ cert CA65:CA64
+ cert CA66:CA65
+ cert CA67:CA66
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE65:CA65
+ cert RootCA:
+ cert CA61:RootCA
+ cert CA62:CA61
+ cert CA63:CA62
+ cert CA64:CA63
+ cert CA65:CA64
+ cert CA66:CA65
+ cert CA67:CA66
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE66:CA66
+ cert RootCA:
+ cert CA61:RootCA
+ cert CA62:CA61
+ cert CA63:CA62
+ cert CA64:CA63
+ cert CA65:CA64
+ cert CA66:CA65
+ cert CA67:CA66
+ trust RootCA:
+ policy OID.1.0
+ result pass
+
+verify EE67:CA67
+ cert RootCA:
+ cert CA61:RootCA
+ cert CA62:CA61
+ cert CA63:CA62
+ cert CA64:CA63
+ cert CA65:CA64
+ cert CA66:CA65
+ cert CA67:CA66
+ trust RootCA:
+ policy OID.1.0
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/bridge.cfg b/security/nss/tests/chains/scenarios/bridge.cfg
new file mode 100644
index 0000000000..14dba6adcf
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/bridge.cfg
@@ -0,0 +1,106 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Bridge
+
+entity Army
+ type Root
+
+entity Navy
+ type Root
+
+entity Bridge
+ type Bridge
+ issuer Army
+ issuer Navy
+
+entity User
+ type EE
+ issuer Bridge
+
+db All
+
+import Army::
+import Navy::
+
+verify User:Bridge
+ cert Bridge:Navy
+ trust Navy
+ result pass
+
+verify User:Bridge
+ cert Bridge:Army
+ trust Army
+ result pass
+
+verify User:Bridge
+ cert Bridge:Navy
+ trust Army
+ result fail
+
+import Bridge:Army:
+import Bridge:Navy:
+
+verify User:Bridge
+ trust Army
+ result pass
+
+verify User:Bridge
+ trust Navy
+ result pass
+
+db ArmyOnly
+
+import Army::C,,
+
+verify User:Bridge
+ result fail
+
+verify User:Bridge
+ cert Bridge:Navy
+ result fail
+
+verify User:Bridge
+ cert Bridge:Navy
+ cert Navy:
+ result fail
+
+verify User:Bridge
+ cert Bridge:Navy
+ cert Navy:
+ trust Navy:
+ result pass
+
+verify User:Bridge
+ cert Bridge:Navy
+ trust Navy:
+ result pass
+
+db NavyOnly
+
+import Navy::C,,
+
+verify User:Bridge
+ result fail
+
+verify User:Bridge
+ cert Bridge:Army
+ result fail
+
+verify User:Bridge
+ cert Bridge:Army
+ cert Army:
+ result fail
+
+verify User:Bridge
+ cert Bridge:Army
+ cert Army:
+ trust Army:
+ result pass
+
+verify User:Bridge
+ cert Bridge:Army
+ trust Army:
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/bridgewithaia.cfg b/security/nss/tests/chains/scenarios/bridgewithaia.cfg
new file mode 100644
index 0000000000..640edb87a3
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/bridgewithaia.cfg
@@ -0,0 +1,54 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario BridgeWithAIA
+
+entity Army
+ type Root
+
+entity Navy
+ type Root
+
+entity Bridge
+ type Bridge
+ issuer Army
+ issuer Navy
+
+entity CA1
+ type Intermediate
+ issuer Bridge
+ aia Bridge
+
+entity EE1
+ type EE
+ issuer CA1
+
+testdb EE1
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Army:
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Army:
+ fetch
+# should pass, bug 435314
+# temporary result - test fails only with dbm cert db
+ result dbm:fail all:pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Navy:
+ fetch
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:Army
+ trust Navy:
+ fetch
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg b/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg
new file mode 100644
index 0000000000..914828ea19
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/bridgewithhalfaia.cfg
@@ -0,0 +1,89 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario BridgeWithHalfAIA
+
+entity Army
+ type Root
+
+entity Navy
+ type Root
+
+entity Bridge
+ type Bridge
+ issuer Army
+ issuer Navy
+
+entity CA1
+ type Intermediate
+ issuer Bridge
+ aia Bridge
+
+entity EE1
+ type EE
+ issuer CA1
+
+entity CA2
+ type Intermediate
+ issuer Bridge
+ aia Bridge:Navy
+
+entity EE2
+ type EE
+ issuer CA2
+
+testdb EE1
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Army:
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Army:
+ fetch
+# should pass, bug 435314
+# temporary result - test fails only with dbm cert db
+ result dbm:fail all:pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ trust Navy:
+ fetch
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:Army
+ trust Navy:
+ fetch
+ result pass
+
+verify EE2:CA2
+ cert Bridge:Army
+ trust Army:
+ fetch
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:Army
+ trust Army:
+ fetch
+ result pass
+
+verify EE2:CA2
+ cert CA2:Bridge
+ trust Navy:
+ fetch
+ result pass
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:Army
+ trust Navy:
+ fetch
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg b/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg
new file mode 100644
index 0000000000..f7554cabc6
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/bridgewithpolicyextensionandmapping.cfg
@@ -0,0 +1,187 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario BridgeWithPolicyExtensionAndMapping
+
+entity Army
+ type Root
+
+entity Navy
+ type Root
+
+entity CAArmy
+ type Intermediate
+ issuer Army
+ policy OID.1.0
+ policy OID.1.1
+
+entity CANavy
+ type Intermediate
+ issuer Navy
+ policy OID.2.0
+ policy OID.2.1
+
+entity Bridge
+ type Bridge
+ issuer CAArmy
+ policy OID.1.0
+ policy OID.1.1
+ mapping OID.1.1:OID.2.1
+ issuer CANavy
+ policy OID.2.0
+ policy OID.2.1
+ mapping OID.2.1:OID.1.1
+
+entity CA1
+ type Intermediate
+ issuer Bridge
+ policy OID.1.1
+ policy OID.2.1
+
+entity CA2
+ type Intermediate
+ issuer Bridge
+ policy OID.1.0
+ policy OID.2.0
+
+entity EE1
+ type EE
+ issuer CA1
+ policy OID.2.1
+
+entity EE2
+ type EE
+ issuer CA2
+ policy OID.2.0
+
+testdb
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.1.0
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.1.1
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.2.0
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.2.1
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.1.0
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.1.1
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.2.0
+ result fail
+
+verify EE1:CA1
+ cert CA1:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.2.1
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.1.0
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.1.1
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.2.0
+ result pass
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CANavy
+ cert CANavy:Navy
+ trust Navy:
+ policy OID.2.1
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.1.0
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.1.1
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.2.0
+ result fail
+
+verify EE2:CA2
+ cert CA2:Bridge
+ cert Bridge:CAArmy
+ cert CAArmy:Army
+ trust Army:
+ policy OID.2.1
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/crldp.cfg b/security/nss/tests/chains/scenarios/crldp.cfg
new file mode 100644
index 0000000000..a9949ae404
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/crldp.cfg
@@ -0,0 +1,105 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario CRLDP
+
+entity Root
+ type Root
+
+entity CA0
+ type Intermediate
+ issuer Root
+
+entity CA1
+ type Intermediate
+ crldp CA0
+ issuer CA0
+ serial 10
+ aia CA0:Root
+
+entity EE11
+ type EE
+ crldp CA0
+ issuer CA1
+
+entity CA2
+ type Intermediate
+ crldp CA0
+ issuer CA0
+ serial 20
+ aia CA0:Root
+
+entity EE21
+ type EE
+ issuer CA2
+
+entity EE1
+ type EE
+ crldp CA0
+ issuer CA0
+ serial 30
+ aia CA0:Root
+
+entity EE2
+ type EE
+ crldp CA0
+ issuer CA0
+ serial 40
+ aia CA0:Root
+
+crl Root
+crl CA0
+crl CA1
+crl CA2
+
+revoke CA0
+ serial 20
+
+revoke CA0
+ serial 40
+
+copycrl CA0
+
+db All
+
+import Root::CTu,CTu,CTu
+
+# intermediate CA - OK, EE - OK
+verify EE11:CA1
+ cert CA1:CA0
+ trust Root:
+ fetch
+ rev_type chain
+ rev_flags requireFreshInfo
+ rev_mtype crl
+ result pass
+
+# intermediate CA - revoked, EE - OK
+verify EE21:CA2
+ cert CA2:CA0
+ trust Root:
+ fetch
+ rev_type chain
+ rev_flags requireFreshInfo
+ rev_mtype crl
+ result fail
+
+# direct EE - OK
+verify EE1:CA0
+ trust Root:
+ fetch
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype crl
+ result pass
+
+# direct EE - revoked
+verify EE2:CA0
+ trust Root:
+ fetch
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype crl
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/dsa.cfg b/security/nss/tests/chains/scenarios/dsa.cfg
new file mode 100644
index 0000000000..896e455fe1
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/dsa.cfg
@@ -0,0 +1,72 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario DSA
+
+entity Root
+ type Root
+ ctype dsa
+
+entity CA1
+ type Intermediate
+ issuer Root
+ ctype dsa
+
+entity EE1
+ type EE
+ issuer CA1
+ ctype dsa
+
+entity CA2
+ type Intermediate
+ issuer Root
+ ctype dsa
+
+entity EE2
+ type EE
+ issuer CA2
+ ctype rsa
+
+entity CA3
+ type Intermediate
+ issuer Root
+ ctype rsa
+
+entity EE3
+ type EE
+ issuer CA3
+ ctype dsa
+
+entity CA4
+ type Intermediate
+ issuer Root
+ ctype rsa
+
+entity EE4
+ type EE
+ issuer CA4
+ ctype rsa
+
+db All
+
+verify EE1:CA1
+ cert CA1:Root
+ trust Root:
+ result pass
+
+verify EE2:CA2
+ cert CA2:Root
+ trust Root:
+ result pass
+
+verify EE3:CA3
+ cert CA3:Root
+ trust Root:
+ result pass
+
+verify EE4:CA4
+ cert CA4:Root
+ trust Root:
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/explicitPolicy.cfg b/security/nss/tests/chains/scenarios/explicitPolicy.cfg
new file mode 100644
index 0000000000..20f79c45b6
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/explicitPolicy.cfg
@@ -0,0 +1,78 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario explicitPolicy
+
+entity Root
+ type Root
+
+entity nonEVCA
+ type Intermediate
+ issuer Root
+
+entity EVCA
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+
+entity otherEVCA
+ type Intermediate
+ issuer Root
+ policy OID.2.0
+
+entity validEV
+ type EE
+ issuer EVCA
+ policy OID.1.0
+
+entity invalidEV
+ type EE
+ issuer nonEVCA
+ policy OID.1.0
+
+entity wrongEVOID
+ type EE
+ issuer otherEVCA
+ policy OID.1.0
+
+db All
+
+verify validEV:EVCA
+ cert EVCA:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result pass
+
+verify invalidEV:nonEVCA
+ cert nonEVCA:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result fail
+
+verify wrongEVOID:otherEVCA
+ cert otherEVCA:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result fail
+
+import Root::C,C,C
+
+verify validEV:EVCA
+ cert EVCA:Root
+ policy OID.1.0
+ result pass
+
+verify invalidEV:nonEVCA
+ cert nonEVCA:Root
+ policy OID.1.0
+ result fail
+
+verify wrongEVOID:otherEVCA
+ cert otherEVCA:Root
+ policy OID.1.0
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/extension.cfg b/security/nss/tests/chains/scenarios/extension.cfg
new file mode 100644
index 0000000000..fd1c3a0da7
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/extension.cfg
@@ -0,0 +1,102 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Extension
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+
+entity User
+ type EE
+ issuer CA2
+ policy OID.1.0
+
+db All
+
+verify User:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ cert Root:
+ trust Root:
+ policy OID.2.0
+ result fail
+
+verify User:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ trust CA1:Root
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ trust CA1:Root
+ policy OID.2.0
+ result fail
+
+verify User:CA2
+ cert CA2:CA1
+ trust CA2:CA1
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ cert CA2:CA1
+ trust CA2:CA1
+ policy OID.2.0
+ result fail
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+
+verify User:CA2
+ trust Root
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ trust Root
+ policy OID.2.0
+ result fail
+
+verify User:CA2
+ trust CA1
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ trust CA1
+ policy OID.2.0
+ result fail
+
+verify User:CA2
+ trust CA2
+ policy OID.1.0
+ result pass
+
+verify User:CA2
+ trust CA2
+ policy OID.2.0
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/extension2.cfg b/security/nss/tests/chains/scenarios/extension2.cfg
new file mode 100644
index 0000000000..9a6a7cd2df
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/extension2.cfg
@@ -0,0 +1,140 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Extension2
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+ policy OID.2.0
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+ policy OID.2.0
+
+entity User1
+ type EE
+ issuer CA2
+ policy OID.1.0
+
+entity User2
+ type EE
+ issuer CA2
+ policy OID.1.0
+ policy OID.2.0
+
+db All
+
+verify User1:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ cert Root:
+ trust Root:
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ cert Root:
+ trust Root:
+ policy OID.2.0
+ result fail
+
+verify User1:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ trust CA1:Root
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ cert CA2:CA1
+ cert CA1:Root
+ trust CA1:Root
+ policy OID.2.0
+ result fail
+
+verify User1:CA2
+ cert CA2:CA1
+ trust CA2:CA1
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ cert CA2:CA1
+ trust CA2:CA1
+ policy OID.2.0
+ result fail
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+
+verify User1:CA2
+ trust Root
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ trust Root
+ policy OID.2.0
+ result fail
+
+verify User1:CA2
+ trust CA1
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ trust CA1
+ policy OID.2.0
+ result fail
+
+verify User1:CA2
+ trust CA2
+ policy OID.1.0
+ result pass
+
+verify User1:CA2
+ trust CA2
+ policy OID.2.0
+ result fail
+
+verify User2:CA2
+ trust Root
+ policy OID.1.0
+ result pass
+
+verify User2:CA2
+ trust Root
+ policy OID.2.0
+ result pass
+
+verify User2:CA2
+ trust CA1
+ policy OID.1.0
+ result pass
+
+verify User2:CA2
+ trust CA1
+ policy OID.2.0
+ result pass
+
+verify User2:CA2
+ trust CA2
+ policy OID.1.0
+ result pass
+
+verify User2:CA2
+ trust CA2
+ policy OID.2.0
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/ipsec.cfg b/security/nss/tests/chains/scenarios/ipsec.cfg
new file mode 100644
index 0000000000..8c1ef3994d
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/ipsec.cfg
@@ -0,0 +1,149 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario IPsec
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+
+entity NoKU
+ type EE
+ issuer CA1
+
+entity DigSig
+ type EE
+ issuer CA1
+ ku digitalSignature
+
+entity NonRep
+ type EE
+ issuer CA1
+ ku nonRepudiation
+
+entity DigSigNonRepAndExtra
+ type EE
+ issuer CA1
+ ku digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+
+entity NoMatch
+ type EE
+ issuer CA1
+ ku keyEncipherment,dataEncipherment,keyAgreement
+
+entity NonCriticalServerAuthEKU
+ type EE
+ issuer CA1
+ eku serverAuth
+
+entity NonIPSECEKU
+ type EE
+ issuer CA1
+ eku codeSigning
+
+entity CriticalServerAuthEKU
+ type EE
+ issuer CA1
+ ku digitalSignature
+ eku critical,serverAuth
+
+entity EKUIPsecIKE
+ type EE
+ issuer CA1
+ ku digitalSignature
+ eku critical,ipsecIKE
+
+entity EKUIPsecIKEEnd
+ type EE
+ issuer CA1
+ ku digitalSignature
+ eku ipsecIKEEnd
+
+entity EKUIPsecIKEIntermediate
+ type EE
+ issuer CA1
+ ku digitalSignature
+ eku codeSigning,serverAuth,ipsecIKEIntermediate
+
+entity EKUAny
+ type EE
+ issuer CA1
+ ku digitalSignature
+ eku x509Any
+
+entity EKUEmail
+ type EE
+ issuer CA1
+ ku digitalSignature
+ eku emailProtection
+
+entity EKUIPsecUser
+ type EE
+ issuer CA1
+ ku digitalSignature
+ eku ipsecUser
+
+db All
+
+import Root::C,,
+import CA1:Root:
+
+verify NoKU:CA1
+ usage 12
+ result pass
+
+verify DigSig:CA1
+ usage 12
+ result pass
+
+verify NonRep:CA1
+ usage 12
+ result pass
+
+verify DigSigNonRepAndExtra:CA1
+ usage 12
+ result pass
+
+verify NoMatch:CA1
+ usage 12
+ result fail
+
+verify NonIPSECEKU:CA1
+ usage 12
+ result fail
+
+verify NonCriticalServerAuthEKU:CA1
+ usage 12
+ result pass
+
+verify CriticalServerAuthEKU:CA1
+ usage 12
+ result pass
+
+verify EKUIPsecIKE:CA1
+ usage 12
+ result pass
+
+verify EKUIPsecIKEEnd:CA1
+ usage 12
+ result pass
+
+verify EKUIPsecIKEIntermediate:CA1
+ usage 12
+ result pass
+
+verify EKUAny:CA1
+ usage 12
+ result pass
+
+verify EKUEmail:CA1
+ usage 12
+ result pass
+
+verify EKUIPsecUser:CA1
+ usage 12
+ result pass
diff --git a/security/nss/tests/chains/scenarios/mapping.cfg b/security/nss/tests/chains/scenarios/mapping.cfg
new file mode 100644
index 0000000000..d4e4a296db
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/mapping.cfg
@@ -0,0 +1,63 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Mapping
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+ mapping OID.1.0:OID.1.1
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.1
+
+entity User
+ type EE
+ issuer CA2
+ policy OID.1.1
+
+db All
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+
+verify User:CA2
+ trust Root
+ policy OID.1.0
+# should fail, bug 430859
+ result pass
+
+verify User:CA2
+ trust Root
+ policy OID.1.1
+# should pass, bug 430859
+ result fail
+
+verify User:CA2
+ trust CA1
+ policy OID.1.0
+ result fail
+
+verify User:CA2
+ trust CA1
+ policy OID.1.1
+ result pass
+
+verify User:CA2
+ trust CA2
+ policy OID.1.0
+ result fail
+
+verify User:CA2
+ trust CA2
+ policy OID.1.1
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/mapping2.cfg b/security/nss/tests/chains/scenarios/mapping2.cfg
new file mode 100644
index 0000000000..cae1daf070
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/mapping2.cfg
@@ -0,0 +1,71 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Mapping2
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+ policy OID.1.0
+
+entity CA2
+ type Intermediate
+ issuer CA1
+ policy OID.1.0
+ mapping OID.1.0:OID.1.1
+
+entity CA3
+ type Intermediate
+ issuer CA2
+ policy OID.1.1
+
+entity User
+ type EE
+ issuer CA3
+ policy OID.1.1
+
+db All
+
+import Root::
+import CA1:Root:
+import CA2:CA1:
+import CA3:CA2:
+
+verify User:CA3
+ trust Root
+ policy OID.1.0
+# should fail, bug 430859
+ result pass
+
+verify User:CA3
+ trust Root
+ policy OID.1.1
+# should pass, bug 430859
+ result fail
+
+verify User:CA3
+ trust CA1
+ policy OID.1.0
+# should fail, bug 430859
+ result pass
+
+verify User:CA3
+ trust CA1
+ policy OID.1.1
+# should pass, bug 430859
+ result fail
+
+verify User:CA3
+ trust CA2
+ policy OID.1.0
+ result fail
+
+verify User:CA3
+ trust CA2
+ policy OID.1.1
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/megabridge_3_2.cfg b/security/nss/tests/chains/scenarios/megabridge_3_2.cfg
new file mode 100644
index 0000000000..f1d4545fc6
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/megabridge_3_2.cfg
@@ -0,0 +1,130 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario MegaBridge_3_2
+
+entity Root1
+ type Root
+
+entity Root2
+ type Root
+
+entity Root3
+ type Root
+
+entity Root4
+ type Root
+
+entity Root5
+ type Root
+
+entity Root6
+ type Root
+
+entity Root7
+ type Root
+
+entity Root8
+ type Root
+
+entity Root9
+ type Root
+
+entity Bridge11
+ type Bridge
+ issuer Root1
+ issuer Root2
+ issuer Root3
+
+entity Bridge12
+ type Bridge
+ issuer Root4
+ issuer Root5
+ issuer Root6
+
+entity Bridge13
+ type Bridge
+ issuer Root7
+ issuer Root8
+ issuer Root9
+
+entity Bridge21
+ type Bridge
+ issuer Bridge11
+ issuer Bridge12
+ issuer Bridge13
+
+entity CA1
+ type Intermediate
+ issuer Bridge21
+
+entity EE1
+ type EE
+ issuer CA1
+
+testdb EE1
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge11
+ cert Bridge11:Root1
+ trust Root1:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge11
+ cert Bridge11:Root2
+ trust Root2:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge11
+ cert Bridge11:Root3
+ trust Root3:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge12
+ cert Bridge12:Root4
+ trust Root4:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge12
+ cert Bridge12:Root5
+ trust Root5:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge12
+ cert Bridge12:Root6
+ trust Root6:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge13
+ cert Bridge13:Root7
+ trust Root7:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge13
+ cert Bridge13:Root8
+ trust Root8:
+ result pass
+
+verify EE1:CA1
+ cert CA1:Bridge21
+ cert Bridge21:Bridge13
+ cert Bridge13:Root9
+ trust Root9:
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/method.cfg b/security/nss/tests/chains/scenarios/method.cfg
new file mode 100644
index 0000000000..4223c39cc4
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/method.cfg
@@ -0,0 +1,25 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Method
+
+check_ocsp OCSPEE11OCSPCA1:d
+
+testdb ../OCSPD/Client
+
+#EE - OK, CA - OK
+verify OCSPEE11OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result pass
+
+#EE - revoked, CA - OK
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
diff --git a/security/nss/tests/chains/scenarios/nameconstraints.cfg b/security/nss/tests/chains/scenarios/nameconstraints.cfg
new file mode 100644
index 0000000000..a2de4be446
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/nameconstraints.cfg
@@ -0,0 +1,178 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario TrustAnchors
+
+db trustanchors
+
+import NameConstraints.ca:x:CT,C,C
+# Name Constrained CA: Name constrained to permited DNSName ".example"
+import NameConstraints.ncca:x:CT,C,C
+import NameConstraints.dcisscopy:x:CT,C,C
+import NameConstraints.ipaca:x:CT,C,C
+
+# Intermediate 1: Name constrained to permited DNSName ".example"
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server1:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
+verify NameConstraints.server3:x
+ cert NameConstraints.intermediate:x
+ result pass
+
+# Intermediate 2: No name constraints, signed by Intermediate 1 (inherits name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server4:x
+ cert NameConstraints.intermediate2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server5:x
+ cert NameConstraints.intermediate2:x
+ cert NameConstraints.intermediate:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
+verify NameConstraints.server6:x
+ cert NameConstraints.intermediate2:x
+ cert NameConstraints.intermediate:x
+ result pass
+
+# Intermediate 3: Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=NSS Intermediate CA3"
+# Name constrained to a permitted DirectoryName of "C=US, ST=CA, O=Foo"
+# and a permitted DNSName of "foo.example"
+
+# Intermediate 4: Subject: "C=US, ST=CA, O=Foo, CN=NSS Intermediate CA 2"
+# No name constraints present
+# Signed by Intermediate 3 (inherits name constraints)
+
+# Subject: "C=US, ST=CA, O=Foo, OU=bar, CN=bat.foo.example", no SAN
+verify NameConstraints.server7:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bat.foo.example", no SAN
+verify NameConstraints.server8:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result pass
+
+# Subject: "C=US, O=Foo, CN=bat.foo.example", no SAN
+# Fail: ST is missing in the DirectoryName, thus not matching name constraints
+verify NameConstraints.server9:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bar.example"
+# Fail: CN not in name constraints
+verify NameConstraints.server10:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=site.example"
+# altDNS:foo.example
+# Pass: Ignores CN constraint name violation because SAN is present
+verify NameConstraints.server11:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=Honest Achmed"
+# Fail: CN does not match DNS name constraints - even though is not 'DNS shaped'
+verify NameConstraints.server12:x
+ cert NameConstraints.intermediate4:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Intermediate 5: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA 2"
+# No name constraints present
+# Signed by Intermediate 3.
+# Intermediate 5's subject is not in Intermediate 3's permitted
+# names, so all certs issued by it are invalid.
+
+# Subject: "C=US, ST=CA, O=OtherOrg, CN=bat.foo.example"
+# Fail: Org matches Intermediate 5's name constraints, but does not match
+# Intermediate 3' name constraints
+verify NameConstraints.server13:x
+ cert NameConstraints.intermediate5:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=another.foo.example"
+# Fail: Matches Intermediate 5's name constraints, but fails because
+# Intermediate 5 does not match Intermediate 3's name constraints
+verify NameConstraints.server14:x
+ cert NameConstraints.intermediate5:x
+ cert NameConstraints.intermediate3:x
+ result fail
+
+# Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6"
+# No name constraints present
+# Signed by Named Constrained CA (inherits root name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid"
+# altDNS: testfoo.invalid
+# Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server15:x
+ cert NameConstraints.intermediate6:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN
+# Fail: CN not in name constraints
+verify NameConstraints.server16:x
+ cert NameConstraints.intermediate6:x
+ result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example"
+# altDNS: test4.example
+verify NameConstraints.server17:x
+ cert NameConstraints.intermediate6:x
+ result pass
+
+# Subject: "C = US, ST=CA, O=Foo CN=foo.example.com"
+verify NameConstraints.dcissblocked:x
+ result fail
+
+# Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr"
+verify NameConstraints.dcissallowed:x
+ result pass
+
+# Subject: "O = IPA.LOCAL 20200120, CN = OCSP and IPSEC"
+# EKUs: OCSPSigning,ipsecUser
+#
+# This tests that a non server certificate (i.e. id-kp-serverAuth
+# not present in EKU) does *NOT* have CN treated as dnsName for
+# purposes of Name Constraints validation (certificateUsageStatusResponder)
+# https://hg.mozilla.org/projects/nss/rev/0b30eb1c3650
+verify NameConstraints.ocsp1:x
+ usage 10
+ result pass
+
+# This tests that a non server certificate (i.e. id-kp-serverAuth
+# not present in EKU) does *NOT* have CN treated as dnsName for
+# purposes of Name Constraints validation (certificateUsageIPsec)
+verify NameConstraints.ocsp1:x
+ usage 12
+ result pass
diff --git a/security/nss/tests/chains/scenarios/ocsp.cfg b/security/nss/tests/chains/scenarios/ocsp.cfg
new file mode 100644
index 0000000000..cdfff89fec
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/ocsp.cfg
@@ -0,0 +1,177 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario OCSP
+
+check_ocsp OCSPEE11OCSPCA1:d
+
+db OCSPRoot
+import OCSPRoot:d:CT,C,C
+
+db OCSPCA1
+import_key OCSPCA1
+
+crl OCSPCA1
+
+revoke OCSPCA1
+ serial 3
+
+revoke OCSPCA1
+ serial 4
+
+testdb OCSPRoot
+
+#EE - OK, CA - OK
+verify OCSPEE11OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result pass
+
+#EE - revoked, CA - OK
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - unknown
+verify OCSPEE15OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ result pass
+
+#EE - unknown, requireFreshInfo
+verify OCSPEE15OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - OK, CA - revoked, leaf, no fresh info
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ result pass
+
+#EE - OK, CA - revoked, leaf, requireFreshInfo
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - OK, CA - revoked, chain, requireFreshInfo
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type chain
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - OK, CA - unknown
+verify OCSPEE31OCSPCA3:d
+ cert OCSPCA3OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ result pass
+
+#EE - OK, CA - unknown, requireFreshInfo
+verify OCSPEE31OCSPCA3:d
+ cert OCSPCA3OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_flags requireFreshInfo
+ rev_mtype ocsp
+ result fail
+
+#EE - revoked, doNotUse
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ rev_mflags doNotUse
+ result pass
+
+#EE - revoked, forbidFetching
+verify OCSPEE12OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ rev_mflags forbidFetching
+ result pass
+
+#EE - unknown status, failIfNoInfo
+verify OCSPEE15OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ rev_mflags failIfNoInfo
+ result fail
+
+#EE - OK, CA - revoked, leaf, failIfNoInfo
+verify OCSPEE21OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type leaf
+ rev_mtype ocsp
+ rev_mflags failIfNoInfo
+ result fail
+
+testdb OCSPCA1
+
+#EE - OK on OCSP, revoked locally - should fail ??
+# two things about this test: crl is not imported into the db and
+# cert 13 is not revoked by crl.
+verify OCSPEE13OCSPCA1:d
+ cert OCSPCA1OCSPRoot:d
+ trust OCSPCA1
+ rev_type leaf
+ rev_flags testLocalInfoFirst
+ rev_mtype ocsp
+ result pass
+
+db OCSPRoot1
+import OCSPRoot:d:CT,C,C
+
+verify OCSPEE23OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type chain
+ rev_mtype ocsp
+ rev_type leaf
+ rev_mtype ocsp
+ result fail
+
+db OCSPRoot2
+import OCSPRoot:d:T,,
+
+# bug 527438
+# expected result of this test is FAIL
+verify OCSPEE23OCSPCA2:d
+ cert OCSPCA2OCSPRoot:d
+ trust OCSPRoot
+ rev_type chain
+ rev_mtype ocsp
+ rev_type leaf
+ rev_mtype ocsp
+ result pass
+
diff --git a/security/nss/tests/chains/scenarios/ocspd.cfg b/security/nss/tests/chains/scenarios/ocspd.cfg
new file mode 100644
index 0000000000..e48f9068ea
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/ocspd.cfg
@@ -0,0 +1,172 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario OCSPD
+
+#root CA
+entity OCSPRoot
+ type Root
+ export_key
+
+#CA - OK
+entity OCSPCA1
+ type Intermediate
+ issuer OCSPRoot
+ serial 1
+ ocsp online
+ export_key
+
+#CA - revoked
+entity OCSPCA2
+ type Intermediate
+ issuer OCSPRoot
+ serial 2
+ ocsp online
+ export_key
+
+#CA - unknown status
+entity OCSPCA3
+ type Intermediate
+ issuer OCSPRoot
+ serial 3
+ ocsp offline
+ export_key
+
+#EE - OK
+entity OCSPEE11
+ type EE
+ issuer OCSPCA1
+ serial 1
+ ocsp online
+
+#EE - revoked on OCSP
+entity OCSPEE12
+ type EE
+ issuer OCSPCA1
+ serial 2
+ ocsp online
+
+#EE - revoked on CRL
+entity OCSPEE13
+ type EE
+ issuer OCSPCA1
+ serial 3
+ ocsp online
+
+#EE - revoked on OCSP and CRL
+entity OCSPEE14
+ type EE
+ issuer OCSPCA1
+ serial 4
+ ocsp online
+
+#EE - unknown status
+entity OCSPEE15
+ type EE
+ issuer OCSPCA1
+ serial 5
+ ocsp offline
+
+#EE - valid EE, revoked CA
+entity OCSPEE21
+ type EE
+ issuer OCSPCA2
+ serial 1
+ ocsp online
+
+#EE - revoked EE, revoked CA
+entity OCSPEE22
+ type EE
+ issuer OCSPCA2
+ serial 2
+ ocsp online
+
+#EE - revoked EE, CA pointing to invalid OCSP
+entity OCSPEE23
+ type EE
+ issuer OCSPCA2
+ serial 3
+ ocsp offline
+
+#EE - valid EE, CA pointing to invalid OCSP
+entity OCSPEE31
+ type EE
+ issuer OCSPCA3
+ serial 1
+ ocsp online
+
+#EE - revoked EE, CA pointing to invalid OCSP
+entity OCSPEE32
+ type EE
+ issuer OCSPCA3
+ serial 2
+ ocsp online
+
+#EE - EE pointing to invalid OCSP, CA pointing to invalid OCSP
+entity OCSPEE33
+ type EE
+ issuer OCSPCA3
+ serial 3
+ ocsp offline
+
+crl OCSPRoot
+
+revoke OCSPRoot
+ serial 2
+
+crl OCSPCA1
+
+revoke OCSPCA1
+ serial 2
+
+revoke OCSPCA1
+ serial 4
+
+crl OCSPCA2
+
+revoke OCSPCA2
+ serial 2
+
+revoke OCSPCA2
+ serial 3
+
+crl OCSPCA3
+
+revoke OCSPCA3
+ serial 2
+
+revoke OCSPCA3
+ serial 3
+
+# Used for running a single OCSP server (httpserv) instance that can
+# handle multiple CAs, e.g.:
+# httpserv -p 8641 -d . -f dbpasswd \
+# -A OCSPRoot -C OCSPRoot.crl -A OCSPCA1 -C OCSPCA1.crl \
+# -A OCSPCA2 -C OCSPCA2.crl -A OCSPCA3 -C OCSPCA3.crl
+db Server
+import OCSPRoot::CT,C,C
+import_key OCSPRoot
+import_key OCSPCA1
+import_key OCSPCA2
+import_key OCSPCA3
+
+# A DB containing all certs, but no keys.
+# Useful for manual OCSP client testing, e.g.:
+# ocspclnt -d . -S OCSPEE12OCSPCA1 -u s
+db Client
+import OCSPRoot::CT,C,C
+import OCSPCA1OCSPRoot::
+import OCSPCA2OCSPRoot::
+import OCSPCA3OCSPRoot::
+import OCSPEE11OCSPCA1::
+import OCSPEE12OCSPCA1::
+import OCSPEE13OCSPCA1::
+import OCSPEE14OCSPCA1::
+import OCSPEE15OCSPCA1::
+import OCSPEE21OCSPCA2::
+import OCSPEE22OCSPCA2::
+import OCSPEE23OCSPCA2::
+import OCSPEE31OCSPCA3::
+import OCSPEE32OCSPCA3::
+import OCSPEE33OCSPCA3::
diff --git a/security/nss/tests/chains/scenarios/realcerts.cfg b/security/nss/tests/chains/scenarios/realcerts.cfg
new file mode 100644
index 0000000000..f8b0fc4525
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/realcerts.cfg
@@ -0,0 +1,30 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario RealCerts
+
+db All
+
+import TestCA.ca:x:CT,C,C
+import TestUser50:x:
+import TestUser51:x:
+import PayPalRootCA:x:CT,C,C
+import PayPalICA:x:
+import PayPalEE:x:
+import BrAirWaysBadSig:x:
+
+verify TestUser50:x
+ result pass
+
+verify TestUser51:x
+ result pass
+
+verify PayPalEE:x
+ policy OID.2.16.840.1.114412.2.1
+ at_time 2201010000Z
+ result pass
+
+verify BrAirWaysBadSig:x
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/revoc.cfg b/security/nss/tests/chains/scenarios/revoc.cfg
new file mode 100644
index 0000000000..a4ec78622b
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/revoc.cfg
@@ -0,0 +1,86 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario Revocation
+
+entity Root
+ type Root
+ serial 10
+
+entity CA0
+ type Intermediate
+ issuer Root
+ serial 11
+
+entity CA1
+ type Intermediate
+ issuer CA0
+ serial 12
+
+entity EE11
+ type EE
+ issuer CA1
+ serial 13
+
+entity EE12
+ type EE
+ issuer CA1
+ serial 14
+
+entity CA2
+ type Intermediate
+ issuer CA0
+ serial 15
+
+entity EE21
+ type EE
+ issuer CA2
+ serial 16
+
+crl Root
+crl CA0
+crl CA1
+crl CA2
+
+revoke CA1
+ serial 14
+
+revoke CA0
+ serial 15
+
+db All
+
+import Root::CTu,CTu,CTu
+import CA0:Root:
+import CA1:CA0:
+import CA2:CA0:
+
+# EE11 - not revoked
+verify EE11:CA1
+ trust Root:
+ rev_type leaf
+ rev_mtype crl
+ result pass
+
+# EE12 - revoked
+verify EE12:CA1
+ trust Root:
+ rev_type leaf
+ rev_mtype crl
+ result fail
+
+# EE11 - CA1 not revoked
+verify EE11:CA1
+ trust Root:
+ rev_type chain
+ rev_mtype crl
+ result pass
+
+# EE21 - CA2 revoked
+verify EE21:CA2
+ trust Root:
+ rev_type chain
+ rev_mtype crl
+ result fail
+
diff --git a/security/nss/tests/chains/scenarios/scenarios b/security/nss/tests/chains/scenarios/scenarios
new file mode 100644
index 0000000000..4eafd9c8d0
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/scenarios
@@ -0,0 +1,25 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+bridge.cfg
+megabridge_3_2.cfg
+extension.cfg
+extension2.cfg
+anypolicy.cfg
+anypolicywithlevel.cfg
+explicitPolicy.cfg
+mapping.cfg
+mapping2.cfg
+aia.cfg
+bridgewithaia.cfg
+bridgewithhalfaia.cfg
+bridgewithpolicyextensionandmapping.cfg
+realcerts.cfg
+dsa.cfg
+revoc.cfg
+ocsp.cfg
+crldp.cfg
+trustanchors.cfg
+nameconstraints.cfg
+ipsec.cfg
diff --git a/security/nss/tests/chains/scenarios/trustanchors.cfg b/security/nss/tests/chains/scenarios/trustanchors.cfg
new file mode 100644
index 0000000000..db18990ac6
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/trustanchors.cfg
@@ -0,0 +1,114 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario TrustAnchors
+
+entity RootCA
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer RootCA
+
+entity CA2
+ type Intermediate
+ issuer CA1
+
+entity EE1
+ type EE
+ issuer CA2
+
+entity OtherRoot
+ type Root
+
+entity OtherIntermediate
+ type Intermediate
+ issuer OtherRoot
+
+entity EE2
+ type EE
+ issuer OtherIntermediate
+
+# Scenarios where trust only comes from the DB
+db DBOnly
+
+import RootCA::CT,C,C
+import CA1:RootCA:
+
+# Simple chaining - no trust anchors
+verify EE1:CA2
+ cert CA2:CA1
+ result pass
+
+# Simple trust anchors - ignore the Cert DB
+verify EE1:CA2
+ trust CA2:CA1
+ result pass
+
+# Redundant trust - trust anchor and DB
+verify EE1:CA2
+ cert CA2:CA1
+ trust RootCA
+ result pass
+
+
+# Scenarios where trust only comes from trust anchors
+db TrustOnly
+
+# Simple checking - direct trust anchor
+verify EE1:CA2
+ cert CA2:CA1
+ cert CA1:RootCA:
+ trust RootCA:
+ result pass
+
+# Partial chain (not self-signed), with a trust anchor
+verify EE1:CA2
+ trust CA2:CA1
+ result pass
+
+
+# Scenarios where trust comes from both trust anchors and the DB
+db TrustAndDB
+
+import RootCA::CT,C,C
+import CA1:RootCA:
+
+# Check that trust in the DB works
+verify EE1:CA2
+ cert CA2:CA1
+ result pass
+
+# Check that trust anchors work
+verify EE2:OtherIntermediate
+ cert OtherIntermediate:OtherRoot
+ trust OtherRoot:
+ result pass
+
+# Check that specifying a trust anchor still allows searching the cert DB
+verify EE1:CA2
+ trust_and_db
+ cert CA2:CA1
+ trust OtherIntermediate:OtherRoot
+ trust OtherRoot:
+ result pass
+
+# Scenarios where the trust DB has explicitly distrusted one or more certs,
+# even when the trust anchors indicate trust
+db ExplicitDistrust
+
+import RootCA::CT,C,C
+import CA1:RootCA:p,p,p
+import OtherRoot::p,p,p
+
+# Verify that a distrusted intermediate, but trusted root, is rejected.
+verify EE1:CA2
+ cert CA2:CA1
+ trust CA1:RootCA
+ result fail
+
+# Verify that a trusted intermediate, but distrusted root, is accepted.
+verify EE2:OtherIntermediate
+ trust OtherIntermediate:OtherRoot
+ result pass