summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/tests/unit
diff options
context:
space:
mode:
Diffstat (limited to 'security/manager/ssl/tests/unit')
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/default-ee.key28
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/default-ee.pem21
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem17
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ev-test.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/evroot.key28
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/evroot.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/expired-ee.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/expired-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/expiredINT.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/expiredINT.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key16
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem17
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/md5signature.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/md5signature.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatch.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem17
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mitm.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/mitm.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/noValidNames.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/noValidNames.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/notYetValid.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/notYetValid.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem19
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem21
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/other-test-ca.key28
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/other-test-ca.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem21
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem21
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/selfsigned.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/selfsigned.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/test-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/test-ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/test-int.pem18
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/test-int.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem22
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem20
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/v1Cert.pem17
-rw-r--r--security/manager/ssl/tests/unit/bad_certs/v1Cert.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/corrupted_crlite_helper.js103
-rwxr-xr-xsecurity/manager/ssl/tests/unit/crlite_enrollment_id.py33
-rwxr-xr-xsecurity/manager/ssl/tests/unit/crlite_key.py58
-rw-r--r--security/manager/ssl/tests/unit/head_psm.js1187
-rw-r--r--security/manager/ssl/tests/unit/moz.build10
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem20
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/default-ee.key28
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/default-ee.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem21
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem18
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem18
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem19
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem18
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem18
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem18
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem19
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem19
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem19
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem19
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem18
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem20
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem19
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key28
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key16
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem15
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/test-int.pem18
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/test-int.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem19
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem19
-rw-r--r--security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/pkcs11testmodule/moz.build20
-rw-r--r--security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.cpp597
-rw-r--r--security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.symbols1
-rw-r--r--security/manager/ssl/tests/unit/requirements.txt6
-rwxr-xr-xsecurity/manager/ssl/tests/unit/sign_app.py426
-rw-r--r--security/manager/ssl/tests/unit/test_add_preexisting_cert.js46
-rw-r--r--security/manager/ssl/tests/unit/test_allow_all_cert_errors.js25
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js78
-rw-r--r--security/manager/ssl/tests/unit/test_blocklist_onecrl.js182
-rw-r--r--security/manager/ssl/tests/unit/test_broken_fips.js61
-rw-r--r--security/manager/ssl/tests/unit/test_broken_fips/key4.dbbin0 -> 36864 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt5
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js56
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js117
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import.js217
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfxbin0 -> 2041 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfxbin0 -> 2068 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfxbin0 -> 2068 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12bin0 -> 3239 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js126
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js148
-rw-r--r--security/manager/ssl/tests/unit/test_cert_chains.js394
-rw-r--r--security/manager/ssl/tests/unit/test_cert_dbKey.js263
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku.js189
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null.js54
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_expiration_canary.js40
-rw-r--r--security/manager/ssl/tests/unit/test_cert_isBuiltInRoot.js89
-rw-r--r--security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload.js143
-rw-r--r--security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/cert9.dbbin0 -> 28672 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/key4.dbbin0 -> 36864 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage.js76
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_override_read.js207
-rw-r--r--security/manager/ssl/tests/unit/test_cert_overrides.js734
-rw-r--r--security/manager/ssl/tests/unit/test_cert_overrides_read_only.js94
-rw-r--r--security/manager/ssl/tests/unit/test_cert_overrides_read_only/cert9.dbbin0 -> 28672 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_overrides_read_only/key4.dbbin0 -> 36864 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1.js53
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/ca.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures.js140
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem11
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem11
-rw-r--r--security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage.js258
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_broken_db.js72
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_direct.js417
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert-issuer.pem27
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert.pem41
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_direct/test-filter.crlitebin0 -> 15244 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert-issuer.pem27
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert.pem34
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_preexisting.js48
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.mdbbin0 -> 45056 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.safe.binbin0 -> 122 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_preexisting/lock.mdbbin0 -> 8192 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite.js83
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.coveragebin0 -> 97 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.enrollment1
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.filterbin0 -> 15244 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/data.safe.binbin0 -> 1607775 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust.js324
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust/ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust/ee.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust/int.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_utf8.js79
-rw-r--r--security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem24
-rw-r--r--security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version.js304
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem.certspec2
-rwxr-xr-xsecurity/manager/ssl/tests/unit/test_cert_version/generate.py93
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_constructX509FromBase64.js90
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing.js431
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem15
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem15
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem15
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem14
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem14
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem15
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/pysign.py36
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/test.txt1
-rw-r--r--security/manager/ssl/tests/unit/test_content_signing/test.txt.signature1
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_corrupted/bad.stash1
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_corrupted/hash-alg-0.filterbin0 -> 1 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-issuer-id.enrollment2
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-log-id.coverage2
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-max-timestamp.coveragebin0 -> 48 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-min-timestamp.coveragebin0 -> 36 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.coveragebin0 -> 49 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.enrollmentbin0 -> 33 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_coverage_missing.js17
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_coverage_trunc1.js17
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_coverage_trunc2.js19
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_coverage_trunc3.js19
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_coverage_version.js17
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_enrollment_trunc1.js19
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_enrollment_version.js17
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filter_corrupted.js21
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters.js880
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/20201017-0-filterbin0 -> 62 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/20201017-1-filter.stashbin0 -> 36632 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/20201201-3-filter.stashbin0 -> 57737 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/issuer.pem28
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/no-sct-issuer.pem27
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/no-sct.pem33
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/notcovered.pem38
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash-2.pem36
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash.pem36
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/revoked.pem42
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_filters/valid.pem39
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_preexisting.js208
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.coveragebin0 -> 97 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.enrollment1
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.stashbin0 -> 209843 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_crlite_stash_corrupted.js91
-rw-r--r--security/manager/ssl/tests/unit/test_ct.js72
-rw-r--r--security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem28
-rw-r--r--security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem34
-rw-r--r--security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_ct/default-ee.key28
-rw-r--r--security/manager/ssl/tests/unit/test_ct/default-ee.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_ct/default-ee.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ct/default-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_ct/test-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ct/test-ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_db_format_pref_new.js30
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials.js91
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key5
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem15
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem16
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key6
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_der.js355
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello.js101
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key28
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key28
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_encrypted_client_hello_client_only.js32
-rw-r--r--security/manager/ssl/tests/unit/test_enterprise_roots.js82
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs.js310
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem23
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem22
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/evroot.key28
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/evroot.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem23
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem22
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem22
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key28
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/default-ee.key5
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem14
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem14
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key5
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/test-int.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js119
-rw-r--r--security/manager/ssl/tests/unit/test_hash_algorithms.js158
-rw-r--r--security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js5
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js138
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads.js528
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key28
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_keysize.js204
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem13
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem13
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem15
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem13
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem11
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem11
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem12
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem13
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem12
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem13
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem13
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem14
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem11
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem12
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem12
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem9
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem10
-rw-r--r--security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev.js169
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem.certspec8
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key28
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key28
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key28
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/evroot.key28
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/evroot.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_logoutAndTeardown.js195
-rw-r--r--security/manager/ssl/tests/unit/test_missing_intermediate.js92
-rw-r--r--security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints.js71
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/dciss.pem22
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_nonascii_path.js52
-rw-r--r--security/manager/ssl/tests/unit/test_nsCertType.js32
-rw-r--r--security/manager/ssl/tests/unit/test_nsIX509CertValidity.js25
-rw-r--r--security/manager/ssl/tests/unit/test_nsIX509Cert_utf8.js96
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_caching.js479
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js146
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_must_staple.js160
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js58
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_private_caching.js115
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_required.js95
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_stapling.js393
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js317
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js48
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_timeout.js100
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url.js122
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/int.key28
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/int.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/int.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/int.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/sample_revocations.txt41
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_osclientcerts_module.js63
-rw-r--r--security/manager/ssl/tests/unit/test_oskeystore.js413
-rw-r--r--security/manager/ssl/tests/unit/test_osreauthenticator.js27
-rw-r--r--security/manager/ssl/tests/unit/test_password_prompt.js87
-rw-r--r--security/manager/ssl/tests/unit/test_pinning.js311
-rw-r--r--security/manager/ssl/tests/unit/test_pkcs11_module.js58
-rw-r--r--security/manager/ssl/tests/unit/test_pkcs11_moduleDB.js46
-rw-r--r--security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js58
-rw-r--r--security/manager/ssl/tests/unit/test_pkcs11_slot.js161
-rw-r--r--security/manager/ssl/tests/unit/test_pkcs11_token.js149
-rw-r--r--security/manager/ssl/tests/unit/test_pkcs11_tokenDB.js20
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/apple-ist-ca-8-g1-intermediate.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/cds-apple-com.pem38
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/default-ee.key28
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/default-ee.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem22
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem19
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem22
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem23
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js95
-rw-r--r--security/manager/ssl/tests/unit/test_sdr.js272
-rw-r--r--security/manager/ssl/tests/unit/test_sdr_preexisting.js79
-rw-r--r--security/manager/ssl/tests/unit/test_sdr_preexisting/key4.dbbin0 -> 36864 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js135
-rw-r--r--security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.dbbin0 -> 36864 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_self_signed_certs.js69
-rw-r--r--security/manager/ssl/tests/unit/test_self_signed_certs/cert9.dbbin0 -> 45056 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_session_resumption.js291
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps.js1038
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app/README1
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app/data/image.pngbin0 -> 534 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app/manifest.json5
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.manifest10
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.sigbin0 -> 655 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/README2
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/data/image.pngbin0 -> 534 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/manifest.json5
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zipbin0 -> 2678 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1.zipbin0 -> 2341 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-256.zipbin0 -> 2362 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1-256.zipbin0 -> 2624 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zipbin0 -> 2288 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-256.zipbin0 -> 2309 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1-256.zipbin0 -> 2643 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zipbin0 -> 2307 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-256.zipbin0 -> 2327 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1-256.zipbin0 -> 2562 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zipbin0 -> 2226 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-256.zipbin0 -> 2247 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1-256.zipbin0 -> 2513 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zipbin0 -> 2174 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-256.zipbin0 -> 2196 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1-256.zipbin0 -> 2526 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zipbin0 -> 2192 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-256.zipbin0 -> 2210 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1-256.zipbin0 -> 2601 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zipbin0 -> 2264 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-256.zipbin0 -> 2287 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1-256.zipbin0 -> 2549 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zipbin0 -> 2213 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-256.zipbin0 -> 2234 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1-256.zipbin0 -> 2567 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1.zipbin0 -> 2232 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zipbin0 -> 2251 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384.zipbin0 -> 459148 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256.zipbin0 -> 459984 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256.zipbin0 -> 458382 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256.zipbin0 -> 459272 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zipbin0 -> 459192 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zipbin0 -> 460028 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zipbin0 -> 458426 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zipbin0 -> 459315 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/big_manifest.zipbin0 -> 8107 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/bug_1411458.zipbin0 -> 2698 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zipbin0 -> 4046 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zipbin0 -> 3942 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zipbin0 -> 3400 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/cose_tampered_good_pkcs7.zipbin0 -> 3379 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/empty_signerInfos.zipbin0 -> 1890 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/huge_manifest.zipbin0 -> 31397 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/moz.build78
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/only_cose_multiple_signed.zipbin0 -> 2107 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zipbin0 -> 1563 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zipbin0 -> 2256 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zipbin0 -> 510 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/validity_expired.zipbin0 -> 3394 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/validity_not_yet_valid.zipbin0 -> 3393 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.derbin0 -> 794 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem.certspec6
-rw-r--r--security/manager/ssl/tests/unit/test_ssl_status.js75
-rw-r--r--security/manager/ssl/tests/unit/test_sss_enumerate.js79
-rw-r--r--security/manager/ssl/tests/unit/test_sss_eviction.js88
-rw-r--r--security/manager/ssl/tests/unit/test_sss_originAttributes.js99
-rw-r--r--security/manager/ssl/tests/unit/test_sss_readstate.js123
-rw-r--r--security/manager/ssl/tests/unit/test_sss_readstate_empty.js50
-rw-r--r--security/manager/ssl/tests/unit/test_sss_readstate_garbage.js95
-rw-r--r--security/manager/ssl/tests/unit/test_sss_readstate_huge.js80
-rw-r--r--security/manager/ssl/tests/unit/test_sss_resetState.js62
-rw-r--r--security/manager/ssl/tests/unit/test_sss_sanitizeOnShutdown.js69
-rw-r--r--security/manager/ssl/tests/unit/test_sss_savestate.js126
-rw-r--r--security/manager/ssl/tests/unit/test_sts_fqdn.js40
-rw-r--r--security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js55
-rw-r--r--security/manager/ssl/tests/unit/test_sts_parser.js123
-rw-r--r--security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js266
-rw-r--r--security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js22
-rw-r--r--security/manager/ssl/tests/unit/test_validity.js106
-rw-r--r--security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem21
-rw-r--r--security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec5
-rw-r--r--security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key28
-rw-r--r--security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem20
-rw-r--r--security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem.certspec8
-rw-r--r--security/manager/ssl/tests/unit/test_validity/evroot.key28
-rw-r--r--security/manager/ssl/tests/unit/test_validity/evroot.key.keyspec1
-rw-r--r--security/manager/ssl/tests/unit/test_validity/evroot.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_validity/evroot.pem.certspec7
-rw-r--r--security/manager/ssl/tests/unit/test_x509.js142
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp141
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/cmd/DelegatedCredentialsServer.cpp142
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/cmd/EncryptedClientHelloServer.cpp178
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp206
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp168
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp153
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp87
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/cmd/moz.build45
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/default-ee.der3
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp204
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h66
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp694
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h93
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/lib/moz.build50
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/moz.build8
-rw-r--r--security/manager/ssl/tests/unit/xpcshell-smartcards.ini17
-rw-r--r--security/manager/ssl/tests/unit/xpcshell.ini242
1006 files changed, 31059 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem
new file mode 100644
index 0000000000..0887f60558
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6DCCAdCgAwIBAgIUAyI54Ss40HvhJFymYwne7lBQZJ8wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAmMSQwIgYDVQQDDBtFRSB3aXRoIGJhZCBzdWJqZWN0QWx0TmFt
+ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI
+BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa
+p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB
+7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C
+kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv
+aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK
+Ne2NAgMBAAGjHjAcMBoGA1UdEQQTMBGCDyouKi5leGFtcGxlLmNvbTANBgkqhkiG
+9w0BAQsFAAOCAQEAMOjSTR1Tmp4baReRr6pvdH+HucpdIf5ZtH7Vn3h5e+Iuq9OO
+Ugq9qquo3sR1IAIAsCxWA/HHZMQOU5X1BxmC5+CXMfHmC/+1vLsxjZozhizKzpMh
+vtuJ33lgrwL30aTkF2IAPmqwu4akPFRdFGUtCL2LHeNGrO5UWQLDv7eDI8btkkm7
+AjV4u9y2/1W5um4KTQHWFzyl0iz1P5x/2MymBeiM4khRbQbfl8DmW6COLbhvPDEg
+YPL4ibjmMwOuOUgZ6bCw5Ck/cR7Yz7vVIOMC21d7elqJKfQ5tg62ZGs3r7L+Ir5o
+461gJUgzKhxT4MUQsLSCtKzSab9Rjg3pwfmHvQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem.certspec
new file mode 100644
index 0000000000..1b368c26f1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test CA
+subject:EE with bad subjectAltNames
+extension:subjectAlternativeName:*.*.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem
new file mode 100644
index 0000000000..9faffde6d6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDKzCCAhOgAwIBAgIUPU/rVUoMybyCeEAWx++fMAuZ6k0wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8xOTQ2MDIxNDAwMDAwMFoYDzIwMzEw
+MTAxMDAwMDAwWjAsMSowKAYDVQQDDCFCZWZvcmUgVU5JWCBFcG9jaCBUZXN0IEVu
+ZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W
+1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtq
+ZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx
+0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthV
+t2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo
+4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx
+1QOs2hgKNe2NAgMBAAGjWzBZMCMGA1UdEQQcMBqCGGJlZm9yZS1lcG9jaC5leGFt
+cGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2Nh
+bGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBALocgfctX/9NDtkQ7zAkGl14
+UXkXBCq7vn5fKss2bCG7D6M/+Q4ZJ64/QXGK96tKqdJctiyIN3KArnk4/pWfYCQG
+DgIHXFAgbKUQU0uiGmPwbPQnYq8la6VEarMrzWnGhqVPG1wsqiO1cnecycvm2W7W
+9n7qvw3s2Gf0WZIQKqpNmuhouboeiK1xFxryLWiNaG087WPHb71e1C+1enVb/hJN
+E1KD7dBtBh0sOC6bOFdc4BzhDHnDzPSznSqouotHf5U8YniKoPcDCml544msKwP8
+LCj3tG1VdMxL+p83ETDHG6GLUY20R0E6WJJfvfZ3hdxRUKgaAs+diT3xYXXYqTA=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem.certspec
new file mode 100644
index 0000000000..ac97b2231a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Before UNIX Epoch Test End-entity
+validity:19460214-20310101
+extension:subjectAlternativeName:before-epoch.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem
new file mode 100644
index 0000000000..6cdfa86a25
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIUL5tQyA2FR4V3eMcfGyWTxS4vmp0wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8xOTQ2MDIxNDAwMDAwMFoYDzIwMzEw
+MTAxMDAwMDAwWjAuMSwwKgYDVQQDDCNCZWZvcmUgVU5JWCBFcG9jaCBUZXN0IElu
+dGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYw
+DQYJKoZIhvcNAQELBQADggEBAGDlMbdxc1BHrn6l1svyskkHx68lSeTGVucIpClu
+mJIT3rsTR5swYuyvrWe/gqkVqGRv2gIpMUYAJoHWjF4fRyWkIjJz5JnSP5qxFKKk
+NFrjXFpGSqxJGtuMUNNGk7P30RLje5aE00bqrZHokfrokzChC3G3QJPOwvJtP1Gk
+wldQ8AeoHu/u3oEB3caoC1QpFfgF5kunNETSIxX5bTmsjTSSJnJjnf46FQdbOWUh
+P5Qkr6ZNK4ZAOIm+PRRyJ44JiHab+up/cEs17/T5dNcnHCy4TYXquNKwOe35qakm
+iexwhKycaAEM0TcTI1OA5K4tCwFvaiOr4eTzxN28Cemd89E=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem.certspec
new file mode 100644
index 0000000000..835e63f2b6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Before UNIX Epoch Test Intermediate
+validity:19460214-20310101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem
new file mode 100644
index 0000000000..3c00353a49
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWjCCAkKgAwIBAgIUGeo1nKP85zWT0JhJqZ5K3WQBKx0wDQYJKoZIhvcNAQEL
+BQAwLjEsMCoGA1UEAwwjQmVmb3JlIFVOSVggRXBvY2ggVGVzdCBJbnRlcm1lZGlh
+dGUwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowODE2MDQGA1UE
+AwwtVGVzdCBFbmQtZW50aXR5IHdpdGggQmVmb3JlIFVOSVggRXBvY2ggaXNzdWVy
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABo2IwYDAqBgNVHREEIzAhgh9iZWZvcmUtZXBvY2gtaXNzdWVyLmV4YW1w
+bGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2Fs
+aG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAb3Nv1Hxi4XlvI6yMMgFGEKiU
+gWk9TLQgIkjXbVlyfxhNrJs8WcY1V56sIC8EoBaCsMEgh3htvAhkVJ9v6HEZqgP8
+lwtUpta8sniuMRogVPehIIU53HB0Fp2LzoEQB0UzS7mD0LNCubK0BPMsNdT+LwSQ
+1sA7df8nQVdmLbcoFchQ1CaaSzyf8aFEWNuBiUF46j9BvcQykG8BhpDJ3+lV/Wl7
+wEXaFsW+/cEb0XBLQS/N+2B43+7EZQ9ZVOr1834V+d5jAFOHpyYfjVCySBd+VrRi
+NXq0j86M0RrhKYUzYNQ+bj5NIqHVG+TNYFc7TX6sqGW8S5HJ0v4/bYe33SuTdw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem.certspec
new file mode 100644
index 0000000000..9aabe21628
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Before UNIX Epoch Test Intermediate
+subject:Test End-entity with Before UNIX Epoch issuer
+extension:subjectAlternativeName:before-epoch-issuer.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem
new file mode 100644
index 0000000000..69972591d4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUCfV2HIsCkOeqHcXdhZf6ejBahIswDQYJKoZIhvcNAQEL
+BQAwODE2MDQGA1UEAwwtU2VsZi1TaWduZWQgQmVmb3JlIFVOSVggRXBvY2ggVGVz
+dCBFbmQtRW50aXR5MCIYDzE5NDYwMjE0MDAwMDAwWhgPMjAzMTAxMDEwMDAwMDBa
+MDgxNjA0BgNVBAMMLVNlbGYtU2lnbmVkIEJlZm9yZSBVTklYIEVwb2NoIFRlc3Qg
+RW5kLUVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaMzMDEwLwYDVR0RBCgwJoIkYmVmb3JlLWVwb2NoLXNl
+bGYtc2lnbmVkLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBCrP9yopCm
+BJSG6MIq3olV8meoQ2wIrCm2i1Ob2BI3JXW9CSjtnklmQaXzyEY6EnH7K/qzHMbz
+prbtiM+e0GjwwYNDAe3Ad1kUjDUSVnMAYmtTJOYxhmGYztkmM2xkz9Tvn+M4U35A
+GXimG82MDslBvDINDCPvwWsjst8oMwDAezpxZP2zZ/BrXbyUvOfCqyWQrRTNfSmF
+Aub2UQBdjSCgwY5RpzJ2ib5IWmVm3vPQmhM69FwI3WzWsbOb6MYdyPpnVnlN626l
+AwLjoaSP3F/lSgPzDqVKgx6rjqkYANPGaLLXdRH3ynJlxuW9JlamyuEypPIA0+Ml
+rvaprkFh5rXU
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec
new file mode 100644
index 0000000000..579e85e496
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Self-Signed Before UNIX Epoch Test End-Entity
+subject:Self-Signed Before UNIX Epoch Test End-Entity
+validity:19460214-20310101
+extension:subjectAlternativeName:before-epoch-self-signed.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem
new file mode 100644
index 0000000000..354741fc50
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRTCCAi2gAwIBAgIUAywOkzxiH/uWcwxb85Yy3OI46WgwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAvMS0wKwYDVQQDDCRUZXN0IEludGVybWVkaWF0ZSB1c2VkIGFz
+IEVuZC1FbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjcjBwMAwGA1UdEwQFMAMBAf8wMgYIKwYBBQUHAQEE
+JjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMCwGA1UdEQQl
+MCOCIWNhLXVzZWQtYXMtZW5kLWVudGl0eS5leGFtcGxlLmNvbTANBgkqhkiG9w0B
+AQsFAAOCAQEAN+g9N3uhls8y70fGORVEyYVjBmMCFeQz3DQw3u1J7+aHe6efygSP
+OKPXW3SbHSxlPFIsicVSHO3sso3zUGoedMw0KSyni4tR4yQ9jllrqijVCWorqRbU
+tlseF5hfw7DsKcl6jGA5UN0Aiq9SwKArdkRL+0Ykk0a/rxMEiOjf/Ao3ImfJnsCa
+frDKqziMWOmQtxrVTabpgRqCd1gtTg4cCsy7Yto8v4Gn1N/EL8FAXGWOieWDQ2Iv
+UFd9p0eTReBbRNC/QuZa7nEEAh4JO+JCAW4rHI6+beSPCT+lFQbF8sAJYSMGf0lb
+LAwyUGAPPLRx+SweIClb4EO+iVAFuR0Tug==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem.certspec
new file mode 100644
index 0000000000..8e16705b50
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate used as End-Entity
+extension:basicConstraints:cA,
+extension:authorityInformationAccess:http://localhost:8888/
+extension:subjectAlternativeName:ca-used-as-end-entity.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.key b/security/manager/ssl/tests/unit/bad_certs/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.pem b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem
new file mode 100644
index 0000000000..5dc7cf4ef8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDiTCCAnGgAwIBAgIUOYwND1zpte36abEsvdvudfnxjHgwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow
+gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp
+bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu
+ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs
+ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBr5H7lb24bMQYGDFY5qeMDNcti
+AI4rI7Nu0aMvZtDcxqHkIg/a7nr7WeQc3gCg8mUJ6xvreXxRswrudZzjjsGiTbym
+qjEz7HYrbvdWh5bLtdL7aoP1KmFD722guwdXVYQ7tx65oHroH+UCU28VT/+WzsHc
+5OjBqZvR928aWEXwIen9lhdk/5Rq2IrFqCTuUrNR5aiP6gJZoy4nIh3IFIxqWzsm
+lOjqvzSQIuo+gLN7oduafrwetpp8ywSrDVTtp9yckIHuW8css+OZLfqbFPMSFRJo
+Qee+FhxaGgDoRGk8oVGYyTJYUPIReZa5dtNPKs1JQvdqhIeUwA3GnJBTFCan
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec
new file mode 100644
index 0000000000..554339ff52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test End-entity
+extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem
new file mode 100644
index 0000000000..729808a76c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgIUI58z0zygvl7soKf2Z7nS20tb80cwDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUTWlzc2luZyBJbnRlcm1lZGlhdGUwIhgPMjAyMTExMjcw
+MDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowJzElMCMGA1UEAwwcZWUtZnJvbS1taXNz
+aW5nLWludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG
+8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V
+gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3
+04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l
+0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz
+/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMnMCUwIwYDVR0RBBwwGoIJbG9jYWxob3N0
+gg0qLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAIik8evPkL8v8lNHey
+GnsO5D21ZoBASKz5RQSiVrIUznEBnRpWSBUDbgIZWQCiP1TZBBpa9F2B6rA9VLM7
+HyetiyL2vEra2t9jH0zrHp0L+azwy1Keog2vFcuBmLEI9zOKvSyCLCAeQ0OlI6iS
+wlNbbauU+UaPVffNk7g8yjM0SScktdA1Ve4/Dwu8OqJZ2XX+gb9pRlowFz4btCBL
+Fo//5sz9CcagJN7c+Rpk2kOvomHe1pgnioNHYQmj6viGXN8AS7dPDXi8z08uxgJ/
+kCSUZeoZLVwRReEGCjhDOiLgCRx+/2mzs/xjuM+43g1hWfj7cce6iR4nfMRWAhsZ
+3WRx
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem.certspec
new file mode 100644
index 0000000000..48bb1c6e4a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Missing Intermediate
+subject:ee-from-missing-intermediate
+extension:subjectAlternativeName:localhost,*.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem
new file mode 100644
index 0000000000..141c88fe42
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIUDUVlzgTWxF+qWP8tpQ3tfmThWikwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjArMSkwJwYDVQQDEyBJbW1pbmVudGx5IERpc3RydXN0ZWQgRW5k
+IEVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaNvMG0wNwYDVR0RBDAwLoIJbG9jYWxob3N0giFpbW1pbmVu
+dGx5LWRpc3RydXN0ZWQuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsG
+AQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IB
+AQAA9rWfwMwc5IIktzvNVAv67CAKcvNoxxuik5vnQk51qglv/k+buamFEpW5nPxS
+Rp8g6TL6Bqppgk4txyLa6+ffbNYoTrMNs29Tj8TjTohvrahYGN4rusXEAmAz7dNj
+hY3nPDVOXG3u90iYHIJOwr/5xlSfjUFFVRBEO0ypt2qaTtbXBbP8JbNiYDFkRVbc
+QGlnq5QiZCzaAQPDG7bOZp4U2ZObu0Vc2jrKfHL1K4Z1tlZdeYJ5M810dEO9GAyj
+TwSRtbiSosWfRjxTH7AyfMn7OGTjoTPukYilLusCmpXy7NI+DOFLDicrNZP4uZ+B
+pG67V1YevJXG5D0nKoAFKNOX
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem.certspec
new file mode 100644
index 0000000000..dd8c6707ce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:printableString/CN=Imminently Distrusted End Entity
+extension:subjectAlternativeName:localhost,imminently-distrusted.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem
new file mode 100644
index 0000000000..04c4f9f167
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJTCCAg2gAwIBAgIUY+eX/gQmQBSMBZI1NjyBEpmUFYEwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPVGVzdCBFbmQtZW50aXR5MCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMB4xHDAaBgNVBAMME0VFIElzc3VlZCBieSBub24t
+Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI
+BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa
+p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB
+7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C
+kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv
+aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK
+Ne2NAgMBAAGjWzBZMCMGA1UdEQQcMBqCCWxvY2FsaG9zdIINKi5leGFtcGxlLmNv
+bTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6
+ODg4OC8wDQYJKoZIhvcNAQELBQADggEBAGG1ldwhUiaY+jVOyDZyQxN2tFCN3TOh
+14tkKxzbx7o2awiLgNtOHAXMyb/6qwT+ktHwxtdA97wJGTYXMcAqAsD7ZtigINe3
+f63d/7uC7Ns7gnw++IFxGbjX7/cJSZMaqg35xMxcWtgt7pb7epXttz7hi2AD2LWu
+jXwCQEVdoPmdOqMVvE4yg6VweKqepOKUoK4hrv8JUWRVT3mhGU53MZhCKNkQ+MiR
+p/ECWX2XGtDKxp5KPYpmInYS2GN5XOpC/KhRAbssT4az0dgRNk1kFHsHUDd1xzq6
+BYhw+Bz+5poWVcf0IUsqjtYt/lOc+1LxXWF6vg443ARf1FXP6TEvLHs=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem.certspec
new file mode 100644
index 0000000000..63c36d34b3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test End-entity
+subject:EE Issued by non-CA
+extension:subjectAlternativeName:localhost,*.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem
new file mode 100644
index 0000000000..b1eedea530
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6jCCAdKgAwIBAgIUM7VyNhRBbWRLG2FoCiuqSMtzfOowDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVjEgQ2VydDAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAfMR0wGwYDVQQDDBRFRSBJc3N1ZWQgYnkgVjEgQ2VydDCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaMnMCUwIwYDVR0RBBwwGoIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tMA0GCSqG
+SIb3DQEBCwUAA4IBAQAXC7B3o4sVsRB3uopTCMVOxj/Doueqkh0u0QGSzB5JaA1L
+ncJd8RNqfKpkwsSGF10ljmqYVU8yS2qWmswAIVU6tpGLMwqBgjqdpHtVUn/SLA3u
+p67uFwvkj+k0nM9g/y1Uy5P2wnsq0FzAklApWVM2ePsCtDPEQ2M5tVggGYeHicEy
+olOOWo28j1otCzACCJc11kBw80WmfGYl+/WUKWqHF3Mv4cBVJ53BRNm+ZTvzwBmK
+wMulP4DX0NMNeS8vQkL3GBlBpGXDsz5yOkYizib/M+U1zalW7WYoSdmUT477iSFu
+0NmUMXeRal7v+izGEVftwHFIRw2U80y9sCz7855c
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem.certspec
new file mode 100644
index 0000000000..9ed9b33db7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem.certspec
@@ -0,0 +1,3 @@
+issuer:V1 Cert
+subject:EE Issued by V1 Cert
+extension:subjectAlternativeName:localhost,*.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem
new file mode 100644
index 0000000000..da9948c82e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6TCCAdGgAwIBAgIUB4Wp0b3lv9F9ib3AeTvgSe1ehCIwDQYJKoZIhvcNAQEL
+BQAwADAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAtMSswKQYD
+VQQDDCJFbmQgZW50aXR5IHNpZ25lZCBieSBlbXB0eSBuYW1lIENBMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK
+tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N
+Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr
+sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs
+l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl
+nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyow
+KDAmBgNVHREEHzAdghtlbXB0eWlzc3Vlcm5hbWUuZXhhbXBsZS5jb20wDQYJKoZI
+hvcNAQELBQADggEBAG7JkRGPBAyJMbMMYaHXWDUUxiJOc4yIPC7ykNhhHGpjD+Y5
+zTwxsasl1bmwfu7CY0Lv0dAwGLUkZvoEvKV/PH4NtFN8XVauT/Yq0Zc3ZaADUUFV
+w2+HfFDIotGhLY1AFKqf4OCLzam5raYseTk5ogUu68ImPtxCC5HgE+EUpbfQurB7
+GQnxvXgfDPoBVYM8DKGAhkNJrhtO3naOH3181Au8fnYmaqvQeC7uXMPqph4pUZgl
+i2wUpg1z5XeAEAZhs5qBfR7YvKrDh13cud94rSeoEEr7hSIOUfkXuxX4dLMDmjci
+FqXlePARPBXNCbmdivysrKCZXocOS1aQiCOQHBo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem.certspec
new file mode 100644
index 0000000000..a99d84b79e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem.certspec
@@ -0,0 +1,3 @@
+issuer:
+subject:End entity signed by empty name CA
+extension:subjectAlternativeName:emptyissuername.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem
new file mode 100644
index 0000000000..7d4afb1d35
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwTCCAamgAwIBAgIUfQaeKSLdERUr8AYc1REkbyViS6QwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohR
+qESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+Kv
+WnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+
+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPv
+JxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5
+Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6
+clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB
+BjANBgkqhkiG9w0BAQsFAAOCAQEAnOQhNmRo+447vTeC4BzE03fSjmfV7RegozrU
+ZHYOJzetUmNeOYZ2hJfgRA6ZBWbI67iCKfazjVP7aWg0yAOD/0Zua6jkkXB4plAi
+O23XuUj3ZHMIRw//cuol7Aaiv4zkBQYCt6xJqnT/aXby6EANPqbMeO8GpemeZvfv
+Q5VIeDN+1gTiinDQO84HELHqmefZkrSuafNzdWn9AlgciWPviAqhSdTpdjlKAHHJ
+DP7dZ+vr94Z6stGkd74H6OqeGAAu4CXmlC4d2J+mBmbL6uVB4N7IXy4V0FSB9E+g
+DlL4oJVqRs8f797Ks7o+nJHrl3/kkyYKbwL+A/tjke/OV5ST7A==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem.certspec
new file mode 100644
index 0000000000..0a7cfdfd84
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem
new file mode 100644
index 0000000000..b72b8bf238
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDOzCCAiOgAwIBAgIUUTQl0w6xynABX6J3RLxwd5dmb6cwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMB8xHTAbBgNVBAMMFGV2LXRlc3QtaW50ZXJtZWRpYXRlMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+o3kwdzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBHBggrBgEFBQcBAQQ7MDkw
+NwYIKwYBBQUHMAGGK2h0dHA6Ly9sb2NhbGhvc3Q6ODg4OC9ldi10ZXN0LWludGVy
+bWVkaWF0ZS8wEQYDVR0gBAowCDAGBgRVHSAAMA0GCSqGSIb3DQEBCwUAA4IBAQAd
+YtclCaPr3EvDHKCLyZq0UiH8AIOdFC4Ii8t6+N1kn49R/yDVH2vQVzGAUGeZ8wNF
+x6WqNWOhzNuaWx3D+iOcg6wTM8l3HPphsxfltjaTccWCS+VU3DfLWK+BStdf2SwT
+zZYzaOtqphaCjD+zCmpEq/CipM5htDsj+ijfpGMbgm7pQroOj4RfS03Y27uy6bLW
+lNQ/LvmMnN9vOH4ahTdSf4TP6a7Q2rQqgwX4hSjLWqd2OJerVjrGc5xlwmh6FhQn
+ykhoFJsfuz4d/3N5aSugct03S1iLNVeA9RbeVokNfKB5AMJgZwhmCC2GSxhDIHPb
+V6NmrlAx9nedbGwRopc9
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec
new file mode 100644
index 0000000000..d5b5859672
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:ev-test-intermediate
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://localhost:8888/ev-test-intermediate/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test.pem b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem
new file mode 100644
index 0000000000..4bf9681537
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQjCCAiqgAwIBAgIUL2uvkW2WStYLtuliwgT2ffxO85UwDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUZXYtdGVzdC1pbnRlcm1lZGlhdGUwIhgPMjAyMTExMjcw
+MDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowEjEQMA4GA1UEAwwHZXYtdGVzdDCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaN/MH0wOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvZXYtdGVzdC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0
+CQEwHgYDVR0RBBcwFYITZXYtdGVzdC5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsF
+AAOCAQEArR4O8KOT7AloCUSNOW7fCdaXfTOPjnCfXb+lA3UdnMOJYodXRGevmn9D
++A0/M84FzUyc+CqOww7Qv4VG203P1Km6JAajtN5E8WUf67uh0onYdtNquaQsTJ9+
+adib+uYK3b/8XSHk3m6CUz8dbuVAdM/VPv7wnbPk2iQe23CE6BO/vHwV2nBqbIa/
+veucNZF4W5Loelb8wwvx15ozXIWScZHuF9IYjQdXsweZ96h++d3QY+iLp8JGMhKN
+Qtpfwo/XkvVbUeUhCpnUlx/oWzT/RjIRg8NoHUvX5rjQv8utRRTxju/yjnHh1HHM
+NavCexSqWF0hX69JoniwAVZb6sGIHA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec
new file mode 100644
index 0000000000..10f8022585
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ev-test-intermediate
+subject:ev-test
+extension:authorityInformationAccess:http://localhost:8888/ev-test/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.key b/security/manager/ssl/tests/unit/bad_certs/evroot.key
new file mode 100644
index 0000000000..1d88a930d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/evroot.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh
++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU
+dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H
+cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y
+1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t
+oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ
+5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB
+0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+
++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE
+vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9
+HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE
+MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V
+vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV
+7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH
+lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V
+jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv
+nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui
+p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ
+zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v
+4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA
+hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C
+pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV
+bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3
+mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j
+LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf
+UVFRDKpassHG6z7+kpXRbowlyRY=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec
new file mode 100644
index 0000000000..1a3d76a550
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec
@@ -0,0 +1 @@
+ev
diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.pem b/security/manager/ssl/tests/unit/bad_certs/evroot.pem
new file mode 100644
index 0000000000..13c3031905
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/evroot.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx
+MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/
+EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN
+RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s
+33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd
+Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX
++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+
+5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo
+UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf
+cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY
+Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH
+z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH
+HmbOwao=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec
new file mode 100644
index 0000000000..3121f3486e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:evroot
+subjectKey:ev
+issuerKey:ev
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem
new file mode 100644
index 0000000000..a7d657a970
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHDCCAgSgAwIBAgIUY9ERAIKj0js/YbhJoMrcLnj++uowDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAwMDAwMFoYDzIwMTQw
+MTAxMDAwMDAwWjAiMSAwHgYDVQQDDBdFeHBpcmVkIFRlc3QgRW5kLWVudGl0eTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAAaNWMFQwHgYDVR0RBBcwFYITZXhwaXJlZC5leGFtcGxlLmNvbTAyBggrBgEF
+BQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJ
+KoZIhvcNAQELBQADggEBAImiFuy275T6b+Ud6gl/El6qpgWHUXeYiv2sp7d+HVzf
+T+ow5WVsxI/GMKhdA43JaKT9gfMsbnP1qiI2zel3U+F7IAMO1CEr5FVdCOVTma5h
+mu/81rkJLmZ8RQDWWOhZKyn/7aD7TH1C1e768yCt5E2DDl8mHil9zR8BPsoXwuS3
+L9zJ2JqNc60+hB8l297ZaSl0nbKffb47ukvn5kSJ7tI9n/fSXdj1JrukwjZP+74V
+kQyNobaFzDZ+Zr3QmfbejEsY2EYnq8XuENgIO4DuYrm80/p6bMO6laB0Uv5W6uXZ
+gBZdRTe1WMdYWGhmvnFFQmf+naeOOl6ryFwWwtnoK7I=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem.certspec
new file mode 100644
index 0000000000..0a03bc36f4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Expired Test End-entity
+validity:20130101-20140101
+extension:subjectAlternativeName:expired.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem
new file mode 100644
index 0000000000..e03d862761
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIUY9VlD+O8GH3DRfxtYTip4pS6eBYwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoYDzIwMTMw
+MTAxMDAwMDAwWjAkMSIwIAYDVQQDDBlFeHBpcmVkIFRlc3QgSW50ZXJtZWRpYXRl
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B
+AQsFAAOCAQEANf+C+WsnAgYfISDS37prll2DOGYWKajcVZNzkScDzNGkK2s0c/td
+Mb+HXehqvYz20hT4wEwQZnPt9qMWH7bBEWiJfw85OINbKmG/i0gjZZDgbFMMdHvc
+j6BXJoxL0gAy8fOQyTDuMNX0NBJzSmWhzBsL99BHAWdG6XXQTzSyumiekc8ip4GG
+EhJvArbZwgIBigzdpbc/lQI0dR2qER0BUXamWU8fi2RuvQqtEi2ANjJHrWOillXU
+PR3j0F2LyvoiYlhiNhE1g3JH4VYZ+3eboRCrjel4J3rZHksN17r6+Fla1/YZdz2l
+nAGA5McLBKXYBVcARV4adXlBe1z79TiDeQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem.certspec
new file mode 100644
index 0000000000..38a0abd8a4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Expired Test Intermediate
+validity:20110101-20130101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem
new file mode 100644
index 0000000000..b9d08b9795
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQDCCAiigAwIBAgIUI8ozCyw0+PlX8kSh6xCqm1S+kZwwDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZRXhwaXJlZCBUZXN0IEludGVybWVkaWF0ZTAiGA8yMDIx
+MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAuMSwwKgYDVQQDDCNUZXN0IEVu
+ZC1lbnRpdHkgd2l0aCBleHBpcmVkIGlzc3VlcjCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNcMFowJAYDVR0RBB0w
+G4IZZXhwaXJlZGlzc3Vlci5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYI
+KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQAD
+ggEBADc3mhtwi4RO49fA5MWYiSDzLur0n6uvJFvLwrCFan5zb0GWCyJcvawUzxH3
+BpgNK7FmKeGPOE+mcjd35O3AgVeReWxy9RFXRAZsBThHZUGjEKi/D4kenNplg9I/
+x2DIjHlmjG9sDR2ibNo6pEOqWi2z+l3NcPpCvljJwz8FWms13AR4ns8c5mdjvBv2
+I3nvO/pezyaYVaAAV0h5EN/hQcTn1AuG/EAesigPAAg/ngm0QEJMfzvSX5z5M8Hg
+s1wUbkPXIcNCkuQ/tibM4xBeOmd6+pcXyhWywl8Z0SbVHfLlRHb72t8YWgvwZjLY
+YwAw1B7ii5wR+4I3ppmcdiKABok=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem.certspec
new file mode 100644
index 0000000000..855f454221
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Expired Test Intermediate
+subject:Test End-entity with expired issuer
+extension:subjectAlternativeName:expiredissuer.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem
new file mode 100644
index 0000000000..d9af1411c0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/TCCAeWgAwIBAgIUB1U85Lv+0j+a0CDGRThLAhFWSv0wDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOVW5rbm93biBJc3N1ZXIwIhgPMjAyMTExMjcwMDAwMDBa
+GA8yMDI0MDIwNTAwMDAwMFowGjEYMBYGA1UEAwwPSUROIENlcnRpZmljYXRlMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08
+E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc
+1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP
+DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ
+gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV
+YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID
+AQABozgwNjA0BgNVHREELTArgilidWc0MTM5MDkueG4tLWh4YWpiaGVnMmF6M2Fs
+LnhuLS1qeGFscGRscDANBgkqhkiG9w0BAQsFAAOCAQEAM0ukmmrbeVbEPB3KwnP2
+R1jHeTyVbRoQjQubHClDsoTQSD1evz3PWksfUE1D5e+jXC4DkQ8r9bgkYG1Hoy3A
+g7i5hvROwGmp99vYP/xXX8n0EXn2aQXXyGWImAIiGiu9Obn+K86Cc53jGOOQMjIo
+4cwvRdmVfxsPWupsbcW2RrZdyN1m+19SBAcGOH5jCwGfrEklUmmjxoMBYfFgBEiA
+39RJKN/H8mHaaG/pVBObJtgimGMigYJU8E44fY8YloFc6NSfzgwwlVuwfnj9PSFU
+/w2nZHpEwOZBdU4iUPydtAqUSEWZ8/GDzC2xg6SIzmQveFBp6BAQHg6udCTtZdSW
+tQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec
new file mode 100644
index 0000000000..b3d840fbd3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Unknown Issuer
+subject:IDN Certificate
+extension:subjectAlternativeName:bug413909.xn--hxajbheg2az3al.xn--jxalpdlp
diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key
new file mode 100644
index 0000000000..d43495f851
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICcAIBADANBgkqhkiG9w0BAQEFAASCAlowggJWAgEAAoGAANKbsS+4T93NKbOl
+GctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJaj7SBxZVNKqZ
+BX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyvbXvmnZoIMTbh
+WvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAQJ/PEllBwvzkMJR1aLFJ3xbX9C97oXK
+1/4rJ5grsoURSlBwBANq4c+K5Usl5Ns5IVq9fpA/YYwtiy8IzGzRLbzNciBeSUW2
+s984nl5D3goUi7LITiQx/b5ZILBEuycvRez/ByG337YDl/xhOp6jXCIwBTDK6PkV
+nFNN878JEJUZAQJAD58XWXyFuAUbnGmvtV71dsmW29CQR9DM3ludYOpcZ/5PrGe+
+gD9LasWj8FD3a5ZvsU9c8QV2HlrebdlgsYO6VQJADXtjcRLOYaVRaMD5yThvsnmr
+QMug1Ukza7plJ3JjqseCYRosgdm2Nc94xAAYhZ4BjF6QBtEuPS7m80bnn6QzaQJA
+Cf1smj6m6RrjIHD5/BwhD/k1L5e+XR7rlRuzloHp3FtnKlMiIbPYkAyanZm50KTh
+AtxFDKG4ewsTid5lFsCuDQJAAUG4MkkbfdSoMwiSACTHnK5kvUR9+IO7TFZyqWur
+SLcSOzTyYyRFLNzrF/IeVw40fL4v1MLY+ZEOrCy22JW4yQJABFjdau4YyIsvm4Hx
+vDB1riDcH5lz0gck8gsGBD1hR8h4nUoHroi8gshDjIk+AXsTlH9i4LGJWKMetmSx
+nmTT4A==
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key.keyspec
new file mode 100644
index 0000000000..21ed73d60b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key.keyspec
@@ -0,0 +1 @@
+rsa1016
diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem
new file mode 100644
index 0000000000..6725f9e566
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtzCCAZ+gAwIBAgIUIREXOabfdCGvGyDuQgOBkzu20zEwDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowKTEnMCUGA1UEAwweSW5hZGVxdWF0ZSBLZXkg
+U2l6ZSBFbmQtRW50aXR5MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgADSm7Ev
+uE/dzSmzpRnLZsQ7jY+L5UW6eThM5mPtA991mRYA65IHkNJTDOzlRNuZpx8FiWo+
+0gcWVTSqmQV+R8R+O8ga2m+h4S43JotQRqVSaPna18y0hdgaLhnVDU8LaFSsr217
+5p2aCDE24Vr6j1PByMhPxgdyed0OVdc2mlvdAgMBAAGjZTBjMC0GA1UdEQQmMCSC
+ImluYWRlcXVhdGUta2V5LXNpemUtZWUuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEE
+JjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3
+DQEBCwUAA4IBAQA0rIC1XkHz6blfEbgKH79ausj4LhJtZHWVSoV1bAHfeSHoc97S
+Q1UMai44eoJVBNdSpzZKr5yIu4xXFGkHUxG8JQ+TWpfaABs9V3ZpfCNjHkgn9fM1
+aBX0+cnyKE/e9k3FkQaIXBEBzXC/FM+F8eOXCucPWAWJIml31/TIteh3FE0P4zUP
+kK8oqiRdG0flBxXoc4ZL4lekpq6SmZTKSrCxNZbFGUkANgxmtfRMhHZKpA35BqCv
+JhSqU4VuYlBNq6c37yNK/5XD1QV0UpmhofKVRscqBl7bPJP/vqskogU0U1/6EQcf
+MadiPI0GKVvPEwaBKl10jxhFaCtvRSyLTQBB
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem.certspec
new file mode 100644
index 0000000000..02b595dc9a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test Intermediate
+subject:Inadequate Key Size End-Entity
+subjectKey:rsa1016
+extension:subjectAlternativeName:inadequate-key-size-ee.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem
new file mode 100644
index 0000000000..8374c1399b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQTCCAimgAwIBAgIUN1pxcl/u0+W9JsxKsrvr8nDaWdEwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAvMS0wKwYDVQQDDCRJbmFkZXF1YXRlIEtleSBVc2FnZSBUZXN0
+IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjbjBsMAsGA1UdDwQEAwIBAjApBgNVHREEIjAggh5p
+bmFkZXF1YXRla2V5dXNhZ2UuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIG
+CCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUA
+A4IBAQBWJJ77vwC6xBIh2ANYJ+kthp/f4Hz9YxZko5W0TSoeTwNNnQ5SorZ5h8nQ
+9fr471N4RvK1knH2dCR8fqlyJmf3sW8QQuHpKHHq6AaDbxXABRIGKC/k+Ykc5xdG
+G6bI/+AlUmjN6fiRCL5ffL5WNXVq4b3edkOvfeKUxiCwoamOy7F4/fMBf+SB/D0+
+05n9tPJcnhll0ah2J0Cw8jiMOpks7nvzU31biKx06gLFwFwAIKTt/xih/nQZAhbq
+m8UP9q1l3UwGxnHZ2r1K+zpO7sYwXk6TAK+9lKcJTheuy4aK1GE/czU/9BrP9WR+
+N/9WVK3KTS8r4EtrybjHMKUaS00V
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem.certspec
new file mode 100644
index 0000000000..4d553890b9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Inadequate Key Usage Test End-entity
+extension:keyUsage:cRLSign
+extension:subjectAlternativeName:inadequatekeyusage.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem
new file mode 100644
index 0000000000..2269f4676e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0DCCAbigAwIBAgIUPT3TDbFEvyL6hxMsXXAnhbUEvXAwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAUMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk
+e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg
+KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI
+YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi
+lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL
+HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGDAWMBQGA1Ud
+EQQNMAuCCTEyNy4wLjAuMTANBgkqhkiG9w0BAQsFAAOCAQEArvYJZIHcejci3ZW9
+BhYUPn3jv/byMmAvSzPHxy9AJk9ZEITGceiEAB/G5MUaG86/tuSmK2x50kTjezll
++KF4PWKjdzgUHUbQD3tgG4gc74the675k6xWAH9cCn9e1ZYX9vi7zEUPxFlKQnAa
+SsnQQRobrLNoZsqJQ6tqui6lPvZ66jpKFDSFLE7FMfTYKLJJhhTsROCX4OY4YkUb
+zXmozzMk1yK0Gy91x1IoqWl8Eua42TeM5klGrt4r+U6pwA8JsMXMusdmvZXwZYJS
+1LFqRQsSLFxDqFicpJDvXp6TT9Z7TG/z2gdFPH+e+G+pdNQmVnm66SHmfRpf5JiO
+F9rdOA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem.certspec
new file mode 100644
index 0000000000..7662338470
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test CA
+subject:127.0.0.1
+extension:subjectAlternativeName:127.0.0.1
diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem
new file mode 100644
index 0000000000..3f373d09f7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNjCCAh6gAwIBAgIUGUp8qIucVUZ0D+cPoEILDVfteu8wDQYJKoZIhvcNAQEE
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoYDzIwMTMw
+MTAxMDAwMDAwWjAvMS0wKwYDVQQDDCRUZXN0IE1ENVNpZ25hdHVyZS1FeHBpcmVk
+IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjYzBhMCsGA1UdEQQkMCKCIG1kNXNpZ25hdHVyZS1l
+eHBpcmVkLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
+aHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQQFAAOCAQEAYMtZZk0A
+c3xvnK0PSwNxsWidAdOEY5uOKJTPT1LZFUQsNHw/2f7csfDneTeLNoCNKH7LPF3t
+J+zwUMzq1Ut0vIRSs5r84P7LK7KaBRrSwWPSnTP90X4VX3IVIQ7dbwTkrlUaRzfs
+B4Pqa/p2GVuvrLmbtmd2SDw+52GubJYVOF6u2s4KKgUGhHWtegzQOsVKTFEOoqBr
+X3yDEJhK7M82NMiGtq3Fr5F0sLD6DuGL0Mm7ei9junSLS4sH0M+Hac2BVmXwYNTS
+ekKzyjmZ1TYRlo2sCgYyYfCLcTOswG7uVHLU+ie0+Dbaik2NcolUgFNnC7Uk3E+t
+DhSRNeOtKglSxw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem.certspec
new file mode 100644
index 0000000000..e4c2b7008d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem.certspec
@@ -0,0 +1,6 @@
+issuer:Test CA
+subject:Test MD5Signature-Expired End-entity
+validity:20110101-20130101
+signature:md5WithRSAEncryption
+extension:subjectAlternativeName:md5signature-expired.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature.pem b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem
new file mode 100644
index 0000000000..c71d1b4c02
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDLDCCAhSgAwIBAgIUF9VdXuc6cyMkwLE5QkiaA5XGPGgwDQYJKoZIhvcNAQEE
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAtMSswKQYDVQQDDCJUZXN0IEVuZC1lbnRpdHkgd2l0aCBNRDUg
+c2lnbmF0dXJlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABo1swWTAjBgNVHREEHDAaghhtZDVzaWduYXR1cmUuZXhh
+bXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9j
+YWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBBAUAA4IBAQAKDmz3Jd/rFPskUruCHHHb
+GnWoyquul7YYH69Mxro9u8kfB0apfPzTUjdaXNVPmJn201NsMZQsooR3w7WvKw+O
+WwZULevf5OBDuUUltHES6YDHZbUSPyzG9TDEruQUtFdhmAe+r0xrdacdkI391Pzv
+ORdY3x2v3esRJY3DwbTdufKcqmQ0cmiMPRLGJsMBFjmvQdBFBB+iRtp9Jf+3shM2
+M2ZgKMw+gepEX23KXpJcdXI/s8SZhpO1xIzxwcH8sXM+JV7OpfecPfmrylTkA7BX
+PgeD0Aj/BEtEQk4K+HgHZvriHNiukhCwGf/Hh7r5b+zothSAqAGD0iIwnXpja25B
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem.certspec
new file mode 100644
index 0000000000..02742d910e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test End-entity with MD5 signature
+signature:md5WithRSAEncryption
+extension:subjectAlternativeName:md5signature.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem
new file mode 100644
index 0000000000..d5782da2cd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDKTCCAhGgAwIBAgIUXWNmi3NOMsq8iBKvohtG0kX2YFIwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAwMDAwMFoYDzIwMTQw
+MTAxMDAwMDAwWjArMSkwJwYDVQQDDCBNaXNtYXRjaC1FeHBpcmVkIFRlc3QgRW5k
+LWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaNaMFgwIgYDVR0RBBswGYIXZG9lc250bWF0Y2guZXhhbXBs
+ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCt7JzZlMgD/ZHZobiGxcfE/EPQ
+/V405Xu7DGdTJh5cTiFF1h3sQl06BfrCEAo0yhOrpPyMtmhTI+rMyF7PvFWZMQ89
+bk9y4cZ7jG1NEd6B+jlYfD4mFbLR3AbMEbf6QVjYDK29+XnjnhvczT5NPPl8g7rF
+6y1FhFcFMTGiGZCOyhCz0nXbG/LpP/alH+WucXRdpMLUQbEXEDzWOq5WJ1ZPS556
+2Ouurfr1mkydAlXCGc5RYPVLRY48CwX2z+kfHRnF4TCb3ck5oOlqabP+bc+HD7EE
+UgEEdnE6zpUs1D7s8C8Mp89LUcXx+s51/ZUQvGE4btBMML0lNImwwbqxbv02
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem.certspec
new file mode 100644
index 0000000000..262f08d6be
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Mismatch-Expired Test End-entity
+validity:20130101-20140101
+extension:subjectAlternativeName:doesntmatch.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem
new file mode 100644
index 0000000000..b70a632693
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDLzCCAhegAwIBAgIUcYUtGOYg2nrx/OAYr+cxTZVbv34wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDMzMDEwMTAwMDAwMFoYDzIwMzQw
+MTAxMDAwMDAwWjAxMS8wLQYDVQQDDCZNaXNtYXRjaC1Ob3QgWWV0IFZhbGlkIFRl
+c3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI
+UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi
+r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x
+fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD
+7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv
+uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj
++nJRxDHVA6zaGAo17Y0CAwEAAaNaMFgwIgYDVR0RBBswGYIXZG9lc250bWF0Y2gu
+ZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8v
+bG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCu5v5Saw0htF59xmKf
+CQJ7YI4M/TvuNJjhVdwq5phvEw3k+qweEdpLHERGu4nrzyDTMKqN8kXO6tXUspnh
+LpXCvmaDLNxx/UyYofWslqYqFwM4vQ4l5QEUriR1ndMN256ELRSx2cEpWCi9xHMb
+1cqB12ulLMCpitmK+NXpflViZy7HliTQOCdwhLPDNWRKsRF85EHOuFzcx4uqfWdw
+5zwA0zVOYG21fyY51bhy4oy7HjTWUOrGi/klwzz2TEDTUX6nRHYagrFxO7C1GMlg
+pe32InUfLU0rR8G9lP/tSug8HawSH/TCE+63jo2BGWaIYGSd+k11QzU+CsT15+A2
+tbAC
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem.certspec
new file mode 100644
index 0000000000..947eb7d678
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Mismatch-Not Yet Valid Test End-entity
+validity:20330101-20340101
+extension:subjectAlternativeName:doesntmatch.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem
new file mode 100644
index 0000000000..4902855da5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDOTCCAiGgAwIBAgIUO1bWrdrsbGfiDSe6i14vOA3vWsIwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoY
+DzIwMTMwMTAxMDAwMDAwWjA1MTMwMQYDVQQDDCpNaXNtYXRjaC1VbnRydXN0ZWQt
+RXhwaXJlZCBUZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9
+sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5
+TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7
+xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd
+tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l
+8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjWjBYMCIGA1UdEQQbMBmCF2Rv
+ZXNudG1hdGNoLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAlTFY
+rHGARngEHz3XEngdY1E3hf2GdITTHssgVRvpW3IvNmUJDhk3zVqvjb2hIVDmxFRv
+ad7yCKK7FQum2A1MKZh/Pl7ylWv6vkdtB8HSg9F5qYifyUD/XEjYp3uSrfAXW7Pp
+XHZHgBR6nlOB1EpAqrLtpEjxMX6F0fcXClOlWf0UsPLv1M6JvPNns/4tbHBnrhfm
+e0DqBMfZIJV7x633eZhpLQmOIA27rZtpElWZsA6Gtenl3szr8mpOgy3hxuEs9oFn
+cigHg2ECzaOKM5ayTP0dc2OVbVgUX/2doF8pGHiIKdsThYNLNEOioBZjJhQlreZE
+K67bzkMDhLQmMBUMtw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem.certspec
new file mode 100644
index 0000000000..adc8ebaf8b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Other test CA
+subject:Mismatch-Untrusted-Expired Test End-entity
+validity:20110101-20130101
+extension:subjectAlternativeName:doesntmatch.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem
new file mode 100644
index 0000000000..bdbd0003c0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMTCCAhmgAwIBAgIUI0pSyZahDeLfI4OrlVIzuliNY6owDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAtMSswKQYDVQQDDCJNaXNtYXRjaC1VbnRydXN0ZWQg
+VGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby
+a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC
+D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT
+iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT
+Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+
+SSP6clHEMdUDrNoYCjXtjQIDAQABo1owWDAiBgNVHREEGzAZghdkb2VzbnRtYXRj
+aC5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6
+Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBABwg1CM4xUgHVS5v
+VuYG6xH6YskAdK2L2G2E+M+4pp1+1vGt377o2B8PIhIpJ2lyf37PMn2DjpsgvB2T
+lsl2IJpCa0WD0c6Wh+PzVF3B0rP7QtSdHGLIVbHYjRS6RtrC0tvleQaJF9KBTV2O
+3mUSs5o4LW9brR2aFnoWBY6iENwdme/bttHZxivMnOXHK8nCC0LUVEO4lEqYPojo
+oqFzGPHIdWNHF82u67zys6uZ4aVDZgPFeiOG/B62rhHivAv5am7FXWWpIJv1SKTR
+SW6LElRNpgMxvjvjOfDfbGIpUw2H1QRIpWvygr7fdEYWr27x21UdaEwlZHE2yBeN
+4OsHD8E=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem.certspec
new file mode 100644
index 0000000000..91c5f548b6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Other test CA
+subject:Mismatch-Untrusted Test End-entity
+extension:subjectAlternativeName:doesntmatch.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem
new file mode 100644
index 0000000000..fe0a029e2b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQDCCAiigAwIBAgIUQ8LmhXEMu/AAMhyTo605M/H4j2YwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAjMSEwHwYDVQQDDBhNaXNtYXRjaCBUZXN0IEVuZC1lbnRpdHkw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
+PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
+9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
+4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
+exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
+ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
+AgMBAAGjeTB3MEEGA1UdEQQ6MDiCF2RvZXNudG1hdGNoLmV4YW1wbGUuY29tgh0q
+LmFsc29kb2VzbnRtYXRjaC5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYI
+KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQAD
+ggEBAEsOUlth9scSnOZ6d4h1kkf4G2bYfkStM+DHB45DYrAYr3a8l1oHfnPcXhvN
+XMnT53sQ+BkTbx18OSlqo4ZSCbPPaJmHGNsqwqMMeCHDtE2do5uwimkT75Pwy9W+
+1LlTYOoRb5Ys4kY8ObpkhG8YM2W/mnQD6A70iusXaMyCiiP1fXdAPW8m2ltEeVne
+mz8PxwI+opq8/9m+IBcX/cXyoec062cUU+FibhpoKXxPtSGSVEbxw2k8gbndHIj5
+DIbcyZwJvzb08dkYWKjwQ0tgGOUzzgvXTa8gEp179LaWQPsyxGRQdSmv/6WVijpR
+7okOenn54XranHx+ObMSdNwKC24=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem.certspec
new file mode 100644
index 0000000000..b93599fc88
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Mismatch Test End-entity
+extension:subjectAlternativeName:doesntmatch.example.com,*.alsodoesntmatch.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem
new file mode 100644
index 0000000000..2be28b8a9f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxDCCAaygAwIBAgIUaRjrHyGMBM67Q2Yf0pUNtNJYgHAwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAiMSAwHgYDVQQDDBdkb2VzbnRtYXRjaC5leGFtcGxlLmNvbTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAd0ZB7G4WhIDaiyYcP2quL3AoqbudHoo8
+0gHA9vAnoGDaOdjlcornKAXyyA0qrUNxmxKS3WavOZnyeCeu+2//nHJOOORRqUC9
+5b+8neKnuRFcTYGW4iS7+cTbHWWYdLH5Mmef/xfcEiGWsV/+pxNdCGVBf4eOK+mk
+0UqqcaOaO4HlC0mUyP39GR/WBYNMbtswAwqryAyXcBuAI5sq9vh4u9n+s+RMWUmD
+3/bBtz9Bff/9ClWTJJMZt8CQoZ4CoA7zowTbqLvf5NpQ96bzbX2Z5qTEh7sCb5zA
+mebrXm/pOBI9zTFYxqUMIwtGAbRZRfwHQBkQhMO3m3gKXu6tbWX2sA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem.certspec
new file mode 100644
index 0000000000..86ef45b7ce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem.certspec
@@ -0,0 +1,2 @@
+issuer:Test CA
+subject:doesntmatch.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/mitm.pem b/security/manager/ssl/tests/unit/bad_certs/mitm.pem
new file mode 100644
index 0000000000..29181ab095
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mitm.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+jCCAeKgAwIBAgIUU4/FdNL/Ag71+mAHWRYV1h6cRF8wDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOVGVzdCBNSVRNIFJvb3QwIhgPMjAyMTExMjcwMDAwMDBa
+GA8yMDI0MDIwNTAwMDAwMFowMDEuMCwGA1UEAwwlVGVzdCBlbmQtZW50aXR5IGlz
+c3VlZCBmcm9tIE1JVE0gUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab
+bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts
+Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI
+H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8
+rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX
+Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMfMB0wGwYDVR0RBBQwEoIQbWl0bS5l
+eGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEABA5ake5/3963f88QiBP87rs/
+2jnsI8uly83Jk7tw9xvAR7H6OAdcj/FCiTvYwlPPUcUKdEZVwrRk4YJnklAqtCiR
+9Li+i1g9ZbP2m+bIjJhg6vxQkKM3UeM17xERM7RdZ9o7axGozAmMl09gBGvSUVbD
+H2DsimUcD3iRjGyA9PH/IAOvCPK2Y5e6KyrrtqDgpgY4uMPMZq7P5spqf7DkLrW3
+TckaoxbyEiTy/EhwVmWS3AWHA7PJmD7BTUs6+m9AXnnHy4NjPQfAMALBhn6lCHe0
+QbxomBFUE/VvCk1mz9aPJvYRIl4zscMgCXTEbVqhnXck8b/GAs1xsrmvSUiVtw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mitm.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mitm.pem.certspec
new file mode 100644
index 0000000000..1439391f1b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mitm.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test MITM Root
+subject:Test end-entity issued from MITM Root
+extension:subjectAlternativeName:mitm.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem
new file mode 100644
index 0000000000..daba5ce3c2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAzCCAeugAwIBAgIUe4uQBKpHl7C9PFr1wsXlC3MT1N4wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjApMScwJQYDVQQDDB5FbmQtZW50aXR5IHdpdGggbm8gdmFsaWQg
+bmFtZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAGjNjA0MDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0
+cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAe1q3Kik/TDQW
+xhdRwHXBY+H5vwT6oWRNHj3KPH/fOwjNpSy5yEO0UIKDPzGzwb8yso7HDk+W+SrO
+n4Y+O6nRJbA+qU2ntCyzD5FfAuRqSuT0v6dVnzzgCOFtqwctr3W6CYAxMBm05shl
+kJcvW0mU7sDvVTQLWU41AAHN7UBHHK57rJIqJEvBIJN2hGm3yhEfj/XceAuFx33a
+fiZ4hUtYBlkrrbl/lVw3AwB0DDGIkngOShK+eSRmXtXd8anKtzKkMHAVDhn9/dFh
+FNI0R/FLdKo8Jb7DSXdBCufRwnHeZjeyzm4hWIofI2x+ibByQDYTOphv0YcDDoR5
+zlyArDIhog==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem.certspec
new file mode 100644
index 0000000000..87088e87e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test CA
+subject:End-entity with no valid names
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem
new file mode 100644
index 0000000000..79cc10aa68
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJjCCAg6gAwIBAgIUH+AmYB0Pf6g+gBjtVqu94DStb3UwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDMxMDEwMTAwMDAwMFoYDzIwMzIw
+MTAxMDAwMDAwWjAoMSYwJAYDVQQDDB1Ob3QgWWV0IFZhbGlkIFRlc3QgRW5kLWVu
+dGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u
+togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6
+pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL
+KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq
+fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv
+Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za
+GAo17Y0CAwEAAaNaMFgwIgYDVR0RBBswGYIXbm90eWV0dmFsaWQuZXhhbXBsZS5j
+b20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0
+Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQB1xgChilLhS38NJG3FU3vyD8LN3uGV
+wgzFB33egzO4s4GkPK5zjGpkyQG0ofYFmlbP8NpVrjKykbhbgusdvsZOknuPBBAJ
+jgHDrt5fdT4ah7xlRr+o4KC8RpYOZ8pGy6eoheCZZdNvhV3cDVxYWrkFZbdbtvw9
+YqqgpgiFx/j85ZqFudq/ApdMwcueZWPjmc47Y2fsTtrqO7rVVtX9FrG4O3BWcrVH
+5RJpwN5mBsC//zNhhuvaGNWZB3XGNH0wgxEweI+cpfufWHnshJFKoEESJBrdHywz
++kuH3ha9W3JwyorON9M7uduDBdUBsjwjwLpYLd+Saie6X+XjROrGYe8f
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem.certspec
new file mode 100644
index 0000000000..5b60c29ebe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Not Yet Valid Test End-entity
+validity:20310101-20320101
+extension:subjectAlternativeName:notyetvalid.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem
new file mode 100644
index 0000000000..0a111582bf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6zCCAdOgAwIBAgIUW7kXNYkW5OLObAOtdMQ9uL8FHUkwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDMxMDEwMTAwMDAwMFoYDzIwMzMw
+MTAxMDAwMDAwWjAqMSgwJgYDVQQDDB9Ob3QgWWV0IFZhbGlkIFRlc3QgSW50ZXJt
+ZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB
+/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRx
+CHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMC
+OosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdm
+Wqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGz
+ey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUD
+rNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq
+hkiG9w0BAQsFAAOCAQEAJgm8BvVnIEy9uGjgTxLcNnIoOZeLgQ9CPrNir6RHzGIK
+1hIHcNCDdC2mDc9DvyQ8MQPzJvAiMAOvo1v8yHDijC/mmYi6hTGuC6hDxF2YHKXu
+8VZZOSMdaE9pkKUQ8sckzKMS+Oxw8EJOV7VeW/WZsSLKSpba0qAioae7wEBMg0QS
+0Mp72+l4nMMUG5T/gzea6gy/nGTb0ghV97K1r5jekFNuy1pZZbKun9lLd9KJNmEs
+XiJCn2M7Ce3nEhJfaJcDmz9sde4HOlJ/BVLV9ljkOL2cQ3TxdEkLT9/Unp9dmcLo
+1sdvWkwimWiKT3XAs6Df64uM4GYl3PqPH5tQmUyPFg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem.certspec
new file mode 100644
index 0000000000..8a00f2ee23
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Not Yet Valid Test Intermediate
+validity:20310101-20330101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem
new file mode 100644
index 0000000000..1fb6797b43
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUDCCAjigAwIBAgIUfcJn/g+oQNFi8fCskf4b5iUfOVQwDQYJKoZIhvcNAQEL
+BQAwKjEoMCYGA1UEAwwfTm90IFlldCBWYWxpZCBUZXN0IEludGVybWVkaWF0ZTAi
+GA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjA0MTIwMAYDVQQDDClU
+ZXN0IEVuZC1lbnRpdHkgd2l0aCBub3QgeWV0IHZhbGlkIGlzc3VlcjCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
+SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
+K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
+bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
+JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNg
+MF4wKAYDVR0RBCEwH4Idbm90eWV0dmFsaWRpc3N1ZXIuZXhhbXBsZS5jb20wMgYI
+KwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgv
+MA0GCSqGSIb3DQEBCwUAA4IBAQCBdqR1GuJPvGxqGIJ1LxBnXfO7hd7uwJhPavoD
+8I9x+c7xy3avQat3GgC+IeWUTp7yr5VVNf/XXfi0nDo1RCiD10QsPVJ4FIXJi9VS
+pIorZQBorqAYmpEzV57wTvoIAJGFZLqBrgLZjQQU9x3TmnH0rm30ZMKWNxQTflSt
+PdqIw9twMtJ1SvYEFpaGHakCWng6bdwC31E4b8+6MD90vsA/8/p7T3HQ3CmDRa0c
+3jTKZZ2QF+bqYzSxw3M190UE2hJVj61WHnFodkWUF0Zye/e3EsVlIt9nPmjPQVSS
+BSMXf8JdX88ozxwbgDyzdBpKY+c7IEpow1EOwbTyG907vkFs
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem.certspec
new file mode 100644
index 0000000000..d8420898e7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Not Yet Valid Test Intermediate
+subject:Test End-entity with not yet valid issuer
+extension:subjectAlternativeName:notyetvalidissuer.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem
new file mode 100644
index 0000000000..4f3dba1d61
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgIUX1ns5qA13/2mu4/kkB99AW7E32MwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAeMRwwGgYDVQQDDBNuc0NlcnRUeXBlIENyaXRpY2FsMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+oz0wOzAjBgNVHREEHDAagglsb2NhbGhvc3SCDSouZXhhbXBsZS5jb20wFAYJYIZI
+AYb4QgEBAQH/BAQDAgZAMA0GCSqGSIb3DQEBCwUAA4IBAQAzZtCyx0wSezpVnRYF
+stt0iAJyTPXPQNppz30cACWIEGPf88CvlYN/4LLFVRZ1Q1IuRghChDIYSv66qGt5
+D9RZRPzMhJ9FyQbh7UQ8pgSa6MoyaALLydACO7yZQgl3VCFEOzTsYwgasrJ0xK5I
+670hkVIPEDlfUxs+afvq0uzdJnuFpI3BdlSmAs9+EK4t5Dh+1msuYmdjl2D+7BRS
+SW7UTLB7EskZtWTNBGmhsIC7sUOamDlUYVbjV3Dt3Q/845sl/a9lsNZawzxzEn6X
+oPorbWHwvplhtx8Z4xa/d7PgyN/11x0HB/wT/oNLfWkDuas73ObfiPS3ud0NuyTz
+1VYg
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem.certspec
new file mode 100644
index 0000000000..b236bdea47
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:nsCertType Critical
+extension:subjectAlternativeName:localhost,*.example.com
+extension:nsCertType[critical]:sslServer
diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem
new file mode 100644
index 0000000000..58271b08ee
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMDCCAhigAwIBAgIUd+v+QT/3riqABXPmtHDCRIIxatYwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAvMS0wKwYDVQQDDCRuc0NlcnRUeXBlIENyaXRpY2FsIFdpdGgg
+ZXh0S2V5VXNhZ2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjXTBbMCMGA1UdEQQcMBqCCWxvY2FsaG9zdIINKi5l
+eGFtcGxlLmNvbTAUBglghkgBhvhCAQEBAf8EBAMCBkAwCQYDVR0TBAIwADATBgNV
+HSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAKVajR2vlz1QcIzlK
+B23stAjqBtcf+DJI0bwSNWjfJ02fugSDo2H1tTQlNjzA2ayqkMLKdB7Ku7GFrz3U
+VX2Xx0iMeaCumQdETIdEz2MhtlStPQcTZ22t4Pb9sMFZQmyeTMH6cU831myosyGa
+LvGDYQMHIpml9XIi4gqLzyLQI9rshlsgvKN8vp0nyAERQYjw26x3U9Od6jYZzeOm
+73E8KJ2zLOMRbxzz0HjeEkxCMcSjW+AdXL15w/d0B7+Uw2ZdFRMOGtxnwf6F9bgM
+l5uCj5D3hsdfhoAF6sPHZDKGK+TbO0ZGjpOXRAZsTEN/jsR5evRN0lIE0vJ6dSHA
+N1uLVw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem.certspec
new file mode 100644
index 0000000000..0ae63e20f2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem.certspec
@@ -0,0 +1,6 @@
+issuer:Test CA
+subject:nsCertType Critical With extKeyUsage
+extension:subjectAlternativeName:localhost,*.example.com
+extension:nsCertType[critical]:sslServer
+extension:basicConstraints:,
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem
new file mode 100644
index 0000000000..3aa7d7c6c1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDADCCAeigAwIBAgIUCQTyCes+6a+Y+69OlFxl12IzBpswDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAiMSAwHgYDVQQDDBduc0NlcnRUeXBlIE5vdCBDcml0aWNhbDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAAaM6MDgwIwYDVR0RBBwwGoIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tMBEG
+CWCGSAGG+EIBAQQEAwIGQDANBgkqhkiG9w0BAQsFAAOCAQEAqYcAU8y2+5/Wfl3F
+ERZGxefQeivQXfa4pZg67fiN2Y0rNWodmTmOVlqFyBVwTO3q2Y63SBI/FyIB7dzV
+wUPW0GHk3WaGO7mOXB5H2URqlrdXJh/Tn7hXUHq+85tr3TgysWsJJZ/2CCve2OtX
+Jr1F3XiPvtHnHyKz8vONQrkIx93l+uSh/Jjr1M4Y+96XOgRLe3UBQ0KzWZVjeyP5
+i3yS4bZbNUyjk2uYvniY0nlJo0pSpD9tXLMiTrc0rSAj/0uvxI216YI0CptvypHY
+/G/U2ZTvk96bmL/9zily1tmmjZT+tznnzTnsTSszPBzkU4gpJ3avWnbBxoC76JAN
+bf9Uig==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem.certspec
new file mode 100644
index 0000000000..a44a1feeef
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:nsCertType Not Critical
+extension:subjectAlternativeName:localhost,*.example.com
+extension:nsCertType:sslServer
diff --git a/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem
new file mode 100644
index 0000000000..f4ee143e74
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDfzCCAmegAwIBAgIUUTjaq6eT9McB+Ix6ki/STTQfzwgwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAnMSUwIwYDVQQDDBxXcm9uZyBDQSBQaW4gVGVzdCBF
+bmQtRW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwXXGUmYJ
+n3cIKmeR8bh2w39c5TiwbErNIrHL1G+mWtoq3UHIwkmKxKOzwfYUh/QbaYlBvYCl
+HDwSAkTFhKTESDMF5ROMAQbPCL6ahidguuai6PNvI8XZgxO53683g0XazlHU1tzS
+pss8xwbrzTBw7JjM5AqlkdcpWn9xxb5maR0rLf7ISURZC8Wj6kn9k7HXU0BfF3N2
+mZWGZiVHl+1CaQiICBFCIGmYikP+5Izmh4HdIramnNKDdRMfkysSjOKG+n0lHAYq
+0n7wFvGHzdVOgys1uJMPdLqQqovHYWckKrH9bWIUDRjEwLjGj8N0hFcyStfehuZV
+Lx0eGR1xIWjTuwIDAQABo4GtMIGqMHQGA1UdEQRtMGuCKCouaW5jbHVkZS1zdWJk
+b21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5z
+LnBpbm5pbmcuZXhhbXBsZS5jb22CFSoucGlubmluZy5leGFtcGxlLmNvbTAyBggr
+BgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8w
+DQYJKoZIhvcNAQELBQADggEBACq2BJPXiEEa2S95CPlJuTxEZMyzrrWWhdEHsLHP
+raOfY3Ct/XziwlYO3CJ7NrVGfrHmrBbROLqenbXLD0HwQp/WxY61fOIQeALVZmCU
+sxsDYiLhdFTyT7K/vd33SW+Mq2+L6yWr8B6ElSidNCnQdExcnROkwy8mjPEitq3o
+2iEDBeCfVG3aOo5AxW/JJFeusyRU6+Jo6voM2mpzpTVjEx22SoJBORon4knQsw42
+OjyD8SeU2n7Rwq5biDHQP+y8Gx7bZt5UFIaE/nLP7Hn+8NQau8bJihrK2yCdKJCK
+VKx9rPxi9I6txANEx33WCzlxq5Bi8PZHH6aduLGofTFFNR8=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem.certspec
new file mode 100644
index 0000000000..a905a66ac2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem.certspec
@@ -0,0 +1,6 @@
+issuer:Other test CA
+subject:Wrong CA Pin Test End-Entity
+issuerKey:alternate
+subjectKey:alternate
+extension:subjectAlternativeName:*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com,*.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key
new file mode 100644
index 0000000000..abde350c28
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBdcZSZgmfdwgq
+Z5HxuHbDf1zlOLBsSs0iscvUb6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBIC
+RMWEpMRIMwXlE4wBBs8IvpqGJ2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzH
+BuvNMHDsmMzkCqWR1ylaf3HFvmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZm
+JUeX7UJpCIgIEUIgaZiKQ/7kjOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW
+8YfN1U6DKzW4kw90upCqi8dhZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4Z
+HXEhaNO7AgMBAAECggEAfj9tfLg572auXX3ZL/VBC7NB3BRyjTkDRXDho3B5DzDw
+aBNV//QeKtTpqdn86/vRJ736uMAK/7Hzzqcyfq1HqhYh8qwe4UygLwSzsnhgF5gL
+GBpEnQOwPmnRErg1ceVUNPASBWV10oMu1nMdznmeN8g/bVHFWrcetYAVrwXhrxXH
+R2A+9/J9A6b/BJ2Wu/hUweTlDvWwWND7CBgOCsf3vo8v8Wc9l/yeVduoOAd7v4p8
+/ylihXeFJpzZ1brStXRp5K/NM8TKLS9pnxHnyPvc1ITwjY77ijy4qXLrJL7Zcu+q
+5LtxIJPkj+lKRutimodQeMQCGposk8mnA5Dp0KVEAQKBgQDmP8clprp2klp/+MtZ
+xPVt1+yD/oW/H1PhHKyagSWLz8CugZB3sPLRR3qvho3mqOy+r3uyKxlvKprYLTKG
+8NDMKd5xnl8r6OUJtyhNWWPt02L5J4h6TEqJeZ00DVGzAax2AasnF5Ak/KrdOL9l
+Iq9j6xZGHsAqfyewb+Cd3afAoQKBgQDXGLH+n4+Z8A6DKuH73G/iqyfzTgScSYAQ
++g63CEhSGCNGCDtclsPu5VksAUpBDGuTCxZcE7XCaqMurG58klqFUcJRNPL0pyxk
+IfGacxSKDt+rpdOmiIs1y6GMAP047lqvC1RXMdcgdhu8ze50SlLKQV6Y5N4Bzf52
+TBlns+jK2wKBgAHlrKJmyUqI0i4TwrkuokcRbGV6B2gXvf0w20s6nTCVuaS2dJZH
+4vhOenhPx4OLCMhZcc96A2+jDjuRw8TQ3yePgMG26FnYRWrbE33vqp8fCsW6yakY
+T9TqJ51yLqYm8WDXiq17yDhFzLKd8RXIP2G3YiuZvUOcYJtXkKY8WVGBAoGBAIDM
+RdENJITuDRKX/Ae/gLO+/0Yeon4fOPNxeJw69mtKDt0hksIneR208cd64ka/NC8x
+hWsPVlgbWKlbETHAxTltsqjDxvOeouM2vCBa5qKgs2hp/KmMu6czzwExmm+bsmt8
+oj0wF/xVHNjaiv3Rf2+i4w00hoeYHNYjTVcekLffAoGAb3fAwfKuesFpVhzKSZxS
+vfvgTN3M29wSrsWoVpHoWUt+4pkI8w57lqpiVLgO1K7sm5k3gr38ebadjVjGiHD6
+S+G8DDUnKIxcgrtK668V7f8RBAP8eOas5qgoJ79C8M+nUeUHZRxWONuTk90j3R9r
+KVFR3kS3f+Vaew3yceGaZcA=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key.keyspec
new file mode 100644
index 0000000000..cbd5f309c0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key.keyspec
@@ -0,0 +1 @@
+alternate
diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem
new file mode 100644
index 0000000000..a2e264030a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIURym6o+VN9xgZXT/QLrvN/nv1ZN4wDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoY
+DzIwMjUwMTAxMDAwMDAwWjAYMRYwFAYDVQQDDA1PdGhlciB0ZXN0IENBMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2w39c5Tiw
+bErNIrHL1G+mWtoq3UHIwkmKxKOzwfYUh/QbaYlBvYClHDwSAkTFhKTESDMF5ROM
+AQbPCL6ahidguuai6PNvI8XZgxO53683g0XazlHU1tzSpss8xwbrzTBw7JjM5Aql
+kdcpWn9xxb5maR0rLf7ISURZC8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1CaQiICBFC
+IGmYikP+5Izmh4HdIramnNKDdRMfkysSjOKG+n0lHAYq0n7wFvGHzdVOgys1uJMP
+dLqQqovHYWckKrH9bWIUDRjEwLjGj8N0hFcyStfehuZVLx0eGR1xIWjTuwIDAQAB
+ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC
+AQEAtXplrvls6HSbbibpzfGxOPmSuh2TH05bE4vQk+d7Kz6EOAFvgTiZbLwTxbrQ
+gfrM05t+67C2nAeiwAtW34nUnu6S8MYA6mJjURWICbl7cAvCHuNjg1atVr6f1Y+9
+VFFG6aUibw3bzKneREmDEVcxlEWUaMvv/JjfyMA5veSyX6iTJYkIBrEiVV5Alzg5
+yVHBi6+tpuJDO/YLlG8kmfzkYeJkTyAGx1EJ2yQHim7R232638yb0KrhS4zKsfFU
+egHhM4c+MpiCLc9q2EgblbYGx5GM+2leuzXunj1KPClHFrnmkRRm3rcESG2pK9RN
+/48Nd38VNofRojEbzDSCdOFmow==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem.certspec
new file mode 100644
index 0000000000..3bc975aa22
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem.certspec
@@ -0,0 +1,7 @@
+issuer:Other test CA
+subject:Other test CA
+issuerKey:alternate
+subjectKey:alternate
+validity:20150101-20250101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem
new file mode 100644
index 0000000000..312d57f83f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDeTCCAmGgAwIBAgIUO0qfW1Ku2EK6yQlpOYG16M3C88MwDQYJKoZIhvcNAQEL
+BQAwMzExMC8GA1UEAwwoVGVzdCBTZWxmLXNpZ25lZCBFbmQtZW50aXR5IHdpdGgg
+Q0EgdHJ1ZTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAzMTEw
+LwYDVQQDDChUZXN0IFNlbGYtc2lnbmVkIEVuZC1lbnRpdHkgd2l0aCBDQSB0cnVl
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABo4GAMH4wDAYDVR0TBAUwAwEB/zAyBggrBgEFBQcBAQQmMCQwIgYIKwYB
+BQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wOgYDVR0RBDMwMYIvc2VsZi1z
+aWduZWQtZW5kLWVudGl0eS13aXRoLWNBLXRydWUuZXhhbXBsZS5jb20wDQYJKoZI
+hvcNAQELBQADggEBAKHo7nO705MnFJrD51zJX5feNUmVlItGBRK67CO777vGRqYA
+YxBpKuugPxWvBVI7+P3SRvAQAL6vg9fUlf3OHkT4WISyQ06ru9V3kQXbJhS62fe8
+qKfom/iyDErkLEGojXqCoE13gsuQEXCbEKj1sLdKU1gpKA2iSooMkKvlJbhmlNjF
+Hy77/zZ7AeOmUblRMfhm8wF/AeoXSB+/JonOZ5MBCsKrjjK8vzDWBXICR2t/Uwce
+McvUFs5EiPJlveJ7POdUSQmQxnj0F9jdWF67tMLmktmMynEdSUv+9D++uUSSCbuS
+KU3Y4z6ntndjkhiyTQim9vETxcB92sfkIp4fZC4=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem.certspec
new file mode 100644
index 0000000000..0ca92d7fd1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test Self-signed End-entity with CA true
+subject:Test Self-signed End-entity with CA true
+extension:basicConstraints:cA,
+extension:authorityInformationAccess:http://localhost:8888/
+extension:subjectAlternativeName:self-signed-end-entity-with-cA-true.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem
new file mode 100644
index 0000000000..2ab5904543
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhzCCAm+gAwIBAgIUdTEF+B9EJBrvwu6jqdZB5MXb5ogwDQYJKoZIhvcNAQEL
+BQAwNTEzMDEGA1UEAwwqU2VsZi1zaWduZWQgSW5hZGVxdWF0ZSBFS1UgVGVzdCBF
+bmQtZW50aXR5MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMDUx
+MzAxBgNVBAMMKlNlbGYtc2lnbmVkIEluYWRlcXVhdGUgRUtVIFRlc3QgRW5kLWVu
+dGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u
+togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6
+pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL
+KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq
+fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv
+Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za
+GAo17Y0CAwEAAaOBijCBhzALBgNVHQ8EBAMCBDAwEwYDVR0lBAwwCgYIKwYBBQUH
+AwEwLwYDVR0RBCgwJoIkc2VsZnNpZ25lZC1pbmFkZXF1YXRlRUtVLmV4YW1wbGUu
+Y29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9z
+dDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAats49K5yDWP8zxxbODXI9VItMfOG
+j2E8QdcFPYRVgkIcmM6chajB3IX0K9cua1fIyXaiFK4ZukXY5IClrNa3K4mchyrW
+t/sL0hd1JNcSiFpYRXuKlmmTh/29PUP3sFo29p4fmXTlEGNmZG10r+RMlnh1/iWz
+H0MmLqE7iabjD91IxR79bRNnaewvmB7p4ccVc/Oh2iJSdd1JhrHljYBL4vTBz8Jb
+1+1zHqgCIf0+Bd9sTHnuu6+iB8hAqcoQVs9RqCjdisgx0+hzjGTmPummdF7xxDdt
+meUKn8pbzUadJuna5SyRN0bXIRVicqi4/dw+gYgb80uA7BUYgqiXhzJnmQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem.certspec
new file mode 100644
index 0000000000..477b90ce14
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem.certspec
@@ -0,0 +1,6 @@
+issuer:Self-signed Inadequate EKU Test End-entity
+subject:Self-signed Inadequate EKU Test End-entity
+extension:keyUsage:keyEncipherment,dataEncipherment
+extension:extKeyUsage:serverAuth
+extension:subjectAlternativeName:selfsigned-inadequateEKU.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem
new file mode 100644
index 0000000000..a949efa150
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNzCCAh+gAwIBAgIUQx4TWJqQt0JuIih8qLKCOJxOUMkwDQYJKoZIhvcNAQEL
+BQAwJjEkMCIGA1UEAwwbU2VsZi1zaWduZWQgVGVzdCBFbmQtZW50aXR5MCIYDzIw
+MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCYxJDAiBgNVBAMMG1NlbGYt
+c2lnbmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x
+nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM
+wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF
+4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20
+yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx
+j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNZMFcwIQYDVR0RBBowGIIWc2Vs
+ZnNpZ25lZC5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGG
+Fmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBAA8/4PSt
+7wsHx00uSCMH+mDAwnI6YqmwoWQWg2qq6Ul4mXvupDqaGjXCi3LA+7wP+YXlzXz3
+GJzQopXQ0XObiXNK34GNlTL+8Sk3rvOO88y5hmRpqNxXNCqj0UNaTfqDApYhydET
+/EoowMbObWWKUknQxxH4XxOgXfr11XBLOgmCWUF1ZUZRRxzhDNfeR7GIInw7Z+bP
+a/ghCqgSqaqupQUky21bx6tT6Vte/NEGZSE0NptiatOwkdB3pTaN9ix3firArKhx
+phEkGr2JxWcCAQY14+4Qg/gII2YRY0AMV3ruHjayItpe0SOTxPvJLa//InmUcsof
+eNBIC56EPJcm2U8=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem.certspec
new file mode 100644
index 0000000000..99a814be17
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Self-signed Test End-entity
+subject:Self-signed Test End-entity
+extension:subjectAlternativeName:selfsigned.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/test-ca.pem b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem
new file mode 100644
index 0000000000..67e7ca56e8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUP5NBbozOXrtwcuQwu3pzUXbOl7owDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEABBSMkSBFq/bK
+LpntIx6QJdqPtmnjdjwTpCbQyKKfQjjrazCfru5SheZq7ACtQ0uWFokUOQhB+Xvv
+sqy9HqJhK4UN0zfNPjtkHOSbNefWXOseEzA6XxuaCzQXWOp1WNNPnfdtYZizy6hT
+fKuKjhniKLmIQD61KNl7Ev1hWUhWC7R8U+IFztXusYYFUUmqqaZ/v7lNfY1sHu4k
+zHQFp+xqeaXvkoRpTXhoSdwDQ7ldquwqMM0NIQXlhtcmg7IYwZBGlJgzoejN4k2H
+2WycvxPW70I10NeAAhtie1+K4JHwr6/SLLwCCnJDoRMMpMhM9/853Ye/4PTDGhuK
+fqhEoHH9Ig==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/test-ca.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem.certspec
new file mode 100644
index 0000000000..5d2435d7bb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test CA
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/test-int.pem b/security/manager/ssl/tests/unit/bad_certs/test-int.pem
new file mode 100644
index 0000000000..08249b863e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/test-int.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25iBPOkIMwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMjUw
+MTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
+SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
+K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
+bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
+JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMd
+MBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEB
+AILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC2BQF0kMEEB547p+Ms8zdJY00
+Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77TkfmnSnxvPi+0nlA+eM
+8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22+AIU7w6wyA
+IbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubjiMr3
+B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpyk
+rGFLvocT/kym6r8galxCJUo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/test-int.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/test-int.pem.certspec
new file mode 100644
index 0000000000..33b42c2f41
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/test-int.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate
+validity:20150101-20250101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem
new file mode 100644
index 0000000000..30143bb1ba
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDqTCCApGgAwIBAgIUP5JozopIN1u1syfEtUDb+7eHSs0wDQYJKoZIhvcNAQEL
+BQAwJjEkMCIGA1UEAwwbVGVzdCBJbnRlcm1lZGlhdGUgdG8gZGVsZXRlMCIYDzIw
+MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMC4xLDAqBgNVBAMMI1Rlc3Qg
+RW5kLWVudGl0eSBmcm9tIHVua25vd24gaXNzdWVyMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4HCMIG/MIGIBgNV
+HREEgYAwfoIZdW5rbm93bmlzc3Vlci5leGFtcGxlLmNvbYI0dW5rbm93bmlzc3Vl
+ci5pbmNsdWRlLXN1YmRvbWFpbnMucGlubmluZy5leGFtcGxlLmNvbYIrdW5rbm93
+bmlzc3Vlci50ZXN0LW1vZGUucGlubmluZy5leGFtcGxlLmNvbTAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBAI2lkdtGlY+mEsp+k/1OMPP14sB/Rn3OY6Y0FNKKIrugQXa4
+V53aA0Uiopb5O+dCp9t6O6qX8hmiZkqO/24FnpJyT9HKGZWCA95gBAduVK27+LKz
+9a4HEnj5QuhtZw8oProRIukhgOr6AjJvzg1KNh0oJ67IIoqqwzZFFfOGNjoT3Rgu
+Z8WyMFPMI+ZTP7cHriMSPhAOz7v0d4zfRHmSBS+j3nyOkzFBSrjk8i2ODDXjsxjP
+RyCOAFXJRcoHUhY1E7WJ0qGGT3ckOD4gQ0NSJ8yGDtGqSCmoiQiGts9V7NVmnTfN
+RD9Q8KYGkyiZ6LpnQIN08aNZkkuflirZnl5zP4k=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem.certspec
new file mode 100644
index 0000000000..a735c730ca
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test Intermediate to delete
+subject:Test End-entity from unknown issuer
+extension:subjectAlternativeName:unknownissuer.example.com,unknownissuer.include-subdomains.pinning.example.com,unknownissuer.test-mode.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem
new file mode 100644
index 0000000000..921d14583f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNjCCAh6gAwIBAgIUGTh5myT/JfbNsso9a1ZhGr8B11gwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoY
+DzIwMTMwMTAxMDAwMDAwWjAsMSowKAYDVQQDDCFVbnRydXN0ZWQtRXhwaXJlZCBU
+ZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
+iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
+4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
+8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
+Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
+77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
+I/pyUcQx1QOs2hgKNe2NAgMBAAGjYDBeMCgGA1UdEQQhMB+CHXVudHJ1c3RlZC1l
+eHBpcmVkLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
+aHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAMktkDNyd
+MHFk4K4dcOfi0McOkxvdZW6/Nqts51scx8A3q8sT5pdW3ftBjvN7O+3c1cNGoThG
+9SA6uLDV2NT2EQp65yxMZe8j1OHX3qybqZ/RVY5r7VHF4JDsPHHXsgew5+CRGraj
+MTIFUqmgAYLMcv74vB0OLIt3JL4XnHVP7atULMLJrOP8QUmkUhZ49MDqyslN0i6w
+X7KwhdM00+JKadqUFqOAfhacMHsH5ErsQ3LXrQRMJiFoaVbElMy9e/jJmY7rg4pw
+0EMnkt+Vj650FkWsCnLndBia+6z+81L4EZ7uwBeeks2fYhXt85qqkuzmZq2T2diu
+ArcEblKIbUYlVg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem.certspec
new file mode 100644
index 0000000000..3efd1ce677
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Other test CA
+subject:Untrusted-Expired Test End-entity
+validity:20110101-20130101
+extension:subjectAlternativeName:untrusted-expired.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem
new file mode 100644
index 0000000000..44466870b7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDODCCAiCgAwIBAgIUFTheHxum5x5zarr+9tuaXVyal6kwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAwMS4wLAYDVQQDDCVUZXN0IEVuZC1lbnRpdHkgd2l0
+aCB1bnRydXN0ZWQgaXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu
+Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO
+7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf
+qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt
+HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx
+uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo14wXDAmBgNVHREEHzAdght1bnRydXN0
+ZWRpc3N1ZXIuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAB
+hhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQA4nTja
+7NV7jYhyX3eDGfoWyCHVM2PRIglZrHN1JsmzUOfyrw9T4jF2Jnuvl9lF0SyuBm+N
+X1lXJK4z8VYfM3t1SlGe2qwl+nXiYwoCFl0mfbBuihQNxa3eLWAmjz5ZghStjFwz
+QGwkgrsCaP8gKcU2j94KVhWaAXJJzBe1OPVJUhrjQjG4Q7mhon7qRrRYJaDR4GOe
+bLhJvrZO14Embo81DejBzoIHYeONhz9RqrTjcH15qpxwU8mX/DAZfkPlR85LY3F9
+FTBy7wEGuvoPZbWjtQEZMTeMdyJ1DZyi7TNFkJksf8b5oXtCGzftOv3cJeZIUYQs
+ZmUfzPtaDC9YkAeP
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem.certspec
new file mode 100644
index 0000000000..5ba0bc2535
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Other test CA
+subject:Test End-entity with untrusted issuer
+extension:subjectAlternativeName:untrustedissuer.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem
new file mode 100644
index 0000000000..8c24bc3d0b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrzCCAZcCFE8qjyl3WPAoW1Gpnx3TBAEyJJU6MA0GCSqGSIb3DQEBCwUAMBIx
+EDAOBgNVBAMMB1Rlc3QgQ0EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowEjEQMA4GA1UEAwwHVjEgQ2VydDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY
+H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk
+27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9
+0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM
+kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL
+L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsFAAOC
+AQEAqUwUJ06FNvZWgq5++nr3wKmfEW/hOI2Mr3+xjDbuvYm8/Z+H+TtIDgqJ+Ryf
+pxTL5/tGFmriX20DC9b+ZtZyEYVZFHbM/WmhKZlp6zfzxODErmX1JuPg+Ue0zCoz
+zQXTda4jB1j39LT88Ci5CLSnNrWFcbHxEp5nmikC6N76Whcw/4OflP0ui/MPeAu7
+wH5Ql7PzL3+m4HtCgri9Jgd/6LWkSeK2mN8AmnLUbV2szXi63eTrYxQ0KcxjTcuN
+4M2PuIXiI3c7V0jjfhIHc09lGUnLeh5pIQSQ17EMVMuh6sUjY26Gczj9CuWGZ+gS
+6B5LY90vNcK+MYRMF2jyXEt1Lg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem.certspec
new file mode 100644
index 0000000000..7824630bbc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test CA
+subject:V1 Cert
+version:1
diff --git a/security/manager/ssl/tests/unit/corrupted_crlite_helper.js b/security/manager/ssl/tests/unit/corrupted_crlite_helper.js
new file mode 100644
index 0000000000..2587c5dad9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/corrupted_crlite_helper.js
@@ -0,0 +1,103 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Helper file for tests that initialize CRLite with corrupted `security_state`
+// files.
+//
+// Usage:
+// Define nsILocalFile variables for the `crlite.filter`, `crlite.coverage`,
+// and `crlite.enrollment` files that should be copied to the new profile, and
+// then load this file. The variables should be called `filter`, `coverage`,
+// and `enrollment`, respectively. To omit a file, leave the corresponding
+// variable `undefined`.
+//
+// Example:
+// let filter = do_get_file("some_test_dir/crlite.filter");
+// let coverage = undefined;
+// let enrollment = do_get_file("some_test_dir/crlite.enrollment");
+// load("./corrupted_crlite_helper.js");
+//
+// Note:
+// The cert_storage library only attempts to read security_state once. So
+// this task can only be included once per test file.
+
+"use strict";
+
+/* eslint-disable no-undef */
+
+add_task(async function test_crlite_corrupted() {
+ let securityStateDirectory = do_get_profile();
+ securityStateDirectory.append("security_state");
+
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeEnforcePrefValue
+ );
+
+ if (coverage != undefined) {
+ coverage.copyTo(securityStateDirectory, "crlite.coverage");
+ }
+ if (enrollment != undefined) {
+ enrollment.copyTo(securityStateDirectory, "crlite.enrollment");
+ }
+ if (filter != undefined) {
+ filter.copyTo(securityStateDirectory, "crlite.filter");
+ }
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+
+ // This certificate is revoked according to `test_crlite_filters/20201017-0-filter`.
+ // Its issuer is enrolled according to `test_crlite_preexisting/crlite.enrollment`,
+ // and it is covered according to `test_crlite_preexisting/crlite.coverage`.
+ let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+
+ // The issuer's certificate needs to be available for path building.
+ let issuerCert = constructCertFromFile("test_crlite_filters/issuer.pem");
+ ok(issuerCert, "issuer certificate should decode successfully");
+
+ // If we copied a corrupted file to security_state, then CRLite should not be
+ // initialized, and we should fall back to OCSP. By setting
+ // Ci.nsIX509CertDB.FLAG_LOCAL_ONLY here we skip the OCSP test, so there's no
+ // revocation checking, and the revoked certificate should pass inspection.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ undefined,
+ "us-datarecovery.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+
+ // We should not have a filter or a stash.
+ let hasFilter = await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_FULL,
+ (rv, result) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve(result);
+ }
+ );
+ });
+ Assert.equal(hasFilter, false, "CRLite should not have a filter");
+
+ let hasStash = await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL,
+ (rv, result) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve(result);
+ }
+ );
+ });
+ Assert.equal(hasStash, false, "CRLite should not have a stash");
+});
diff --git a/security/manager/ssl/tests/unit/crlite_enrollment_id.py b/security/manager/ssl/tests/unit/crlite_enrollment_id.py
new file mode 100755
index 0000000000..2deb5ad379
--- /dev/null
+++ b/security/manager/ssl/tests/unit/crlite_enrollment_id.py
@@ -0,0 +1,33 @@
+#!/usr/bin/python
+
+# Given a PEM encoded X.509 certificate, outputs
+# base64(SHA256(subject || spki))
+# where `subject` is the RFC 5280 RDNSequence encoding
+# the certificate's subject, and `spki` is the RFC 5280
+# SubjectPublicKeyInfo field encoding the certificate's
+# public key.
+
+import sys
+import base64
+
+from cryptography import x509
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives import hashes
+
+if len(sys.argv) != 2:
+ print(f"Usage: {sys.argv[0]} <path to pem cert>")
+ sys.exit(1)
+
+with open(sys.argv[1], "r") as f:
+ cert = x509.load_pem_x509_certificate(f.read().encode("utf-8"), backend=None)
+
+subj = cert.subject.public_bytes()
+spki = cert.public_key().public_bytes(
+ format=serialization.PublicFormat.SubjectPublicKeyInfo,
+ encoding=serialization.Encoding.DER,
+)
+
+digest = hashes.Hash(hashes.SHA256(), backend=None)
+digest.update(subj)
+digest.update(spki)
+print(base64.b64encode(digest.finalize()).decode("utf-8"))
diff --git a/security/manager/ssl/tests/unit/crlite_key.py b/security/manager/ssl/tests/unit/crlite_key.py
new file mode 100755
index 0000000000..53d2b2aeaf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/crlite_key.py
@@ -0,0 +1,58 @@
+#!/usr/bin/python
+
+# Given PEM encoded X.509 certificates Issuer and Subscriber,
+# outputs the urlsafe base64 encoding of the SHA256 hash of
+# the Issuer's SubjectPublicKeyInfo, and the ascii hex encoding
+# of the Subscriber's serial number.
+
+import sys
+import base64
+
+from cryptography import x509
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives import hashes
+
+
+def uint_to_serial_bytes(a):
+ # Encode the non-negative integer |a| as a DER integer without the leading
+ # tag and length prefix. The DER encoding of |a| is the shortest octet
+ # string that encodes |a| in big endian two's complement form.
+ assert a >= 0
+
+ # Since |a| is non-negative, the shortest bit string that encodes it in
+ # big-endian two's complement form has a leading 0 bit. Positive python
+ # integers have a `bit_length` method that gives the index of the leading 1
+ # bit. The minimal two's complement bit length is one more than this.
+ #
+ # NB: Python defines |int(0).bit_length() == 0|. The other cases are more
+ # intuitive; for integers x and k with x >= 0 and k > 0 with 2**k > x we
+ # have |int(2**k + x).bit_length() == k+1|.
+ bit_len = 1 + a.bit_length()
+ byte_len = (bit_len + 7) // 8
+ return a.to_bytes(byte_len, byteorder="big", signed=False)
+
+
+if len(sys.argv) != 3:
+ print(f"Usage: {sys.argv[0]} <path to issuer cert> <path to subscriber cert>")
+ sys.exit(1)
+
+with open(sys.argv[1], "r") as f:
+ issuer = x509.load_pem_x509_certificate(f.read().encode("utf-8"), backend=None)
+
+with open(sys.argv[2], "r") as f:
+ subscriber = x509.load_pem_x509_certificate(f.read().encode("utf-8"), backend=None)
+
+assert issuer.subject.public_bytes() == subscriber.issuer.public_bytes()
+
+issuer_spki = issuer.public_key().public_bytes(
+ format=serialization.PublicFormat.SubjectPublicKeyInfo,
+ encoding=serialization.Encoding.DER,
+)
+hasher = hashes.Hash(hashes.SHA256(), backend=None)
+hasher.update(issuer_spki)
+issuer_spki_hash = hasher.finalize()
+
+subscriber_serial = uint_to_serial_bytes(int(subscriber.serial_number))
+
+print(base64.urlsafe_b64encode(issuer_spki_hash).decode("utf-8"))
+print(subscriber_serial.hex())
diff --git a/security/manager/ssl/tests/unit/head_psm.js b/security/manager/ssl/tests/unit/head_psm.js
new file mode 100644
index 0000000000..17f58ce62c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -0,0 +1,1187 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+"use strict";
+
+const { AppConstants } = ChromeUtils.importESModule(
+ "resource://gre/modules/AppConstants.sys.mjs"
+);
+const { ctypes } = ChromeUtils.import("resource://gre/modules/ctypes.jsm");
+const { FileUtils } = ChromeUtils.importESModule(
+ "resource://gre/modules/FileUtils.sys.mjs"
+);
+const { HttpServer } = ChromeUtils.import("resource://testing-common/httpd.js");
+const { MockRegistrar } = ChromeUtils.importESModule(
+ "resource://testing-common/MockRegistrar.sys.mjs"
+);
+const { NetUtil } = ChromeUtils.import("resource://gre/modules/NetUtil.jsm");
+const { PromiseUtils } = ChromeUtils.importESModule(
+ "resource://gre/modules/PromiseUtils.sys.mjs"
+);
+const { XPCOMUtils } = ChromeUtils.importESModule(
+ "resource://gre/modules/XPCOMUtils.sys.mjs"
+);
+
+const { X509 } = ChromeUtils.import("resource://gre/modules/psm/X509.jsm");
+
+const isDebugBuild = Cc["@mozilla.org/xpcom/debug;1"].getService(Ci.nsIDebug2)
+ .isDebugBuild;
+
+// The test EV roots are only enabled in debug builds as a security measure.
+const gEVExpected = isDebugBuild;
+
+const CLIENT_AUTH_FILE_NAME = "ClientAuthRememberList.txt";
+const SSS_STATE_FILE_NAME = "SiteSecurityServiceState.txt";
+const CERT_OVERRIDE_FILE_NAME = "cert_override.txt";
+
+const SEC_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SEC_ERROR_BASE;
+const SSL_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SSL_ERROR_BASE;
+const MOZILLA_PKIX_ERROR_BASE = Ci.nsINSSErrorsService.MOZILLA_PKIX_ERROR_BASE;
+
+// This isn't really a valid PRErrorCode, but is useful for signalling that
+// a test is expected to succeed.
+const PRErrorCodeSuccess = 0;
+
+// Sort in numerical order
+const SEC_ERROR_INVALID_TIME = SEC_ERROR_BASE + 8;
+const SEC_ERROR_BAD_DER = SEC_ERROR_BASE + 9;
+const SEC_ERROR_BAD_SIGNATURE = SEC_ERROR_BASE + 10;
+const SEC_ERROR_EXPIRED_CERTIFICATE = SEC_ERROR_BASE + 11;
+const SEC_ERROR_REVOKED_CERTIFICATE = SEC_ERROR_BASE + 12;
+const SEC_ERROR_UNKNOWN_ISSUER = SEC_ERROR_BASE + 13;
+const SEC_ERROR_UNTRUSTED_ISSUER = SEC_ERROR_BASE + 20;
+const SEC_ERROR_UNTRUSTED_CERT = SEC_ERROR_BASE + 21;
+const SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE = SEC_ERROR_BASE + 30;
+const SEC_ERROR_CA_CERT_INVALID = SEC_ERROR_BASE + 36;
+const SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION = SEC_ERROR_BASE + 41;
+const SEC_ERROR_PKCS7_BAD_SIGNATURE = SEC_ERROR_BASE + 47;
+const SEC_ERROR_INADEQUATE_KEY_USAGE = SEC_ERROR_BASE + 90;
+const SEC_ERROR_INADEQUATE_CERT_TYPE = SEC_ERROR_BASE + 91;
+const SEC_ERROR_CERT_NOT_IN_NAME_SPACE = SEC_ERROR_BASE + 112;
+const SEC_ERROR_CERT_BAD_ACCESS_LOCATION = SEC_ERROR_BASE + 117;
+const SEC_ERROR_OCSP_MALFORMED_REQUEST = SEC_ERROR_BASE + 120;
+const SEC_ERROR_OCSP_SERVER_ERROR = SEC_ERROR_BASE + 121;
+const SEC_ERROR_OCSP_TRY_SERVER_LATER = SEC_ERROR_BASE + 122;
+const SEC_ERROR_OCSP_REQUEST_NEEDS_SIG = SEC_ERROR_BASE + 123;
+const SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST = SEC_ERROR_BASE + 124;
+const SEC_ERROR_OCSP_UNKNOWN_CERT = SEC_ERROR_BASE + 126;
+const SEC_ERROR_OCSP_MALFORMED_RESPONSE = SEC_ERROR_BASE + 129;
+const SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE = SEC_ERROR_BASE + 130;
+const SEC_ERROR_OCSP_OLD_RESPONSE = SEC_ERROR_BASE + 132;
+const SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE = SEC_ERROR_BASE + 141;
+const SEC_ERROR_OCSP_INVALID_SIGNING_CERT = SEC_ERROR_BASE + 144;
+const SEC_ERROR_POLICY_VALIDATION_FAILED = SEC_ERROR_BASE + 160;
+const SEC_ERROR_OCSP_BAD_SIGNATURE = SEC_ERROR_BASE + 157;
+const SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED = SEC_ERROR_BASE + 176;
+
+const SSL_ERROR_NO_CYPHER_OVERLAP = SSL_ERROR_BASE + 2;
+const SSL_ERROR_BAD_CERT_DOMAIN = SSL_ERROR_BASE + 12;
+const SSL_ERROR_BAD_CERT_ALERT = SSL_ERROR_BASE + 17;
+const SSL_ERROR_WEAK_SERVER_CERT_KEY = SSL_ERROR_BASE + 132;
+const SSL_ERROR_DC_INVALID_KEY_USAGE = SSL_ERROR_BASE + 184;
+
+const SSL_ERROR_ECH_RETRY_WITH_ECH = SSL_ERROR_BASE + 188;
+const SSL_ERROR_ECH_RETRY_WITHOUT_ECH = SSL_ERROR_BASE + 189;
+const SSL_ERROR_ECH_FAILED = SSL_ERROR_BASE + 190;
+const SSL_ERROR_ECH_REQUIRED_ALERT = SSL_ERROR_BASE + 191;
+
+const MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = MOZILLA_PKIX_ERROR_BASE + 0;
+const MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY =
+ MOZILLA_PKIX_ERROR_BASE + 1;
+const MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = MOZILLA_PKIX_ERROR_BASE + 2;
+const MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA = MOZILLA_PKIX_ERROR_BASE + 3;
+const MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE =
+ MOZILLA_PKIX_ERROR_BASE + 5;
+const MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE =
+ MOZILLA_PKIX_ERROR_BASE + 6;
+const MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING =
+ MOZILLA_PKIX_ERROR_BASE + 8;
+const MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING =
+ MOZILLA_PKIX_ERROR_BASE + 10;
+const MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME = MOZILLA_PKIX_ERROR_BASE + 12;
+const MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED =
+ MOZILLA_PKIX_ERROR_BASE + 13;
+const MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT = MOZILLA_PKIX_ERROR_BASE + 14;
+const MOZILLA_PKIX_ERROR_MITM_DETECTED = MOZILLA_PKIX_ERROR_BASE + 15;
+
+// Supported Certificate Usages
+const certificateUsageSSLClient = 0x0001;
+const certificateUsageSSLServer = 0x0002;
+const certificateUsageSSLCA = 0x0008;
+const certificateUsageEmailSigner = 0x0010;
+const certificateUsageEmailRecipient = 0x0020;
+
+// A map from the name of a certificate usage to the value of the usage.
+// Useful for printing debugging information and for enumerating all supported
+// usages.
+const allCertificateUsages = {
+ certificateUsageSSLClient,
+ certificateUsageSSLServer,
+ certificateUsageSSLCA,
+ certificateUsageEmailSigner,
+ certificateUsageEmailRecipient,
+};
+
+const NO_FLAGS = 0;
+
+const CRLiteModeDisabledPrefValue = 0;
+const CRLiteModeTelemetryOnlyPrefValue = 1;
+const CRLiteModeEnforcePrefValue = 2;
+const CRLiteModeConfirmRevocationsValue = 3;
+
+// Convert a string to an array of bytes consisting of the char code at each
+// index.
+function stringToArray(s) {
+ let a = [];
+ for (let i = 0; i < s.length; i++) {
+ a.push(s.charCodeAt(i));
+ }
+ return a;
+}
+
+// Converts an array of bytes to a JS string using fromCharCode on each byte.
+function arrayToString(a) {
+ let s = "";
+ for (let b of a) {
+ s += String.fromCharCode(b);
+ }
+ return s;
+}
+
+// Commonly certificates are represented as PEM. The format is roughly as
+// follows:
+//
+// -----BEGIN CERTIFICATE-----
+// [some lines of base64, each typically 64 characters long]
+// -----END CERTIFICATE-----
+//
+// However, nsIX509CertDB.constructX509FromBase64 and related functions do not
+// handle input of this form. Instead, they require a single string of base64
+// with no newlines or BEGIN/END headers. This is a helper function to convert
+// PEM to the format that nsIX509CertDB requires.
+function pemToBase64(pem) {
+ return pem
+ .replace(/-----BEGIN CERTIFICATE-----/, "")
+ .replace(/-----END CERTIFICATE-----/, "")
+ .replace(/[\r\n]/g, "");
+}
+
+function build_cert_chain(certNames, testDirectory = "bad_certs") {
+ let certList = [];
+ certNames.forEach(function(certName) {
+ let cert = constructCertFromFile(`${testDirectory}/${certName}.pem`);
+ certList.push(cert);
+ });
+ return certList;
+}
+
+function areCertsEqual(certA, certB) {
+ let derA = certA.getRawDER();
+ let derB = certB.getRawDER();
+ if (derA.length != derB.length) {
+ return false;
+ }
+ for (let i = 0; i < derA.length; i++) {
+ if (derA[i] != derB[i]) {
+ return false;
+ }
+ }
+ return true;
+}
+
+function areCertArraysEqual(certArrayA, certArrayB) {
+ if (certArrayA.length != certArrayB.length) {
+ return false;
+ }
+
+ for (let i = 0; i < certArrayA.length; i++) {
+ const certA = certArrayA[i];
+ const certB = certArrayB[i];
+ if (!areCertsEqual(certA, certB)) {
+ return false;
+ }
+ }
+ return true;
+}
+
+function readFile(file) {
+ let fstream = Cc["@mozilla.org/network/file-input-stream;1"].createInstance(
+ Ci.nsIFileInputStream
+ );
+ fstream.init(file, -1, 0, 0);
+ let available = fstream.available();
+ let data =
+ available > 0 ? NetUtil.readInputStreamToString(fstream, available) : "";
+ fstream.close();
+ return data;
+}
+
+function addCertFromFile(certdb, filename, trustString) {
+ let certFile = do_get_file(filename, false);
+ let certBytes = readFile(certFile);
+ try {
+ return certdb.addCert(certBytes, trustString);
+ } catch (e) {}
+ // It might be PEM instead of DER.
+ return certdb.addCertFromBase64(pemToBase64(certBytes), trustString);
+}
+
+function constructCertFromFile(filename) {
+ let certFile = do_get_file(filename, false);
+ let certBytes = readFile(certFile);
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ try {
+ return certdb.constructX509(stringToArray(certBytes));
+ } catch (e) {}
+ // It might be PEM instead of DER.
+ return certdb.constructX509FromBase64(pemToBase64(certBytes));
+}
+
+function setCertTrust(cert, trustString) {
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ certdb.setCertTrustFromString(cert, trustString);
+}
+
+function getXPCOMStatusFromNSS(statusNSS) {
+ let nssErrorsService = Cc["@mozilla.org/nss_errors_service;1"].getService(
+ Ci.nsINSSErrorsService
+ );
+ return nssErrorsService.getXPCOMFromNSSError(statusNSS);
+}
+
+// Helper for checkCertErrorGenericAtTime
+class CertVerificationExpectedErrorResult {
+ constructor(certName, expectedError, expectedEVStatus, resolve) {
+ this.certName = certName;
+ this.expectedError = expectedError;
+ this.expectedEVStatus = expectedEVStatus;
+ this.resolve = resolve;
+ }
+
+ verifyCertFinished(aPRErrorCode, aVerifiedChain, aHasEVPolicy) {
+ equal(
+ aPRErrorCode,
+ this.expectedError,
+ `verifying ${this.certName}: should get error ${this.expectedError}`
+ );
+ if (this.expectedEVStatus != undefined) {
+ equal(
+ aHasEVPolicy,
+ this.expectedEVStatus,
+ `verifying ${this.certName}: ` +
+ `should ${this.expectedEVStatus ? "be" : "not be"} EV`
+ );
+ }
+ this.resolve();
+ }
+}
+
+// certdb implements nsIX509CertDB. See nsIX509CertDB.idl for documentation.
+// In particular, hostname is optional.
+function checkCertErrorGenericAtTime(
+ certdb,
+ cert,
+ expectedError,
+ usage,
+ time,
+ /* optional */ isEVExpected,
+ /* optional */ hostname,
+ /* optional */ flags = NO_FLAGS
+) {
+ return new Promise((resolve, reject) => {
+ let result = new CertVerificationExpectedErrorResult(
+ cert.commonName,
+ expectedError,
+ isEVExpected,
+ resolve
+ );
+ certdb.asyncVerifyCertAtTime(cert, usage, flags, hostname, time, result);
+ });
+}
+
+// certdb implements nsIX509CertDB. See nsIX509CertDB.idl for documentation.
+// In particular, hostname is optional.
+function checkCertErrorGeneric(
+ certdb,
+ cert,
+ expectedError,
+ usage,
+ /* optional */ isEVExpected,
+ /* optional */ hostname
+) {
+ let now = new Date().getTime() / 1000;
+ return checkCertErrorGenericAtTime(
+ certdb,
+ cert,
+ expectedError,
+ usage,
+ now,
+ isEVExpected,
+ hostname
+ );
+}
+
+function checkEVStatus(certDB, cert, usage, isEVExpected) {
+ return checkCertErrorGeneric(
+ certDB,
+ cert,
+ PRErrorCodeSuccess,
+ usage,
+ isEVExpected
+ );
+}
+
+function _getLibraryFunctionWithNoArguments(
+ functionName,
+ libraryName,
+ returnType
+) {
+ // Open the NSS library. copied from services/crypto/modules/WeaveCrypto.js
+ let path = ctypes.libraryName(libraryName);
+
+ // XXX really want to be able to pass specific dlopen flags here.
+ let nsslib;
+ try {
+ nsslib = ctypes.open(path);
+ } catch (e) {
+ // In case opening the library without a full path fails,
+ // try again with a full path.
+ let file = Services.dirsvc.get("GreBinD", Ci.nsIFile);
+ file.append(path);
+ nsslib = ctypes.open(file.path);
+ }
+
+ let SECStatus = ctypes.int;
+ let func = nsslib.declare(
+ functionName,
+ ctypes.default_abi,
+ returnType || SECStatus
+ );
+ return func;
+}
+
+function clearOCSPCache() {
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ certdb.clearOCSPCache();
+}
+
+function clearSessionCache() {
+ let nssComponent = Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent);
+ nssComponent.clearSSLExternalAndInternalSessionCache();
+}
+
+function getSSLStatistics() {
+ let SSL3Statistics = new ctypes.StructType("SSL3Statistics", [
+ { sch_sid_cache_hits: ctypes.long },
+ { sch_sid_cache_misses: ctypes.long },
+ { sch_sid_cache_not_ok: ctypes.long },
+ { hsh_sid_cache_hits: ctypes.long },
+ { hsh_sid_cache_misses: ctypes.long },
+ { hsh_sid_cache_not_ok: ctypes.long },
+ { hch_sid_cache_hits: ctypes.long },
+ { hch_sid_cache_misses: ctypes.long },
+ { hch_sid_cache_not_ok: ctypes.long },
+ { sch_sid_stateless_resumes: ctypes.long },
+ { hsh_sid_stateless_resumes: ctypes.long },
+ { hch_sid_stateless_resumes: ctypes.long },
+ { hch_sid_ticket_parse_failures: ctypes.long },
+ ]);
+ let SSL3StatisticsPtr = new ctypes.PointerType(SSL3Statistics);
+ let SSL_GetStatistics = null;
+ try {
+ SSL_GetStatistics = _getLibraryFunctionWithNoArguments(
+ "SSL_GetStatistics",
+ "ssl3",
+ SSL3StatisticsPtr
+ );
+ } catch (e) {
+ // On Windows, this is actually in the nss3 library.
+ SSL_GetStatistics = _getLibraryFunctionWithNoArguments(
+ "SSL_GetStatistics",
+ "nss3",
+ SSL3StatisticsPtr
+ );
+ }
+ if (!SSL_GetStatistics) {
+ throw new Error("Failed to get SSL statistics");
+ }
+ return SSL_GetStatistics();
+}
+
+// Set up a TLS testing environment that has a TLS server running and
+// ready to accept connections. This async function starts the server and
+// waits for the server to indicate that it is ready.
+//
+// Each test should have its own subdomain of example.com, for example
+// my-first-connection-test.example.com. The server can use the server
+// name (passed through the SNI TLS extension) to determine what behavior
+// the server side of the text should exhibit. See TLSServer.h for more
+// information on how to write the server side of tests.
+//
+// Create a new source file for your new server executable in
+// security/manager/ssl/tests/unit/tlsserver/cmd similar to the other ones in
+// that directory, and add a reference to it to the sources variable in that
+// directory's moz.build.
+//
+// Modify TEST_HARNESS_BINS in
+// testing/mochitest/Makefile.in and NO_PKG_FILES in
+// toolkit/mozapps/installer/packager.mk to make sure the new executable
+// gets included in the packages used for shipping the tests to the test
+// runners in our build/test farm. (Things will work fine locally without
+// these changes but will break on TBPL.)
+//
+// Your test script should look something like this:
+/*
+
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// <documentation on your test>
+
+function run_test() {
+ do_get_profile();
+ add_tls_server_setup("<test-server-name>", "<path-to-certificate-directory>");
+
+ add_connection_test("<test-name-1>.example.com",
+ SEC_ERROR_xxx,
+ function() { ... },
+ function(aTransportSecurityInfo) { ... },
+ function(aTransport) { ... });
+ [...]
+ add_connection_test("<test-name-n>.example.com", PRErrorCodeSuccess);
+
+ run_next_test();
+}
+*/
+
+function add_tls_server_setup(serverBinName, certsPath, addDefaultRoot = true) {
+ add_test(function() {
+ _setupTLSServerTest(serverBinName, certsPath, addDefaultRoot);
+ });
+}
+
+/**
+ * Add a TLS connection test case.
+ *
+ * @param {string} aHost
+ * The hostname to pass in the SNI TLS extension; this should unambiguously
+ * identify which test is being run.
+ * @param {PRErrorCode} aExpectedResult
+ * The expected result of the connection. If an error is not expected, pass
+ * in PRErrorCodeSuccess.
+ * @param {Function} aBeforeConnect
+ * A callback function that takes no arguments that will be called before the
+ * connection is attempted.
+ * @param {Function} aWithSecurityInfo
+ * A callback function that takes an nsITransportSecurityInfo, which is called
+ * after the TLS handshake succeeds.
+ * @param {Function} aAfterStreamOpen
+ * A callback function that is called with the nsISocketTransport once the
+ * output stream is ready.
+ * @param {OriginAttributes} aOriginAttributes (optional)
+ * The origin attributes that the socket transport will have. This parameter
+ * affects OCSP because OCSP cache is double-keyed by origin attributes' first
+ * party domain.
+ *
+ * @param {OriginAttributes} aEchConfig (optional)
+ * A Base64-encoded ECHConfig. If non-empty, it will be configured to the client
+ * socket resulting in an Encrypted Client Hello extension being sent. The client
+ * keypair is ephermeral and generated within NSS.
+ */
+function add_connection_test(
+ aHost,
+ aExpectedResult,
+ aBeforeConnect,
+ aWithSecurityInfo,
+ aAfterStreamOpen,
+ /* optional */ aOriginAttributes,
+ /* optional */ aEchConfig
+) {
+ add_test(function() {
+ if (aBeforeConnect) {
+ aBeforeConnect();
+ }
+ asyncConnectTo(
+ aHost,
+ aExpectedResult,
+ aWithSecurityInfo,
+ aAfterStreamOpen,
+ aOriginAttributes,
+ aEchConfig
+ ).then(run_next_test);
+ });
+}
+
+async function asyncConnectTo(
+ aHost,
+ aExpectedResult,
+ /* optional */ aWithSecurityInfo = undefined,
+ /* optional */ aAfterStreamOpen = undefined,
+ /* optional */ aOriginAttributes = undefined,
+ /* optional */ aEchConfig = undefined
+) {
+ const REMOTE_PORT = 8443;
+
+ function Connection(host) {
+ this.host = host;
+ this.thread = Services.tm.currentThread;
+ this.defer = PromiseUtils.defer();
+ let sts = Cc["@mozilla.org/network/socket-transport-service;1"].getService(
+ Ci.nsISocketTransportService
+ );
+ this.transport = sts.createTransport(
+ ["ssl"],
+ host,
+ REMOTE_PORT,
+ null,
+ null
+ );
+ if (aEchConfig) {
+ this.transport.setEchConfig(atob(aEchConfig));
+ }
+ // See bug 1129771 - attempting to connect to [::1] when the server is
+ // listening on 127.0.0.1 causes frequent failures on OS X 10.10.
+ this.transport.connectionFlags |= Ci.nsISocketTransport.DISABLE_IPV6;
+ this.transport.setEventSink(this, this.thread);
+ if (aOriginAttributes) {
+ this.transport.originAttributes = aOriginAttributes;
+ }
+ this.inputStream = null;
+ this.outputStream = null;
+ this.connected = false;
+ }
+
+ Connection.prototype = {
+ // nsITransportEventSink
+ onTransportStatus(aTransport, aStatus, aProgress, aProgressMax) {
+ if (
+ !this.connected &&
+ aStatus == Ci.nsISocketTransport.STATUS_CONNECTED_TO
+ ) {
+ this.connected = true;
+ this.outputStream.asyncWait(this, 0, 0, this.thread);
+ }
+ },
+
+ // nsIInputStreamCallback
+ onInputStreamReady(aStream) {
+ try {
+ // this will throw if the stream has been closed by an error
+ let str = NetUtil.readInputStreamToString(aStream, aStream.available());
+ Assert.equal(str, "0", "Should have received ASCII '0' from server");
+ this.inputStream.close();
+ this.outputStream.close();
+ this.result = Cr.NS_OK;
+ } catch (e) {
+ this.result = e.result;
+ }
+ this.defer.resolve(this);
+ },
+
+ // nsIOutputStreamCallback
+ onOutputStreamReady(aStream) {
+ if (aAfterStreamOpen) {
+ aAfterStreamOpen(this.transport);
+ }
+ this.outputStream.write("0", 1);
+ let inStream = this.transport
+ .openInputStream(0, 0, 0)
+ .QueryInterface(Ci.nsIAsyncInputStream);
+ this.inputStream = inStream;
+ this.inputStream.asyncWait(this, 0, 0, this.thread);
+ },
+
+ go() {
+ this.outputStream = this.transport
+ .openOutputStream(0, 0, 0)
+ .QueryInterface(Ci.nsIAsyncOutputStream);
+ return this.defer.promise;
+ },
+ };
+
+ /* Returns a promise to connect to host that resolves to the result of that
+ * connection */
+ function connectTo(host) {
+ Services.prefs.setCharPref("network.dns.localDomains", host);
+ let connection = new Connection(host);
+ return connection.go();
+ }
+
+ return connectTo(aHost).then(async function(conn) {
+ info("handling " + aHost);
+ let expectedNSResult =
+ aExpectedResult == PRErrorCodeSuccess
+ ? Cr.NS_OK
+ : getXPCOMStatusFromNSS(aExpectedResult);
+ Assert.equal(
+ conn.result,
+ expectedNSResult,
+ "Actual and expected connection result should match"
+ );
+ if (aWithSecurityInfo) {
+ aWithSecurityInfo(
+ await conn.transport.tlsSocketControl.asyncGetSecurityInfo()
+ );
+ }
+ });
+}
+
+function _getBinaryUtil(binaryUtilName) {
+ let utilBin = Services.dirsvc.get("GreD", Ci.nsIFile);
+ // On macOS, GreD is .../Contents/Resources, and most binary utilities
+ // are located there, but certutil is in GreBinD (or .../Contents/MacOS),
+ // so we have to change the path accordingly.
+ if (binaryUtilName === "certutil") {
+ utilBin = Services.dirsvc.get("GreBinD", Ci.nsIFile);
+ }
+ utilBin.append(binaryUtilName + mozinfo.bin_suffix);
+ // If we're testing locally, the above works. If not, the server executable
+ // is in another location.
+ if (!utilBin.exists()) {
+ utilBin = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ while (utilBin.path.includes("xpcshell")) {
+ utilBin = utilBin.parent;
+ }
+ utilBin.append("bin");
+ utilBin.append(binaryUtilName + mozinfo.bin_suffix);
+ }
+ // But maybe we're on Android, where binaries are in /data/local/xpcb.
+ if (!utilBin.exists()) {
+ utilBin.initWithPath("/data/local/xpcb/");
+ utilBin.append(binaryUtilName);
+ }
+ Assert.ok(utilBin.exists(), `Binary util ${binaryUtilName} should exist`);
+ return utilBin;
+}
+
+// Do not call this directly; use add_tls_server_setup
+function _setupTLSServerTest(serverBinName, certsPath, addDefaultRoot) {
+ asyncStartTLSTestServer(serverBinName, certsPath, addDefaultRoot).then(
+ run_next_test
+ );
+}
+
+async function asyncStartTLSTestServer(
+ serverBinName,
+ certsPath,
+ addDefaultRoot
+) {
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ // The trusted CA that is typically used for "good" certificates.
+ if (addDefaultRoot) {
+ addCertFromFile(certdb, `${certsPath}/test-ca.pem`, "CTu,u,u");
+ }
+
+ const CALLBACK_PORT = 8444;
+
+ let greBinDir = Services.dirsvc.get("GreBinD", Ci.nsIFile);
+ Services.env.set("DYLD_LIBRARY_PATH", greBinDir.path);
+ // TODO(bug 1107794): Android libraries are in /data/local/xpcb, but "GreBinD"
+ // does not return this path on Android, so hard code it here.
+ Services.env.set("LD_LIBRARY_PATH", greBinDir.path + ":/data/local/xpcb");
+ Services.env.set("MOZ_TLS_SERVER_DEBUG_LEVEL", "3");
+ Services.env.set("MOZ_TLS_SERVER_CALLBACK_PORT", CALLBACK_PORT);
+
+ let httpServer = new HttpServer();
+ let serverReady = new Promise(resolve => {
+ httpServer.registerPathHandler("/", function handleServerCallback(
+ aRequest,
+ aResponse
+ ) {
+ aResponse.setStatusLine(aRequest.httpVersion, 200, "OK");
+ aResponse.setHeader("Content-Type", "text/plain");
+ let responseBody = "OK!";
+ aResponse.bodyOutputStream.write(responseBody, responseBody.length);
+ executeSoon(function() {
+ httpServer.stop(resolve);
+ });
+ });
+ httpServer.start(CALLBACK_PORT);
+ });
+
+ let serverBin = _getBinaryUtil(serverBinName);
+ let process = Cc["@mozilla.org/process/util;1"].createInstance(Ci.nsIProcess);
+ process.init(serverBin);
+ let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ certDir.append(`${certsPath}`);
+ Assert.ok(certDir.exists(), `certificate folder (${certsPath}) should exist`);
+ // Using "sql:" causes the SQL DB to be used so we can run tests on Android.
+ process.run(false, ["sql:" + certDir.path, Services.appinfo.processID], 2);
+
+ registerCleanupFunction(function() {
+ process.kill();
+ });
+
+ await serverReady;
+}
+
+// Returns an Array of OCSP responses for a given ocspRespArray and a location
+// for a nssDB where the certs and public keys are prepopulated.
+// ocspRespArray is an array of arrays like:
+// [ [typeOfResponse, certnick, extracertnick, thisUpdateSkew]...]
+function generateOCSPResponses(ocspRespArray, nssDBlocation) {
+ let utilBinName = "GenerateOCSPResponse";
+ let ocspGenBin = _getBinaryUtil(utilBinName);
+ let retArray = [];
+
+ for (let i = 0; i < ocspRespArray.length; i++) {
+ let argArray = [];
+ let ocspFilepre = do_get_file(i.toString() + ".ocsp", true);
+ let filename = ocspFilepre.path;
+ // Using "sql:" causes the SQL DB to be used so we can run tests on Android.
+ argArray.push("sql:" + nssDBlocation);
+ argArray.push(ocspRespArray[i][0]); // ocsRespType;
+ argArray.push(ocspRespArray[i][1]); // nick;
+ argArray.push(ocspRespArray[i][2]); // extranickname
+ argArray.push(ocspRespArray[i][3]); // thisUpdate skew
+ argArray.push(filename);
+ info("argArray = " + argArray);
+
+ let process = Cc["@mozilla.org/process/util;1"].createInstance(
+ Ci.nsIProcess
+ );
+ process.init(ocspGenBin);
+ process.run(true, argArray, argArray.length);
+ Assert.equal(0, process.exitValue, "Process exit value should be 0");
+ let ocspFile = do_get_file(i.toString() + ".ocsp", false);
+ retArray.push(readFile(ocspFile));
+ ocspFile.remove(false);
+ }
+ return retArray;
+}
+
+// Starts and returns an http responder that will cause a test failure if it is
+// queried. The server identities are given by a non-empty array
+// serverIdentities.
+function getFailingHttpServer(serverPort, serverIdentities) {
+ let httpServer = new HttpServer();
+ httpServer.registerPrefixHandler("/", function(request, response) {
+ Assert.ok(false, "HTTP responder should not have been queried");
+ });
+ httpServer.identity.setPrimary("http", serverIdentities.shift(), serverPort);
+ serverIdentities.forEach(function(identity) {
+ httpServer.identity.add("http", identity, serverPort);
+ });
+ httpServer.start(serverPort);
+ return httpServer;
+}
+
+// Starts an http OCSP responder that serves good OCSP responses and
+// returns an object with a method stop that should be called to stop
+// the http server.
+// NB: Because generating OCSP responses inside the HTTP request
+// handler can cause timeouts, the expected responses are pre-generated
+// all at once before starting the server. This means that their producedAt
+// times will all be the same. If a test depends on this not being the case,
+// perhaps calling startOCSPResponder twice (at different times) will be
+// necessary.
+//
+// serverPort is the port of the http OCSP responder
+// identity is the http hostname that will answer the OCSP requests
+// nssDBLocation is the location of the NSS database from where the OCSP
+// responses will be generated (assumes appropiate keys are present)
+// expectedCertNames is an array of nicks of the certs to be responsed
+// expectedBasePaths is an optional array that is used to indicate
+// what is the expected base path of the OCSP request.
+// expectedMethods is an optional array of methods ("GET" or "POST") indicating
+// by which HTTP method the server is expected to be queried.
+// expectedResponseTypes is an optional array of OCSP response types to use (see
+// GenerateOCSPResponse.cpp).
+// responseHeaderPairs is an optional array of HTTP header (name, value) pairs
+// to set in each response.
+function startOCSPResponder(
+ serverPort,
+ identity,
+ nssDBLocation,
+ expectedCertNames,
+ expectedBasePaths,
+ expectedMethods,
+ expectedResponseTypes,
+ responseHeaderPairs = []
+) {
+ let ocspResponseGenerationArgs = expectedCertNames.map(function(
+ expectedNick
+ ) {
+ let responseType = "good";
+ if (expectedResponseTypes && expectedResponseTypes.length >= 1) {
+ responseType = expectedResponseTypes.shift();
+ }
+ return [responseType, expectedNick, "unused", 0];
+ });
+ let ocspResponses = generateOCSPResponses(
+ ocspResponseGenerationArgs,
+ nssDBLocation
+ );
+ let httpServer = new HttpServer();
+ httpServer.registerPrefixHandler("/", function handleServerCallback(
+ aRequest,
+ aResponse
+ ) {
+ info("got request for: " + aRequest.path);
+ let basePath = aRequest.path.slice(1).split("/")[0];
+ if (expectedBasePaths.length >= 1) {
+ Assert.equal(
+ basePath,
+ expectedBasePaths.shift(),
+ "Actual and expected base path should match"
+ );
+ }
+ Assert.ok(
+ expectedCertNames.length >= 1,
+ "expectedCertNames should contain >= 1 entries"
+ );
+ if (expectedMethods && expectedMethods.length >= 1) {
+ Assert.equal(
+ aRequest.method,
+ expectedMethods.shift(),
+ "Actual and expected fetch method should match"
+ );
+ }
+ aResponse.setStatusLine(aRequest.httpVersion, 200, "OK");
+ aResponse.setHeader("Content-Type", "application/ocsp-response");
+ for (let headerPair of responseHeaderPairs) {
+ aResponse.setHeader(headerPair[0], headerPair[1]);
+ }
+ aResponse.write(ocspResponses.shift());
+ });
+ httpServer.identity.setPrimary("http", identity, serverPort);
+ httpServer.start(serverPort);
+ return {
+ stop(callback) {
+ // make sure we consumed each expected response
+ Assert.equal(
+ ocspResponses.length,
+ 0,
+ "Should have 0 remaining expected OCSP responses"
+ );
+ if (expectedMethods) {
+ Assert.equal(
+ expectedMethods.length,
+ 0,
+ "Should have 0 remaining expected fetch methods"
+ );
+ }
+ if (expectedBasePaths) {
+ Assert.equal(
+ expectedBasePaths.length,
+ 0,
+ "Should have 0 remaining expected base paths"
+ );
+ }
+ if (expectedResponseTypes) {
+ Assert.equal(
+ expectedResponseTypes.length,
+ 0,
+ "Should have 0 remaining expected response types"
+ );
+ }
+ httpServer.stop(callback);
+ },
+ };
+}
+
+// Given an OCSP responder (see startOCSPResponder), returns a promise that
+// resolves when the responder has successfully stopped.
+function stopOCSPResponder(responder) {
+ return new Promise((resolve, reject) => {
+ responder.stop(resolve);
+ });
+}
+
+// Utility functions for adding tests relating to certificate error overrides
+
+// Helper function for add_cert_override_test. Probably doesn't need to be
+// called directly.
+function add_cert_override(aHost, aSecurityInfo) {
+ let cert = aSecurityInfo.serverCert;
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.rememberValidityOverride(aHost, 8443, {}, cert, true);
+}
+
+// Given a host and an expected error code, tests that an initial connection to
+// the host fails with the expected error and that adding an override results
+// in a subsequent connection succeeding.
+function add_cert_override_test(aHost, aExpectedError) {
+ add_connection_test(
+ aHost,
+ aExpectedError,
+ null,
+ add_cert_override.bind(this, aHost)
+ );
+ add_connection_test(aHost, PRErrorCodeSuccess, null, aSecurityInfo => {
+ Assert.ok(
+ aSecurityInfo.securityState &
+ Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
+ "Cert override flag should be set on the security state"
+ );
+ });
+}
+
+// Helper function for add_prevented_cert_override_test. This is much like
+// add_cert_override except it may not be the case that the connection has an
+// SecInfo set on it. In this case, the error was not overridable anyway, so
+// we consider it a success.
+function attempt_adding_cert_override(aHost, aSecurityInfo) {
+ if (aSecurityInfo.serverCert) {
+ let cert = aSecurityInfo.serverCert;
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.rememberValidityOverride(aHost, 8443, {}, cert, true);
+ }
+}
+
+// Given a host and an expected error code, tests that an initial connection to
+// the host fails with the expected error and that adding an override does not
+// result in a subsequent connection succeeding (i.e. the same error code is
+// encountered).
+// The idea here is that for HSTS hosts or hosts with key pins, no error is
+// overridable, even if an entry is added to the override service.
+function add_prevented_cert_override_test(aHost, aExpectedError) {
+ add_connection_test(
+ aHost,
+ aExpectedError,
+ null,
+ attempt_adding_cert_override.bind(this, aHost)
+ );
+ add_connection_test(aHost, aExpectedError);
+}
+
+// Helper for asyncTestCertificateUsages.
+class CertVerificationResult {
+ constructor(certName, usageString, successExpected, resolve) {
+ this.certName = certName;
+ this.usageString = usageString;
+ this.successExpected = successExpected;
+ this.resolve = resolve;
+ }
+
+ verifyCertFinished(aPRErrorCode, aVerifiedChain, aHasEVPolicy) {
+ if (this.successExpected) {
+ equal(
+ aPRErrorCode,
+ PRErrorCodeSuccess,
+ `verifying ${this.certName} for ${this.usageString} should succeed`
+ );
+ } else {
+ notEqual(
+ aPRErrorCode,
+ PRErrorCodeSuccess,
+ `verifying ${this.certName} for ${this.usageString} should fail`
+ );
+ }
+ this.resolve();
+ }
+}
+
+/**
+ * Asynchronously attempts to verify the given certificate for all supported
+ * usages (see allCertificateUsages). Verifies that the results match the
+ * expected successful usages. Returns a promise that will resolve when all
+ * verifications have been performed.
+ * Verification happens "now" with no specified flags or hostname.
+ *
+ * @param {nsIX509CertDB} certdb
+ * The certificate database to use to verify the certificate.
+ * @param {nsIX509Cert} cert
+ * The certificate to be verified.
+ * @param {number[]} expectedUsages
+ * A list of usages (as their integer values) that are expected to verify
+ * successfully.
+ * @returns {Promise}
+ * A promise that will resolve with no value when all asynchronous operations
+ * have completed.
+ */
+function asyncTestCertificateUsages(certdb, cert, expectedUsages) {
+ let now = new Date().getTime() / 1000;
+ let promises = [];
+ Object.keys(allCertificateUsages).forEach(usageString => {
+ let promise = new Promise((resolve, reject) => {
+ let usage = allCertificateUsages[usageString];
+ let successExpected = expectedUsages.includes(usage);
+ let result = new CertVerificationResult(
+ cert.commonName,
+ usageString,
+ successExpected,
+ resolve
+ );
+ let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY;
+ certdb.asyncVerifyCertAtTime(cert, usage, flags, null, now, result);
+ });
+ promises.push(promise);
+ });
+ return Promise.all(promises);
+}
+
+/**
+ * Loads the pkcs11testmodule.cpp test PKCS #11 module, and registers a cleanup
+ * function that unloads it once the calling test completes.
+ *
+ * @param {nsIFile} libraryFile
+ * The dynamic library file that implements the module to
+ * load.
+ * @param {string} moduleName
+ * What to call the module.
+ * @param {boolean} expectModuleUnloadToFail
+ * Should be set to true for tests that manually unload the
+ * test module, so the attempt to auto unload the test module
+ * doesn't cause a test failure. Should be set to false
+ * otherwise, so failure to automatically unload the test
+ * module gets reported.
+ */
+function loadPKCS11Module(libraryFile, moduleName, expectModuleUnloadToFail) {
+ ok(libraryFile.exists(), "The PKCS11 module file should exist");
+
+ let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ registerCleanupFunction(() => {
+ try {
+ pkcs11ModuleDB.deleteModule(moduleName);
+ } catch (e) {
+ Assert.ok(
+ expectModuleUnloadToFail,
+ `Module unload should suceed only when expected: ${e}`
+ );
+ }
+ });
+ pkcs11ModuleDB.addModule(moduleName, libraryFile.path, 0, 0);
+}
+
+/**
+ * @param {string} data
+ * @returns {string}
+ */
+function hexify(data) {
+ // |slice(-2)| chomps off the last two characters of a string.
+ // Therefore, if the Unicode value is < 0x10, we have a single-character hex
+ // string when we want one that's two characters, and unconditionally
+ // prepending a "0" solves the problem.
+ return Array.from(data, (c, i) =>
+ ("0" + data.charCodeAt(i).toString(16)).slice(-2)
+ ).join("");
+}
+
+/**
+ * @param {string[]} lines
+ * Lines to write. Each line automatically has "\n" appended to it when
+ * being written.
+ * @param {nsIFileOutputStream} outputStream
+ */
+function writeLinesAndClose(lines, outputStream) {
+ for (let line of lines) {
+ line += "\n";
+ outputStream.write(line, line.length);
+ }
+ outputStream.close();
+}
+
+/**
+ * @param {string} moduleName
+ * The name of the module that should not be loaded.
+ * @param {string} libraryName
+ * A unique substring of name of the dynamic library file of the module
+ * that should not be loaded.
+ */
+function checkPKCS11ModuleNotPresent(moduleName, libraryName) {
+ let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ let modules = moduleDB.listModules();
+ ok(
+ modules.hasMoreElements(),
+ "One or more modules should be present with test module not present"
+ );
+ for (let module of modules) {
+ notEqual(
+ module.name,
+ moduleName,
+ `Non-test module name shouldn't equal '${moduleName}'`
+ );
+ ok(
+ !(module.libName && module.libName.includes(libraryName)),
+ `Non-test module lib name should not include '${libraryName}'`
+ );
+ }
+}
+
+/**
+ * Checks that the test module exists in the module list.
+ * Also checks various attributes of the test module for correctness.
+ *
+ * @param {string} moduleName
+ * The name of the module that should be present.
+ * @param {string} libraryName
+ * A unique substring of the name of the dynamic library file
+ * of the module that should be loaded.
+ * @returns {nsIPKCS11Module}
+ * The test module.
+ */
+function checkPKCS11ModuleExists(moduleName, libraryName) {
+ let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ let modules = moduleDB.listModules();
+ ok(
+ modules.hasMoreElements(),
+ "One or more modules should be present with test module present"
+ );
+ let testModule = null;
+ for (let module of modules) {
+ if (module.name == moduleName) {
+ testModule = module;
+ break;
+ }
+ }
+ notEqual(testModule, null, "Test module should have been found");
+ notEqual(testModule.libName, null, "Test module lib name should not be null");
+ ok(
+ testModule.libName.includes(ctypes.libraryName(libraryName)),
+ `Test module lib name should include lib name of '${libraryName}'`
+ );
+
+ return testModule;
+}
+
+// Given an nsIX509Cert, return the bytes of its subject DN (as a JS string) and
+// the sha-256 hash of its subject public key info, base64-encoded.
+function getSubjectAndSPKIHash(nsCert) {
+ let certBytes = nsCert.getRawDER();
+ let cert = new X509.Certificate();
+ cert.parse(certBytes);
+ let subject = cert.tbsCertificate.subject._der._bytes;
+ let subjectString = arrayToString(subject);
+ let spkiHashString = nsCert.sha256SubjectPublicKeyInfoDigest;
+ return { subjectString, spkiHashString };
+}
+
+function run_certutil_on_directory(directory, args, expectSuccess = true) {
+ let greBinDir = Services.dirsvc.get("GreBinD", Ci.nsIFile);
+ Services.env.set("DYLD_LIBRARY_PATH", greBinDir.path);
+ // TODO(bug 1107794): Android libraries are in /data/local/xpcb, but "GreBinD"
+ // does not return this path on Android, so hard code it here.
+ Services.env.set("LD_LIBRARY_PATH", greBinDir.path + ":/data/local/xpcb");
+ let certutilBin = _getBinaryUtil("certutil");
+ let process = Cc["@mozilla.org/process/util;1"].createInstance(Ci.nsIProcess);
+ process.init(certutilBin);
+ args.push("-d");
+ args.push(`sql:${directory}`);
+ process.run(true, args, args.length);
+ if (expectSuccess) {
+ Assert.equal(process.exitValue, 0, "certutil should succeed");
+ }
+}
diff --git a/security/manager/ssl/tests/unit/moz.build b/security/manager/ssl/tests/unit/moz.build
new file mode 100644
index 0000000000..561502dd51
--- /dev/null
+++ b/security/manager/ssl/tests/unit/moz.build
@@ -0,0 +1,10 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+DIRS += ["tlsserver", "test_signed_apps"]
+
+if not CONFIG["MOZ_NO_SMART_CARDS"]:
+ DIRS += ["pkcs11testmodule"]
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem
new file mode 100644
index 0000000000..354741fc50
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRTCCAi2gAwIBAgIUAywOkzxiH/uWcwxb85Yy3OI46WgwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAvMS0wKwYDVQQDDCRUZXN0IEludGVybWVkaWF0ZSB1c2VkIGFz
+IEVuZC1FbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjcjBwMAwGA1UdEwQFMAMBAf8wMgYIKwYBBQUHAQEE
+JjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMCwGA1UdEQQl
+MCOCIWNhLXVzZWQtYXMtZW5kLWVudGl0eS5leGFtcGxlLmNvbTANBgkqhkiG9w0B
+AQsFAAOCAQEAN+g9N3uhls8y70fGORVEyYVjBmMCFeQz3DQw3u1J7+aHe6efygSP
+OKPXW3SbHSxlPFIsicVSHO3sso3zUGoedMw0KSyni4tR4yQ9jllrqijVCWorqRbU
+tlseF5hfw7DsKcl6jGA5UN0Aiq9SwKArdkRL+0Ykk0a/rxMEiOjf/Ao3ImfJnsCa
+frDKqziMWOmQtxrVTabpgRqCd1gtTg4cCsy7Yto8v4Gn1N/EL8FAXGWOieWDQ2Iv
+UFd9p0eTReBbRNC/QuZa7nEEAh4JO+JCAW4rHI6+beSPCT+lFQbF8sAJYSMGf0lb
+LAwyUGAPPLRx+SweIClb4EO+iVAFuR0Tug==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem.certspec
new file mode 100644
index 0000000000..8e16705b50
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate used as End-Entity
+extension:basicConstraints:cA,
+extension:authorityInformationAccess:http://localhost:8888/
+extension:subjectAlternativeName:ca-used-as-end-entity.example.com
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key.keyspec b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem
new file mode 100644
index 0000000000..5dc7cf4ef8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDiTCCAnGgAwIBAgIUOYwND1zpte36abEsvdvudfnxjHgwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow
+gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp
+bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu
+ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs
+ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBr5H7lb24bMQYGDFY5qeMDNcti
+AI4rI7Nu0aMvZtDcxqHkIg/a7nr7WeQc3gCg8mUJ6xvreXxRswrudZzjjsGiTbym
+qjEz7HYrbvdWh5bLtdL7aoP1KmFD722guwdXVYQ7tx65oHroH+UCU28VT/+WzsHc
+5OjBqZvR928aWEXwIen9lhdk/5Rq2IrFqCTuUrNR5aiP6gJZoy4nIh3IFIxqWzsm
+lOjqvzSQIuo+gLN7oduafrwetpp8ywSrDVTtp9yckIHuW8css+OZLfqbFPMSFRJo
+Qee+FhxaGgDoRGk8oVGYyTJYUPIReZa5dtNPKs1JQvdqhIeUwA3GnJBTFCan
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem.certspec
new file mode 100644
index 0000000000..554339ff52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test End-entity
+extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem
new file mode 100644
index 0000000000..f4fdae14e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4zCCAcugAwIBAgIUKXbCwsfJrBWAUYFNDXaeg/nfIPswDQYJKoZIhvcNAQEF
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAoMSYwJAYDVQQDDB1UZXN0IFNIQTEgRGVsZWdhdGVkIFJlc3Bv
+bmRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpn
+kfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJE
+xYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG
+680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYl
+R5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbx
+h83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkd
+cSFo07sCAwEAAaMXMBUwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcNAQEF
+BQADggEBAJuSur2pt9LuJ+4USQAyLvqDma1oSdkBaXbB/fjkCF/grTsJRZ4ibOaW
+QN06nCHoqhML1Ygdief7unpXtIj9XQS2r7PT08tT3Dxr+2vJdJ4WQV6bb/hAorSp
+K3ow3irQVUmcRFq6ef0SJuluddll4jlxfc0gfd7SLQSFF5QwXEwAeXs3iy0W51Kr
+F47M/VMoTCFSa18x5omLBFx8SyGi4Ufmd+Pk2UW5vTP1S9RydAmZlzNT+v0IaRWD
+SQikynGTO1HA0ev8+RRmjtpZH7S8yJgbbF2BQ0FvDRMvhetn+Au+wn/WAsAf5vBF
+5/QwEp6OjNkmPPqOOyuQwMPrBhetPFM=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem.certspec
new file mode 100644
index 0000000000..bdf3e2ee4d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test SHA1 Delegated Responder
+subjectKey:alternate
+signature:sha1WithRSAEncryption
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem
new file mode 100644
index 0000000000..5be9b76540
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3jCCAcagAwIBAgIUAewwnrqZ1D+uII39v6YmAKyJvBkwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAjMSEwHwYDVQQDDBhUZXN0IERlbGVnYXRlZCBSZXNwb25kZXIw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBdcZSZgmfdwgqZ5HxuHbD
+f1zlOLBsSs0iscvUb6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBICRMWEpMRI
+MwXlE4wBBs8IvpqGJ2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzHBuvNMHDs
+mMzkCqWR1ylaf3HFvmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZmJUeX7UJp
+CIgIEUIgaZiKQ/7kjOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW8YfN1U6D
+KzW4kw90upCqi8dhZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4ZHXEhaNO7
+AgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IB
+AQBXSzxBevwLvKO1eCAbuJrNNXXY4Z816s/+Hlf8Ike2M5Zx9XuGmMRjimDksuip
+Jq/iWpwPOAWtQSzdyHYtQT8eY9KAGxzdZL78P+VTLhQVOVdTxoPd/W3yBoHofnNF
+xmJy2MS/3aRO8s8fIh3B/RwXrh18nFVc9zSwwHOjGeu3r3cbdgr2TuabDaxB7EFu
+e2P6NEiAhbK3GzXrxx2P3SoAf08AznoU1ByQ2FxM9xLdSvvM0zLilDuMu1E/VPcB
+7Qf7yLjlYJ/zj1rXGlJeNpDxUJS1hHUmv3csLPiYVPBIgDlnMPbZbEgZMByCLKvr
+EYnk3LpYcUin64yag3fy8ND5
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem.certspec
new file mode 100644
index 0000000000..19971eeb4d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test Delegated Responder
+subjectKey:alternate
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem
new file mode 100644
index 0000000000..82e866fb1d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAjCCAeqgAwIBAgIUTdVj/pzuxlxEfL7vEQpILaExEJowDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowPTE7MDkGA1UEAwwyVGVzdCBJbnZhbGlkIERl
+bGVnYXRlZCBSZXNwb25kZXIgRnJvbSBJbnRlcm1lZGlhdGUwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDBdcZSZgmfdwgqZ5HxuHbDf1zlOLBsSs0iscvU
+b6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBICRMWEpMRIMwXlE4wBBs8IvpqG
+J2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzHBuvNMHDsmMzkCqWR1ylaf3HF
+vmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZmJUeX7UJpCIgIEUIgaZiKQ/7k
+jOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW8YfN1U6DKzW4kw90upCqi8dh
+ZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4ZHXEhaNO7AgMBAAGjFzAVMBMG
+A1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IBAQBsAeKHkIwoG0QZ
+yLFd+txRTVP7Qetuipuvlk+n1/L1Nf1oGKrW66aJXgtdIerHnvLsODNqHHyhCY8e
+2wI9sMcWQXMi+ceFZc8iqp+qE0GmDs9XLh26tW1GMLWb/BjEzHD+sOGaKNT61fhY
+Y9FD19LU4P3ORbafT97TfkjGH+YublvdGVOtvRETnSrPfJgGeMYACVMFLaFFxzsg
+JX2AH4zUIa4usme2gCOTgs7SjHXCOV/tAmoG672kvsaFswpd+CJUYf84CAqm3gvh
+YWFoBO19lK40Je/eUYU3WvAUTKsnRh2xY29r7Pp91aspZFgTdGRttUl0s7WfutTc
+HQlKG3tJ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem.certspec
new file mode 100644
index 0000000000..be0d3e9e5f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test Intermediate
+subject:Test Invalid Delegated Responder From Intermediate
+subjectKey:alternate
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem
new file mode 100644
index 0000000000..c0356e01ec
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8jCCAdqgAwIBAgIUMy0wGcubgpwZ35tXDgLmzbETHSEwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjA/MT0wOwYDVQQDDDRUZXN0IEludmFsaWQgRGVsZWdhdGVkIFJl
+c3BvbmRlciBrZXlVc2FnZSBjcmxTaWduaW5nMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2w39c5TiwbErNIrHL1G+mWtoq3UHI
+wkmKxKOzwfYUh/QbaYlBvYClHDwSAkTFhKTESDMF5ROMAQbPCL6ahidguuai6PNv
+I8XZgxO53683g0XazlHU1tzSpss8xwbrzTBw7JjM5AqlkdcpWn9xxb5maR0rLf7I
+SURZC8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1CaQiICBFCIGmYikP+5Izmh4HdIram
+nNKDdRMfkysSjOKG+n0lHAYq0n7wFvGHzdVOgys1uJMPdLqQqovHYWckKrH9bWIU
+DRjEwLjGj8N0hFcyStfehuZVLx0eGR1xIWjTuwIDAQABow8wDTALBgNVHQ8EBAMC
+AQIwDQYJKoZIhvcNAQELBQADggEBAA3bDvQitwX8KjvlT11SuggsrbQvwWN4QMFr
+Rqre+0XQexGsVPxBbo44T71AYSYOQHIaOje5yETj23Uw6aiH8eNYdt61mspkRQ68
+v6laay/+txJZFqByGpbK24saFVThj21WIVc9s7HCvVpeSoYWidfWtLIKlmsQ8qLi
+XzBRqsbaRtfxDRrAW2WmmUfX34gL19ztHKOa84hnFyTahMIPFt9XVixWa1Tdg8Ny
+bGGb8SpPNPXuDoBbnHRvlEWjANs5qKPzH2X3HzEkfQIG0o3+WwgXqZ+wzdruO+SP
+LYcNF2gBvXBTfxN25r3G8DfHuaaPxfDLpc0E6+yWQzvIIsFSVqY=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem.certspec
new file mode 100644
index 0000000000..2833ed9b52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test Invalid Delegated Responder keyUsage crlSigning
+subjectKey:alternate
+extension:keyUsage:cRLSign
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem
new file mode 100644
index 0000000000..197aac8ba1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3DCCAcSgAwIBAgIUR5DeATqHByZLzUBs0J6D5tz7veEwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjA6MTgwNgYDVQQDDC9UZXN0IEludmFsaWQgRGVsZWdhdGVkIFJl
+c3BvbmRlciBObyBleHRLZXlVc2FnZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJisSj
+s8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF2YMT
+ud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElEWQvF
+o+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzSg3UT
+H5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0YxMC4
+xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
+XrKScU1DSiU4Wyk+16PPc8LW3nboaHG+GYOY615veGXsKwVx7OV3aaOvscU57Qng
+2HFPJl8J7wX18aYqAwkIcE5yVtlzygGhVQoEZLo5VsTuJI5BNJ2hY0OgOI2J2yHR
+IGgUp3ypjYxl3QvGKJ41l8lCtZbsvm5tc5uyek0hLqi1SNbMBqPMLlUj5jDYVfmw
+CnqI4fGJ/Abhmv5RF9AfQTGSUNcHuHVmOkbJjRLXymdf2ugmxaDc/ub5TzecW0Bk
+QM5tkGp8gylULaBG1arfGYiiBsHyB5g8aXkbPCF3JpdLw77KEaaecAodLADpolFl
+ivwFQr1BpNeNOTML58CAbg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem.certspec
new file mode 100644
index 0000000000..92444c94ad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test CA
+subject:Test Invalid Delegated Responder No extKeyUsage
+subjectKey:alternate
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem
new file mode 100644
index 0000000000..0aeb81e4f7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+DCCAeCgAwIBAgIUTYsUyQ3d/zW8mtQDOm0FSHaNj9owDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjA9MTswOQYDVQQDDDJUZXN0IEludmFsaWQgRGVsZWdhdGVkIFJl
+c3BvbmRlciBXcm9uZyBleHRLZXlVc2FnZTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJ
+isSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF
+2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElE
+WQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzS
+g3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0Y
+xMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMXMBUwEwYDVR0lBAwwCgYI
+KwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEBAHpiUjR7ajUbQR7xFFMgOQ07scjM
+nPo7lDUwtnbM7jFVtEAuSCeSkifDj4/ProqoQSU5fcLfKDScTbD1boxspjnoJXtQ
+tHMwzQB+bldObBAgmolWGqPbTBAhCMajlOZrXBVMVZPRefP8+1OqnNLp9ZZMUyNk
+thRWcRXaGbhJliVaynxxtNE4PBW7PxKgQ/apmXFyuqRPSJZ1E0VOX6z0VgXPdMX9
+BguPjLQP6k3LGZBWKdyHM6PgGcMmplvaE/96KeFat4fZ+75VstEuym1JffQe3iQ6
+uYyilCfdEAKyF87AlmB0EejnxyDNYXLR8QtAoCtdPJptUfbbESKPPnl8H/0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem.certspec
new file mode 100644
index 0000000000..bc704fbd41
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test Invalid Delegated Responder Wrong extKeyUsage
+subjectKey:alternate
+extension:extKeyUsage:codeSigning
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem
new file mode 100644
index 0000000000..4ff3d7f896
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJDCCAgygAwIBAgIUP/7EjIlvsUJM2IjufQuGIZ0rkqUwDQYJKoZIhvcNAQEL
+BQAwNzE1MDMGA1UEAwwsVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdWx0aXBsZSBU
+TFMgRmVhdHVyZXMwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFow
+LDEqMCgGA1UEAwwhTXVsdGkgVExTIEZlYXR1cmUgVGVzdCBFbmQtRW50aXR5MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08
+E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc
+1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP
+DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ
+gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV
+YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID
+AQABoy8wLTAYBgNVHREEETAPgg0qLmV4YW1wbGUuY29tMBEGCCsGAQUFBwEYBAUw
+AwIBBTANBgkqhkiG9w0BAQsFAAOCAQEAt0ShK8cvzeMbCn9QkZMRzjYIWGXDSOr8
+05nKaKmumAGSp3ZYmVa3ux1TkVSJZ2TQuxiomUdv7tQabswMI8tW33QwjUsNv8zD
+/6+3PyLyFJKsStn3wYxoL/3DAimkxGwBoruS1UD89oZrkkFJCk0RQ5cJPh32mgvh
+p9vAB85TC1xRdr/VPkDoTFj1wIZrzwkcx9ReG1engf7fluaKy/duXP4WDDmiGP93
+ulBYr8HbvhAXbnaVSo4FcIe22lIqUoizzL3yoFLLqmu2IaQm9Oxt/+6rcLsOBTwD
+lQtXGg3nayKap5GPXEkhN7PRAqQ5HwKMsdlQ9MEjDvjzvci0pJ2JAg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem.certspec
new file mode 100644
index 0000000000..3fa2793b30
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test Intermediate With Multiple TLS Features
+subject:Multi TLS Feature Test End-Entity
+extension:subjectAlternativeName:*.example.com
+extension:TLSFeature:OCSPMustStaple
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem
new file mode 100644
index 0000000000..470d99a725
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJzCCAg+gAwIBAgIUXSCXXXLmmsba5ku37x7zJJ4isEEwDQYJKoZIhvcNAQEL
+BQAwNzE1MDMGA1UEAwwsVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdWx0aXBsZSBU
+TFMgRmVhdHVyZXMwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFow
+LDEqMCgGA1UEAwwhTXVsdGkgVExTIEZlYXR1cmUgVGVzdCBFbmQtRW50aXR5MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08
+E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc
+1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP
+DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ
+gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV
+YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID
+AQABozIwMDAYBgNVHREEETAPgg0qLmV4YW1wbGUuY29tMBQGCCsGAQUFBwEYBAgw
+BgIBBQIBBjANBgkqhkiG9w0BAQsFAAOCAQEAo5Z4o5AYQSGGGaTVTlbbthu9zFwg
+Zvf9kqcEnq1HjAfs0zaOwX1M4VMbrzzfyiqqKVxTOmtwcW2yKVPE1ik3CKH8BVCj
+o3VwRTrPMkBqBGjrOg15NTSwbNxknYB7HyokfNdH4ANQnCs0DYDZVBAt157rIG3K
+oMYyK3aSlEDG2+GIX/fhDBXmkII2b8t7QS9ZT2lwzLxNXz+bKJ+HpAKYcgs7vMGt
+ykZSsRuPEfq/5WnbKpjIc6E2/l1kkpFsR54582kjYPjSA1Y579IoYgbPsk5VHhSV
+7Qg8SJopYa2yo69dFevXsDU2Tv2n4HcX0Cl3c6yermBS6wQUoN4Ek88IuQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem.certspec
new file mode 100644
index 0000000000..7a8dd223d0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test Intermediate With Multiple TLS Features
+subject:Multi TLS Feature Test End-Entity
+extension:subjectAlternativeName:*.example.com
+extension:TLSFeature:OCSPMustStaple,6
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem
new file mode 100644
index 0000000000..353301df55
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCDCCAfCgAwIBAgIUExI7fUz3GmcjMScLiiOCQIkXurQwDQYJKoZIhvcNAQEL
+BQAwLTErMCkGA1UEAwwiVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdXN0LVN0YXBs
+ZTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAaMRgwFgYDVQQD
+DA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a
+hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t
+FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o
+N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d
+JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4
+s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjLzAtMBgGA1UdEQQRMA+CDSouZXhhbXBs
+ZS5jb20wEQYIKwYBBQUHARgEBTADAgEFMA0GCSqGSIb3DQEBCwUAA4IBAQAZLyDW
+Mx2MhSfaOkL1LUymUrWbyB97LRlg/6gj/V9KX0+lu1uKGCpAVkie70JY1kCmDZGY
+PraE+08mqS2dakJAG8fF3G39nHBKOIHV6pgC1oFwdIQNji6Gfng+bW7wY2V/CvpF
+kxvDti4zNqxWFeulyqVY+9HElVqUHaU6cwU3Jyp6F1JY9IXKmp/Qn9/qpc/jVYtg
+hIzXC0ek4Idoun/g0xyPdvGSqV1xOqNQLln6VrDGVgTHY8MvhERdpobaGeCjcIr4
+dHy2QRXOZ9teBu99hjrUs5orw0cU3VrYqquZmkT5hlHzB88uCzCL9yanRiRu7sT6
+AT1rIoY65dulzXxu
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem.certspec
new file mode 100644
index 0000000000..352a60675d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test Intermediate With Must-Staple
+subject:Test End-entity
+extension:subjectAlternativeName:*.example.com
+extension:TLSFeature:OCSPMustStaple
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem
new file mode 100644
index 0000000000..9ef0a6cd32
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDITCCAgmgAwIBAgIUQTtN9ShJt1pBjl2mkQLi2h6ZarAwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjYzBh
+MBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wEQYIKwYBBQUHARgEBTADAgEFMDIG
+CCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4
+LzANBgkqhkiG9w0BAQsFAAOCAQEAOGWQ8cQnxcL3TyI+iGwT1QaoQKWZ73wNAfKM
+5jOslqRAWYXa5wvSWs4U5EnNhL5BxTGQJodJX9nSTwLnG3UnFAORu/zong8A31tj
+mEuKfsOr2AyLcldaIPGhSSbHkIh3lTOmsGavpBKCiOgTdZDJ0m9XmIWZQquPAUU5
+YrYpdYmE3uyduhz3yRJPpbMGjqUVBJ2JxNlJZKBe6rOksfbDqZOnAeFCDwMPmu5u
+qKGU1ZdPftOd9kUjgDUL8VdfyJYQTalsCEOnwbfeeXVj3uQM+K7GKkIXpM65odyN
+A2ixTwF+4F+O0Ud5gbsv6SRL2NuQ9QS8AWck5sFgNeXCp7lpxQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem.certspec
new file mode 100644
index 0000000000..43edfff0d9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test End-entity
+extension:subjectAlternativeName:*.example.com
+extension:TLSFeature:OCSPMustStaple
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem
new file mode 100644
index 0000000000..5224806264
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9TCCAd2gAwIBAgIUBTqttZK9tUuSoydawQZiIsRJzMgwDQYJKoZIhvcNAQEL
+BQAwLTErMCkGA1UEAwwiVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdXN0LVN0YXBs
+ZTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAaMRgwFgYDVQQD
+DA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a
+hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t
+FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o
+N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d
+JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4
+s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHDAaMBgGA1UdEQQRMA+CDSouZXhhbXBs
+ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAGSfCLtcdh40aAmR7FuDlsEFNB6WCFiA
+KZqgmPKAgwUxz06fzjRD6WKaUIu9EWc2EWOm33mT0ZxDCKveNH7PWaWncqiD+39e
+ufBp/9wchIYRL20RnCjSyWgoY0q2GQcpce4VkKEMsvqVX9PawPHDtDtN83j26Bpt
+ss+WaxmMPMr10M2mXiA4p7YxtyvMUC7mM0uz4oLMVy0zr6u+aYES24wFbMHtDSuv
+luxEdukhgft60ZWRQ87WlLBXthPbF51DOQuMdJkaT9xgWXOQYAHSe9B9mJuHHgne
+ldtJmEHhMY56HZnq5lCfH88HLQ3hjdkvW2C/s/cUTzmOg9K2v9dxehs=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem.certspec
new file mode 100644
index 0000000000..8e4a6ac0c5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test Intermediate With Must-Staple
+subject:Test End-entity
+extension:subjectAlternativeName:*.example.com
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem
new file mode 100644
index 0000000000..eeba74d122
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUa3IIjkCGtQbW1mfI5/tlV15JkwYwDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowLDEqMCgGA1UEAwwhVGVzdCBFbmQtZW50aXR5
+IHdpdGggSW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu
+Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO
+7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf
+qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt
+HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx
+uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1swWTAjBgNVHREEHDAagglsb2NhbGhv
+c3SCDSouZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZo
+dHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBQdbi6gS1G
+Dcd5PlWuNRCK9xO4hKNZWsLVtjomtwkGJ2rLlQzdjyOAOMMLBPAHwXr4/sL4XMfz
+g4yw99gpcHViVXr1LZ/ARsatRU2EiGm9At3c2BeES9dxuY7E8TNOyh/JzD4aeBHB
+IHji5+BfqWBNtX9KiuzKI1/rk9jNkqX43vlH+g0NDgRR+qzFZ7d+4cI9RCAjIn+l
+tDq+SXHeE6qNVhgPVrusCJ2BCUYdTurQJlN6SexScXADVduOH/A6Wgn6wqBk590B
+Pyo2uwGOQqPUdmZjuOZT3uEP3S/HZvU1CWhTolTngRU6hYYRUs/bOfa07YvnWfN+
+/pXB66XSWvAu
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem.certspec
new file mode 100644
index 0000000000..ae3a51565a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test Intermediate
+subject:Test End-entity with Intermediate
+extension:subjectAlternativeName:localhost,*.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem
new file mode 100644
index 0000000000..ecba24b47e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFDCCAfygAwIBAgIUZfBhvLmi3hqAmDxDC+6crWnZTTYwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAVMRMwEQYDVQQDDApPdGhlciBDZXJ0MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1swWTAjBgNV
+HREEHDAagglsb2NhbGhvc3SCDSouZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAk
+MCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEB
+CwUAA4IBAQCLXvngvubhkgVriBewAl1S6mx6VygmmNBglPAXKZMn9z46bmdFmoAZ
+oz6yV3/w0xO07EauQwZCdZesVpkLZYDmIgJdJT0qhXoke6hhBb05Lv9ybqPsNyWA
+1ezX8ZevXX19GOBZCuasCQhLrzn838OIfD9VPPHYhPEjjbuHDzK9vCkJXdRtb8QL
+jJxRQ2zrhyQAW83JdGhKKcERU+lcrwohKxEGnIMbjeaHkBhHAQqeQ/ZXS1ZXQREf
+sU9w5OMAkmcHPbjQqsrBfW4JBZE17oan+dkDlLDD7tpKwDVtnTgcU4bn9l2Tkn8M
+FE8s5Z7aVz2HVz5OeEkSs2tMubzFn8LO
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem.certspec
new file mode 100644
index 0000000000..5756f6ab5f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Other Cert
+extension:subjectAlternativeName:localhost,*.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key
new file mode 100644
index 0000000000..abde350c28
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBdcZSZgmfdwgq
+Z5HxuHbDf1zlOLBsSs0iscvUb6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBIC
+RMWEpMRIMwXlE4wBBs8IvpqGJ2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzH
+BuvNMHDsmMzkCqWR1ylaf3HFvmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZm
+JUeX7UJpCIgIEUIgaZiKQ/7kjOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW
+8YfN1U6DKzW4kw90upCqi8dhZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4Z
+HXEhaNO7AgMBAAECggEAfj9tfLg572auXX3ZL/VBC7NB3BRyjTkDRXDho3B5DzDw
+aBNV//QeKtTpqdn86/vRJ736uMAK/7Hzzqcyfq1HqhYh8qwe4UygLwSzsnhgF5gL
+GBpEnQOwPmnRErg1ceVUNPASBWV10oMu1nMdznmeN8g/bVHFWrcetYAVrwXhrxXH
+R2A+9/J9A6b/BJ2Wu/hUweTlDvWwWND7CBgOCsf3vo8v8Wc9l/yeVduoOAd7v4p8
+/ylihXeFJpzZ1brStXRp5K/NM8TKLS9pnxHnyPvc1ITwjY77ijy4qXLrJL7Zcu+q
+5LtxIJPkj+lKRutimodQeMQCGposk8mnA5Dp0KVEAQKBgQDmP8clprp2klp/+MtZ
+xPVt1+yD/oW/H1PhHKyagSWLz8CugZB3sPLRR3qvho3mqOy+r3uyKxlvKprYLTKG
+8NDMKd5xnl8r6OUJtyhNWWPt02L5J4h6TEqJeZ00DVGzAax2AasnF5Ak/KrdOL9l
+Iq9j6xZGHsAqfyewb+Cd3afAoQKBgQDXGLH+n4+Z8A6DKuH73G/iqyfzTgScSYAQ
++g63CEhSGCNGCDtclsPu5VksAUpBDGuTCxZcE7XCaqMurG58klqFUcJRNPL0pyxk
+IfGacxSKDt+rpdOmiIs1y6GMAP047lqvC1RXMdcgdhu8ze50SlLKQV6Y5N4Bzf52
+TBlns+jK2wKBgAHlrKJmyUqI0i4TwrkuokcRbGV6B2gXvf0w20s6nTCVuaS2dJZH
+4vhOenhPx4OLCMhZcc96A2+jDjuRw8TQ3yePgMG26FnYRWrbE33vqp8fCsW6yakY
+T9TqJ51yLqYm8WDXiq17yDhFzLKd8RXIP2G3YiuZvUOcYJtXkKY8WVGBAoGBAIDM
+RdENJITuDRKX/Ae/gLO+/0Yeon4fOPNxeJw69mtKDt0hksIneR208cd64ka/NC8x
+hWsPVlgbWKlbETHAxTltsqjDxvOeouM2vCBa5qKgs2hp/KmMu6czzwExmm+bsmt8
+oj0wF/xVHNjaiv3Rf2+i4w00hoeYHNYjTVcekLffAoGAb3fAwfKuesFpVhzKSZxS
+vfvgTN3M29wSrsWoVpHoWUt+4pkI8w57lqpiVLgO1K7sm5k3gr38ebadjVjGiHD6
+S+G8DDUnKIxcgrtK668V7f8RBAP8eOas5qgoJ79C8M+nUeUHZRxWONuTk90j3R9r
+KVFR3kS3f+Vaew3yceGaZcA=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key.keyspec b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key.keyspec
new file mode 100644
index 0000000000..cbd5f309c0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key.keyspec
@@ -0,0 +1 @@
+alternate
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem
new file mode 100644
index 0000000000..a2e264030a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIURym6o+VN9xgZXT/QLrvN/nv1ZN4wDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoY
+DzIwMjUwMTAxMDAwMDAwWjAYMRYwFAYDVQQDDA1PdGhlciB0ZXN0IENBMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2w39c5Tiw
+bErNIrHL1G+mWtoq3UHIwkmKxKOzwfYUh/QbaYlBvYClHDwSAkTFhKTESDMF5ROM
+AQbPCL6ahidguuai6PNvI8XZgxO53683g0XazlHU1tzSpss8xwbrzTBw7JjM5Aql
+kdcpWn9xxb5maR0rLf7ISURZC8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1CaQiICBFC
+IGmYikP+5Izmh4HdIramnNKDdRMfkysSjOKG+n0lHAYq0n7wFvGHzdVOgys1uJMP
+dLqQqovHYWckKrH9bWIUDRjEwLjGj8N0hFcyStfehuZVLx0eGR1xIWjTuwIDAQAB
+ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC
+AQEAtXplrvls6HSbbibpzfGxOPmSuh2TH05bE4vQk+d7Kz6EOAFvgTiZbLwTxbrQ
+gfrM05t+67C2nAeiwAtW34nUnu6S8MYA6mJjURWICbl7cAvCHuNjg1atVr6f1Y+9
+VFFG6aUibw3bzKneREmDEVcxlEWUaMvv/JjfyMA5veSyX6iTJYkIBrEiVV5Alzg5
+yVHBi6+tpuJDO/YLlG8kmfzkYeJkTyAGx1EJ2yQHim7R232638yb0KrhS4zKsfFU
+egHhM4c+MpiCLc9q2EgblbYGx5GM+2leuzXunj1KPClHFrnmkRRm3rcESG2pK9RN
+/48Nd38VNofRojEbzDSCdOFmow==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem.certspec
new file mode 100644
index 0000000000..3bc975aa22
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem.certspec
@@ -0,0 +1,7 @@
+issuer:Other test CA
+subject:Other test CA
+issuerKey:alternate
+subjectKey:alternate
+validity:20150101-20250101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key
new file mode 100644
index 0000000000..d43495f851
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICcAIBADANBgkqhkiG9w0BAQEFAASCAlowggJWAgEAAoGAANKbsS+4T93NKbOl
+GctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJaj7SBxZVNKqZ
+BX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyvbXvmnZoIMTbh
+WvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAQJ/PEllBwvzkMJR1aLFJ3xbX9C97oXK
+1/4rJ5grsoURSlBwBANq4c+K5Usl5Ns5IVq9fpA/YYwtiy8IzGzRLbzNciBeSUW2
+s984nl5D3goUi7LITiQx/b5ZILBEuycvRez/ByG337YDl/xhOp6jXCIwBTDK6PkV
+nFNN878JEJUZAQJAD58XWXyFuAUbnGmvtV71dsmW29CQR9DM3ludYOpcZ/5PrGe+
+gD9LasWj8FD3a5ZvsU9c8QV2HlrebdlgsYO6VQJADXtjcRLOYaVRaMD5yThvsnmr
+QMug1Ukza7plJ3JjqseCYRosgdm2Nc94xAAYhZ4BjF6QBtEuPS7m80bnn6QzaQJA
+Cf1smj6m6RrjIHD5/BwhD/k1L5e+XR7rlRuzloHp3FtnKlMiIbPYkAyanZm50KTh
+AtxFDKG4ewsTid5lFsCuDQJAAUG4MkkbfdSoMwiSACTHnK5kvUR9+IO7TFZyqWur
+SLcSOzTyYyRFLNzrF/IeVw40fL4v1MLY+ZEOrCy22JW4yQJABFjdau4YyIsvm4Hx
+vDB1riDcH5lz0gck8gsGBD1hR8h4nUoHroi8gshDjIk+AXsTlH9i4LGJWKMetmSx
+nmTT4A==
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key.keyspec b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key.keyspec
new file mode 100644
index 0000000000..21ed73d60b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key.keyspec
@@ -0,0 +1 @@
+rsa1016
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem
new file mode 100644
index 0000000000..b454679f59
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICazCCAVOgAwIBAgIUeyDBOS9mtFv5N72V2YIHiWmPZdIwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjA1MTMwMQYDVQQDDCpSU0EgMTAxNiBLZXkgU2l6ZSBUZXN0IERl
+bGVnYXRlZCBSZXNwb25kZXIwgZ4wDQYJKoZIhvcNAQEBBQADgYwAMIGIAoGAANKb
+sS+4T93NKbOlGctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJ
+aj7SBxZVNKqZBX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyv
+bXvmnZoIMTbhWvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAaMXMBUwEwYDVR0lBAww
+CgYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggEBAINTMoS5aPwzfldv/8/emhhg
+PWe+KWFgeyO1el82X0EsrazazEKLk1dtARBDYWCL5BnksnLGpWYZgW4/yqf0CUq+
+MQSxid5YA1/wNhleZV4j2zz+ztdjDMzp2bltPBJjczdck5k9BHBcJcYJ/lnysW+b
+6w1ezHDbv2UfdCIch+W+W1NotJDR7DpZ6oXt9+q/sM7pmRPBaAsKWogXYbSPvPca
+fqSgYlgkk3QCm1I4wjlGX4O9mIGwKPkdqpCKyQFkiK2nS1RX2TBzx+iRJhVFUXRF
+OmVG+yNaEYHgD/SJWWmM6aN7sKSn4Ijr5IniPlhJkE2B+wSyikeEMBrRso8eoF0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem.certspec
new file mode 100644
index 0000000000..05f73368a8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:RSA 1016 Key Size Test Delegated Responder
+subjectKey:rsa1016
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem
new file mode 100644
index 0000000000..67e7ca56e8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUP5NBbozOXrtwcuQwu3pzUXbOl7owDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEABBSMkSBFq/bK
+LpntIx6QJdqPtmnjdjwTpCbQyKKfQjjrazCfru5SheZq7ACtQ0uWFokUOQhB+Xvv
+sqy9HqJhK4UN0zfNPjtkHOSbNefWXOseEzA6XxuaCzQXWOp1WNNPnfdtYZizy6hT
+fKuKjhniKLmIQD61KNl7Ev1hWUhWC7R8U+IFztXusYYFUUmqqaZ/v7lNfY1sHu4k
+zHQFp+xqeaXvkoRpTXhoSdwDQ7ldquwqMM0NIQXlhtcmg7IYwZBGlJgzoejN4k2H
+2WycvxPW70I10NeAAhtie1+K4JHwr6/SLLwCCnJDoRMMpMhM9/853Ye/4PTDGhuK
+fqhEoHH9Ig==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem.certspec
new file mode 100644
index 0000000000..5d2435d7bb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test CA
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem
new file mode 100644
index 0000000000..08249b863e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25iBPOkIMwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMjUw
+MTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
+SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
+K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
+bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
+JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMd
+MBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEB
+AILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC2BQF0kMEEB547p+Ms8zdJY00
+Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77TkfmnSnxvPi+0nlA+eM
+8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22+AIU7w6wyA
+IbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubjiMr3
+B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpyk
+rGFLvocT/kym6r8galxCJUo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem.certspec
new file mode 100644
index 0000000000..33b42c2f41
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate
+validity:20150101-20250101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem
new file mode 100644
index 0000000000..1dc63c35df
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDjCCAfagAwIBAgIURRwvssJseXcmi8J+DidsPsKTfhEwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjA3MTUwMwYDVQQDDCxUZXN0IEludGVybWVkaWF0ZSBXaXRoIE11
+bHRpcGxlIFRMUyBGZWF0dXJlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab
+bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts
+Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI
+H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8
+rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX
+Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMzMDEwDAYDVR0TBAUwAwEB/zALBgNV
+HQ8EBAMCAQYwFAYIKwYBBQUHARgECDAGAgEFAgEGMA0GCSqGSIb3DQEBCwUAA4IB
+AQARO+X9UxpurzrcJYzIVlqj5EB2i8Z3NFXat159KiOjX6AK58VtIAAWl8d+q1FU
+s40sJ7wFks7h2f/WW9/Yu51nrrtUPIwy/G/gFU09Y9k4eRKLaE+Mi7pIkmp1txvd
+DoZZ1tnxF48zer8jOWCQkuj3P0G0IGs2brHAapWoGlGvIec0jw864f6rj/5YCioi
+BAAy8uRJUmrIq5F2vxl5DjbOzTvNVuG59vTGzFYVMYOWG4QppJVL2rh7zv4jf0z1
+PQj1yFceL34Xghpq9ZlKI6QuQepJDYZlQTiHHAvBl+cIqr59qXiIL0BV/0f4I3+E
+Y7drz37LNNez8NejKWP0gArr
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem.certspec
new file mode 100644
index 0000000000..3f0e925aae
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate With Multiple TLS Features
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:TLSFeature:OCSPMustStaple,6
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem
new file mode 100644
index 0000000000..38f4fffd53
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDATCCAemgAwIBAgIUG5VJbCoDE3nEodUerxQAr2DeaFswDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAtMSswKQYDVQQDDCJUZXN0IEludGVybWVkaWF0ZSBXaXRoIE11
+c3QtU3RhcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABozAwLjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAR
+BggrBgEFBQcBGAQFMAMCAQUwDQYJKoZIhvcNAQELBQADggEBAAxbb8Gv/Uq2Hz87
+midUQPnDCNSoBdHrZQfKDe9thI3K+U6sRleKFXHr/c3ZMNYIDKAx0viokFzBnGzS
+sAdW+So5bFaL2TZWoW9dfxpKVk0bzesKYlovD+BCbSkIM+YLBSL47yGox2n1dgca
+b293XtdBglEZcMaDhSGLt846OdFG6UdIWvO/VYd8cW+Ozqey/Boq6ZFihQkGKhqv
+ifDOsvsCU1W75lhqz5kcdfB+iS7pwo9S5tXkguYlIKEQe71Wi6YXrux8D75o3Nbi
+xwdp0yyuaKl58iKb3WntO0IquEhQzwpSURXEP+NNE1TacfKwvTSyD95tfFosfp1F
+d6sL4wc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem.certspec
new file mode 100644
index 0000000000..7c29aa0ad1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate With Must-Staple
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:TLSFeature:OCSPMustStaple
diff --git a/security/manager/ssl/tests/unit/pkcs11testmodule/moz.build b/security/manager/ssl/tests/unit/pkcs11testmodule/moz.build
new file mode 100644
index 0000000000..0eef91b076
--- /dev/null
+++ b/security/manager/ssl/tests/unit/pkcs11testmodule/moz.build
@@ -0,0 +1,20 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+FINAL_TARGET = "_tests/xpcshell/security/manager/ssl/tests/unit/pkcs11testmodule"
+
+UNIFIED_SOURCES += [
+ "pkcs11testmodule.cpp",
+]
+
+SharedLibrary("pkcs11testmodule")
+
+# C_GetFunctionList needs to be exported. As it turns out, it's much easier to
+# just export all the symbols.
+NoVisibilityFlags()
+SYMBOLS_FILE = "pkcs11testmodule.symbols"
+
+NO_PGO = True
diff --git a/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.cpp b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.cpp
new file mode 100644
index 0000000000..74c5620eb2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.cpp
@@ -0,0 +1,597 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a testing PKCS #11 module that simulates a token being inserted and
+// removed from a slot every 50ms. This is achieved mainly in
+// Test_C_WaitForSlotEvent. If the application that loaded this module calls
+// C_WaitForSlotEvent, this module waits for 50ms and returns, having changed
+// its internal state to report that the token has either been inserted or
+// removed, as appropriate.
+// This module also provides an alternate token that is always present for tests
+// that don't want the cyclic behavior described above.
+
+#include <assert.h>
+#include <atomic>
+#include <string.h>
+
+#if defined(WIN32)
+# include <windows.h> // for Sleep
+#else
+# include <unistd.h> // for usleep
+#endif
+
+#include "pkcs11.h"
+
+CK_RV Test_C_Initialize(CK_VOID_PTR) { return CKR_OK; }
+
+CK_RV Test_C_Finalize(CK_VOID_PTR) { return CKR_OK; }
+
+static const CK_VERSION CryptokiVersion = {2, 2};
+static const CK_VERSION TestLibraryVersion = {0, 0};
+static const char TestLibraryDescription[] = "Test PKCS11 Library";
+static const char TestManufacturerID[] = "Test PKCS11 Manufacturer ID";
+
+/* The dest buffer is one in the CK_INFO or CK_TOKEN_INFO structs.
+ * Those buffers are padded with spaces. DestSize corresponds to the declared
+ * size for those buffers (e.g. 32 for `char foo[32]`).
+ * The src buffer is a string literal. SrcSize includes the string
+ * termination character (e.g. 4 for `const char foo[] = "foo"` */
+template <size_t DestSize, size_t SrcSize>
+void CopyString(unsigned char (&dest)[DestSize], const char (&src)[SrcSize]) {
+ static_assert(DestSize >= SrcSize - 1, "DestSize >= SrcSize - 1");
+ memcpy(dest, src, SrcSize - 1);
+ memset(dest + SrcSize - 1, ' ', DestSize - SrcSize + 1);
+}
+
+CK_RV Test_C_GetInfo(CK_INFO_PTR pInfo) {
+ if (!pInfo) {
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ pInfo->cryptokiVersion = CryptokiVersion;
+ CopyString(pInfo->manufacturerID, TestManufacturerID);
+ pInfo->flags = 0; // must be 0
+ CopyString(pInfo->libraryDescription, TestLibraryDescription);
+ pInfo->libraryVersion = TestLibraryVersion;
+ return CKR_OK;
+}
+
+CK_RV Test_C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR) { return CKR_OK; }
+
+static int tokenPresent = 0;
+
+CK_RV Test_C_GetSlotList(CK_BBOOL limitToTokensPresent,
+ CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) {
+ if (!pulCount) {
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ // We always return slot 2
+ CK_ULONG slotCount = 1;
+ if (!limitToTokensPresent) {
+ // If we want empty slots, we also return slots 1 and 3
+ slotCount += 2;
+ } else if (tokenPresent) {
+ // If we don't want empty slots, but token 1 is present, return that (but
+ // not slot 3)
+ slotCount++;
+ }
+
+ if (pSlotList) {
+ if (*pulCount < slotCount) {
+ return CKR_BUFFER_TOO_SMALL;
+ }
+ // apparently CK_SLOT_IDs are integers [1,N] because
+ // who likes counting from 0 all the time?
+ switch (slotCount) {
+ case 1:
+ pSlotList[0] = 2;
+ break;
+ case 2:
+ if (tokenPresent) {
+ pSlotList[0] = 1;
+ pSlotList[1] = 2;
+ } else {
+ pSlotList[0] = 2;
+ pSlotList[1] = 3;
+ }
+ break;
+ case 3:
+ pSlotList[0] = 1;
+ pSlotList[1] = 2;
+ pSlotList[2] = 3;
+ break;
+ default:
+ assert("Unexpected slot count in Test_C_GetSlotList" == NULL);
+ return CKR_GENERAL_ERROR;
+ }
+ }
+
+ *pulCount = slotCount;
+ return CKR_OK;
+}
+
+static const char TestSlotDescription[] = "Test PKCS11 Slot";
+static const char TestSlot2Description[] = "Test PKCS11 Slot 二";
+static const char TestSlot3Description[] = "Empty PKCS11 Slot";
+
+CK_RV Test_C_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
+ if (!pInfo) {
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ switch (slotID) {
+ case 1:
+ CopyString(pInfo->slotDescription, TestSlotDescription);
+ pInfo->flags =
+ (tokenPresent ? CKF_TOKEN_PRESENT : 0) | CKF_REMOVABLE_DEVICE;
+ break;
+ case 2:
+ CopyString(pInfo->slotDescription, TestSlot2Description);
+ pInfo->flags = CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE;
+ break;
+ case 3:
+ CopyString(pInfo->slotDescription, TestSlot3Description);
+ pInfo->flags = CKF_REMOVABLE_DEVICE;
+ break;
+ default:
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ CopyString(pInfo->manufacturerID, TestManufacturerID);
+ pInfo->hardwareVersion = TestLibraryVersion;
+ pInfo->firmwareVersion = TestLibraryVersion;
+ return CKR_OK;
+}
+
+// Deliberately include énye to ensure we're handling encoding correctly.
+// The PKCS #11 base specification v2.20 specifies that strings be encoded
+// as UTF-8.
+static const char TestTokenLabel[] = "Test PKCS11 Tokeñ Label";
+static const char TestToken2Label[] = "Test PKCS11 Tokeñ 2 Label";
+static const char TestTokenModel[] = "Test Model";
+
+std::atomic<bool> sLoggedIn = false;
+
+CK_RV Test_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) {
+ if (!pInfo) {
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ switch (slotID) {
+ case 1:
+ CopyString(pInfo->label, TestTokenLabel);
+ break;
+ case 2:
+ CopyString(pInfo->label, TestToken2Label);
+ break;
+ default:
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ CopyString(pInfo->manufacturerID, TestManufacturerID);
+ CopyString(pInfo->model, TestTokenModel);
+ memset(pInfo->serialNumber, 0, sizeof(pInfo->serialNumber));
+ pInfo->flags = CKF_TOKEN_INITIALIZED;
+ if (slotID == 2) {
+ pInfo->flags |= CKF_PROTECTED_AUTHENTICATION_PATH |
+ CKF_USER_PIN_INITIALIZED | CKF_LOGIN_REQUIRED;
+ }
+ pInfo->ulMaxSessionCount = 1;
+ pInfo->ulSessionCount = 0;
+ pInfo->ulMaxRwSessionCount = 1;
+ pInfo->ulRwSessionCount = 0;
+ pInfo->ulMaxPinLen = 4;
+ pInfo->ulMinPinLen = 4;
+ pInfo->ulTotalPublicMemory = 1024;
+ pInfo->ulFreePublicMemory = 1024;
+ pInfo->ulTotalPrivateMemory = 1024;
+ pInfo->ulFreePrivateMemory = 1024;
+ pInfo->hardwareVersion = TestLibraryVersion;
+ pInfo->firmwareVersion = TestLibraryVersion;
+ memset(pInfo->utcTime, 0, sizeof(pInfo->utcTime));
+
+ return CKR_OK;
+}
+
+CK_RV Test_C_GetMechanismList(CK_SLOT_ID, CK_MECHANISM_TYPE_PTR,
+ CK_ULONG_PTR pulCount) {
+ if (!pulCount) {
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ *pulCount = 0;
+ return CKR_OK;
+}
+
+CK_RV Test_C_GetMechanismInfo(CK_SLOT_ID, CK_MECHANISM_TYPE,
+ CK_MECHANISM_INFO_PTR) {
+ return CKR_OK;
+}
+
+CK_RV Test_C_InitToken(CK_SLOT_ID, CK_UTF8CHAR_PTR, CK_ULONG, CK_UTF8CHAR_PTR) {
+ return CKR_OK;
+}
+
+CK_RV Test_C_InitPIN(CK_SESSION_HANDLE, CK_UTF8CHAR_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SetPIN(CK_SESSION_HANDLE, CK_UTF8CHAR_PTR, CK_ULONG,
+ CK_UTF8CHAR_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS, CK_VOID_PTR, CK_NOTIFY,
+ CK_SESSION_HANDLE_PTR phSession) {
+ switch (slotID) {
+ case 1:
+ *phSession = 1;
+ break;
+ case 2:
+ *phSession = 2;
+ break;
+ default:
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ return CKR_OK;
+}
+
+CK_RV Test_C_CloseSession(CK_SESSION_HANDLE) { return CKR_OK; }
+
+CK_RV Test_C_CloseAllSessions(CK_SLOT_ID) { return CKR_OK; }
+
+CK_RV Test_C_GetSessionInfo(CK_SESSION_HANDLE hSession,
+ CK_SESSION_INFO_PTR pInfo) {
+ if (!pInfo) {
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ switch (hSession) {
+ case 1:
+ pInfo->slotID = 1;
+ pInfo->state = CKS_RO_PUBLIC_SESSION;
+ break;
+ case 2:
+ pInfo->slotID = 2;
+ pInfo->state = sLoggedIn ? CKS_RO_USER_FUNCTIONS : CKS_RO_PUBLIC_SESSION;
+ break;
+ default:
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ pInfo->flags = CKF_SERIAL_SESSION;
+
+ return CKR_OK;
+}
+
+CK_RV Test_C_GetOperationState(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SetOperationState(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+ CK_OBJECT_HANDLE, CK_OBJECT_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_Login(CK_SESSION_HANDLE, CK_USER_TYPE, CK_UTF8CHAR_PTR, CK_ULONG) {
+ // Sleep for 3 seconds to simulate the user using a protected auth path.
+#ifdef WIN32
+ Sleep(3000); // Sleep takes the duration argument as milliseconds
+#else
+ usleep(3000000); // usleep takes the duration argument as microseconds
+#endif
+ sLoggedIn = true;
+ return CKR_OK;
+}
+
+CK_RV Test_C_Logout(CK_SESSION_HANDLE) {
+ sLoggedIn = false;
+ return CKR_OK;
+}
+
+CK_RV Test_C_CreateObject(CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG,
+ CK_OBJECT_HANDLE_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_CopyObject(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ATTRIBUTE_PTR,
+ CK_ULONG, CK_OBJECT_HANDLE_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DestroyObject(CK_SESSION_HANDLE, CK_OBJECT_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_GetObjectSize(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_GetAttributeValue(CK_SESSION_HANDLE, CK_OBJECT_HANDLE,
+ CK_ATTRIBUTE_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SetAttributeValue(CK_SESSION_HANDLE, CK_OBJECT_HANDLE,
+ CK_ATTRIBUTE_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_FindObjectsInit(CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG) {
+ return CKR_OK;
+}
+
+CK_RV Test_C_FindObjects(CK_SESSION_HANDLE, CK_OBJECT_HANDLE_PTR, CK_ULONG,
+ CK_ULONG_PTR pulObjectCount) {
+ *pulObjectCount = 0;
+ return CKR_OK;
+}
+
+CK_RV Test_C_FindObjectsFinal(CK_SESSION_HANDLE) { return CKR_OK; }
+
+CK_RV Test_C_EncryptInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR,
+ CK_OBJECT_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_Encrypt(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+ CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_EncryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+ CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_EncryptFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DecryptInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR,
+ CK_OBJECT_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_Decrypt(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+ CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DecryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+ CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DecryptFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DigestInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_Digest(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+ CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DigestUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DigestKey(CK_SESSION_HANDLE, CK_OBJECT_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DigestFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SignInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_Sign(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+ CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SignUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SignFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SignRecoverInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR,
+ CK_OBJECT_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SignRecover(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+ CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_VerifyInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_Verify(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+ CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_VerifyUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_VerifyFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_VerifyRecoverInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR,
+ CK_OBJECT_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_VerifyRecover(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+ CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DigestEncryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+ CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DecryptDigestUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+ CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SignEncryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+ CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DecryptVerifyUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+ CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_GenerateKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_ATTRIBUTE_PTR,
+ CK_ULONG, CK_OBJECT_HANDLE_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_GenerateKeyPair(CK_SESSION_HANDLE, CK_MECHANISM_PTR,
+ CK_ATTRIBUTE_PTR, CK_ULONG, CK_ATTRIBUTE_PTR,
+ CK_ULONG, CK_OBJECT_HANDLE_PTR,
+ CK_OBJECT_HANDLE_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_WrapKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE,
+ CK_OBJECT_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_UnwrapKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE,
+ CK_BYTE_PTR, CK_ULONG, CK_ATTRIBUTE_PTR, CK_ULONG,
+ CK_OBJECT_HANDLE_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DeriveKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE,
+ CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SeedRandom(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_GenerateRandom(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_GetFunctionStatus(CK_SESSION_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_CancelFunction(CK_SESSION_HANDLE) {
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_WaitForSlotEvent(CK_FLAGS, CK_SLOT_ID_PTR pSlot, CK_VOID_PTR) {
+#ifdef WIN32
+ Sleep(50); // Sleep takes the duration argument as milliseconds
+#else
+ usleep(50000); // usleep takes the duration argument as microseconds
+#endif
+ *pSlot = 1;
+ tokenPresent = !tokenPresent;
+ return CKR_OK;
+}
+
+static CK_FUNCTION_LIST FunctionList = {{2, 2},
+ Test_C_Initialize,
+ Test_C_Finalize,
+ Test_C_GetInfo,
+ Test_C_GetFunctionList,
+ Test_C_GetSlotList,
+ Test_C_GetSlotInfo,
+ Test_C_GetTokenInfo,
+ Test_C_GetMechanismList,
+ Test_C_GetMechanismInfo,
+ Test_C_InitToken,
+ Test_C_InitPIN,
+ Test_C_SetPIN,
+ Test_C_OpenSession,
+ Test_C_CloseSession,
+ Test_C_CloseAllSessions,
+ Test_C_GetSessionInfo,
+ Test_C_GetOperationState,
+ Test_C_SetOperationState,
+ Test_C_Login,
+ Test_C_Logout,
+ Test_C_CreateObject,
+ Test_C_CopyObject,
+ Test_C_DestroyObject,
+ Test_C_GetObjectSize,
+ Test_C_GetAttributeValue,
+ Test_C_SetAttributeValue,
+ Test_C_FindObjectsInit,
+ Test_C_FindObjects,
+ Test_C_FindObjectsFinal,
+ Test_C_EncryptInit,
+ Test_C_Encrypt,
+ Test_C_EncryptUpdate,
+ Test_C_EncryptFinal,
+ Test_C_DecryptInit,
+ Test_C_Decrypt,
+ Test_C_DecryptUpdate,
+ Test_C_DecryptFinal,
+ Test_C_DigestInit,
+ Test_C_Digest,
+ Test_C_DigestUpdate,
+ Test_C_DigestKey,
+ Test_C_DigestFinal,
+ Test_C_SignInit,
+ Test_C_Sign,
+ Test_C_SignUpdate,
+ Test_C_SignFinal,
+ Test_C_SignRecoverInit,
+ Test_C_SignRecover,
+ Test_C_VerifyInit,
+ Test_C_Verify,
+ Test_C_VerifyUpdate,
+ Test_C_VerifyFinal,
+ Test_C_VerifyRecoverInit,
+ Test_C_VerifyRecover,
+ Test_C_DigestEncryptUpdate,
+ Test_C_DecryptDigestUpdate,
+ Test_C_SignEncryptUpdate,
+ Test_C_DecryptVerifyUpdate,
+ Test_C_GenerateKey,
+ Test_C_GenerateKeyPair,
+ Test_C_WrapKey,
+ Test_C_UnwrapKey,
+ Test_C_DeriveKey,
+ Test_C_SeedRandom,
+ Test_C_GenerateRandom,
+ Test_C_GetFunctionStatus,
+ Test_C_CancelFunction,
+ Test_C_WaitForSlotEvent};
+
+CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) {
+ *ppFunctionList = &FunctionList;
+ return CKR_OK;
+}
diff --git a/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.symbols b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.symbols
new file mode 100644
index 0000000000..562ecea21d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.symbols
@@ -0,0 +1 @@
+C_GetFunctionList
diff --git a/security/manager/ssl/tests/unit/requirements.txt b/security/manager/ssl/tests/unit/requirements.txt
new file mode 100644
index 0000000000..095fcb04fc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/requirements.txt
@@ -0,0 +1,6 @@
+lxml
+pyasn1 == 0.3.7
+pyasn1_modules == 0.1.5
+ecc
+mock
+rsa
diff --git a/security/manager/ssl/tests/unit/sign_app.py b/security/manager/ssl/tests/unit/sign_app.py
new file mode 100755
index 0000000000..a2767c54eb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/sign_app.py
@@ -0,0 +1,426 @@
+#!/usr/bin/env python3
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"""
+Given a directory of files, packages them up and signs the
+resulting zip file. Mainly for creating test inputs to the
+nsIX509CertDB.openSignedAppFileAsync API.
+"""
+from base64 import b64encode
+from cbor2 import dumps
+from cbor2.types import CBORTag
+from hashlib import sha1, sha256
+import argparse
+from io import StringIO
+import os
+import re
+import six
+import sys
+import zipfile
+
+# These libraries moved to security/manager/tools/ in bug 1699294.
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "tools"))
+import pycert
+import pycms
+import pykey
+
+ES256 = -7
+ES384 = -35
+ES512 = -36
+KID = 4
+ALG = 1
+COSE_Sign = 98
+
+
+def coseAlgorithmToPykeyHash(algorithm):
+ """Helper function that takes one of (ES256, ES384, ES512)
+ and returns the corresponding pykey.HASH_* identifier."""
+ if algorithm == ES256:
+ return pykey.HASH_SHA256
+ if algorithm == ES384:
+ return pykey.HASH_SHA384
+ if algorithm == ES512:
+ return pykey.HASH_SHA512
+ raise UnknownCOSEAlgorithmError(algorithm)
+
+
+# COSE_Signature = [
+# protected : serialized_map,
+# unprotected : {},
+# signature : bstr
+# ]
+
+
+def coseSignature(payload, algorithm, signingKey, signingCertificate, bodyProtected):
+ """Returns a COSE_Signature structure.
+ payload is a string representing the data to be signed
+ algorithm is one of (ES256, ES384, ES512)
+ signingKey is a pykey.ECKey to sign the data with
+ signingCertificate is a byte string
+ bodyProtected is the serialized byte string of the protected body header
+ """
+ protected = {ALG: algorithm, KID: signingCertificate}
+ protectedEncoded = dumps(protected)
+ # Sig_structure = [
+ # context : "Signature"
+ # body_protected : bodyProtected
+ # sign_protected : protectedEncoded
+ # external_aad : nil
+ # payload : bstr
+ # ]
+ sigStructure = [u"Signature", bodyProtected, protectedEncoded, None, payload]
+ sigStructureEncoded = dumps(sigStructure)
+ pykeyHash = coseAlgorithmToPykeyHash(algorithm)
+ signature = signingKey.signRaw(sigStructureEncoded, pykeyHash)
+ return [protectedEncoded, {}, signature]
+
+
+# COSE_Sign = [
+# protected : serialized_map,
+# unprotected : {},
+# payload : nil,
+# signatures : [+ COSE_Signature]
+# ]
+
+
+def coseSig(payload, intermediates, signatures):
+ """Returns the entire (tagged) COSE_Sign structure.
+ payload is a string representing the data to be signed
+ intermediates is an array of byte strings
+ signatures is an array of (algorithm, signingKey,
+ signingCertificate) triplets to be passed to
+ coseSignature
+ """
+ protected = {KID: intermediates}
+ protectedEncoded = dumps(protected)
+ coseSignatures = []
+ for (algorithm, signingKey, signingCertificate) in signatures:
+ coseSignatures.append(
+ coseSignature(
+ payload, algorithm, signingKey, signingCertificate, protectedEncoded
+ )
+ )
+ tagged = CBORTag(COSE_Sign, [protectedEncoded, {}, None, coseSignatures])
+ return dumps(tagged)
+
+
+def walkDirectory(directory):
+ """Given a relative path to a directory, enumerates the
+ files in the tree rooted at that location. Returns a list
+ of pairs of paths to those files. The first in each pair
+ is the full path to the file. The second in each pair is
+ the path to the file relative to the directory itself."""
+ paths = []
+ for path, _dirs, files in os.walk(directory):
+ for f in files:
+ fullPath = os.path.join(path, f)
+ internalPath = re.sub(r"^/", "", fullPath.replace(directory, ""))
+ paths.append((fullPath, internalPath))
+ return paths
+
+
+def addManifestEntry(filename, hashes, contents, entries):
+ """Helper function to fill out a manifest entry.
+ Takes the filename, a list of (hash function, hash function name)
+ pairs to use, the contents of the file, and the current list
+ of manifest entries."""
+ entry = "Name: %s\n" % filename
+ for (hashFunc, name) in hashes:
+ base64hash = b64encode(hashFunc(contents).digest()).decode("ascii")
+ entry += "%s-Digest: %s\n" % (name, base64hash)
+ entries.append(entry)
+
+
+def getCert(subject, keyName, issuerName, ee, issuerKey="", validity=""):
+ """Helper function to create an X509 cert from a specification.
+ Takes the subject, the subject key name to use, the issuer name,
+ a bool whether this is an EE cert or not, and optionally an issuer key
+ name."""
+ certSpecification = (
+ "issuer:%s\n" % issuerName
+ + "subject:"
+ + subject
+ + "\n"
+ + "subjectKey:%s\n" % keyName
+ )
+ if ee:
+ certSpecification += "extension:keyUsage:digitalSignature"
+ else:
+ certSpecification += (
+ "extension:basicConstraints:cA,\n"
+ + "extension:keyUsage:cRLSign,keyCertSign"
+ )
+ if issuerKey:
+ certSpecification += "\nissuerKey:%s" % issuerKey
+ if validity:
+ certSpecification += "\nvalidity:%s" % validity
+ certSpecificationStream = StringIO()
+ print(certSpecification, file=certSpecificationStream)
+ certSpecificationStream.seek(0)
+ return pycert.Certificate(certSpecificationStream)
+
+
+def coseAlgorithmToSignatureParams(coseAlgorithm, issuerName, certValidity):
+ """Given a COSE algorithm ('ES256', 'ES384', 'ES512') and an issuer
+ name, returns a (algorithm id, pykey.ECCKey, encoded certificate)
+ triplet for use with coseSig.
+ """
+ if coseAlgorithm == "ES256":
+ keyName = "secp256r1"
+ algId = ES256
+ elif coseAlgorithm == "ES384":
+ keyName = "secp384r1"
+ algId = ES384
+ elif coseAlgorithm == "ES512":
+ keyName = "secp521r1" # COSE uses the hash algorithm; this is the curve
+ algId = ES512
+ else:
+ raise UnknownCOSEAlgorithmError(coseAlgorithm)
+ key = pykey.ECCKey(keyName)
+ # The subject must differ to avoid errors when importing into NSS later.
+ ee = getCert(
+ "xpcshell signed app test signer " + keyName,
+ keyName,
+ issuerName,
+ True,
+ "default",
+ certValidity,
+ )
+ return (algId, key, ee.toDER())
+
+
+def signZip(
+ appDirectory,
+ outputFile,
+ issuerName,
+ rootName,
+ certValidity,
+ manifestHashes,
+ signatureHashes,
+ pkcs7Hashes,
+ coseAlgorithms,
+ emptySignerInfos,
+ headerPaddingFactor,
+):
+ """Given a directory containing the files to package up,
+ an output filename to write to, the name of the issuer of
+ the signing certificate, the name of trust anchor, a list of hash algorithms
+ to use in the manifest file, a similar list for the signature file,
+ a similar list for the pkcs#7 signature, a list of COSE signature algorithms
+ to include, whether the pkcs#7 signer info should be kept empty, and how
+ many MB to pad the manifests by (to test handling large manifest files),
+ packages up the files in the directory and creates the output as
+ appropriate."""
+ # The header of each manifest starts with the magic string
+ # 'Manifest-Version: 1.0' and ends with a blank line. There can be
+ # essentially anything after the first line before the blank line.
+ mfEntries = ["Manifest-Version: 1.0"]
+ if headerPaddingFactor > 0:
+ # In this format, each line can only be 72 bytes long. We make
+ # our padding 50 bytes per line (49 of content and one newline)
+ # so the math is easy.
+ singleLinePadding = "a" * 49
+ # 1000000 / 50 = 20000
+ allPadding = [singleLinePadding] * (headerPaddingFactor * 20000)
+ mfEntries.extend(allPadding)
+ # Append the blank line.
+ mfEntries.append("")
+
+ with zipfile.ZipFile(outputFile, "w", zipfile.ZIP_DEFLATED) as outZip:
+ for (fullPath, internalPath) in walkDirectory(appDirectory):
+ with open(fullPath, "rb") as inputFile:
+ contents = inputFile.read()
+ outZip.writestr(internalPath, contents)
+
+ # Add the entry to the manifest we're building
+ addManifestEntry(internalPath, manifestHashes, contents, mfEntries)
+
+ if len(coseAlgorithms) > 0:
+ coseManifest = "\n".join(mfEntries)
+ outZip.writestr("META-INF/cose.manifest", coseManifest)
+ coseManifest = six.ensure_binary(coseManifest)
+ addManifestEntry(
+ "META-INF/cose.manifest", manifestHashes, coseManifest, mfEntries
+ )
+ intermediates = []
+ coseIssuerName = issuerName
+ if rootName:
+ coseIssuerName = "xpcshell signed app test issuer"
+ intermediate = getCert(
+ coseIssuerName,
+ "default",
+ rootName,
+ False,
+ "",
+ certValidity,
+ )
+ intermediate = intermediate.toDER()
+ intermediates.append(intermediate)
+ signatures = [
+ coseAlgorithmToSignatureParams(
+ coseAlgorithm,
+ coseIssuerName,
+ certValidity,
+ )
+ for coseAlgorithm in coseAlgorithms
+ ]
+ coseSignatureBytes = coseSig(coseManifest, intermediates, signatures)
+ outZip.writestr("META-INF/cose.sig", coseSignatureBytes)
+ addManifestEntry(
+ "META-INF/cose.sig", manifestHashes, coseSignatureBytes, mfEntries
+ )
+
+ if len(pkcs7Hashes) != 0 or emptySignerInfos:
+ mfContents = "\n".join(mfEntries)
+ sfContents = "Signature-Version: 1.0\n"
+ for (hashFunc, name) in signatureHashes:
+ hashed = hashFunc(six.ensure_binary(mfContents)).digest()
+ base64hash = b64encode(hashed).decode("ascii")
+ sfContents += "%s-Digest-Manifest: %s\n" % (name, base64hash)
+
+ cmsSpecification = ""
+ for name in pkcs7Hashes:
+ hashFunc, _ = hashNameToFunctionAndIdentifier(name)
+ cmsSpecification += "%s:%s\n" % (
+ name,
+ hashFunc(six.ensure_binary(sfContents)).hexdigest(),
+ )
+ cmsSpecification += (
+ "signer:\n"
+ + "issuer:%s\n" % issuerName
+ + "subject:xpcshell signed app test signer\n"
+ + "extension:keyUsage:digitalSignature"
+ )
+ if certValidity:
+ cmsSpecification += "\nvalidity:%s" % certValidity
+ cmsSpecificationStream = StringIO()
+ print(cmsSpecification, file=cmsSpecificationStream)
+ cmsSpecificationStream.seek(0)
+ cms = pycms.CMS(cmsSpecificationStream)
+ p7 = cms.toDER()
+ outZip.writestr("META-INF/A.RSA", p7)
+ outZip.writestr("META-INF/A.SF", sfContents)
+ outZip.writestr("META-INF/MANIFEST.MF", mfContents)
+
+
+class Error(Exception):
+ """Base class for exceptions in this module."""
+
+ pass
+
+
+class UnknownHashAlgorithmError(Error):
+ """Helper exception type to handle unknown hash algorithms."""
+
+ def __init__(self, name):
+ super(UnknownHashAlgorithmError, self).__init__()
+ self.name = name
+
+ def __str__(self):
+ return "Unknown hash algorithm %s" % repr(self.name)
+
+
+class UnknownCOSEAlgorithmError(Error):
+ """Helper exception type to handle unknown COSE algorithms."""
+
+ def __init__(self, name):
+ super(UnknownCOSEAlgorithmError, self).__init__()
+ self.name = name
+
+ def __str__(self):
+ return "Unknown COSE algorithm %s" % repr(self.name)
+
+
+def hashNameToFunctionAndIdentifier(name):
+ if name == "sha1":
+ return (sha1, "SHA1")
+ if name == "sha256":
+ return (sha256, "SHA256")
+ raise UnknownHashAlgorithmError(name)
+
+
+def main(outputFile, appPath, *args):
+ """Main entrypoint. Given an already-opened file-like
+ object, a path to the app directory to sign, and some
+ optional arguments, signs the contents of the directory and
+ writes the resulting package to the 'file'."""
+ parser = argparse.ArgumentParser(description="Sign an app.")
+ parser.add_argument(
+ "-i",
+ "--issuer",
+ action="store",
+ help="Issuer name",
+ default="xpcshell signed apps test root",
+ )
+ parser.add_argument("-r", "--root", action="store", help="Root name", default="")
+ parser.add_argument(
+ "--cert-validity",
+ action="store",
+ help="Certificate validity; YYYYMMDD-YYYYMMDD or duration in days",
+ default="",
+ )
+ parser.add_argument(
+ "-m",
+ "--manifest-hash",
+ action="append",
+ help="Hash algorithms to use in manifest",
+ default=[],
+ )
+ parser.add_argument(
+ "-s",
+ "--signature-hash",
+ action="append",
+ help="Hash algorithms to use in signature file",
+ default=[],
+ )
+ parser.add_argument(
+ "-c",
+ "--cose-sign",
+ action="append",
+ help="Append a COSE signature with the given "
+ + "algorithms (out of ES256, ES384, and ES512)",
+ default=[],
+ )
+ parser.add_argument(
+ "-z",
+ "--pad-headers",
+ action="store",
+ default=0,
+ help="Pad the header sections of the manifests "
+ + "with X MB of repetitive data",
+ )
+ group = parser.add_mutually_exclusive_group()
+ group.add_argument(
+ "-p",
+ "--pkcs7-hash",
+ action="append",
+ help="Hash algorithms to use in PKCS#7 signature",
+ default=[],
+ )
+ group.add_argument(
+ "-e",
+ "--empty-signerInfos",
+ action="store_true",
+ help="Emit pkcs#7 SignedData with empty signerInfos",
+ )
+ parsed = parser.parse_args(args)
+ if len(parsed.manifest_hash) == 0:
+ parsed.manifest_hash.append("sha256")
+ if len(parsed.signature_hash) == 0:
+ parsed.signature_hash.append("sha256")
+ signZip(
+ appPath,
+ outputFile,
+ parsed.issuer,
+ parsed.root,
+ parsed.cert_validity,
+ [hashNameToFunctionAndIdentifier(h) for h in parsed.manifest_hash],
+ [hashNameToFunctionAndIdentifier(h) for h in parsed.signature_hash],
+ parsed.pkcs7_hash,
+ parsed.cose_sign,
+ parsed.empty_signerInfos,
+ int(parsed.pad_headers),
+ )
diff --git a/security/manager/ssl/tests/unit/test_add_preexisting_cert.js b/security/manager/ssl/tests/unit/test_add_preexisting_cert.js
new file mode 100644
index 0000000000..1f1a7825f2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_add_preexisting_cert.js
@@ -0,0 +1,46 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Tests that adding a certificate already present in the certificate database
+// with different trust bits than those stored in the database does not result
+// in the new trust bits being ignored.
+
+do_get_profile();
+var certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function load_cert(cert, trust) {
+ let file = "test_intermediate_basic_usage_constraints/" + cert + ".pem";
+ return addCertFromFile(certDB, file, trust);
+}
+
+add_task(async function() {
+ load_cert("ca", "CTu,CTu,CTu");
+ let int_cert = load_cert("int-limited-depth", "CTu,CTu,CTu");
+ let file =
+ "test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem";
+ let cert_pem = readFile(do_get_file(file));
+ let ee = certDB.constructX509FromBase64(pemToBase64(cert_pem));
+ await checkCertErrorGeneric(
+ certDB,
+ ee,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ // Change the already existing intermediate certificate's trust using
+ // addCertFromBase64().
+ notEqual(int_cert, null, "Intermediate cert should be in the cert DB");
+ let base64_cert = int_cert.getBase64DERString();
+ let returnedEE = certDB.addCertFromBase64(base64_cert, "p,p,p");
+ notEqual(returnedEE, null, "addCertFromBase64 should return a certificate");
+ await checkCertErrorGeneric(
+ certDB,
+ ee,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLServer
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_allow_all_cert_errors.js b/security/manager/ssl/tests/unit/test_allow_all_cert_errors.js
new file mode 100644
index 0000000000..e9f1b6c9db
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_allow_all_cert_errors.js
@@ -0,0 +1,25 @@
+/* -*- tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+"use strict";
+
+function run_test() {
+ do_get_profile();
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData(
+ true
+ );
+
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+ add_connection_test("expired.example.com", PRErrorCodeSuccess);
+ add_test(function() {
+ certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData(
+ false
+ );
+ run_next_test();
+ });
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem
new file mode 100644
index 0000000000..161ce88377
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUXwklABFZn09Yj1azSdQ4kpuizxYwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDUwMDEwMTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
+VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCdpP06UqpAnAAak/i4+LShrIG/
+DdjHLQ8qLChBdPkT6Gxx1XVoNfG3GJsIGCoOf6isORMfBlBXiR5kmLFTE3kJhA/I
+pDxDGYDqt9DNb0fxeMpOJxwQ+mBMZIKLPu+nk4jTqUrOX8bLwDMiXTbFeY91SUr8
+4b43YzXVorVQSlYOfcsmrnEfmfJNauHBrzak5BQhsEXHqAI7qV9TCQA1+cGwH8jb
+Aw2SyVu1usAyHkM2wCisHXeidf3qR6PxmfLMAgHKXBLz3DsXY30xDI4jJS9MySu9
+lhrs1IJf5PdJk5z5viYqZQemuv0R+R7ItbpCHpreUXh2GutiAY4Xsgrhfcer
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem.certspec
new file mode 100644
index 0000000000..9c21e7adcf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:ca
+validity:20100101-20500101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem
new file mode 100644
index 0000000000..a13b0cbcd1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUS00fexo4Y4FagP1oiKQiGCJKd/swDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAGjMx1NAs2guKp3wRRAWdiAw9NCeX+qCsxxkr4jUdgQ14wZwU2fZ/2rK
+7Z/StpwlWN+G4dWwCRCjibKvjauQs+XLT9wMO3U/1VBcQda36duX70ss2SAF9crs
+dmZdISevFItTn+W6JNyr1Wt2sSiD4buXpW1UzNwuxnWGpo/a++bMEYaM8KDdz73t
+KA9VShYNbcrUZgf70bvCbc8BR3vYUwyIp3fP7TngD/dRLYJyv5ayo9VXVJxOzYU7
+/aRrBvAdAL2w8eQzzYm6uyHlOE+imWYix2QOGNFJIiRXFRTii9Rr0o4geW7x2wZJ
++TzO4XPVlax1h6KDPRLsmwhbJDAMuUU=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem.certspec
new file mode 100644
index 0000000000..7a34d0758f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:example.com
+validity:20160724-20160924
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem
new file mode 100644
index 0000000000..f2bb8c97d9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUZ3gdKZRvWFYArMRStT2zAGE6JDQwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBABERZmWOEZAI2dQHbpXo7BJFw8eigDs8xWGtnu5UbNFs7zGnXzta0L8T
+RBoaWeEbsaVpuGQ648eorgQRGwNdL3JkJb0qHtaSl5/raAOvv+YqmGzZhFWcj3ib
+WUOWODdFlY3oUzpPjA+IeRzULya6//s8DhEKfVi2mJXc/sS6fE9J234IhKBysyr1
+cRIApw6OCr0V78TbHzEPh1z0QuMKY8hH0lz3JvQqGD59oTEdSJ5VVbmDLxqqmVtA
+/i4j2lYkDos2HvHGP7a/LC20FI0lOcSqazSeKc+y2Mand9tDXCU/dEEYMj1IW5rM
+z2+96XzCbJBesYFEEfWXG6XysP3UtE0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem.certspec
new file mode 100644
index 0000000000..aa682a7afd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:example.com
+validity:20150724-20160924
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem
new file mode 100644
index 0000000000..7ac56a0689
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUWxGwhSb8roUQoLNpJajl0X8jk10wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA4MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAKxEoWUrHht8zENUlC/3tj/KbDSeaIy5nVE49aJRqHwuSczG5PTDn7sD
+rjl6Qq2rx3Z3ftZxJNIdpS3BUeUJ+FsQ2fK3ckDyeWkzxADlWp2l2bgKDtnW5Xjw
+lfzFt1Z/4PUmz0JyNGqijvpT/YYM9uM5OOKmKvy6C/6HiIMI2f5pVHM2bFWLuHLI
+p9yqp056EKPWCEQbkqseXLS0O8ZyxAyW4kHezUQzn1KFq9IGZu5sBZ8Imop0xnal
+2wXCuEisuAIOQNb1l9t+hf/P53+oRLjPbJzuzLZGSNA5PzoTbmZOqOdJS+kCNGCX
+IahLlU3dPILDlvl8DLFhk+lz9mA8x90=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem.certspec
new file mode 100644
index 0000000000..e38478165c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:example.com
+validity:20160824-20160924
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem
new file mode 100644
index 0000000000..ba11dcc152
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIUOWkKeR6blD0zzhElEnCm4eSqLTAwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMDAuMCwGA1UdEQQl
+MCOkITAfMR0wGwYDVQQKDBRFeGFtcGxlIE9yZ2FuaXphdGlvbjANBgkqhkiG9w0B
+AQsFAAOCAQEACPZ4Ed3iONrIIKtg3865taT5TUj4Ts3tnYn4riFqojr6h/CHEDPR
+LStAJ4yYGQoTTzQzaxYjEZXHIEI/bCZ1VpGNpZt8DXWsJWwJgt8QUNeYT0eFFE2M
+CjrLJC1OIQRvlR89WEbk/q45KBQC0faeizqkAn+YUSG8mjHHbmSO8PWbh4z0YYlg
+BjwhTRFWUmWfQKC+mHyWblbYyFKlsFWf6cGOd4qE8N/hIz7oPzI4IPN1EQ/IfaQy
+WOOyxPZeu+J5VPlPE10nV5afoRcPLh/6vTwH85tPGzxWU4Jo4NDtFOtZAZR/S7sO
+OB/ST8Dbvs7qQFfRtgCtpEMicG7kxO1F+Q==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem.certspec
new file mode 100644
index 0000000000..41817bde75
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:example.com
+validity:20160724-20160924
+extension:subjectAlternativeName:/O=Example Organization
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem
new file mode 100644
index 0000000000..6882ba0554
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIUG1q3+RCKIizPHadkamCYLL7cp2swDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMDAuMCwGA1UdEQQl
+MCOkITAfMR0wGwYDVQQKDBRFeGFtcGxlIE9yZ2FuaXphdGlvbjANBgkqhkiG9w0B
+AQsFAAOCAQEAqa/ayP8zXODUJJmuZLTJsdT2VaqbOh2WWk2bC2A82feGvCevLuL0
+0gPk+001Zx49Y1erMmt2M1cKtf2Lob8SGLNGUlJf2K7SNJTk7nyog+4UIlK4Hsxo
+CQ9sqKGJjkwHTDK1rB9gSW4e27Taj6tudnsUfgKWVzERxipebtLsCvz8Jfa0YLRI
+bGr6L4LoWiN2RNiK7/IOycfJ8VLDlBRouHD2Xfu0pFcvymMvfOC7GG4oBAacCKGn
+muUfoODgKw2yCIOSe7jsJOQ9yOp03sRipISfO0TALFzJX0V5+7CYDLZYR8vs/F/4
+0cIqkhwyCfUWYsGI4gPPR/nVxNvTRZhiFw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem.certspec
new file mode 100644
index 0000000000..65acf0b024
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:example.com
+validity:20150724-20160924
+extension:subjectAlternativeName:/O=Example Organization
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem
new file mode 100644
index 0000000000..cd87acfe48
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIUD1kNqQ0aKQ2TJjGUYztUh8I7j4AwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA4MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMDAuMCwGA1UdEQQl
+MCOkITAfMR0wGwYDVQQKDBRFeGFtcGxlIE9yZ2FuaXphdGlvbjANBgkqhkiG9w0B
+AQsFAAOCAQEAU9n5I/Hdfod2fPBYWHZA/5/SabHkOBUHfrg6UUQYeHagVbqmoTQD
+M5F/DcDna+w6nHagIC/GRHBHkgY3Syh8QK5LnL3zi5tC0u4dzysDUjWtEAEgIcWA
+/pYtp6qZwJzxvn68PTnYnFDL61+LDLxlUBa2iRieRkCUOokCLL4ce3jsSTuJ+mGk
+XoaRrRREgtG5loYK8hFXM1RDkzyCa82DF/qD+iYgUJS9LMXrsksIRHP7Lqzhnwba
+Q4N8rgsBDFkNTEAmGcnTLMTlfO+SyKdHZI4n9VHdUQ1n38qFn70jj1YjcqEOFKXb
+wldSrYMedEOFVWyXaVWmxMwMTiDIKWMoxg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem.certspec
new file mode 100644
index 0000000000..140c201434
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:example.com
+validity:20160824-20160924
+extension:subjectAlternativeName:/O=Example Organization
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js b/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js
new file mode 100644
index 0000000000..d33ad8b275
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js
@@ -0,0 +1,78 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function certFromFile(certName) {
+ return constructCertFromFile(`test_baseline_requirements/${certName}.pem`);
+}
+
+function loadCertWithTrust(certName, trustString) {
+ addCertFromFile(
+ gCertDB,
+ `test_baseline_requirements/${certName}.pem`,
+ trustString
+ );
+}
+
+function checkCertOn25August2016(cert, expectedResult) {
+ // (new Date("2016-08-25T00:00:00Z")).getTime() / 1000
+ const VALIDATION_TIME = 1472083200;
+ return checkCertErrorGenericAtTime(
+ gCertDB,
+ cert,
+ expectedResult,
+ certificateUsageSSLServer,
+ VALIDATION_TIME,
+ false,
+ "example.com"
+ );
+}
+
+add_task(async function() {
+ registerCleanupFunction(() => {
+ Services.prefs.clearUserPref("privacy.reduceTimerPrecision");
+ });
+
+ Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false);
+
+ loadCertWithTrust("ca", "CTu,,");
+
+ // At one time there was a preference security.pki.name_matching_mode that
+ // controlled whether or not mozilla::pkix would fall back to using a
+ // certificate's subject common name during name matching. This no longer
+ // exists, and certificates that previously required the fallback should fail
+ // to verify.
+
+ await checkCertOn25August2016(
+ certFromFile("no-san-recent"),
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+ await checkCertOn25August2016(
+ certFromFile("no-san-old"),
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+ await checkCertOn25August2016(
+ certFromFile("no-san-older"),
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+ await checkCertOn25August2016(
+ certFromFile("san-contains-no-hostnames-recent"),
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+ await checkCertOn25August2016(
+ certFromFile("san-contains-no-hostnames-old"),
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+ await checkCertOn25August2016(
+ certFromFile("san-contains-no-hostnames-older"),
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_blocklist_onecrl.js b/security/manager/ssl/tests/unit/test_blocklist_onecrl.js
new file mode 100644
index 0000000000..618964c46b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_blocklist_onecrl.js
@@ -0,0 +1,182 @@
+"use strict";
+
+do_get_profile();
+
+const { Utils } = ChromeUtils.import("resource://services-settings/Utils.jsm");
+const { RemoteSettings } = ChromeUtils.import(
+ "resource://services-settings/remote-settings.js"
+);
+const { RemoteSecuritySettings } = ChromeUtils.import(
+ "resource://gre/modules/psm/RemoteSecuritySettings.jsm"
+);
+const { OneCRLBlocklistClient } = RemoteSecuritySettings.init();
+
+add_task(async function test_uses_a_custom_signer() {
+ Assert.notEqual(
+ OneCRLBlocklistClient.signerName,
+ RemoteSettings("not-specified").signerName
+ );
+});
+
+add_task(async function test_has_initial_dump() {
+ Assert.ok(
+ await Utils.hasLocalDump(
+ OneCRLBlocklistClient.bucketName,
+ OneCRLBlocklistClient.collectionName
+ )
+ );
+});
+
+add_task(async function test_default_jexl_filter_is_used() {
+ Assert.deepEqual(
+ OneCRLBlocklistClient.filterFunc,
+ RemoteSettings("not-specified").filterFunc
+ );
+});
+
+add_task(
+ async function test_revocations_are_updated_on_sync_with_cert_storage() {
+ const certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+ const has_revocations = () =>
+ new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_REVOCATION,
+ (rv, hasPriorData) => {
+ if (rv == Cr.NS_OK) {
+ return resolve(hasPriorData);
+ }
+ return resolve(false);
+ }
+ );
+ });
+
+ Assert.ok(!(await has_revocations()));
+
+ await OneCRLBlocklistClient.emit("sync", {
+ data: {
+ current: [],
+ created: [
+ {
+ issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+ serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=",
+ },
+ ],
+ updated: [],
+ deleted: [],
+ },
+ });
+
+ Assert.ok(await has_revocations());
+ }
+);
+
+add_task(async function test_updated_entry() {
+ // Revoke a particular issuer/serial number.
+ await OneCRLBlocklistClient.emit("sync", {
+ data: {
+ current: [],
+ created: [
+ {
+ issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+ serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=",
+ },
+ ],
+ updated: [],
+ deleted: [],
+ },
+ });
+ const certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+ let issuerArray = [
+ 0x30,
+ 0x12,
+ 0x31,
+ 0x10,
+ 0x30,
+ 0xe,
+ 0x6,
+ 0x3,
+ 0x55,
+ 0x4,
+ 0x3,
+ 0xc,
+ 0x7,
+ 0x54,
+ 0x65,
+ 0x73,
+ 0x74,
+ 0x20,
+ 0x43,
+ 0x41,
+ ];
+ let serialArray = [
+ 0x6b,
+ 0x45,
+ 0xfb,
+ 0xff,
+ 0xb0,
+ 0xe5,
+ 0x4d,
+ 0xa7,
+ 0x9d,
+ 0xa6,
+ 0xa,
+ 0xc8,
+ 0x26,
+ 0xd,
+ 0xb9,
+ 0x88,
+ 0x13,
+ 0xce,
+ 0x90,
+ 0x83,
+ ];
+ let revocationState = certStorage.getRevocationState(
+ issuerArray,
+ serialArray,
+ [],
+ []
+ );
+ Assert.equal(revocationState, Ci.nsICertStorage.STATE_ENFORCE);
+
+ // Update the revocation to be a different serial number; the original
+ // (issuer, serial) pair should now not be revoked.
+ await OneCRLBlocklistClient.emit("sync", {
+ data: {
+ current: [],
+ created: [],
+ updated: [
+ {
+ old: {
+ issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+ serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=",
+ },
+ new: {
+ issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+ serialNumber: "ALtF+/+w5U0=",
+ },
+ },
+ ],
+ deleted: [],
+ },
+ });
+ let oldRevocationState = certStorage.getRevocationState(
+ issuerArray,
+ serialArray,
+ [],
+ []
+ );
+ Assert.equal(oldRevocationState, Ci.nsICertStorage.STATE_UNSET);
+
+ let newSerialArray = [0x00, 0xbb, 0x45, 0xfb, 0xff, 0xb0, 0xe5, 0x4d];
+ let newRevocationState = certStorage.getRevocationState(
+ issuerArray,
+ newSerialArray,
+ [],
+ []
+ );
+ Assert.equal(newRevocationState, Ci.nsICertStorage.STATE_ENFORCE);
+});
diff --git a/security/manager/ssl/tests/unit/test_broken_fips.js b/security/manager/ssl/tests/unit/test_broken_fips.js
new file mode 100644
index 0000000000..2aac2496f7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_broken_fips.js
@@ -0,0 +1,61 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that if Firefox attempts and fails to load a PKCS#11 module DB that was
+// in FIPS mode, Firefox can still make use of keys in the key database.
+// secomd.db can be created via `certutil -N -d <dir>`. Putting it in FIPS mode
+// involves running `modutil -fips true -dbdir <dir>`. key4.db is from
+// test_sdr_preexisting/key4.db.
+
+function run_test() {
+ // Append a single quote and non-ASCII characters to the profile path.
+ let profd = Services.env.get("XPCSHELL_TEST_PROFILE_DIR");
+ let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile);
+ file.initWithPath(profd);
+ file.append("'÷1");
+ Services.env.set("XPCSHELL_TEST_PROFILE_DIR", file.path);
+
+ let profile = do_get_profile(); // must be called before getting nsIX509CertDB
+ Assert.ok(
+ /[^\x20-\x7f]/.test(profile.path),
+ "the profile path should contain a non-ASCII character"
+ );
+
+ let keyDBName = "key4.db";
+ let keyDBFile = do_get_file(`test_broken_fips/${keyDBName}`);
+ keyDBFile.copyTo(profile, keyDBName);
+
+ let pkcs11modDBName = "pkcs11.txt";
+ let pkcs11modDBFile = do_get_file(`test_broken_fips/${pkcs11modDBName}`);
+ pkcs11modDBFile.copyTo(profile, pkcs11modDBName);
+
+ let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ ok(!moduleDB.isFIPSEnabled, "FIPS should not be enabled");
+
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ const encrypted =
+ "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGeDHwVfyFqzBBAYvqMq/kDMsrARVNdC1C8d";
+ const expectedResult = "password";
+ let decrypted = sdr.decryptString(encrypted);
+ equal(
+ decrypted,
+ expectedResult,
+ "decrypted ciphertext should match expected plaintext"
+ );
+
+ let pkcs11modDBFileFIPS = do_get_profile();
+ pkcs11modDBFileFIPS.append(`${pkcs11modDBName}.fips`);
+ ok(
+ pkcs11modDBFileFIPS.exists(),
+ "backed-up PKCS#11 module db should now exist"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_broken_fips/key4.db b/security/manager/ssl/tests/unit/test_broken_fips/key4.db
new file mode 100644
index 0000000000..8f320dfdbd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_broken_fips/key4.db
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt b/security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt
new file mode 100644
index 0000000000..78a11f5fa7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal FIPS PKCS #11 Module
+parameters=configdir='.' certPrefix='' keyPrefix='' secmod='' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=slotParams={0x00000003=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,RANDOM ] } Flags=internal,FIPS,critical
+
diff --git a/security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js
new file mode 100644
index 0000000000..04fa1c655c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js
@@ -0,0 +1,56 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests exporting a certificate and key as a PKCS#12 blob and importing it
+// again with a new password set.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const PKCS12_FILE = "test_certDB_import/cert_from_windows.pfx";
+const CERT_COMMON_NAME = "test_cert_from_windows";
+const TEST_CERT_PASSWORD = "é»’ã„";
+
+function findCertByCommonName(commonName) {
+ for (let cert of gCertDB.getCerts()) {
+ if (cert.commonName == commonName) {
+ return cert;
+ }
+ }
+ return null;
+}
+
+function run_test() {
+ // Import the certificate and key so we have something to export.
+ let cert = findCertByCommonName(CERT_COMMON_NAME);
+ equal(cert, null, "cert should not be found before import");
+ let certFile = do_get_file(PKCS12_FILE);
+ ok(certFile, `${PKCS12_FILE} should exist`);
+ let errorCode = gCertDB.importPKCS12File(certFile, TEST_CERT_PASSWORD);
+ equal(errorCode, Ci.nsIX509CertDB.Success, "cert should be imported");
+ cert = findCertByCommonName(CERT_COMMON_NAME);
+ notEqual(cert, null, "cert should be found now");
+
+ // Export the certificate and key.
+ let output = do_get_tempdir();
+ output.append("output.p12");
+ ok(!output.exists(), "output shouldn't exist before exporting PKCS12 file");
+ errorCode = gCertDB.exportPKCS12File(output, [cert], TEST_CERT_PASSWORD);
+ equal(errorCode, Ci.nsIX509CertDB.Success, "cert should be exported");
+ ok(output.exists(), "output should exist after exporting PKCS12 file");
+
+ // We should be able to import the exported blob again using the new password.
+ errorCode = gCertDB.importPKCS12File(output, TEST_CERT_PASSWORD);
+ equal(errorCode, Ci.nsIX509CertDB.Success, "cert should be imported");
+ output.remove(false /* not a directory; recursive doesn't apply */);
+
+ // Ideally there would be some way to confirm that this actually did anything.
+ // Unfortunately, since deleting a certificate currently doesn't actually do
+ // anything until the platform is restarted, we can't confirm that we
+ // successfully re-imported the certificate.
+}
diff --git a/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js
new file mode 100644
index 0000000000..25f4ab58bf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js
@@ -0,0 +1,117 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests exporting a certificate and key as a PKCS#12 blob if the user has a
+// primary password set.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const PKCS12_FILE = "test_certDB_import/cert_from_windows.pfx";
+const CERT_COMMON_NAME = "test_cert_from_windows";
+const TEST_CERT_PASSWORD = "é»’ã„";
+
+var gPrompt = {
+ password: "password",
+ clickOk: true,
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+
+ // This intentionally does not use arrow function syntax to avoid an issue
+ // where in the context of the arrow function, |this != gPrompt| due to
+ // how objects get wrapped when going across xpcom boundaries.
+ alert(title, text) {
+ info(`alert('${text}')`);
+ ok(false, "not expecting alert() to be called");
+ },
+
+ promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+ equal(
+ text,
+ "Please enter your Primary Password.",
+ "password prompt text should be as expected"
+ );
+ equal(checkMsg, null, "checkMsg should be null");
+ password.value = this.password;
+ return this.clickOk;
+ },
+};
+
+const gPromptFactory = {
+ QueryInterface: ChromeUtils.generateQI(["nsIPromptFactory"]),
+ getPrompt: (aWindow, aIID) => gPrompt,
+};
+
+function findCertByCommonName(commonName) {
+ for (let cert of gCertDB.getCerts()) {
+ if (cert.commonName == commonName) {
+ return cert;
+ }
+ }
+ return null;
+}
+
+function run_test() {
+ let promptFactoryCID = MockRegistrar.register(
+ "@mozilla.org/prompter;1",
+ gPromptFactory
+ );
+
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(promptFactoryCID);
+ });
+
+ // Set a primary password.
+ let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+ Ci.nsIPK11TokenDB
+ );
+ let token = tokenDB.getInternalKeyToken();
+ token.initPassword("password");
+ token.logoutSimple();
+
+ // Import the certificate and key so we have something to export.
+ let cert = findCertByCommonName(CERT_COMMON_NAME);
+ equal(cert, null, "cert should not be found before import");
+ let certFile = do_get_file(PKCS12_FILE);
+ ok(certFile, `${PKCS12_FILE} should exist`);
+ let errorCode = gCertDB.importPKCS12File(certFile, TEST_CERT_PASSWORD);
+ equal(errorCode, Ci.nsIX509CertDB.Success, "cert should import");
+ cert = findCertByCommonName(CERT_COMMON_NAME);
+ notEqual(cert, null, "cert should be found now");
+
+ // Log out so we're prompted for the password.
+ token.logoutSimple();
+
+ // Export the certificate and key (and don't cancel the password request
+ // dialog).
+ let output = do_get_tempdir();
+ output.append("output.p12");
+ ok(!output.exists(), "output shouldn't exist before exporting PKCS12 file");
+ errorCode = gCertDB.exportPKCS12File(output, [cert], TEST_CERT_PASSWORD);
+ equal(errorCode, Ci.nsIX509CertDB.Success, "cert should export");
+ ok(output.exists(), "output should exist after exporting PKCS12 file");
+ output.remove(false /* not a directory; recursive doesn't apply */);
+
+ // Log out again so we're prompted for the password.
+ token.logoutSimple();
+
+ // Attempt to export the certificate and key, but this time cancel the
+ // password request dialog. The export operation should also be canceled.
+ gPrompt.clickOk = false;
+ let output2 = do_get_tempdir();
+ output2.append("output2.p12");
+ ok(!output2.exists(), "output2 shouldn't exist before exporting PKCS12 file");
+ errorCode = gCertDB.exportPKCS12File(output, [cert], TEST_CERT_PASSWORD);
+ equal(
+ errorCode,
+ Ci.nsIX509CertDB.ERROR_PKCS12_BACKUP_FAILED,
+ "cert should not export"
+ );
+
+ ok(!output2.exists(), "output2 shouldn't exist after failing to export");
+}
diff --git a/security/manager/ssl/tests/unit/test_certDB_import.js b/security/manager/ssl/tests/unit/test_certDB_import.js
new file mode 100644
index 0000000000..76bf968970
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import.js
@@ -0,0 +1,217 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the various nsIX509CertDB import methods.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const CA_CERT_COMMON_NAME = "importedCA";
+const TEST_EMAIL_ADDRESS = "test@example.com";
+
+let gCACertImportDialogCount = 0;
+
+// Mock implementation of nsICertificateDialogs.
+const gCertificateDialogs = {
+ confirmDownloadCACert: (ctx, cert, trust) => {
+ gCACertImportDialogCount++;
+ equal(
+ cert.commonName,
+ CA_CERT_COMMON_NAME,
+ "CA cert to import should have the correct CN"
+ );
+ trust.value = Ci.nsIX509CertDB.TRUSTED_EMAIL;
+ return true;
+ },
+ setPKCS12FilePassword: (ctx, password) => {
+ // This is only relevant to exporting.
+ ok(false, "setPKCS12FilePassword() should not have been called");
+ },
+ getPKCS12FilePassword: (ctx, password) => {
+ // We don't test anything that calls this method yet.
+ ok(false, "getPKCS12FilePassword() should not have been called");
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsICertificateDialogs"]),
+};
+
+// Implements nsIInterfaceRequestor. Mostly serves to mock nsIPrompt.
+const gInterfaceRequestor = {
+ alert: (title, text) => {
+ // We don't test anything that calls this method yet.
+ ok(false, `alert() should not have been called: ${text}`);
+ },
+
+ getInterface: iid => {
+ if (iid.equals(Ci.nsIPrompt)) {
+ return this;
+ }
+
+ throw Components.Exception("", Cr.NS_ERROR_NO_INTERFACE);
+ },
+};
+
+function getCertAsByteArray(certPath) {
+ let certFile = do_get_file(certPath, false);
+ let certBytes = readFile(certFile);
+
+ let byteArray = [];
+ for (let i = 0; i < certBytes.length; i++) {
+ byteArray.push(certBytes.charCodeAt(i));
+ }
+
+ return byteArray;
+}
+
+function commonFindCertBy(propertyName, value) {
+ for (let cert of gCertDB.getCerts()) {
+ if (cert[propertyName] == value) {
+ return cert;
+ }
+ }
+ return null;
+}
+
+function findCertByCommonName(commonName) {
+ return commonFindCertBy("commonName", commonName);
+}
+
+function findCertByEmailAddress(emailAddress) {
+ return commonFindCertBy("emailAddress", emailAddress);
+}
+
+function testImportCACert() {
+ // Sanity check the CA cert is missing.
+ equal(
+ findCertByCommonName(CA_CERT_COMMON_NAME),
+ null,
+ "CA cert should not be in the database before import"
+ );
+
+ // Import and check for success.
+ let caArray = getCertAsByteArray("test_certDB_import/importedCA.pem");
+ gCertDB.importCertificates(
+ caArray,
+ caArray.length,
+ Ci.nsIX509Cert.CA_CERT,
+ gInterfaceRequestor
+ );
+ equal(
+ gCACertImportDialogCount,
+ 1,
+ "Confirmation dialog for the CA cert should only be shown once"
+ );
+
+ let caCert = findCertByCommonName(CA_CERT_COMMON_NAME);
+ notEqual(caCert, null, "CA cert should now be found in the database");
+ ok(
+ gCertDB.isCertTrusted(
+ caCert,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_EMAIL
+ ),
+ "CA cert should be trusted for e-mail"
+ );
+}
+
+function testImportEmptyCertPackage() {
+ // Because this is an empty cert package, nothing will be imported. We know it succeeded if no errors are thrown.
+ let byteArray = [
+ 0x30,
+ 0x0f,
+ 0x06,
+ 0x09,
+ 0x60,
+ 0x86,
+ 0x48,
+ 0x01,
+ 0x86,
+ 0xf8,
+ 0x42,
+ 0x02,
+ 0x05,
+ 0xa0,
+ 0x02,
+ 0x30,
+ 0x00,
+ ];
+ gCertDB.importCertificates(
+ byteArray,
+ byteArray.length,
+ Ci.nsIX509Cert.CA_CERT,
+ gInterfaceRequestor
+ );
+}
+
+function testImportEmptyUserCert() {
+ // Because this is an empty cert package, nothing will be imported. We know it succeeded if no errors are thrown.
+ let byteArray = [
+ 0x30,
+ 0x0f,
+ 0x06,
+ 0x09,
+ 0x60,
+ 0x86,
+ 0x48,
+ 0x01,
+ 0x86,
+ 0xf8,
+ 0x42,
+ 0x02,
+ 0x05,
+ 0xa0,
+ 0x02,
+ 0x30,
+ 0x00,
+ ];
+ gCertDB.importUserCertificate(
+ byteArray,
+ byteArray.length,
+ gInterfaceRequestor
+ );
+}
+
+function run_test() {
+ let certificateDialogsCID = MockRegistrar.register(
+ "@mozilla.org/nsCertificateDialogs;1",
+ gCertificateDialogs
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(certificateDialogsCID);
+ });
+
+ // Sanity check the e-mail cert is missing.
+ equal(
+ findCertByEmailAddress(TEST_EMAIL_ADDRESS),
+ null,
+ "E-mail cert should not be in the database before import"
+ );
+
+ // Import the CA cert so that the e-mail import succeeds.
+ testImportCACert();
+ testImportEmptyCertPackage();
+ testImportEmptyUserCert();
+
+ // Import the e-mail cert and check for success.
+ let emailArray = getCertAsByteArray("test_certDB_import/emailEE.pem");
+ gCertDB.importEmailCertificate(
+ emailArray,
+ emailArray.length,
+ gInterfaceRequestor
+ );
+ let emailCert = findCertByEmailAddress(TEST_EMAIL_ADDRESS);
+ notEqual(emailCert, null, "E-mail cert should now be found in the database");
+ let bundle = Services.strings.createBundle(
+ "chrome://pipnss/locale/pipnss.properties"
+ );
+ equal(
+ emailCert.tokenName,
+ bundle.GetStringFromName("PrivateTokenDescription"),
+ "cert's tokenName should be the expected localized value"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfx b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfx
new file mode 100644
index 0000000000..e969d672d7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfx
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfx b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfx
new file mode 100644
index 0000000000..879d424b85
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfx
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfx b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfx
new file mode 100644
index 0000000000..7dcd668121
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfx
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem
new file mode 100644
index 0000000000..a3e58933f0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAgIUO3XveEEK2bu0gx8Lu8vi1NxEGdIwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKaW1wb3J0ZWRDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIw
+MjQwMjA1MDAwMDAwWjAhMR8wHQYJKoZIhvcNAQkBFhB0ZXN0QGV4YW1wbGUuY29t
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAnhH0WY14SMcVDXj6OvvxHuaRRO8lA
+A6vDrn/AmWg0gN7e0aQgvonedXY4OgefAj17X345yZj8VpPFgOjUIb7PYErMxdeB
+biKGv/psCB1uDk68Gn1KrFMZ2BtlLeYRWRejgSo53GYH1PBpZZ6owjicqIKKo9cW
+Y/EFyauQCQGhWub+tshNFbucSrNDk1Q0uu1Ogs8QFve3x+YbdceAwK835XzLROvS
+pWBeWDK1Eqvqun1yWUHVn6aAbZZgKn9yUG7kZqWoBc1InRwaZcImttQF//OJw08y
+b0KVWoM5qo2c20qaxNW66GW/tpWnDfUvSTIHZuaDiar4mlSK/0O2aGa8
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec
new file mode 100644
index 0000000000..0528bc624a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec
@@ -0,0 +1,2 @@
+issuer:importedCA
+subject:/emailAddress=test@example.com
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12 b/security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12
new file mode 100644
index 0000000000..105f918782
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem
new file mode 100644
index 0000000000..e45812f786
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICzDCCAbSgAwIBAgIUd0wCxJoXOgEeMrd0+AIGybyqYgEwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKaW1wb3J0ZWRDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIw
+MjQwMjA1MDAwMDAwWjAVMRMwEQYDVQQDDAppbXBvcnRlZENBMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1
+aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we
+adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS
+pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W
+YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR
+CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxAwDjAM
+BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQB5N5HCphrUqEmwLj+1graV
+zneZbDyL2nb1ooITiJj+i+NaOg383Sr/lvWyhw+51o5qx1hnBu8JZ/HlBhFsz/OH
+mujJmot+jVg/MRpaTdxZNfpxVZqfroyx1qzr7TC8wgHggxI/DWeCifQmEgNdKIgI
+JL0BvVLasGOMhmprRRK3DabjzOjW5xMbY1B3+msbtQtxB6eCXa4byNIZ7vAUdg8L
+x2+TovO4c1cs8AzLdpgECImdcHaBFyOYd5sK7f6gcJHtiEx+7JkIF+53wHbFIFlp
+s7zkbDA4v97bm5oYMmaW4JEZ8rW07a62ILrNOezvEZCccOnfo+miHcr1AwuJSx9z
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec
new file mode 100644
index 0000000000..b168253544
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec
@@ -0,0 +1,3 @@
+issuer:importedCA
+subject:importedCA
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js b/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js
new file mode 100644
index 0000000000..9ddba36c4e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js
@@ -0,0 +1,126 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests import PKCS12 file by nsIX509CertDB.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const PKCS12_FILE = "test_certDB_import/cert_from_windows.pfx";
+const PKCS12_FILE_EMPTY_PASS =
+ "test_certDB_import/cert_from_windows_emptypass.pfx";
+const PKCS12_FILE_NO_PASS = "test_certDB_import/cert_from_windows_nopass.pfx";
+const CERT_COMMON_NAME = "test_cert_from_windows";
+const TEST_CERT_PASSWORD = "é»’ã„";
+
+let gTestcases = [
+ // Test that importing a PKCS12 file with the wrong password fails.
+ {
+ name: "import using incorrect password",
+ filename: PKCS12_FILE,
+ passwordToUse: "this is the wrong password",
+ successExpected: false,
+ errorCode: Ci.nsIX509CertDB.ERROR_BAD_PASSWORD,
+ checkCertExist: true,
+ certCommonName: CERT_COMMON_NAME,
+ },
+ // Test that importing something that isn't a PKCS12 file fails.
+ {
+ name: "import non-PKCS12 file",
+ filename: "test_certDB_import_pkcs12.js",
+ passwordToUse: TEST_CERT_PASSWORD,
+ successExpected: false,
+ errorCode: Ci.nsIX509CertDB.ERROR_DECODE_ERROR,
+ checkCertExist: true,
+ certCommonName: CERT_COMMON_NAME,
+ },
+ // Test that importing a PKCS12 file with the correct password succeeds.
+ // This needs to be last because currently there isn't a way to delete the
+ // imported certificate (and thus reset the test state) that doesn't depend on
+ // the garbage collector running.
+ {
+ name: "import PKCS12 file",
+ filename: PKCS12_FILE,
+ passwordToUse: TEST_CERT_PASSWORD,
+ successExpected: true,
+ errorCode: Ci.nsIX509CertDB.Success,
+ checkCertExist: true,
+ certCommonName: CERT_COMMON_NAME,
+ },
+ // Same cert file protected with empty string password
+ {
+ name: "import PKCS12 file empty password",
+ filename: PKCS12_FILE_EMPTY_PASS,
+ passwordToUse: "",
+ successExpected: true,
+ errorCode: Ci.nsIX509CertDB.Success,
+ checkCertExist: false,
+ certCommonName: CERT_COMMON_NAME,
+ },
+ // Same cert file protected with no password
+ {
+ name: "import PKCS12 file no password",
+ filename: PKCS12_FILE_NO_PASS,
+ passwordToUse: null,
+ successExpected: true,
+ errorCode: Ci.nsIX509CertDB.Success,
+ checkCertExist: false,
+ certCommonName: CERT_COMMON_NAME,
+ },
+ // Test a PKCS12 file encrypted using AES
+ {
+ name: "import PKCS12 file using AES",
+ filename: "test_certDB_import/encrypted_with_aes.p12",
+ passwordToUse: "password",
+ successExpected: true,
+ errorCode: Ci.nsIX509CertDB.Success,
+ checkCertExist: true,
+ certCommonName: "John Doe",
+ },
+];
+
+function doesCertExist(commonName) {
+ let allCerts = gCertDB.getCerts();
+ for (let cert of allCerts) {
+ if (cert.isBuiltInRoot) {
+ continue;
+ }
+ if (cert.commonName == commonName) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+function runOneTestcase(testcase) {
+ info(`running ${testcase.name}`);
+ if (testcase.checkCertExist) {
+ ok(
+ !doesCertExist(testcase.certCommonName),
+ "cert should not be in the database before import"
+ );
+ }
+
+ // Import and check for failure.
+ let certFile = do_get_file(testcase.filename);
+ ok(certFile, `${testcase.filename} should exist`);
+ let errorCode = gCertDB.importPKCS12File(certFile, testcase.passwordToUse);
+ equal(errorCode, testcase.errorCode, `verifying error code`);
+ equal(
+ doesCertExist(testcase.certCommonName),
+ testcase.successExpected,
+ `cert should${testcase.successExpected ? "" : " not"} be found now`
+ );
+}
+
+function run_test() {
+ for (let testcase of gTestcases) {
+ runOneTestcase(testcase);
+ }
+}
diff --git a/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js b/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js
new file mode 100644
index 0000000000..ab1ad36fd2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js
@@ -0,0 +1,148 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that a CA certificate can still be imported if the user has a primary
+// password set.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const CA_CERT_COMMON_NAME = "importedCA";
+
+let gCACertImportDialogCount = 0;
+
+// Mock implementation of nsICertificateDialogs.
+const gCertificateDialogs = {
+ confirmDownloadCACert: (ctx, cert, trust) => {
+ gCACertImportDialogCount++;
+ equal(
+ cert.commonName,
+ CA_CERT_COMMON_NAME,
+ "CA cert to import should have the correct CN"
+ );
+ trust.value = Ci.nsIX509CertDB.TRUSTED_EMAIL;
+ return true;
+ },
+ setPKCS12FilePassword: (ctx, password) => {
+ // This is only relevant to exporting.
+ ok(false, "setPKCS12FilePassword() should not have been called");
+ },
+ getPKCS12FilePassword: (ctx, password) => {
+ // We don't test anything that calls this method yet.
+ ok(false, "getPKCS12FilePassword() should not have been called");
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsICertificateDialogs"]),
+};
+
+var gMockPrompter = {
+ passwordToTry: "password",
+ numPrompts: 0,
+
+ // This intentionally does not use arrow function syntax to avoid an issue
+ // where in the context of the arrow function, |this != gMockPrompter| due to
+ // how objects get wrapped when going across xpcom boundaries.
+ promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+ this.numPrompts++;
+ if (this.numPrompts > 1) {
+ // don't keep retrying a bad password
+ return false;
+ }
+ equal(
+ text,
+ "Please enter your Primary Password.",
+ "password prompt text should be as expected"
+ );
+ equal(checkMsg, null, "checkMsg should be null");
+ ok(this.passwordToTry, "passwordToTry should be non-null");
+ password.value = this.passwordToTry;
+ return true;
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+
+ // Again with the arrow function issue.
+ getInterface(iid) {
+ if (iid.equals(Ci.nsIPrompt)) {
+ return this;
+ }
+
+ throw Components.Exception("", Cr.NS_ERROR_NO_INTERFACE);
+ },
+};
+
+function getCertAsByteArray(certPath) {
+ let certFile = do_get_file(certPath, false);
+ let certBytes = readFile(certFile);
+
+ let byteArray = [];
+ for (let i = 0; i < certBytes.length; i++) {
+ byteArray.push(certBytes.charCodeAt(i));
+ }
+
+ return byteArray;
+}
+
+function findCertByCommonName(commonName) {
+ for (let cert of gCertDB.getCerts()) {
+ if (cert.commonName == commonName) {
+ return cert;
+ }
+ }
+ return null;
+}
+
+function run_test() {
+ let certificateDialogsCID = MockRegistrar.register(
+ "@mozilla.org/nsCertificateDialogs;1",
+ gCertificateDialogs
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(certificateDialogsCID);
+ });
+
+ // Set a primary password.
+ let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+ Ci.nsIPK11TokenDB
+ );
+ let token = tokenDB.getInternalKeyToken();
+ token.initPassword("password");
+ token.logoutSimple();
+
+ // Sanity check the CA cert is missing.
+ equal(
+ findCertByCommonName(CA_CERT_COMMON_NAME),
+ null,
+ "CA cert should not be in the database before import"
+ );
+
+ // Import and check for success.
+ let caArray = getCertAsByteArray("test_certDB_import/importedCA.pem");
+ gCertDB.importCertificates(
+ caArray,
+ caArray.length,
+ Ci.nsIX509Cert.CA_CERT,
+ gMockPrompter
+ );
+ equal(
+ gCACertImportDialogCount,
+ 1,
+ "Confirmation dialog for the CA cert should only be shown once"
+ );
+
+ let caCert = findCertByCommonName(CA_CERT_COMMON_NAME);
+ notEqual(caCert, null, "CA cert should now be found in the database");
+ ok(
+ gCertDB.isCertTrusted(
+ caCert,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_EMAIL
+ ),
+ "CA cert should be trusted for e-mail"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_chains.js b/security/manager/ssl/tests/unit/test_cert_chains.js
new file mode 100644
index 0000000000..fbbe85245d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_chains.js
@@ -0,0 +1,394 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// We hard-code the following certificates for the pkcs7 export tests so that we
+// don't have to change the test data when the certificates change each year.
+// Luckily these tests don't depend on the certificates being valid, so it's ok
+// to let them expire.
+const gDefaultEEPEM = `-----BEGIN CERTIFICATE-----
+MIIDiTCCAnGgAwIBAgIUDUo/9G0rz7fJiWTw0hY6TIyPRSIwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAwMDAwMFoYDzIwMjAw
+MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow
+gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp
+bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu
+ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs
+ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCkguNhMyVCYhyYXfE22wNvlaob
+K2YRb4OGMxySIKuQ80N0XlO+xpLJTs9YzFVY1+JTHNez1QfwP9KJeZznTzVzLh4s
+v0swx/+oUxCfLb0VIl/kdUqLkbGYrAmtjeOKZLaqVtRH0BnmbPowLak1pi6nQYOU
++aL9QOuvT/j3rXoimcdo6X3TK1SN2/64fGMyG/pwas+JXehbReUf4n1ewk84ADtb
++ew8tRAKf/uxzKUj5t/UgqDsnTWq5wUc5IJKwoHT41sQnNqPg12x4+WGWiAsWCpR
+/hKYHFGr7rb4JTGEPAJpWcv9WtZYAvwT78a2xpHp5XNglj16IjWEukvJuU1W
+-----END CERTIFICATE-----`;
+
+const gTestCAPEM = `-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUKaFwIwCwHXUgKRuOhAX4pjYsmbgwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAwMDAwMFoYDzIwMjAw
+MjA1MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAIMgnywHFbPzJ
+BEcbpx/aWQOI2tUFlo7MUoPSoACHzoI/HOUTx25eKHlpNK2jSljLufhUd//eCCXg
++OQt4f2N/tRw8gumbs3YDF7+t3ZNGt+iQxZTwN7MKsGIZy+6R523XHw8lpzFX5iz
+XgIS+0APlX+XyZk7MRCcBWh6PSaSqEOOvUXVp6Omh3it034kBWnm809TEWmwiVw3
+ssPDmpUCArdDNMMdvQehzaH96cdjcSsguqpX9NcMDUmmiG7HLQ2iy+WSzek9S46S
+bKKDLw8Ebevfkl6PEpg+GDulq+EPXayN3AsFXkF8MaFLgfeprkENjN1g4jM+WSyN
+6DC7vCkj7A==
+-----END CERTIFICATE-----`;
+
+const gUnknownIssuerPEM = `
+-----BEGIN CERTIFICATE-----
+MIIDqTCCApGgAwIBAgIUMRiJ9TrwqTOoVFU+j5FDWDWS1X8wDQYJKoZIhvcNAQEL
+BQAwJjEkMCIGA1UEAwwbVGVzdCBJbnRlcm1lZGlhdGUgdG8gZGVsZXRlMCIYDzIw
+MTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMC4xLDAqBgNVBAMMI1Rlc3Qg
+RW5kLWVudGl0eSBmcm9tIHVua25vd24gaXNzdWVyMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4HCMIG/MIGIBgNV
+HREEgYAwfoIZdW5rbm93bmlzc3Vlci5leGFtcGxlLmNvbYI0dW5rbm93bmlzc3Vl
+ci5pbmNsdWRlLXN1YmRvbWFpbnMucGlubmluZy5leGFtcGxlLmNvbYIrdW5rbm93
+bmlzc3Vlci50ZXN0LW1vZGUucGlubmluZy5leGFtcGxlLmNvbTAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBALAnJjBJ+MOc7kMRzmESYZRSxKak7A1K67xBXWzWmK3t3WXv
+e/RLjV/RhbyTN20h2ZjSVcuDzgNYC/RJ/z3Xd5Q9QEGoi1ly84HeaeHw/3kUSHxv
+J3JnbPu2lk96U5y7tXEVfbEVZYpx4Us72fuURPWriVldILH2lgrEg+iKZWbY/wcT
+vfu1j/flMkGEOpc1HytlmR9fkCDnqzFfcmv7Eh3X1BiSBOIemGnUHxONwlthSE68
+IItE5l3c82G8oQGmve6r0N9h7t6opIjH1koFWMck/pzDA01FmWey4ASdlmjE8NSJ
+Al1zsF8EiLOZeI1rvurcXwVOd0Olk9/QT5hwTkk=
+-----END CERTIFICATE-----`;
+
+const gOCSPEEWithIntermediatePEM = `
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUZ67hS7lHVnCQtXx7oXFlzihqh0cwDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAxNzExMjcwMDAw
+MDBaGA8yMDIwMDIwNTAwMDAwMFowLDEqMCgGA1UEAwwhVGVzdCBFbmQtZW50aXR5
+IHdpdGggSW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu
+Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO
+7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf
+qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt
+HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx
+uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1swWTAjBgNVHREEHDAagglsb2NhbGhv
+c3SCDSouZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZo
+dHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQAo043hM4Gi
+UtoXKOQB2v0C8nF4Yyzpf+i0LlxQCFZkiLYu9pIuQu16I3TbLQRBwhCC0ml7TqJB
+AbryzILTorCQP8A1WQa1kt6cb30jCyXLcWnDA/ULPexn9cYm6I0YyLFlnkcVzMGL
+Fc+LyWTAPEW5rMauu5iOOp/6L5rBF0M9bg5yXSGNDv8gk3Jc+opJbBDTrAuKDNLp
+JSEp4rqovNFnirzlJWDS+ScAsWHtoLcrH6gnQRPsEV1WFQnYr3HkAakYQok9xs5A
+ikBS6mgz4/cFBts8bSGSuXxctkN2Ss7Y5l3YmTYKCxPz6retVfrhi/islH4W3z9H
+pu3ZqyACO6Lb
+-----END CERTIFICATE-----`;
+
+const gTestIntPEM = `
+-----BEGIN CERTIFICATE-----
+MIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25iBPOkIMwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMjUw
+MTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
+SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
+K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
+bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
+JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMd
+MBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEB
+AILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC2BQF0kMEEB547p+Ms8zdJY00
+Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77TkfmnSnxvPi+0nlA+eM
+8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22+AIU7w6wyA
+IbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubjiMr3
+B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpyk
+rGFLvocT/kym6r8galxCJUo=
+-----END CERTIFICATE-----`;
+
+function build_cert_list_from_pem_list(pemList) {
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ let certList = [];
+ for (let pem of pemList) {
+ let cert = certdb.constructX509FromBase64(pemToBase64(pem));
+ certList.push(cert);
+ }
+ return certList;
+}
+
+function test_cert_pkcs7_export() {
+ // This was generated by running BadCertAndPinningServer locally on the bad_certs
+ // directory and visiting:
+ // https://good.include-subdomains.pinning.example.com:8443/
+ // and then viewing the certificate chain presented (in the page info dialog)
+ // and exporting it.
+ // (NB: test-ca must be imported and trusted for the connection to succeed)
+ const expectedPKCS7ForDefaultEE =
+ "MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCCBmQwggLTMIIBu6ADAgE" +
+ "CAhQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZX" +
+ "N0IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB" +
+ "1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI" +
+ "BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xz" +
+ "VJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCy" +
+ "uwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW" +
+ "7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE" +
+ "LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8" +
+ "wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAgyCfLAcVs/MkERxunH9pZA4ja1Q" +
+ "WWjsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR3/94IJeD45C3h/Y3+1HDyC6ZuzdgMX" +
+ "v63dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmLNeAhL7QA+Vf5fJmTsxEJwFaHo9JpKo" +
+ "Q469RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8OalQICt0M0wx29B6HNof3px2NxKyC6qlf" +
+ "01wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+SXo8SmD4YO6Wr4Q9drI3cCwVeQXwxoU" +
+ "uB96muQQ2M3WDiMz5ZLI3oMLu8KSPsMIIDiTCCAnGgAwIBAgIUDUo/9G0rz7fJiWTw0hY6T" +
+ "IyPRSIwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAw" +
+ "MDAwMFoYDzIwMjAwMjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggE" +
+ "iMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNU" +
+ "q07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0" +
+ "DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ" +
+ "sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJH" +
+ "dtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFz" +
+ "G4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcowgccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob" +
+ "3N0gg0qLmV4YW1wbGUuY29tghUqLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1z" +
+ "dWJkb21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnB" +
+ "pbm5pbmcuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi" +
+ "8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCkguNhMyVCYhyYXfE22wNvl" +
+ "aobK2YRb4OGMxySIKuQ80N0XlO+xpLJTs9YzFVY1+JTHNez1QfwP9KJeZznTzVzLh4sv0sw" +
+ "x/+oUxCfLb0VIl/kdUqLkbGYrAmtjeOKZLaqVtRH0BnmbPowLak1pi6nQYOU+aL9QOuvT/j" +
+ "3rXoimcdo6X3TK1SN2/64fGMyG/pwas+JXehbReUf4n1ewk84ADtb+ew8tRAKf/uxzKUj5t" +
+ "/UgqDsnTWq5wUc5IJKwoHT41sQnNqPg12x4+WGWiAsWCpR/hKYHFGr7rb4JTGEPAJpWcv9W" +
+ "tZYAvwT78a2xpHp5XNglj16IjWEukvJuU1WMQAAAAAAAAA=";
+ let certListDefaultEE = build_cert_list_from_pem_list([
+ gDefaultEEPEM,
+ gTestCAPEM,
+ ]);
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ let pkcs7DefaultEE = certdb.asPKCS7Blob(certListDefaultEE);
+
+ equal(
+ btoa(pkcs7DefaultEE),
+ expectedPKCS7ForDefaultEE,
+ "PKCS7 export should work as expected for default-ee chain"
+ );
+
+ // This was generated by running BadCertAndPinningServer locally on the bad_certs
+ // directory and visiting:
+ // https://unknownissuer.example.com:8443/
+ // and then viewing the certificate presented (in the add certificate
+ // exception dialog) and exporting it.
+ const expectedPKCS7ForUnknownIssuer =
+ "MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCCA60wggOpMIICkaADAgE" +
+ "CAhQxGIn1OvCpM6hUVT6PkUNYNZLVfzANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtUZX" +
+ "N0IEludGVybWVkaWF0ZSB0byBkZWxldGUwIhgPMjAxNzExMjcwMDAwMDBaGA8yMDIwMDIwN" +
+ "TAwMDAwMFowLjEsMCoGA1UEAwwjVGVzdCBFbmQtZW50aXR5IGZyb20gdW5rbm93biBpc3N1" +
+ "ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTw" +
+ "T2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs" +
+ "1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkf" +
+ "bmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA" +
+ "dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/" +
+ "l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcIwgb8wgYgGA1UdEQSBgDB+ghl1bm" +
+ "tub3duaXNzdWVyLmV4YW1wbGUuY29tgjR1bmtub3duaXNzdWVyLmluY2x1ZGUtc3ViZG9tY" +
+ "Wlucy5waW5uaW5nLmV4YW1wbGUuY29tgit1bmtub3duaXNzdWVyLnRlc3QtbW9kZS5waW5u" +
+ "aW5nLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2x" +
+ "vY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAsCcmMEn4w5zuQxHOYRJhlFLEpq" +
+ "TsDUrrvEFdbNaYre3dZe979EuNX9GFvJM3bSHZmNJVy4POA1gL9En/Pdd3lD1AQaiLWXLzg" +
+ "d5p4fD/eRRIfG8ncmds+7aWT3pTnLu1cRV9sRVlinHhSzvZ+5RE9auJWV0gsfaWCsSD6Ipl" +
+ "Ztj/BxO9+7WP9+UyQYQ6lzUfK2WZH1+QIOerMV9ya/sSHdfUGJIE4h6YadQfE43CW2FITrw" +
+ "gi0TmXdzzYbyhAaa97qvQ32Hu3qikiMfWSgVYxyT+nMMDTUWZZ7LgBJ2WaMTw1IkCXXOwXw" +
+ "SIs5l4jWu+6txfBU53Q6WT39BPmHBOSTEAAAAAAAAA";
+ let certListUnknownIssuer = build_cert_list_from_pem_list([
+ gUnknownIssuerPEM,
+ ]);
+ let pkcs7UnknownIssuer = certdb.asPKCS7Blob(certListUnknownIssuer);
+ equal(
+ btoa(pkcs7UnknownIssuer),
+ expectedPKCS7ForUnknownIssuer,
+ "PKCS7 export should work as expected for unknown issuer"
+ );
+
+ // This was generated by running OCSPStaplingServer locally on the ocsp_certs
+ // directory and visiting:
+ // https://ocsp-stapling-with-intermediate.example.com:8443/
+ // and then viewing the certificate chain presented (in the page info dialog)
+ // and exporting it.
+ // (NB: test-ca must be imported and trusted for the connection to succeed)
+ const expectedPKCS7WithIntermediate =
+ "MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCCCPEwggLTMIIBu6ADAgE" +
+ "CAhQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZX" +
+ "N0IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB" +
+ "1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI" +
+ "BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xz" +
+ "VJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCy" +
+ "uwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW" +
+ "7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE" +
+ "LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8" +
+ "wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAgyCfLAcVs/MkERxunH9pZA4ja1Q" +
+ "WWjsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR3/94IJeD45C3h/Y3+1HDyC6ZuzdgMX" +
+ "v63dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmLNeAhL7QA+Vf5fJmTsxEJwFaHo9JpKo" +
+ "Q469RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8OalQICt0M0wx29B6HNof3px2NxKyC6qlf" +
+ "01wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+SXo8SmD4YO6Wr4Q9drI3cCwVeQXwxoU" +
+ "uB96muQQ2M3WDiMz5ZLI3oMLu8KSPsMIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25i" +
+ "BPOkIMwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAw" +
+ "MDAwMFoYDzIwMjUwMTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTC" +
+ "CASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6u" +
+ "Q1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8H" +
+ "mnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh" +
+ "eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaM" +
+ "Mkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5" +
+ "kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EB" +
+ "AMCAQYwDQYJKoZIhvcNAQELBQADggEBAILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC" +
+ "2BQF0kMEEB547p+Ms8zdJY00Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77Tk" +
+ "fmnSnxvPi+0nlA+eM8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22" +
+ "+AIU7w6wyAIbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubji" +
+ "Mr3B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpykrGFL" +
+ "vocT/kym6r8galxCJUowggM1MIICHaADAgECAhRnruFLuUdWcJC1fHuhcWXOKGqHRzANBgk" +
+ "qhkiG9w0BAQsFADAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTAiGA8yMDE3MTEyNz" +
+ "AwMDAwMFoYDzIwMjAwMjA1MDAwMDAwWjAsMSowKAYDVQQDDCFUZXN0IEVuZC1lbnRpdHkgd" +
+ "2l0aCBJbnRlcm1lZGlhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo" +
+ "RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHE" +
+ "IeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7q" +
+ "dw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCAB" +
+ "iTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd" +
+ "q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjWzBZMCMGA1U" +
+ "dEQQcMBqCCWxvY2FsaG9zdIINKi5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKw" +
+ "YBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBACjTj" +
+ "eEzgaJS2hco5AHa/QLycXhjLOl/6LQuXFAIVmSIti72ki5C7XojdNstBEHCEILSaXtOokEB" +
+ "uvLMgtOisJA/wDVZBrWS3pxvfSMLJctxacMD9Qs97Gf1xibojRjIsWWeRxXMwYsVz4vJZMA" +
+ "8Rbmsxq67mI46n/ovmsEXQz1uDnJdIY0O/yCTclz6iklsENOsC4oM0uklISniuqi80WeKvO" +
+ "UlYNL5JwCxYe2gtysfqCdBE+wRXVYVCdivceQBqRhCiT3GzkCKQFLqaDPj9wUG2zxtIZK5f" +
+ "Fy2Q3ZKztjmXdiZNgoLE/Pqt61V+uGL+KyUfhbfP0em7dmrIAI7otsxAAAAAAAAAA==";
+ let certListWithIntermediate = build_cert_list_from_pem_list([
+ gOCSPEEWithIntermediatePEM,
+ gTestIntPEM,
+ gTestCAPEM,
+ ]);
+ let pkcs7WithIntermediate = certdb.asPKCS7Blob(certListWithIntermediate);
+ equal(
+ btoa(pkcs7WithIntermediate),
+ expectedPKCS7WithIntermediate,
+ "PKCS7 export should work as expected for chain with intermediate"
+ );
+}
+
+function test_cert_pkcs7_empty_array() {
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ throws(
+ () => certdb.asPKCS7Blob([]),
+ /NS_ERROR_ILLEGAL_VALUE/,
+ "trying to convert an empty array to pkcs7 should throw"
+ );
+}
+
+function run_test() {
+ do_get_profile();
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+
+ add_test(function() {
+ test_cert_pkcs7_export();
+ run_next_test();
+ });
+
+ add_test(function() {
+ test_cert_pkcs7_empty_array();
+ run_next_test();
+ });
+
+ // Test successful connection (failedCertChain should be null)
+ add_connection_test(
+ // re-use pinning certs (keeler)
+ "good.include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess,
+ null,
+ function withSecurityInfo(aTransportSecurityInfo) {
+ equal(
+ aTransportSecurityInfo.failedCertChain.length,
+ 0,
+ "failedCertChain for a successful connection should be null"
+ );
+ }
+ );
+
+ // Test overrideable connection failure (failedCertChain should be non-null)
+ add_connection_test(
+ "expired.example.com",
+ SEC_ERROR_EXPIRED_CERTIFICATE,
+ null,
+ function withSecurityInfo(securityInfo) {
+ notEqual(
+ securityInfo.failedCertChain,
+ null,
+ "failedCertChain should not be null for an overrideable" +
+ " connection failure"
+ );
+ let originalCertChain = build_cert_chain(["expired-ee", "test-ca"]);
+ ok(
+ areCertArraysEqual(originalCertChain, securityInfo.failedCertChain),
+ "failedCertChain should equal the original cert chain for an" +
+ " overrideable connection failure"
+ );
+ }
+ );
+
+ // Test overrideable connection failure (failedCertChain should be non-null)
+ add_connection_test(
+ "unknownissuer.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER,
+ null,
+ function withSecurityInfo(securityInfo) {
+ notEqual(
+ securityInfo.failedCertChain,
+ null,
+ "failedCertChain should not be null for an overrideable" +
+ " connection failure"
+ );
+ let originalCertChain = build_cert_chain(["unknownissuer"]);
+ ok(
+ areCertArraysEqual(originalCertChain, securityInfo.failedCertChain),
+ "failedCertChain should equal the original cert chain for an" +
+ " overrideable connection failure"
+ );
+ }
+ );
+
+ // Test non-overrideable error (failedCertChain should be non-null)
+ add_connection_test(
+ "inadequatekeyusage.example.com",
+ SEC_ERROR_INADEQUATE_KEY_USAGE,
+ null,
+ function withSecurityInfo(securityInfo) {
+ notEqual(
+ securityInfo.failedCertChain,
+ null,
+ "failedCertChain should not be null for a non-overrideable" +
+ " connection failure"
+ );
+ let originalCertChain = build_cert_chain([
+ "inadequatekeyusage-ee",
+ "test-ca",
+ ]);
+ ok(
+ areCertArraysEqual(originalCertChain, securityInfo.failedCertChain),
+ "failedCertChain should equal the original cert chain for a" +
+ " non-overrideable connection failure"
+ );
+ }
+ );
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_dbKey.js b/security/manager/ssl/tests/unit/test_cert_dbKey.js
new file mode 100644
index 0000000000..78a14b6679
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_dbKey.js
@@ -0,0 +1,263 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// This test tests that the nsIX509Cert.dbKey and nsIX509CertDB.findCertByDBKey
+// APIs work as expected. That is, getting a certificate's dbKey and using it
+// in findCertByDBKey should return the same certificate. Also, for backwards
+// compatibility, findCertByDBKey should ignore any whitespace in its input
+// (even though now nsIX509Cert.dbKey will never have whitespace in it).
+
+function hexStringToBytes(hex) {
+ let bytes = [];
+ for (let hexByteStr of hex.split(":")) {
+ bytes.push(parseInt(hexByteStr, 16));
+ }
+ return bytes;
+}
+
+function encodeCommonNameAsBytes(commonName) {
+ // The encoding will look something like this (in hex):
+ // 30 (SEQUENCE) <length of contents>
+ // 31 (SET) <length of contents>
+ // 30 (SEQUENCE) <length of contents>
+ // 06 (OID) 03 (length)
+ // 55 04 03 (id-at-commonName)
+ // 0C (UTF8String) <length of common name>
+ // <common name bytes>
+ // To make things simple, it would be nice to have the length of each
+ // component be less than 128 bytes (so we can have single-byte lengths).
+ // For this to hold, the maximum length of the contents of the outermost
+ // SEQUENCE must be 127. Everything not in the contents of the common name
+ // will take up 11 bytes, so the value of the common name itself can be at
+ // most 116 bytes.
+ ok(
+ commonName.length <= 116,
+ "test assumption: common name can't be longer than 116 bytes (makes " +
+ "DER encoding easier)"
+ );
+ let commonNameOIDBytes = [0x06, 0x03, 0x55, 0x04, 0x03];
+ let commonNameBytes = [0x0c, commonName.length];
+ for (let i = 0; i < commonName.length; i++) {
+ commonNameBytes.push(commonName.charCodeAt(i));
+ }
+ let bytes = commonNameOIDBytes.concat(commonNameBytes);
+ bytes.unshift(bytes.length);
+ bytes.unshift(0x30); // SEQUENCE
+ bytes.unshift(bytes.length);
+ bytes.unshift(0x31); // SET
+ bytes.unshift(bytes.length);
+ bytes.unshift(0x30); // SEQUENCE
+ return bytes;
+}
+
+function testInvalidDBKey(certDB, dbKey) {
+ throws(
+ () => certDB.findCertByDBKey(dbKey),
+ /NS_ERROR_ILLEGAL_INPUT/,
+ `findCertByDBKey(${dbKey}) should raise NS_ERROR_ILLEGAL_INPUT`
+ );
+}
+
+function testDBKeyForNonexistentCert(certDB, dbKey) {
+ let cert = certDB.findCertByDBKey(dbKey);
+ ok(!cert, "shouldn't find cert for given dbKey");
+}
+
+function byteArrayToByteString(bytes) {
+ let byteString = "";
+ for (let b of bytes) {
+ byteString += String.fromCharCode(b);
+ }
+ return byteString;
+}
+
+function run_test() {
+ do_get_profile();
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ let cert = constructCertFromFile("bad_certs/test-ca.pem");
+ equal(
+ cert.issuerName,
+ "CN=" + cert.issuerCommonName,
+ "test assumption: this certificate's issuer distinguished name " +
+ "consists only of a common name"
+ );
+ let issuerBytes = encodeCommonNameAsBytes(cert.issuerCommonName);
+ ok(
+ issuerBytes.length < 256,
+ "test assumption: length of encoded issuer is less than 256 bytes"
+ );
+ let serialNumberBytes = hexStringToBytes(cert.serialNumber);
+ ok(
+ serialNumberBytes.length < 256,
+ "test assumption: length of encoded serial number is less than 256 bytes"
+ );
+ let dbKeyHeader = [
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ serialNumberBytes.length,
+ 0,
+ 0,
+ 0,
+ issuerBytes.length,
+ ];
+ let expectedDbKeyBytes = dbKeyHeader.concat(serialNumberBytes, issuerBytes);
+ let expectedDbKey = btoa(byteArrayToByteString(expectedDbKeyBytes));
+ equal(
+ cert.dbKey,
+ expectedDbKey,
+ "actual and expected dbKey values should match"
+ );
+
+ let certFromDbKey = certDB.findCertByDBKey(expectedDbKey);
+ ok(
+ areCertsEqual(certFromDbKey, cert),
+ "nsIX509CertDB.findCertByDBKey should find the right certificate"
+ );
+
+ ok(
+ expectedDbKey.length > 64,
+ "test assumption: dbKey should be longer than 64 characters"
+ );
+ let expectedDbKeyWithCRLF = expectedDbKey.replace(/(.{64})/, "$1\r\n");
+ ok(
+ expectedDbKeyWithCRLF.indexOf("\r\n") == 64,
+ "test self-check: adding CRLF to dbKey should succeed"
+ );
+ certFromDbKey = certDB.findCertByDBKey(expectedDbKeyWithCRLF);
+ ok(
+ areCertsEqual(certFromDbKey, cert),
+ "nsIX509CertDB.findCertByDBKey should work with dbKey with CRLF"
+ );
+
+ let expectedDbKeyWithSpaces = expectedDbKey.replace(/(.{64})/, "$1 ");
+ ok(
+ expectedDbKeyWithSpaces.indexOf(" ") == 64,
+ "test self-check: adding spaces to dbKey should succeed"
+ );
+ certFromDbKey = certDB.findCertByDBKey(expectedDbKeyWithSpaces);
+ ok(
+ areCertsEqual(certFromDbKey, cert),
+ "nsIX509CertDB.findCertByDBKey should work with dbKey with spaces"
+ );
+
+ // Test some invalid dbKey values.
+ testInvalidDBKey(certDB, "AAAA"); // Not long enough.
+ // No header.
+ testInvalidDBKey(
+ certDB,
+ btoa(
+ byteArrayToByteString(
+ [0, 0, 0, serialNumberBytes.length, 0, 0, 0, issuerBytes.length].concat(
+ serialNumberBytes,
+ issuerBytes
+ )
+ )
+ )
+ );
+ testInvalidDBKey(
+ certDB,
+ btoa(
+ byteArrayToByteString([
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 255,
+ 255,
+ 255,
+ 255, // serial number length is way too long
+ 255,
+ 255,
+ 255,
+ 255, // issuer length is way too long
+ 0,
+ 0,
+ 0,
+ 0,
+ ])
+ )
+ );
+ // Truncated issuer.
+ testInvalidDBKey(
+ certDB,
+ btoa(
+ byteArrayToByteString([
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 1,
+ 0,
+ 0,
+ 0,
+ 10,
+ 1,
+ 1,
+ 2,
+ 3,
+ ])
+ )
+ );
+ // Issuer doesn't decode to valid common name.
+ testDBKeyForNonexistentCert(
+ certDB,
+ btoa(
+ byteArrayToByteString([
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 1,
+ 0,
+ 0,
+ 0,
+ 3,
+ 1,
+ 1,
+ 2,
+ 3,
+ ])
+ )
+ );
+
+ // zero-length serial number and issuer -> no such certificate
+ testDBKeyForNonexistentCert(
+ certDB,
+ btoa(
+ byteArrayToByteString([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0])
+ )
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_eku.js b/security/manager/ssl/tests/unit/test_cert_eku.js
new file mode 100644
index 0000000000..d185407243
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku.js
@@ -0,0 +1,189 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that the extended key usage extension is properly processed by the
+// platform when verifying certificates. There are already comprehensive tests
+// in mozilla::pkix itself, but these tests serve as integration tests to ensure
+// that the cases we're particularly concerned about are correctly handled.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function certFromFile(certName) {
+ return constructCertFromFile(`test_cert_eku/${certName}.pem`);
+}
+
+function loadCertWithTrust(certName, trustString) {
+ addCertFromFile(certdb, `test_cert_eku/${certName}.pem`, trustString);
+}
+
+function checkEndEntity(cert, expectedResult) {
+ return checkCertErrorGeneric(
+ certdb,
+ cert,
+ expectedResult,
+ certificateUsageSSLServer
+ );
+}
+
+function checkCertOn25August2016(cert, expectedResult) {
+ // (new Date("2016-08-25T00:00:00Z")).getTime() / 1000
+ const VALIDATION_TIME = 1472083200;
+ return checkCertErrorGenericAtTime(
+ certdb,
+ cert,
+ expectedResult,
+ certificateUsageSSLServer,
+ VALIDATION_TIME
+ );
+}
+
+add_task(async function() {
+ registerCleanupFunction(() => {
+ Services.prefs.clearUserPref("privacy.reduceTimerPrecision");
+ });
+ Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false);
+
+ loadCertWithTrust("ca", "CTu,,");
+ // end-entity has id-kp-serverAuth => success
+ await checkEndEntity(certFromFile("ee-SA"), PRErrorCodeSuccess);
+ // end-entity has id-kp-serverAuth => success
+ await checkEndEntity(certFromFile("ee-SA-CA"), PRErrorCodeSuccess);
+ // end-entity has extended key usage, but id-kp-serverAuth is not present =>
+ // failure
+ await checkEndEntity(certFromFile("ee-CA"), SEC_ERROR_INADEQUATE_CERT_TYPE);
+ // end-entity has id-kp-serverAuth => success
+ await checkEndEntity(certFromFile("ee-SA-nsSGC"), PRErrorCodeSuccess);
+
+ // end-entity has extended key usage, but id-kp-serverAuth is not present =>
+ // failure (in particular, Netscape Server Gated Crypto (also known as
+ // Netscape Step Up) is not an acceptable substitute for end-entity
+ // certificates).
+ // Verify this for all Netscape Step Up policy configurations.
+ // 0 = "always accept nsSGC in place of serverAuth for CA certificates"
+ Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0);
+ await checkEndEntity(
+ certFromFile("ee-nsSGC"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+ // 1 = "accept nsSGC before 23 August 2016"
+ Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1);
+ await checkEndEntity(
+ certFromFile("ee-nsSGC"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+ // 2 = "accept nsSGC before 23 August 2015"
+ Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2);
+ await checkEndEntity(
+ certFromFile("ee-nsSGC"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+ // 3 = "never accept nsSGC"
+ Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3);
+ await checkEndEntity(
+ certFromFile("ee-nsSGC"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+
+ // end-entity has id-kp-OCSPSigning, which is not acceptable for end-entity
+ // certificates being verified as TLS server certificates => failure
+ await checkEndEntity(
+ certFromFile("ee-SA-OCSP"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+
+ // intermediate has id-kp-serverAuth => success
+ loadCertWithTrust("int-SA", ",,");
+ await checkEndEntity(certFromFile("ee-int-SA"), PRErrorCodeSuccess);
+ // intermediate has id-kp-serverAuth => success
+ loadCertWithTrust("int-SA-CA", ",,");
+ await checkEndEntity(certFromFile("ee-int-SA-CA"), PRErrorCodeSuccess);
+ // intermediate has extended key usage, but id-kp-serverAuth is not present
+ // => failure
+ loadCertWithTrust("int-CA", ",,");
+ await checkEndEntity(
+ certFromFile("ee-int-CA"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+ // intermediate has id-kp-serverAuth => success
+ loadCertWithTrust("int-SA-nsSGC", ",,");
+ await checkEndEntity(certFromFile("ee-int-SA-nsSGC"), PRErrorCodeSuccess);
+
+ // Intermediate has Netscape Server Gated Crypto. Success will depend on the
+ // Netscape Step Up policy configuration and the notBefore property of the
+ // intermediate.
+ loadCertWithTrust("int-nsSGC-recent", ",,");
+ loadCertWithTrust("int-nsSGC-old", ",,");
+ loadCertWithTrust("int-nsSGC-older", ",,");
+ // 0 = "always accept nsSGC in place of serverAuth for CA certificates"
+ Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0);
+ info("Netscape Step Up policy: always accept");
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-recent"),
+ PRErrorCodeSuccess
+ );
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-old"),
+ PRErrorCodeSuccess
+ );
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-older"),
+ PRErrorCodeSuccess
+ );
+ // 1 = "accept nsSGC before 23 August 2016"
+ info("Netscape Step Up policy: accept before 23 August 2016");
+ Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1);
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-recent"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-old"),
+ PRErrorCodeSuccess
+ );
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-older"),
+ PRErrorCodeSuccess
+ );
+ // 2 = "accept nsSGC before 23 August 2015"
+ info("Netscape Step Up policy: accept before 23 August 2015");
+ Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2);
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-recent"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-old"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-older"),
+ PRErrorCodeSuccess
+ );
+ // 3 = "never accept nsSGC"
+ info("Netscape Step Up policy: never accept");
+ Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3);
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-recent"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-old"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+ await checkCertOn25August2016(
+ certFromFile("ee-int-nsSGC-older"),
+ SEC_ERROR_INADEQUATE_CERT_TYPE
+ );
+
+ // intermediate has id-kp-OCSPSigning, which is acceptable for CA
+ // certificates => success
+ loadCertWithTrust("int-SA-OCSP", ",,");
+ await checkEndEntity(certFromFile("ee-int-SA-OCSP"), PRErrorCodeSuccess);
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ca.pem b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem
new file mode 100644
index 0000000000..790e942fbd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICvDCCAaSgAwIBAgIUbYeck7JVOWdVm1AGwsw/DzdRnaYwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTAxMDEwMDAwMDBaGA8yMDM1MDEwMTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggEBAI0AO+ZBY1oImSrpifcmQZTE/C4xIu7Uu5GX/A7ApQU7
+8UAXivMgRDbtrjOie1HNH9DIxHBCFY/Y7f0VRXxWmPEmT+5LpHrLoi+YF0h2wh/1
+RuiJV1AfaEdVJyNCVDSQrS8BQG5O3LebBq00gjSJSQ4+DHu7YHWkyMIZk+lbBiO1
+GsD0FWBDlOtiMpL/CQWjyiskiqQjrDCs5m0NayqgzYAMtdlEd+pAKEMNO8Fr8xSI
+tAlcG4frvH0kLJ2scX9ayvKTZrAiAxJz9CjmmnXOyL78yyr/hkJbzYTvk0+1cClg
+J2aGnsFIHgUxEx7sApOqlmG8g1lqL7UPqpi8ItVNl48=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec
new file mode 100644
index 0000000000..c6e443f5d8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
+validity:20150101-20350101
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem
new file mode 100644
index 0000000000..3cb03da8f7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAgIUC03diwvrB4IClE/zsjnrM/hOwWQwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowEDEOMAwGA1UEAwwFZWUtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9
+sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5
+TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7
+xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd
+tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l
+8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsG
+AQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQAnfkwf3dUtHoAqV8RNSvFz7KJ0RQui
+nIvnUmKUtzbVoIyC4rJQjVbjOPlh+//Qq7UjLdOicvePiu5kK5lzckaKieFcp8Mh
+IYvhiK0awUMH6Xs5sZbjwcUwWkWr1/7LuuZZa1k54vj5M4XwSQ4snrRQkzibUL7X
+kRKaDfIG2GTKQiK3Snl8o0X9nlTdGUVstAT6QtzkvwDRbs/vcjJUPkW0E8RZitkP
+E8n/QuW6+7Lf/zSO9wKUQdCa/m4dFlIzEDwUPGdk+BHbHOkEfd3+al+zmXwayBn0
+apP+bXWRBMPEZ6eXvdSrYx7bYFvJBiZX3WyGXzOQg+aOXnHebQjfDpvo
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem.certspec
new file mode 100644
index 0000000000..d49cabaa2f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-CA
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem
new file mode 100644
index 0000000000..ede5b867bd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUSfuClZeHYlvEYfPk7WTIXpRXbM0wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowEzERMA8GA1UEAwwIZWUtU0EtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg
+2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ
+5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ
+PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj
+DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W
+iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjITAfMB0GA1UdJQQWMBQG
+CCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAc1UdQZONXBiW
+PHmGb+irQkZK7cET3oPn2iuHlHGgs4rgeXzbZkxFF6/wp84iSf7Svb7pWVmW/FaI
+iigoRROXBwssvrfz2yqYF+5uPrZst7OzyQ5iDEzOc+tXC2051sdPNOXNJDQeE4ac
+sr+e39xBMUwcOVIJE5bMtlcYhQGppTZA9PMfz137aQHdzV4g+1Io0pT851rhPP3p
+EhehyM2GyqwIP7KcHG1p4ncPD6Ninge6ar7nv1WV81vc8SkOUIBfD5JcjRobe80F
+AeSTTqRmlkFVbvOtnLctYdXWCIKg1GRUwk/89Xnhg3DdIANEhCW1jRxKsFwVTM7e
+D2TMbbw0aw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem.certspec
new file mode 100644
index 0000000000..5250cc4a84
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-SA-CA
+extension:extKeyUsage:serverAuth,clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem
new file mode 100644
index 0000000000..9c195b89bb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1TCCAb2gAwIBAgIUE6Hbt6pxuVOgduBB/3H+COBki0owDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFTETMBEGA1UEAwwKZWUtU0EtT0NTUDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMhMB8wHQYDVR0lBBYw
+FAYIKwYBBQUHAwEGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IBAQBR2xe6V/V9
+jEBWS4Vyx9xsi3B9I44I85iQZKVMQARWJg24MBcPw6P0gNnv2n2VUHsA6XED9R0a
+naYxCzXRm/UPHUbJp+GQpX4khsTA4Vf5NfyaUMyvnrmVQnfXEISmVS3aoPZUyDrJ
+F6+v3hqNllT9Ub1VaszCybRjxGvjyMqlGQ9Cc8okeDdw2k0B6w2/61DEkQ8ZEQHQ
+Z+jzGCAeEyVC3UsASL4qSeXQYCkjKHPzwK3co8tyX/YuEZFrRz0wUNvSwx0Byp6t
+2egt51hgnO8mCEzfrEA37vEkzsmv/gFzoSSJvh0WttKLMgHVAIhP4e1K6tkGNTqN
+QXkdhBwi53N4
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem.certspec
new file mode 100644
index 0000000000..3b3eff9ae4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-SA-OCSP
+extension:extKeyUsage:serverAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem
new file mode 100644
index 0000000000..2b3c805a5b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1zCCAb+gAwIBAgIUSWceP1hy2YehKHlNAGJTud5AQBEwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFjEUMBIGA1UEAwwLZWUtU0EtbnNTR0MwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjIjAgMB4GA1UdJQQX
+MBUGCCsGAQUFBwMBBglghkgBhvhCBAEwDQYJKoZIhvcNAQELBQADggEBADR8iLp+
+wdwL+F6xHrZoRZ0twse/VXPZdCtYiII93zZnkT5/Kw9L0jPqSrXkAPECCyRAArFE
+M1sggTtgmDZqSegcihlFIQwwcKmEtvGy47IxgQ8M0r2N+2Tt1LLnQ5lyaxvaRLRk
+P7wRsVJMdzX9lhF9gIo5j+YJPjK68EXxLceDyfz1M9PNQIqjGz3efoAmsVry2HoS
+j10B53rKh/UcwpYv+++qVZwzZrfFK6bRGoRzO4zapDRmsXKWmEJZWL7EFYh85SXO
+J35mFJJDnswKajLpPdNrzc5Dvki/XM/50Yshli96S5uQeEKSfYBIWXS9yKq8VOXJ
+FXCbtkWVe+B8fOQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem.certspec
new file mode 100644
index 0000000000..4c51425ce7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-SA-nsSGC
+extension:extKeyUsage:serverAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem
new file mode 100644
index 0000000000..6975921b9d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAgIULzA2uHt40mZircmlebIa0o2nR0MwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowEDEOMAwGA1UEAwwFZWUtU0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9
+sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5
+TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7
+xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd
+tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l
+8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQCb+rwpPNCs9bg0lFWJLo9YzubV9eM3
+ktSIWubXVwjRnXrd9rwKU7OSpcD8LkJTMLqLHlBhsu32hWd3EEgBwpEpPDTcoHNH
+4zDWAc8I+5gpFdB6IEeM2CIOcpA+52PAo02mafj/WDfIcyKTbtK/DJfKSg+I6TpC
+mwYwwKQYw8CW+BuAIFP39f+000oEuf7rPfAeZIvF4YV3pWnZ9wuXhW+4+SYO0+KD
+B0EI41phP/wOmG7+haKZ1AG/H0j+/SMBS1ErByw9VvW2Y3Wd440wrhBHeXI7Wx2W
+qIrd2k4ksd4pM4m+yojtc4vSS2P+At6rvdWL7NvIKgfhAFzqfqZoAGLQ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem.certspec
new file mode 100644
index 0000000000..690f579afa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-SA
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem
new file mode 100644
index 0000000000..039b1f6f6f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtTCCAZ2gAwIBAgIUdUT/GdLxD1B7t8/7+yrahnifL1MwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBQxEjAQBgNVBAMMCWVlLWludC1DQTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7
+wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp
+k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh
+eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW
+EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc
+JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B
+AQsFAAOCAQEAhJfneO1hs5/bpWCTWgYIEzWsjD/hAFaEaokmyM7mvgt2ZGSqWnyE
+qJ4fQ08cdfuHHv1mjTcLs8V77ahdar+9alW8Z5t+rZYhgOiu9LJo8O9BThd64JxO
+1MJ6HSdtdyJcfwSW+OsVWotFZtSRI2fIX7ent0rujJX5GMZpiP32KhCjqxQtcf1x
+HFiTgzro+n7umZDLd3jH1e+Y5dn0EY4Y9vwAQ4YYXsJIFl0lhLACjG+mZj29hMct
+hxO3DYLrKFlfZTUrz+KZtx6etN0I7M0ChBpMWHmPECfXhg/ffkJqFZtl94oCr5hB
+gi6ZhjoAaGyxVKxuujtVpRaYIRT5B9OZXw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem.certspec
new file mode 100644
index 0000000000..670973930d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-CA
+subject:ee-int-CA
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem
new file mode 100644
index 0000000000..50c26d7ba3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuzCCAaOgAwIBAgIUB8K+R7AzVbDqn7RA4hMZWP9Kbf8wDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJaW50LVNBLUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAy
+NDAyMDUwMDAwMDBaMBcxFTATBgNVBAMMDGVlLWludC1TQS1DQTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs
+9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8
+HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak
+kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet
+lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r
+kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkq
+hkiG9w0BAQsFAAOCAQEAmiDm0St0AQ9a+RPBC95ycM8cHDsSiY8aRdfIEojLUCwJ
+3BSMAWh65tSSy59YFM/+hZquxW6mFKenKsvcVghBTUVxKONJKr8pnrpJiK1rkZxe
+euN3VOuv+nio4byTol9AQGKOg5GUtDtFsYIXrDH2wd6aUxGbi2cuD8q+YyjLpOr2
+1galNh18R9vXXlec/59Jp3hkSzgMs07RlbS8+G6qGRiSE5T6Yjf3vnv2rqQKE7xn
+Wiw+enu/RjPoZeXq6pzBupSo8FiunxT3dXESvjGxamG38T2w1n0NEz6jNs0E90/V
+R34SITuc+/Hk6AQUy04U9AiOx0Kb7DRNlXXb6/rZdQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem.certspec
new file mode 100644
index 0000000000..bd012ab712
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-SA-CA
+subject:ee-int-SA-CA
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem
new file mode 100644
index 0000000000..68d799dfd4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICvzCCAaegAwIBAgIUZQ9IB4KTIRfOUcb3bOGwbFEnUI4wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLaW50LVNBLU9DU1AwIhgPMjAyMTExMjcwMDAwMDBaGA8y
+MDI0MDIwNTAwMDAwMFowGTEXMBUGA1UEAwwOZWUtaW50LVNBLU9DU1AwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEw
+DQYJKoZIhvcNAQELBQADggEBAHLWWm2bWrApkz4OyZNVTyNNFHgcAGQPsAOAv4BO
+tm6DppAewakqHOEOJ+DBvTmyVvx66tpl48IHW5am2e0zoV3N6VTZhfZ1zzavS2h5
+SF4xMUWeJSjtmkjAxHFnz9JcR53CselhMj2ZRXQVMyr1W6QxBi1AfMtR96hWcY3f
+v4nBtIz/FkIFjTN/GU+vt5Rtc0Gns/kbl21ifuRM0QaXOj8u81gAQ3wEh0NLmy8Z
+ACTcy787xTRspMB3WOCJFHY2GqxrG5t7bS2EeUYu6xq1fnnRCfvemKUEALpCzzZn
+t8zmO7PVgNbBfXta0cXGFn5WNRSpOZGxXiQoBqnYWLStXFI=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem.certspec
new file mode 100644
index 0000000000..2374d248f6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-SA-OCSP
+subject:ee-int-SA-OCSP
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem
new file mode 100644
index 0000000000..8722e2f71c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwTCCAamgAwIBAgIUG/gIwkS6ibsfvsd3knsfZ5AkaEswDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMaW50LVNBLW5zU0dDMCIYDzIwMjExMTI3MDAwMDAwWhgP
+MjAyNDAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD2VlLWludC1TQS1uc1NHQzCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+ATANBgkqhkiG9w0BAQsFAAOCAQEADKzVNVhzBer5Tt4j61bsP8UL5/bJ6KPL9oHR
+WSgBGoaamfyn1gG9vOFKTI1/GjEzCrbIQPfsJypWj2MAER/msMiuucnzdjD9iUpK
+tkzTPFeO4hwAR9rImy0C4MiEXlY51Z2Ir+GH7DDVqVu5OPSDeuYUEF2mrL8T0Y/Q
+f7UTfbCinecnznWTgvC8EhXCUwMMnPjHqpJGVKwXuPjqVYA83htZ6m5kvg9/MWpZ
+YeRa4HO9A1Ui5OXsWnk4Uzp4cX5cMlc5VhnaMQV0gCPrcYw4x34t75Pu2VZPKlO4
+XmDiy90kfGat0wuOzqOGb9FEPkmvrbRhc6+LLCBHbHSIXlKWLA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem.certspec
new file mode 100644
index 0000000000..6c3cb64730
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-SA-nsSGC
+subject:ee-int-SA-nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem
new file mode 100644
index 0000000000..2af207eed6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtTCCAZ2gAwIBAgIUc1s5H7wRuokI6INDaqXAJUUghNIwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LVNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBQxEjAQBgNVBAMMCWVlLWludC1TQTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7
+wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp
+k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh
+eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW
+EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc
+JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B
+AQsFAAOCAQEANXVEEPwO3d4e8tBtwYHr78z3X1Fmtrjwb594Zp4xxx79mAUmAXnr
++SHJKfInLgdr0f85Pml5EAR7dlvqC0RMmkoljmlsPOLkEgiRxc/++ohEf2rn1QLL
+6+4tXjuHZ5u1qFa/tgdNqWzNqeGHA1y/+5KAB80mTiytFMBieKgVdv7ijvbClJRg
+V4vybtDD8RZMveGrOd1i+nPR5TLI5OnEmwP8duVLdq5eB/M2CYa+uPg8WgM8BlFP
+B4e9w99MW39z86MAwzw+tpgBT03uSQeV9UxcQVwLm+gjcxaHFPaKhRnqUaVH7A4F
+ZFMb168XWz34MCjJ3AWt4FfP6UwGn8L+nA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem.certspec
new file mode 100644
index 0000000000..72ddb78dfd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-SA
+subject:ee-int-SA
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem
new file mode 100644
index 0000000000..8e8d4c2c04
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwzCCAaugAwIBAgIUB/nCi+kTmIkobMVqQFtJnevhGwEwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNaW50LW5zU0dDLW9sZDAiGA8yMDE2MDcyNDAwMDAwMFoY
+DzIwMTYwOTI0MDAwMDAwWjAbMRkwFwYDVQQDDBBlZS1pbnQtbnNTR0Mtb2xkMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08
+E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc
+1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP
+DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ
+gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV
+YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID
+AQABMA0GCSqGSIb3DQEBCwUAA4IBAQBcxzg5hx9tQ57Jv3wibAhPktjmqapB2suH
+eGE253Xn5haGq+0E3Qkmn7oF1ou6QyLvP+qbElhkx7+eEvhMhzRZFU8XmxzHRqbb
+dZ0/MQw+aLEOc4Utl+1n3pDbVhBjoG3yVxyErndHfyXg+hNPMBEPvtfMYnSkKHX1
+3w3pJSs8HtUNMG3jecwXOJic0kUu6V5npNC0KTeZq4OOzp48WCpEfsQ6W5MzR4PN
+mrCVU2t1GzCKRNA8E8a9unOcxnukz8FaY9RCkeW3cTwRNt0VaFprX32d1C4mz5rV
+vNz/TGA0jy2b4Mg/dpGXrxqyRy1mG3zfs7sDhEoCxLsd/7ytu/bs
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem.certspec
new file mode 100644
index 0000000000..a21b49b783
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nsSGC-old
+subject:ee-int-nsSGC-old
+validity:20160724-20160924
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem
new file mode 100644
index 0000000000..4acdf7b59d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxzCCAa+gAwIBAgIUYfx/2lyIWKMRlK/zS6/kmkp+t/MwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPaW50LW5zU0dDLW9sZGVyMCIYDzIwMTUwNzI0MDAwMDAw
+WhgPMjAxNjA5MjQwMDAwMDBaMB0xGzAZBgNVBAMMEmVlLWludC1uc1NHQy1vbGRl
+cjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG
+NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn
+RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu
+p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ
+Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p
+47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1
+7Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAbCqK5OcHMj28V1PKiL4CHeN2oTCj
+pObUJrAUqsHJbqS2Q+huzzoSsL+yT4uKeiuDMZnKOm8OIZMtM7M4zQb6b5H1Wqm+
+fM5384kUubmSG+CzUd4adK8NjSwgYhgdvAecbzhPS1GUlai9qDJU+elQVIrNZCL4
+6B634koCQkarYybibdXgoum9zzcla0TRXe9rHjb8VYe+BH7tLAnWGpUqw4x36Buz
+gv605ApVb+QDAB9NH4/EZ1TXuKby6I9I19EkfADHL5XUKHGFH2EE+6Fsqihgu3QG
+NRYMU2GL79bZcwOm2t2v+ZB2fp+UlEs8nykWY7PgwbJ+ObgSauNHhKi5DA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem.certspec
new file mode 100644
index 0000000000..93e1831a32
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nsSGC-older
+subject:ee-int-nsSGC-older
+validity:20150724-20160924
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem
new file mode 100644
index 0000000000..557c8276e8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUE/PT07mikR8SeEYcqdLT8IL5vMIwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQaW50LW5zU0dDLXJlY2VudDAiGA8yMDE2MDgyNDAwMDAw
+MFoYDzIwMTcwODI0MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1pbnQtbnNTR0MtcmVj
+ZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62
+iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql
+WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq
+Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+
+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i
+b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY
+CjXtjQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAKnYtenyuUSykB8EP4IkEeeVPo
+PeZpLKEHHr9CnjIC8b0lHhTsFQhIiNsCWt8xh+JS273QJi/A2rdo1M4KiMZyURne
+RZvTBpFu5F8E+VixDP9xmpAffrgqPqgNRyN+co7tUQZgsJHhb8LSKKMHQTMTBOgW
+nrVlMR+MwXBBQx7Yc7KkVob8DMWmIAAXlv0JY6ID2lRb4haBVS1gsPIj24mVF8XG
+dRJIgtVUvey49/PvErG6FNA32QPDCyv9UOkX9mtpnu9dT+v6mAkbRcSDYAsTTWh2
+seog8fOBA8WoqO+EtTIY2VLiO2G8pTp8MftYVc1Mhd5Kh/ZT+PtdngloPnDM
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec
new file mode 100644
index 0000000000..4a3ad8ec05
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nsSGC-recent
+subject:ee-int-nsSGC-recent
+validity:20160824-20170824
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem
new file mode 100644
index 0000000000..10bae6542e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyjCCAbKgAwIBAgIUTe5MT0p0so5MFykddr1kBAMk1J4wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowEzERMA8GA1UEAwwIZWUtbnNTR0MwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg
+2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ
+5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ
+PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj
+DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W
+iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGDAWMBQGA1UdJQQNMAsG
+CWCGSAGG+EIEATANBgkqhkiG9w0BAQsFAAOCAQEAcGPEiH/hfb1EbEuv66X9c3fD
+g71Pe3qqOJ6QEW5S6Y1qwmVNOA0e7awGKj0i9MCMMb6sw0bWxmPJyR4QTsEG4lbi
+SazRgS2n6FAnaQMyU/qE8jG2epIJRWECEbhuviv88Rci2/w7/N3ED1mu2/f/19Zo
+UPNydVnAU5M1xRiV/lqlo2ZzNJHOw8raezoedrh15jUwcFs1WAqcxAUTearZYjr4
+GMYqOiDY0AzndK9XHHTyuj4rrHd+XgLRbHP/JPfAGzWyTa3Yqwe0fD2mORBtEDT8
+Y+nZIhKzM5Hra+TeeDs5jNFC9JH5ZMQgos4l6N5UeyqB1H+J0owl7VuvqLxrHQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem.certspec
new file mode 100644
index 0000000000..43d58ab6d4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-nsSGC
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem
new file mode 100644
index 0000000000..2195a06582
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1TCCAb2gAwIBAgIUYf8P4Z0RmA/uflirA4xHoKNqtHUwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowETEPMA0GA1UEAwwGaW50LUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyUwIzAMBgNVHRMEBTADAQH/
+MBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQA/izUgZ12n
+DeYVPwvRzgoQ6oZNoZNGwSip5AKfpdC/RtFsDMH5AjaUMrSGvJjSCgcEXSey1fTV
+wdkQs1gYOdDTu935Gg0K13kHZSN0bGEwBA7Gh8gBaOrA/PElx6q8FEG1+qg20GQB
+vN174zjsSy9M6lXu90jApAh4whwgSTOO8JJ4VR9k9jnTzb+5lL5DTvWjFaR0M0zE
++XCDMUr90pGtg/qLzfSiaLaHEBMZu1cpVwtg3lLmMZhQXm067jP/nNZpe0yvPwz5
+HLFA7vrHAZkmtuKg22Le3FLyhtgQRLd6KT92pg33yhD5jqJskI0jq8EGvNvUKLbV
+cZbtU1Px/vOt
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem.certspec
new file mode 100644
index 0000000000..e5bc18198c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-CA
+extension:basicConstraints:cA,
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem
new file mode 100644
index 0000000000..3dbec3ad5a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4jCCAcqgAwIBAgIUK2ufphp0ShP+8H3RzpTFrZY/NrQwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFDESMBAGA1UEAwwJaW50LVNBLUNBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo
+4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD
+SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX
+kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx
+owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/
+Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoy8wLTAMBgNVHRMEBTAD
+AQH/MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsF
+AAOCAQEAOclvzLUjmZihoAVTCzyH04vhIEfzSl3gbZsooUdY1CZ05+i95YhA8IOM
+Q9YDkIYGsLyMaX/X5OV96KKMRsfSldEWNiNMqXJamqHh1ZalfVFtmmI+k5P/pWX9
+hOzCm12CcxGpaklkyrJ1zQ9CE3Upil34X/Wfmzwiz88zUjc+jpfWU7/VQASoGNku
+AiOswyAuuTSWQ89GBzwH06Q6Ty4sICDdD+69RFnY9sBKPCiTDO1W85d/A/QqnCkj
++Be27/lFmpHV64u6vIa6WUdJ5FA8b/ernVvdZJc42jyTPy8Cwh/l7Onphy0cmHe8
+fm5lAou5Gh6pc3UB4haso1ib5hdkVw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem.certspec
new file mode 100644
index 0000000000..94e9a42d48
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-SA-CA
+extension:basicConstraints:cA,
+extension:extKeyUsage:serverAuth,clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem
new file mode 100644
index 0000000000..b4642e5e09
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5DCCAcygAwIBAgIUHyOa9EUn1y5E6yT4ne+opcI/RbwwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFjEUMBIGA1UEAwwLaW50LVNBLU9DU1AwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjLzAtMAwGA1UdEwQF
+MAMBAf8wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMJMA0GCSqGSIb3DQEB
+CwUAA4IBAQC2VSyElSFe/z7BdCgAot834Eer4HgxBtimrb1YNZgsaZjjU8v9Cv9h
+yBvs4M3J5ZuikyU5AyYiOF+YH9FouWbrsFnJezSpNI1MBqR8QDxdAwBCMqpHPsjT
+7Bw7N0ajkvWHA1PzzphFXthjNTYiIWQHLly6D/MQYHetyv3WvOevNQjl56B9uMdc
+pf5N/JDbxh23euSHuBTGICxMAOg4JkgqXlxVbTAXfQhLVmnvGY6/cjtyhz7tbfEC
+2fL9hnDPOciusR8WIYYi3TF8TWrZL5vhImQZimETuSQBMm5cygsaPFy3J28P2bPe
+lk6ehrv5e8pAHUak+OrbaWtyP4bh3tiK
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem.certspec
new file mode 100644
index 0000000000..c38a640b9b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-SA-OCSP
+extension:basicConstraints:cA,
+extension:extKeyUsage:serverAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem
new file mode 100644
index 0000000000..d0c8b0f89a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIUYeEyTSJzsgBm34At1b54YQbcruYwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFzEVMBMGA1UEAwwMaW50LVNBLW5zU0dDMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozAwLjAMBgNVHRME
+BTADAQH/MB4GA1UdJQQXMBUGCCsGAQUFBwMBBglghkgBhvhCBAEwDQYJKoZIhvcN
+AQELBQADggEBACQdyOExX0WnOgZHDOcJFSxGXQ5B4d7DxdH5EKRYtCgq7zbqolvE
+qzi4fsDxbeRCrzVsCKDYqU69fO4sTAJRhBsEsz5Ybzi1Djfm3awjoCGl/kMJDZ8h
+trRh3pUlmwh6NXbF6IBlNrw2EqRR8TS+w71VDqFbvF0J2AKYSD9Fu44ArwLlPN2q
++nAKZnh1PDEW+jsKrZ6lKoft1A6894bp5g34wx2W5LR6RDk3xRGGoMFQXi//OQG1
+YWthV2tBPOWd8pJ7KJJBkliidsg3/vJzsGZXvd6bzd34LjJxNZfG3UNKP0RfHX4q
+El1zBn59yclrtG7vYKGITSJLbwv7E8vdBLQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem.certspec
new file mode 100644
index 0000000000..c84201d874
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-SA-nsSGC
+extension:basicConstraints:cA,
+extension:extKeyUsage:serverAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem
new file mode 100644
index 0000000000..43e5d861b9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1TCCAb2gAwIBAgIUE7YXyGbnrzogbe8A8yh1856yWAAwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowETEPMA0GA1UEAwwGaW50LVNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyUwIzAMBgNVHRMEBTADAQH/
+MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQAhGBv+d4uZ
+qUeJf7MoPJhW+aN9BzuOpzvo12DbAdQNOTEgzpx/OmpwOQq7+8QTKgusYvn6+O/l
+U4MxwKhXWPD5kZXXIPdYKiGmClxhAszP6jfhpaIyjfw04Bhj50uSv41fAastSygm
+rxUv95dc4K4PbyWxu+Yhz67bZ69wcU/wV6GPrkm4dlRPtTCZy6Y59mdlskfky7g9
+/jpfS0E7zZgjLRRCgk3QGeCvNV9aPHxbGZwVCZ4M7wNkFx+P/rhVDj2x6aAFTSaB
+acAkLEek+eY9tgmfTMEY9iZ80dUZV5XHTaQGRuoQNtSjJEkk0mjGTvG56xV1bP8f
+yv/QLk/RFMfi
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem.certspec
new file mode 100644
index 0000000000..74bec2b21c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-SA
+extension:basicConstraints:cA,
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem
new file mode 100644
index 0000000000..e0deef7c3f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3TCCAcWgAwIBAgIUbXK8dZ2kTHVUtKZ1Uamdr5h27tQwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowGDEWMBQGA1UEAwwNaW50LW5zU0dDLW9sZDCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7
+wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp
+k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh
+eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW
+EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc
+JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMmMCQwDAYDVR0T
+BAUwAwEB/zAUBgNVHSUEDTALBglghkgBhvhCBAEwDQYJKoZIhvcNAQELBQADggEB
+AK/99QYaWy5/SG7iKiGwSgJ49hobsVUf4DTN9+4FIesvXNUtXc+vmPVNwgy8S4Kn
+23zOUmp2LaRBQ3VxaiQ0o/RN3ZjULhPhGi3cHsjDTKXH3U0snAloUYONx1JCFOif
+RWwLeiyps1oW9ARfUQrbQRtw87ospU5aJ7JSPoVgbCMXubmEpRSeTMv0SHdOs6g7
+ahSaoT7BBRuHDnCb8+ZR509H9Dc4M2Dv4lQ9vlWGZjXnfM1ImIeUBTWQ0fngyoZW
+neTStGeL5MmCjjMMupJYbjNsenQXd9doD08+voOfmKgaMQDH0fgEACJHjmmt+eQ4
+j8WZP3lRZHZm/s23xNl+6S4=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem.certspec
new file mode 100644
index 0000000000..35f61671ed
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-nsSGC-old
+extension:basicConstraints:cA,
+extension:extKeyUsage:nsSGC
+validity:20160724-20160924
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem
new file mode 100644
index 0000000000..dd709c343d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIUITNR+z5zrXNAq+3y9u3et1fNp6YwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowGjEYMBYGA1UEAwwPaW50LW5zU0dDLW9sZGVyMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyYwJDAMBgNV
+HRMEBTADAQH/MBQGA1UdJQQNMAsGCWCGSAGG+EIEATANBgkqhkiG9w0BAQsFAAOC
+AQEAtkFQHiG8UeleNMgvJVneYQzIQt8wiZwudAH2FdiyeCtYUp95z19IzPlZeYq0
+FXlMJJ+SOn2wSZ9jHshV5VF8S4Rb3ou0EVJcu+X7cs3jOuLtV/KwFDKXrncWpF7L
+sH1yGVkAUNMQlE52MgPxg7P6yd+lbU9MlqD5rpifsAecrXzctzi8l3qb2UJvkHku
+BLE+ViTnn9RFDQFQ/1AAF9cbSJaUF0rwWznXpB0PAu+v9lBpn9a83/GXZc1SO2mE
+MIdgRpuB1Lr+wZq5ulXHAeBJ+kH8lrG2CIXSQPFQjPfiS2D5hM1cdd7GSEh4BoZv
+AbTKG12NXN9AG7RpG7upSBG4mQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem.certspec
new file mode 100644
index 0000000000..f7a870c0f1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-nsSGC-older
+extension:basicConstraints:cA,
+extension:extKeyUsage:nsSGC
+validity:20150724-20160924
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem
new file mode 100644
index 0000000000..c5c8e724c2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAcigAwIBAgIUec5AldPAXDY+y1Q7RfO4SfvteiEwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA4MjQwMDAwMDBaGA8yMDE3MDgyNDAw
+MDAwMFowGzEZMBcGA1UEAwwQaW50LW5zU0dDLXJlY2VudDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMmMCQwDAYD
+VR0TBAUwAwEB/zAUBgNVHSUEDTALBglghkgBhvhCBAEwDQYJKoZIhvcNAQELBQAD
+ggEBAJO1C5eYEk2/+xvgWsCsUZi7PMoZLhb5Jb2V61JMWREfCozmYepqlamR6IZV
+fn5Q9OClLtAzSybeia40nsW/xb/o+5zJn0rPzk6JIsMToJk07fqp+uG9LbAM82IV
+RnHzmCS4/3n4fl1k1GGL0A/NYBUsilY9oKhVl1zukB/z3ALp9LyProNLsEZmWkl7
+F07+lR9PPMOqA1SuDJmZMyZ4cKDyYYF7NYKGi57xpgpUXGq8IPOKKGq4XlYqQhOQ
+sVSuc+16A+NlPwMogczcgTgy7QD6DF4WNOCDGwuF0YB7uROEbYvh4lkKJfhnAtb7
+1/xnmTVssnCTsbppIiXtKs8zzu0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec
new file mode 100644
index 0000000000..f421ddc1a8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-nsSGC-recent
+extension:basicConstraints:cA,
+extension:extKeyUsage:nsSGC
+validity:20160824-20170824
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null.js b/security/manager/ssl/tests/unit/test_cert_embedded_null.js
new file mode 100644
index 0000000000..c1b20c1664
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null.js
@@ -0,0 +1,54 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that a certificate with a clever subject common name like
+// 'www.bank1.com[NUL]www.bad-guy.com' (where [NUL] is a single byte with
+// value 0) will not be treated as valid for www.bank1.com.
+// Includes a similar test case but for the subject alternative name extension.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+async function do_testcase(certname, checkCommonName) {
+ let cert = constructCertFromFile(`test_cert_embedded_null/${certname}.pem`);
+ // Where applicable, check that the testcase is meaningful (i.e. that the
+ // certificate's subject common name has an embedded NUL in it).
+ if (checkCommonName) {
+ equal(
+ cert.commonName,
+ "www.bank1.com\\00www.bad-guy.com",
+ "certificate subject common name should have an embedded NUL byte"
+ );
+ }
+ await checkCertErrorGeneric(
+ certdb,
+ cert,
+ SSL_ERROR_BAD_CERT_DOMAIN,
+ certificateUsageSSLServer,
+ undefined,
+ "www.bank1.com"
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ cert,
+ SSL_ERROR_BAD_CERT_DOMAIN,
+ certificateUsageSSLServer,
+ undefined,
+ "www.bad-guy.com"
+ );
+}
+
+add_task(async function() {
+ addCertFromFile(certdb, "test_cert_embedded_null/ca.pem", "CTu,,");
+
+ await do_testcase("embeddedNull", true);
+ await do_testcase("embeddedNullSAN", false);
+ await do_testcase("embeddedNullCNAndSAN", true);
+ await do_testcase("embeddedNullSAN2", false);
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem
new file mode 100644
index 0000000000..91233a79dd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUW0tAkXslaf5AkE2ROwvnEvMo79MwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
+VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQA/1uiRtJJ6gASZfaGdmjTgHNnG
+OX3VBb8CGbu7yrmlUU0/oiH9BHb9/gq+Gwwcjg++2AEmUWd4damMXKUtRzouP6dV
+Z02jnExdXqq3xLDP71/bY3eneqg/KVIv3wDaHhatmVqWB4oy4itNmvVbbtCjUOyX
+DF3RM5HPQEDjMJO0TjKZMXp5HbyggAvGTbyw6kz+6EVuxxhFqVq1bti1CU4tGBdk
+b6ZOVQhxgJljogn70syXX+CUuUtu9+ufklWQjMtITjBKTSP5cg/NMnKrAL7dF30n
+aUcXz8fpmzjseQjk6uzkDYSFW2HiQtMHKhpCOXAoZ0hGtQ4BXhyhScK2sSB8
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem.certspec
new file mode 100644
index 0000000000..6660f5d478
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem
new file mode 100644
index 0000000000..d1e1dc03b4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxTCCAa2gAwIBAgIUdfhUzL690DlZ9ozJDIeI+5x3M4cwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowKDEmMCQGA1UEAwwdd3d3LmJhbmsxLmNvbQB3d3cuYmFkLWd1eS5jb20w
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
+PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
+9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
+4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
+exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
+ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
+AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGL6BtraqvvOT9jKF7MGo6Q36s9ZX1E0
+N8D0PJnsexXKWOrnqGOT1rrp+YN0zgLc783pqH+pOkYHMKk88L9FKDeZeK8zo6j5
+E/X609Bdo+S89EW0qBqEvpWCAsF9I/F/sbuTf49hS8kE9mwMW0dbqcBuQYviCN4Y
+AEQCACkjdrI8KBG54Q4iVzvUP4+Ub+/QGuDEZC6n9yeiYQjw4LnY/uNO22dGKgU1
+wJbTRSsTsT7iXQkhag/3/pCMHURzJ3jWlNZMa+lhvm30Af/AqAqIrcidP1QwdifS
+QcNZlY0cSlqwqYe8By10B3oLKLu9ChutTerw7p0j3H3WDSAbmOiSfQI=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem.certspec
new file mode 100644
index 0000000000..d1a32349a2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca
+subject:www.bank1.com\0www.bad-guy.com
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem
new file mode 100644
index 0000000000..60672695da
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAdugAwIBAgIUFUHbA2Pa/0TJflA2QO7eNc/EC1gwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowKDEmMCQGA1UEAwwdd3d3LmJhbmsxLmNvbQB3d3cuYmFkLWd1eS5jb20w
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
+PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
+9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
+4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
+exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
+ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
+AgMBAAGjLDAqMCgGA1UdEQQhMB+CHXd3dy5iYW5rMS5jb20Ad3d3LmJhZC1ndXku
+Y29tMA0GCSqGSIb3DQEBCwUAA4IBAQATiTRzyQxrGnwWmRATYy3TWChqhzFECBSU
+iVrdAZ2bFJxb4FJWRbwPI6d67GK0C6DLtdtNt9q2jWxdfDZCkpR7rFH2hj0sW1hm
+knYaQKmNmd64FS4nH26FMD5YxgykxQAEJzXSCYHUwM0UX72ebLaFn55wdA+onc/g
+JijC3UI62fYYUzEu8TwbAnqfzclevWBHpZJgZxdUK/tk2RRPz4MAWrKOL1R1jX2i
+57CDGXOC3fQtu7pKjMLcZv3T/vkttJNqmSD4YeA6+xd117ig5d0OqLzFxrwA83Ls
+ltkxkS4rsphX9zkgcAb1x0/VgoZbmeLTZM6INyWOkE4W+IXYh7kN
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem.certspec
new file mode 100644
index 0000000000..1029d6cdd0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:www.bank1.com\0www.bad-guy.com
+extension:subjectAlternativeName:www.bank1.com\0www.bad-guy.com
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem
new file mode 100644
index 0000000000..fc3b0ad73a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6TCCAdGgAwIBAgIUDzUDem23kK14+ubqJMXuQR5ZhjUwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowHjEcMBoGA1UEAwwTZW1iZWRkZWQgTlVMIGluIFNBTjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs
+9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8
+HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak
+kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet
+lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r
+kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMsMCow
+KAYDVR0RBCEwH4Idd3d3LmJhbmsxLmNvbQB3d3cuYmFkLWd1eS5jb20wDQYJKoZI
+hvcNAQELBQADggEBAHkWUv8gAyNjRQyOlWm9JetvuBKy6d446LbaSQdEoDZAK6Oa
+WAAQ2ao1d5/dIWJLZPHCJYLUjBWj1EOS/no96FjTK+xg99zdweMPUAyK2uzKmsNS
+lfrwTktv21xT6QamLhFXMspTwPV6VYcIgQpUI8wuhAEN858xPcbO+bLQtQ+XvklP
+ZReejgox6quiKEw5qFbX9jDeZDq713dnnUqwL1FczdFjTm1uP1o3SoUGHsGH3FPJ
+p6LsyKiUfaTBglFNN+iasl50e/MDJZmCIjqVvv/tCVCN2VPpWNYeyP1e2DxPL+yb
+nVqbdSGVqOMWz4sRSjEnb9Xf9Uy1EigO8rb48VA=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem.certspec
new file mode 100644
index 0000000000..f224888eee
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:embedded NUL in SAN
+extension:subjectAlternativeName:www.bank1.com\0www.bad-guy.com
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem
new file mode 100644
index 0000000000..3aea7c6b5c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7jCCAdagAwIBAgIURTMxPbOwfgpUVoSWuyXAKlS8e00wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFjEUMBIGA1UEAwwLYmFkLWd1eS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOTA3MDUGA1UdEQQu
+MCyCC2JhZC1ndXkuY29tgh13d3cuYmFuazEuY29tAHd3dy5iYWQtZ3V5LmNvbTAN
+BgkqhkiG9w0BAQsFAAOCAQEAoMSmJIxxm9N/qNkADdIYDwEByibG4CLYD7EqtclQ
+gTKUW5RWLcF1xkAfqSKsRkfE0965SofgH31J7sGnL02ROEdPK3Tc1/R7INS05yCp
+QHAYLwz9rWhJaF42tfn06cOpaoAVvU/0reOLUwwCg4j+0bDTErkZZyY0QX4i+ou0
+f2I/oGK0HfdkxiKjCExz5qsgdAVfPk8Kp5sJ7S/kJzkKQbQ58qAD9ObiF4zl5wtR
+5KveoFUckVXrznd9haqMlyj/kd3s4hKNl7n/kbXdiaxxvSh57c7K1O+mugREiwCA
+Oa57wZV4F6N2FpJrwlsvYH+J5ejNTCU1VJqWffqJbdPpdg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem.certspec
new file mode 100644
index 0000000000..d352d034b6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:bad-guy.com
+extension:subjectAlternativeName:bad-guy.com,www.bank1.com\0www.bad-guy.com
diff --git a/security/manager/ssl/tests/unit/test_cert_expiration_canary.js b/security/manager/ssl/tests/unit/test_cert_expiration_canary.js
new file mode 100644
index 0000000000..4519dd3935
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_expiration_canary.js
@@ -0,0 +1,40 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Attempts to verify a certificate for a time a few weeks into the future in
+// the hopes of avoiding mass test failures when the certificates all expire.
+// If this test fails, the certificates probably need to be regenerated.
+// See bug 1525191.
+
+// If this test and only this test fails, do the following:
+// 1. Create a bug for the issue in "Core :: Security: PSM".
+// 2. Write a patch to temporarily disable the test.
+// 3. Land the patch.
+// 4. Write a patch to reenable the test but don't land it.
+// 5. Needinfo the triage owner of Bugzilla's "Core :: Security: PSM" component
+// in the bug.
+// 6. Patches to update certificates get created.
+// 7. Test the patches with a Try push.
+// 8. Land the patches on all trees whose code will still be used when the
+// certificates expire in 3 weeks.
+add_task(async function() {
+ do_get_profile();
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ addCertFromFile(certDB, "bad_certs/test-ca.pem", "CTu,,");
+ let threeWeeksFromNowInSeconds = Date.now() / 1000 + 3 * 7 * 24 * 60 * 60;
+ let ee = constructCertFromFile("bad_certs/default-ee.pem");
+ await checkCertErrorGenericAtTime(
+ certDB,
+ ee,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ threeWeeksFromNowInSeconds,
+ false,
+ "test.example.com"
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot.js b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot.js
new file mode 100644
index 0000000000..13ae5e31e2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot.js
@@ -0,0 +1,89 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that nsIX509Cert.isBuiltInRoot works as expected.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+// This is a certificate that (currently) ships with the platform.
+// It should be considered a built-in root.
+const sNaverBase64 =
+ "" +
+ "MIIFojCCA4qgAwIBAgIUAZQwHqIL3fXFMyqxQ0Rx+NZQTQ0wDQYJKoZIhvcNAQEM" +
+ "BQAwaTELMAkGA1UEBhMCS1IxJjAkBgNVBAoMHU5BVkVSIEJVU0lORVNTIFBMQVRG" +
+ "T1JNIENvcnAuMTIwMAYDVQQDDClOQVZFUiBHbG9iYWwgUm9vdCBDZXJ0aWZpY2F0" +
+ "aW9uIEF1dGhvcml0eTAeFw0xNzA4MTgwODU4NDJaFw0zNzA4MTgyMzU5NTlaMGkx" +
+ "CzAJBgNVBAYTAktSMSYwJAYDVQQKDB1OQVZFUiBCVVNJTkVTUyBQTEFURk9STSBD" +
+ "b3JwLjEyMDAGA1UEAwwpTkFWRVIgR2xvYmFsIFJvb3QgQ2VydGlmaWNhdGlvbiBB" +
+ "dXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC21PGTXLVA" +
+ "iQqrDZBbUGOukJR0F0Vy1ntlWilLp1agS7gvQnXp2XskWjFlqxcX0TM62RHcQDaH" +
+ "38dq6SZeWYp34+hInDEW+j6RscrJo+KfziFTowI2MMtSAuXaMl3Dxeb57hHHi8lE" +
+ "HoSTGEq0n+USZGnQJoViAbbJAh2+g1G7XNr4rRVqmfeSVPc0W+m/6imBEtRTkZaz" +
+ "kVrd/pBzKPswRrXKCAfHcXLJZtM0l/aM9BhK4dA9WkW2aacp+yPOiNgSnABIqKYP" +
+ "szuSjXEOdMWLyEz59JuOuDxp7W87UC9Y7cSw0BwbagzivESq2M0UXZR4Yb8Obtoq" +
+ "vC8MC3GmsxY/nOb5zJ9TNeIDoKAYv7vxvvTWjIcNQvcGufFt7QSUqP620wbGQGHf" +
+ "nZ3zVHbOUzoBppJB7ASjjw2i1QnK1sua8e9DXcCrpUHPXFNwcMmIpi3Ua2FzUCaG" +
+ "YQ5fG8Ir4ozVu53BA0K6lNpfqbDKzE0K70dpAy8i+/Eozr9dUGWokG2zdLAIx6yo" +
+ "0es+nPxdGoMuK8u180SdOqcXYZaicdNwlhVNt0xz7hlcxVs+Qf6sdWA7G2POAN3a" +
+ "CJBitOUt7kinaxeZVL6HSuOpXgRM6xBtVNbv8ejyYhbLgGvtPe31HzClrkvJE+2K" +
+ "AQHJuFFYwGY6sWZLxNUxAmLpdIQM201GLQIDAQABo0IwQDAdBgNVHQ4EFgQU0p+I" +
+ "36HNLL3s9TsBAZMzJ7LrYEswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB" +
+ "Af8wDQYJKoZIhvcNAQEMBQADggIBADLKgLOdPVQG3dLSLvCkASELZ0jKbY7gyKoN" +
+ "qo0hV4/GPnrK21HUUrPUloSlWGB/5QuOH/XcChWB5Tu2tyIvCZwTFrFsDDUIbatj" +
+ "cu3cvuzHV+YwIHHW1xDBE1UBjCpD5EHxzzp6U5LOogMFDTjfArsQLtk70pt6wKGm" +
+ "+LUx5vR1yblTmXVHIloUFcd4G7ad6Qz4G3bxhYTeodoS76TiEJd6eN4MUZeoIUCL" +
+ "hr0N8F5OSza7OyAfikJW4Qsav3vQIkMsRIz75Sq0bBwcupTgE34h5prCy8VCZLQe" +
+ "lHsIJchxzIdFV4XTnyliIoNRlwAYl3dqmJLJfGBs32x9SuRwTMKeuB330DTHD8z7" +
+ "p/8Dvq1wkNoL3chtl1+afwkyQf3NosxabUzyqkn+Zvjp2DXrDige7kgvOtB5CTh8" +
+ "piKCk5XQA76+AqAF3SAi428diDRgxuYKuQl1C/AH6GmWNcf7I4GOODm4RStDeKLR" +
+ "LBT/DShycpWbXgnbiUSYqqFJu3FS8r/2/yehNq+4tneI3TqkbZs0kNwUXTC/t+sX" +
+ "5Ie3cdCh13cV1ELX8vMxmV2b3RZtP+oGI/hGoiLtk/bdmuYqh7GYVPEi92tF4+KO" +
+ "dh2ajcQGjTa3FPOdVGm3jjzVpG2Tgbet9r1ke8LJaDmgkpzNNIaRkPpkUZ3+/uul" +
+ "9XXeifdy";
+
+// This is a certificate that does not ship with the platform.
+// It should not be considered a built-in root.
+const sLetsEncryptBase64 =
+ "" +
+ "MIIEqDCCA5CgAwIBAgIRAJgT9HUT5XULQ+dDHpceRL0wDQYJKoZIhvcNAQELBQAw" +
+ "PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD" +
+ "Ew5EU1QgUm9vdCBDQSBYMzAeFw0xNTEwMTkyMjMzMzZaFw0yMDEwMTkyMjMzMzZa" +
+ "MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD" +
+ "ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTCCASIwDQYJKoZIhvcNAQEBBQAD" +
+ "ggEPADCCAQoCggEBAJzTDPBa5S5Ht3JdN4OzaGMw6tc1Jhkl4b2+NfFwki+3uEtB" +
+ "BaupnjUIWOyxKsRohwuj43Xk5vOnYnG6eYFgH9eRmp/z0HhncchpDpWRz/7mmelg" +
+ "PEjMfspNdxIknUcbWuu57B43ABycrHunBerOSuu9QeU2mLnL/W08lmjfIypCkAyG" +
+ "dGfIf6WauFJhFBM/ZemCh8vb+g5W9oaJ84U/l4avsNwa72sNlRZ9xCugZbKZBDZ1" +
+ "gGusSvMbkEl4L6KWTyogJSkExnTA0DHNjzE4lRa6qDO4Q/GxH8Mwf6J5MRM9LTb4" +
+ "4/zyM2q5OTHFr8SNDR1kFjOq+oQpttQLwNh9w5MCAwEAAaOCAZIwggGOMBIGA1Ud" +
+ "EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMH8GCCsGAQUFBwEBBHMwcTAy" +
+ "BggrBgEFBQcwAYYmaHR0cDovL2lzcmcudHJ1c3RpZC5vY3NwLmlkZW50cnVzdC5j" +
+ "b20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9hcHBzLmlkZW50cnVzdC5jb20vcm9vdHMv" +
+ "ZHN0cm9vdGNheDMucDdjMB8GA1UdIwQYMBaAFMSnsaR7LHH62+FLkHX/xBVghYkQ" +
+ "MFQGA1UdIARNMEswCAYGZ4EMAQIBMD8GCysGAQQBgt8TAQEBMDAwLgYIKwYBBQUH" +
+ "AgEWImh0dHA6Ly9jcHMucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcwPAYDVR0fBDUw" +
+ "MzAxoC+gLYYraHR0cDovL2NybC5pZGVudHJ1c3QuY29tL0RTVFJPT1RDQVgzQ1JM" +
+ "LmNybDATBgNVHR4EDDAKoQgwBoIELm1pbDAdBgNVHQ4EFgQUqEpqYwR93brm0Tm3" +
+ "pkVl7/Oo7KEwDQYJKoZIhvcNAQELBQADggEBANHIIkus7+MJiZZQsY14cCoBG1hd" +
+ "v0J20/FyWo5ppnfjL78S2k4s2GLRJ7iD9ZDKErndvbNFGcsW+9kKK/TnY21hp4Dd" +
+ "ITv8S9ZYQ7oaoqs7HwhEMY9sibED4aXw09xrJZTC9zK1uIfW6t5dHQjuOWv+HHoW" +
+ "ZnupyxpsEUlEaFb+/SCI4KCSBdAsYxAcsHYI5xxEI4LutHp6s3OT2FuO90WfdsIk" +
+ "6q78OMSdn875bNjdBYAqxUp2/LEIHfDBkLoQz0hFJmwAbYahqKaLn73PAAm1X2kj" +
+ "f1w8DdnkabOLGeOVcj9LQ+s67vBykx4anTjURkbqZslUEUsn2k5xeua2zUk=";
+
+function run_test() {
+ let builtInCert = certdb.constructX509FromBase64(sNaverBase64);
+ ok(builtInCert, "should be able to decode base-64 of built-in cert");
+ ok(builtInCert.isBuiltInRoot, "cert should be considered built-in");
+
+ let notBuiltInCert = certdb.constructX509FromBase64(sLetsEncryptBase64);
+ ok(notBuiltInCert, "should be able to decode base-64 of built-in cert");
+ ok(!notBuiltInCert.isBuiltInRoot, "cert should not be considered built-in");
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload.js b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload.js
new file mode 100644
index 0000000000..deb6ba914a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload.js
@@ -0,0 +1,143 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that nsIX509Cert.isBuiltInRoot works as expected. Differs from
+// test_cert_isBuiltInRoot.js in that this test uses a preexisting NSS
+// certificate DB that already contains some of the certificates in question.
+//
+// To create the necessary preexisting files, obtain the "NAVER Global Root
+// Certification Authority" certificate and the "Let's Encrypt Authority
+// X1" certificate (copied below for reference) and perform the following steps:
+//
+// `certutil -d . -N` (use an empty password)
+// `certutil -d . -A -n "NAVER Global Root Certification Authority" -t ,, \
+// -a -i naverrc1.pem`
+// `certutil -d . -A -n "Let's Encrypt Authority X1" -t ,, -a \
+// -i LetsEncrypt.pem`
+//
+// This should create the cert9.db and key4.db files.
+//
+// To determine the new DBKey associated to the replacement root,
+// one can print builtInRoot.dbKey in test_cert_isBuiltInRoot.js.
+//
+// (The crucial property of the first certificate is that it is a built-in trust
+// anchor, so any replacement must also have this property. The second
+// certificate is not a built-in trust anchor, so any replacement must not be a
+// built-in trust anchor.)
+//
+//
+// NAVER Global Root Certification Authority:
+// -----BEGIN CERTIFICATE-----
+// MIIFojCCA4qgAwIBAgIUAZQwHqIL3fXFMyqxQ0Rx+NZQTQ0wDQYJKoZIhvcNAQEM
+// BQAwaTELMAkGA1UEBhMCS1IxJjAkBgNVBAoMHU5BVkVSIEJVU0lORVNTIFBMQVRG
+// T1JNIENvcnAuMTIwMAYDVQQDDClOQVZFUiBHbG9iYWwgUm9vdCBDZXJ0aWZpY2F0
+// aW9uIEF1dGhvcml0eTAeFw0xNzA4MTgwODU4NDJaFw0zNzA4MTgyMzU5NTlaMGkx
+// CzAJBgNVBAYTAktSMSYwJAYDVQQKDB1OQVZFUiBCVVNJTkVTUyBQTEFURk9STSBD
+// b3JwLjEyMDAGA1UEAwwpTkFWRVIgR2xvYmFsIFJvb3QgQ2VydGlmaWNhdGlvbiBB
+// dXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC21PGTXLVA
+// iQqrDZBbUGOukJR0F0Vy1ntlWilLp1agS7gvQnXp2XskWjFlqxcX0TM62RHcQDaH
+// 38dq6SZeWYp34+hInDEW+j6RscrJo+KfziFTowI2MMtSAuXaMl3Dxeb57hHHi8lE
+// HoSTGEq0n+USZGnQJoViAbbJAh2+g1G7XNr4rRVqmfeSVPc0W+m/6imBEtRTkZaz
+// kVrd/pBzKPswRrXKCAfHcXLJZtM0l/aM9BhK4dA9WkW2aacp+yPOiNgSnABIqKYP
+// szuSjXEOdMWLyEz59JuOuDxp7W87UC9Y7cSw0BwbagzivESq2M0UXZR4Yb8Obtoq
+// vC8MC3GmsxY/nOb5zJ9TNeIDoKAYv7vxvvTWjIcNQvcGufFt7QSUqP620wbGQGHf
+// nZ3zVHbOUzoBppJB7ASjjw2i1QnK1sua8e9DXcCrpUHPXFNwcMmIpi3Ua2FzUCaG
+// YQ5fG8Ir4ozVu53BA0K6lNpfqbDKzE0K70dpAy8i+/Eozr9dUGWokG2zdLAIx6yo
+// 0es+nPxdGoMuK8u180SdOqcXYZaicdNwlhVNt0xz7hlcxVs+Qf6sdWA7G2POAN3a
+// CJBitOUt7kinaxeZVL6HSuOpXgRM6xBtVNbv8ejyYhbLgGvtPe31HzClrkvJE+2K
+// AQHJuFFYwGY6sWZLxNUxAmLpdIQM201GLQIDAQABo0IwQDAdBgNVHQ4EFgQU0p+I
+// 36HNLL3s9TsBAZMzJ7LrYEswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
+// Af8wDQYJKoZIhvcNAQEMBQADggIBADLKgLOdPVQG3dLSLvCkASELZ0jKbY7gyKoN
+// qo0hV4/GPnrK21HUUrPUloSlWGB/5QuOH/XcChWB5Tu2tyIvCZwTFrFsDDUIbatj
+// cu3cvuzHV+YwIHHW1xDBE1UBjCpD5EHxzzp6U5LOogMFDTjfArsQLtk70pt6wKGm
+// +LUx5vR1yblTmXVHIloUFcd4G7ad6Qz4G3bxhYTeodoS76TiEJd6eN4MUZeoIUCL
+// hr0N8F5OSza7OyAfikJW4Qsav3vQIkMsRIz75Sq0bBwcupTgE34h5prCy8VCZLQe
+// lHsIJchxzIdFV4XTnyliIoNRlwAYl3dqmJLJfGBs32x9SuRwTMKeuB330DTHD8z7
+// p/8Dvq1wkNoL3chtl1+afwkyQf3NosxabUzyqkn+Zvjp2DXrDige7kgvOtB5CTh8
+// piKCk5XQA76+AqAF3SAi428diDRgxuYKuQl1C/AH6GmWNcf7I4GOODm4RStDeKLR
+// LBT/DShycpWbXgnbiUSYqqFJu3FS8r/2/yehNq+4tneI3TqkbZs0kNwUXTC/t+sX
+// 5Ie3cdCh13cV1ELX8vMxmV2b3RZtP+oGI/hGoiLtk/bdmuYqh7GYVPEi92tF4+KO
+// dh2ajcQGjTa3FPOdVGm3jjzVpG2Tgbet9r1ke8LJaDmgkpzNNIaRkPpkUZ3+/uul
+// 9XXeifdy
+// -----END CERTIFICATE-----
+//
+// Let's Encrypt Authority X1:
+// -----BEGIN CERTIFICATE-----
+// MIIEqDCCA5CgAwIBAgIRAJgT9HUT5XULQ+dDHpceRL0wDQYJKoZIhvcNAQELBQAw
+// PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+// Ew5EU1QgUm9vdCBDQSBYMzAeFw0xNTEwMTkyMjMzMzZaFw0yMDEwMTkyMjMzMzZa
+// MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+// ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTCCASIwDQYJKoZIhvcNAQEBBQAD
+// ggEPADCCAQoCggEBAJzTDPBa5S5Ht3JdN4OzaGMw6tc1Jhkl4b2+NfFwki+3uEtB
+// BaupnjUIWOyxKsRohwuj43Xk5vOnYnG6eYFgH9eRmp/z0HhncchpDpWRz/7mmelg
+// PEjMfspNdxIknUcbWuu57B43ABycrHunBerOSuu9QeU2mLnL/W08lmjfIypCkAyG
+// dGfIf6WauFJhFBM/ZemCh8vb+g5W9oaJ84U/l4avsNwa72sNlRZ9xCugZbKZBDZ1
+// gGusSvMbkEl4L6KWTyogJSkExnTA0DHNjzE4lRa6qDO4Q/GxH8Mwf6J5MRM9LTb4
+// 4/zyM2q5OTHFr8SNDR1kFjOq+oQpttQLwNh9w5MCAwEAAaOCAZIwggGOMBIGA1Ud
+// EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMH8GCCsGAQUFBwEBBHMwcTAy
+// BggrBgEFBQcwAYYmaHR0cDovL2lzcmcudHJ1c3RpZC5vY3NwLmlkZW50cnVzdC5j
+// b20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9hcHBzLmlkZW50cnVzdC5jb20vcm9vdHMv
+// ZHN0cm9vdGNheDMucDdjMB8GA1UdIwQYMBaAFMSnsaR7LHH62+FLkHX/xBVghYkQ
+// MFQGA1UdIARNMEswCAYGZ4EMAQIBMD8GCysGAQQBgt8TAQEBMDAwLgYIKwYBBQUH
+// AgEWImh0dHA6Ly9jcHMucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcwPAYDVR0fBDUw
+// MzAxoC+gLYYraHR0cDovL2NybC5pZGVudHJ1c3QuY29tL0RTVFJPT1RDQVgzQ1JM
+// LmNybDATBgNVHR4EDDAKoQgwBoIELm1pbDAdBgNVHQ4EFgQUqEpqYwR93brm0Tm3
+// pkVl7/Oo7KEwDQYJKoZIhvcNAQELBQADggEBANHIIkus7+MJiZZQsY14cCoBG1hd
+// v0J20/FyWo5ppnfjL78S2k4s2GLRJ7iD9ZDKErndvbNFGcsW+9kKK/TnY21hp4Dd
+// ITv8S9ZYQ7oaoqs7HwhEMY9sibED4aXw09xrJZTC9zK1uIfW6t5dHQjuOWv+HHoW
+// ZnupyxpsEUlEaFb+/SCI4KCSBdAsYxAcsHYI5xxEI4LutHp6s3OT2FuO90WfdsIk
+// 6q78OMSdn875bNjdBYAqxUp2/LEIHfDBkLoQz0hFJmwAbYahqKaLn73PAAm1X2kj
+// f1w8DdnkabOLGeOVcj9LQ+s67vBykx4anTjURkbqZslUEUsn2k5xeua2zUk=
+// -----END CERTIFICATE-----
+
+"use strict";
+
+function run_test() {
+ const certDBName = "cert9.db";
+ const keyDBName = "key4.db";
+ let profile = do_get_profile();
+ let certDBFile = do_get_file(`test_cert_isBuiltInRoot_reload/${certDBName}`);
+ certDBFile.copyTo(profile, certDBName);
+ let keyDBFile = do_get_file(`test_cert_isBuiltInRoot_reload/${keyDBName}`);
+ keyDBFile.copyTo(profile, keyDBName);
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ // This is a built-in root, but not one that was added to the preexisting
+ // certificate DB.
+ // Verisign Class 1 Public Primary Certification Authority - G3
+ // Certificate fingerprint (SHA1): 204285DCF7EB764195578E136BD4B7D1E98E46A5
+ // https://crt.sh/?id=8984570
+ const veriSignCertDBKey = `AAAAAAAAAAAAAAARAAAAzQCLW3VWhFSFCwDPrzhI
+ zrGkMIHKMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdB
+ gNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IF
+ ZlcmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAM
+ TPFZlcmlTaWduIENsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBB
+ dXRob3JpdHkgLSBHMw==`;
+ let veriSignCert = certdb.findCertByDBKey(veriSignCertDBKey);
+ ok(veriSignCert, "Should be able to find VeriSign root");
+ ok(veriSignCert.isBuiltInRoot, "VeriSign root is a built-in");
+
+ // This is a built-in root. It was added to the preexisting certificate DB. It
+ // should still be considered a built-in.
+ const naverCertDBKey = `AAAAAAAAAAAAAAAUAAAAawGUMB6iC93
+ 1xTMqsUNEcfjWUE0NMGkxCzAJBgNVBAYTAktSMSYwJAYDVQQKDB1OQVZFUiBCVVN
+ JTkVTUyBQTEFURk9STSBDb3JwLjEyMDAGA1UEAwwpTkFWRVIgR2xvYmFsIFJvb3Q
+ gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHk=`;
+ let naverCert = certdb.findCertByDBKey(naverCertDBKey);
+ ok(naverCert, "Should be able to find NAVER root");
+ ok(naverCert.isBuiltInRoot, "NAVER root is a built-in");
+
+ // This is not a built-in root. It was added to the preexisting certificate
+ // DB. It should not be considered a built-in root.
+ const letsEncryptCertDBKey = `AAAAAAAAAAAAAAARAAAAQQCYE
+ /R1E+V1C0PnQx6XHkS9MD8xJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRyd
+ XN0IENvLjEXMBUGA1UEAxMORFNUIFJvb3QgQ0EgWDM=`;
+ let letsEncryptCert = certdb.findCertByDBKey(letsEncryptCertDBKey);
+ ok(letsEncryptCert, "Should be able to find LetsEncrypt root");
+ ok(!letsEncryptCert.isBuiltInRoot, "LetsEncrypt root is not a built-in");
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/cert9.db b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/cert9.db
new file mode 100644
index 0000000000..7d48c6b133
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/cert9.db
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/key4.db b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/key4.db
new file mode 100644
index 0000000000..e41477dfd9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/key4.db
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage.js b/security/manager/ssl/tests/unit/test_cert_keyUsage.js
new file mode 100644
index 0000000000..a32be6152d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage.js
@@ -0,0 +1,76 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+var certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const caList = [
+ "ca-no-keyUsage-extension",
+ "ca-missing-keyCertSign",
+ "ca-all-usages",
+];
+const eeList = [
+ "ee-no-keyUsage-extension",
+ "ee-keyCertSign-only",
+ "ee-keyEncipherment-only",
+ "ee-keyCertSign-and-keyEncipherment",
+];
+
+const caUsage = [certificateUsageSSLCA];
+const allEEUsages = [
+ certificateUsageSSLClient,
+ certificateUsageSSLServer,
+ certificateUsageEmailSigner,
+ certificateUsageEmailRecipient,
+];
+const serverEEUsages = [
+ certificateUsageSSLServer,
+ certificateUsageEmailRecipient,
+];
+
+const expectedUsagesMap = {
+ "ca-no-keyUsage-extension": caUsage,
+ "ca-missing-keyCertSign": [],
+ "ca-all-usages": caUsage,
+
+ "ee-no-keyUsage-extension-ca-no-keyUsage-extension": allEEUsages,
+ "ee-no-keyUsage-extension-ca-missing-keyCertSign": [],
+ "ee-no-keyUsage-extension-ca-all-usages": allEEUsages,
+
+ "ee-keyCertSign-only-ca-no-keyUsage-extension": [],
+ "ee-keyCertSign-only-ca-missing-keyCertSign": [],
+ "ee-keyCertSign-only-ca-all-usages": [],
+
+ "ee-keyEncipherment-only-ca-no-keyUsage-extension": serverEEUsages,
+ "ee-keyEncipherment-only-ca-missing-keyCertSign": [],
+ "ee-keyEncipherment-only-ca-all-usages": serverEEUsages,
+
+ "ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension": serverEEUsages,
+ "ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign": [],
+ "ee-keyCertSign-and-keyEncipherment-ca-all-usages": serverEEUsages,
+};
+
+add_task(async function() {
+ for (let ca of caList) {
+ addCertFromFile(certdb, "test_cert_keyUsage/" + ca + ".pem", "CTu,CTu,CTu");
+ let caCert = constructCertFromFile("test_cert_keyUsage/" + ca + ".pem");
+ await asyncTestCertificateUsages(certdb, caCert, expectedUsagesMap[ca]);
+ for (let ee of eeList) {
+ let eeFullName = ee + "-" + ca;
+ let eeCert = constructCertFromFile(
+ "test_cert_keyUsage/" + eeFullName + ".pem"
+ );
+ await asyncTestCertificateUsages(
+ certdb,
+ eeCert,
+ expectedUsagesMap[eeFullName]
+ );
+ }
+ }
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem
new file mode 100644
index 0000000000..7ef812e4c9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIUE5r8LYaA73SA25Y8MhWmudWklrowDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAYMRYwFAYDVQQDDA1jYS1hbGwtdXNhZ2VzMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB/jANBgkqhkiG9w0BAQsFAAOC
+AQEAbfCeYrdUfCn8yN8rtt69olTC8huRW7dWFr8LcRgoU+jQO5myXPvZc6r4Kig7
+SuXueQCvX7IRipDf6lB8t911vHwvvZATTvXB4MJ0QZTSjn2P61bekoAVfexFfM1n
+QE4ONlo/3f/p/RtP6VKJnErdwSFyNzIuEBdSNPUwyJIOgBge3qi5BMM7Lm0oiTIw
+L1E++BcBffAEociBiCaB1nd6jbIUtnTY8jyWIr/trzG5BmIKjZGzzrS8zCI8brq6
+M7lT7oOXwD5Q0aP+OUPrtLPC3norMKVuyo4HJdT1XZVjc/15GbwbSeTI3jiYGxWv
+RY288eAkTXZvXxwQvT7W7q1Owg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem.certspec
new file mode 100644
index 0000000000..2ca523c74e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca-all-usages
+subject:ca-all-usages
+extension:basicConstraints:cA,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem
new file mode 100644
index 0000000000..cb8d04ae3f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIUCaFrRP9EdV/s2molg6t0aH4/M9QwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIxMTEy
+NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAhMR8wHQYDVQQDDBZjYS1taXNzaW5n
+LWtleUNlcnRTaWduMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohR
+qESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+Kv
+WnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+
+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPv
+JxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5
+Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6
+clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB
++jANBgkqhkiG9w0BAQsFAAOCAQEAMT30/3FlLT0SRLla9/6nUnhM18/h5te+HEew
+3PwtcRv0JwUBdYXxNK/MVIMDaL9GC/6S9zqlGw4N86tP2E3s8giwbLcNWelou8Zu
+nmnz8BU4MtfW+lkF/0ZNhDRBFXFWTNM7pdKDfVHJhMvzZdk0tEgU2hCZwMu4PGRs
+6oJTrBacjc27s3mVRaxi6NdGZIJQBlfakn7FXI2RcP/+WYgTNNBzvFyRO1pvJdTq
+cGR1fykBoiFZrKOO+MSAWEXke3w/U/lQCM5odDAFngxsHrSftc44XgP2DG08vovH
+wl3MGpr2RDqovYSWKJSv2VeLqSdpeIG/y4ixFBXwmRF/YVUyrQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..26e0158ebe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca-missing-keyCertSign
+subject:ca-missing-keyCertSign
+extension:basicConstraints:cA,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem
new file mode 100644
index 0000000000..29a39ee751
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6DCCAdCgAwIBAgIUaZMM8r1k443E+DQLRBc1j34OAGYwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjEx
+MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCMxITAfBgNVBAMMGGNhLW5vLWtl
+eVVzYWdlLWV4dGVuc2lvbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG
+8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V
+gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3
+04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l
+0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz
+/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG
+9w0BAQsFAAOCAQEAPBRfUuVZulBelyNkd9A9UP5svL4sM8HjbYfggMGh8wHudlH9
+mghp/up5ZEuqyfrwJ8G2yCRC8pvZv4BcBvtlUngWsuBuGKJ0+8OMFdGk5gLhjiDm
+tVQR99o2MFzG8fCjqpNwB+MfSrt2Mbu5hV66UjSvjar6qVcwjWpdKmDnJGgvs6Ib
+t2mZIyoV1pSJNkDai7o1GtXj2WFL9VwjYhi4EDfdUz5xOuLWdBMMRlnfDq1pDpub
+LZ+8FqHJCbFL6G9q3RXPjRhmWIePc/gZLEkVd9S092ePb18gs62UHxK68n+4DOQp
+BdFdrTMeqehtapMkO5G2RMCa7seL6hStoTsxJQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem.certspec
new file mode 100644
index 0000000000..d32e6a6496
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-no-keyUsage-extension
+subject:ca-no-keyUsage-extension
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem
new file mode 100644
index 0000000000..393380d981
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIUGWYB9e9ARnyr9cvrxtuO7gAvALIwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAtMSswKQYDVQQDDCJlZS1rZXlDZXJ0U2lnbi1hbmQt
+a2V5RW5jaXBoZXJtZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby
+a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC
+D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT
+iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT
+Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+
+SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAiQwDQYJKoZIhvcN
+AQELBQADggEBADQMLlcZMsXMKfScNpZZ4KSSWr20vhhXerUk9hK6QqCSUjxlD/QH
+Bib9+T3w0qfEL9QBt5ic/BIN9V9Z5bfLW5IuCT1Gq4yL9aQNkRtTNEtXPZjsAyP5
+OBcsWcsqdNvPn7DOCE4DSo7Omqx1QOGGD3F9ico1NykgUZNN/xdK3kstrugY9Gnv
+FpHvrlkpMxFEmKzxx2AKgsdr4ZxiZnzu87Cv0ICWYjRTTOflJmwKkfO+hR6K5XrP
+TWbyoX2AYkWXWlierE5nTDWAG4Z2fi5FFQfGbGBxdBU/febJZwLBghRCLFQRjkYK
+GOThHpemmJV2UPxfbWXX1pqQkEGb+a4Aqis=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem.certspec
new file mode 100644
index 0000000000..0bb2721a31
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-all-usages
+subject:ee-keyCertSign-and-keyEncipherment
+extension:keyUsage:keyEncipherment,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem
new file mode 100644
index 0000000000..6f9425e546
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIULaOT+liPEeD1woYhMEmcCYf8h4IwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIxMTEy
+NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAtMSswKQYDVQQDDCJlZS1rZXlDZXJ0
+U2lnbi1hbmQta2V5RW5jaXBoZXJtZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAiQw
+DQYJKoZIhvcNAQELBQADggEBACbwD8VRRCFLZFSp31okFWXBJLTqilYjzZChoQVS
+/rbz6ae8P8ScX8ppi2eGFNB2vVETTtKwpI8bdncmtInk/JtUncnmU5wjqKsG1gmI
+Lzz3ZC+x62R/6ocCRw0FfEa9C87BYHy3oRHa6qpSv+ZjNWMc9Me15WIt9JPFrENs
+SWWTF005OXT6/SN9Db3DL2yOGn9cB6GbwsbNptBd9joBFbhpZNY7XMakkVDKGL/W
+JeKZEzeyiR2EGxFYxOn4lNuJty3DOjClP8++iQFClBO5E6c+9jV0Rsew3aL7Q87y
+JWouTF7sYRjwBf+lWsRJ4sZCe6yEhNkGQKXGBAOiWtxeuUI=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..567ab0ce2d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-missing-keyCertSign
+subject:ee-keyCertSign-and-keyEncipherment
+extension:keyUsage:keyEncipherment,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem
new file mode 100644
index 0000000000..8344820c66
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIULe9oCGYjHMm9s2kUkeaGeYDfkYowDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjEx
+MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMC0xKzApBgNVBAMMImVlLWtleUNl
+cnRTaWduLWFuZC1rZXlFbmNpcGhlcm1lbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg
+2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ
+5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ
+PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj
+DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W
+iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQEAwIC
+JDANBgkqhkiG9w0BAQsFAAOCAQEAbvM/6pDn9yYnnEKzEoEC5rSpQVZkgunP2WNc
+dJ9s0zkZeT5HCnPbcntHfjbK217iwja9k/eSg8ukDofstkExjRswRS4F4rCb3ciB
+yEsb5QX2mFAFnFE4b/i3XFDlYSzw2hWOOB2+WXmYNu82eZOvfiM4UvSV2wwFQiOf
+XAYbW5rd7umW5YS8K6heBuFbS1aJLFasDgPb7bHCCYJH/GyLcvDn45e0Y89m3us9
+e2OHLsVN6Mjaq1UO0zXwsSb0GwoYxagHy8h5c3m8tNpe254X6f6jnKbVNUK6SJ2Q
+293EF9vGzv0q1FUZDP/y/qiVlbFJ1QT4cos7Ryzg1KVQSDqL1Q==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem.certspec
new file mode 100644
index 0000000000..c48ef66126
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-no-keyUsage-extension
+subject:ee-keyCertSign-and-keyEncipherment
+extension:keyUsage:keyEncipherment,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem
new file mode 100644
index 0000000000..92e5f92177
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1zCCAb+gAwIBAgIUCWQJroNopActb60dEoJJYUXC6YQwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1rZXlDZXJ0U2lnbi1vbmx5
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABow8wDTALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQELBQADggEBAGU/zN/j
+eXCJzlYjTcRRZF8/3kDauNwfQMHFD2ftNcdsTDHBZt+8ZN7aGau8038f0tw3//CL
+C2VJNkhy9DvizdzgITO315HIM9wYaITDxpLob+z27/Wb7NPfYFb26Z9mY91l89ku
+umemthFmh4oHRDmEbDa1tUD0bcqmdg5zChemA/LuKV3nw6oZsHEy5NUESXicNhSx
+9zm8F32/SyTur75mJ4a2AHqFr8fbLAgYCtj7RWmAI4sPGgk1C689Aj4oGWkkFkgE
+uifRyiui2GRiTH82wvzWh3UNYyJZEOnKE4jxGljE9I5BjK95vyU13d3IkIvJJ1pH
+tfQSjzOe6SsNvP4=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem.certspec
new file mode 100644
index 0000000000..c495ca6d0e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-all-usages
+subject:ee-keyCertSign-only
+extension:keyUsage:keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem
new file mode 100644
index 0000000000..74a3be06df
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAcigAwIBAgIUWbCPLRav9EW2uQgTKqbUCxb/sUAwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIxMTEy
+NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1rZXlDZXJ0
+U2lnbi1vbmx5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQELBQAD
+ggEBADXuaMRmW0SKcP3hLgeoE5J/Sw7cm+ffo9j192akaHTnI/H/pD+j6JkEOsw/
+2gyrKPQdcKqWNqSIDpZMEcQrCi2LnYgJEZFGRHol7oS7FnQaZ5Bp+cx5wnz37Ig5
+UkYHoBoa2JYD6HmibtsB9d83CG/b9B7ulEE4pYJga+0nRcIRLIbEP87mRFPmMAe9
+i8yvZI1FbzFYILehOYcIBVUT1O4U1Xyt/k1lPGOlKs8VUQ66XY+7+iLu53pxv9ja
+dIgPcFer+dRC7GVtneOnggHQ3aYxrnSBlOFd54Y+O7QfESSZsrXbrZmzhd617UeW
+7spMsdHfI1rsc8aQ6gVFqlXd6mw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..23ddd0eb8a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-missing-keyCertSign
+subject:ee-keyCertSign-only
+extension:keyUsage:keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem
new file mode 100644
index 0000000000..086f2ac5d1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4jCCAcqgAwIBAgIUfcLeIvoPPBJMolgBDz+v3K8mAEEwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjEx
+MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMB4xHDAaBgNVBAMME2VlLWtleUNl
+cnRTaWduLW9ubHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQEAwICBDANBgkqhkiG9w0BAQsF
+AAOCAQEAq9eg9Xq7glTjKJtItaRt8PPhXeVZIbMoabIuDdHMq7hT4YXS5vWysT8V
+M6oNOsvnSuwAm+9Y1fTsB/mR8l0BpaYadLizagIHSFZ57bPZzzfEQngu2NkGd+v2
+wxQIrp1KkZCHzYRenT6sZGuAxqqX0KVsEnwen0N93UIrOn3D6T2EE1QT5IMI9IPU
+3OX3UtOVYzUOia+IV0VEpQ0r1o8BmZopx1dkMFvsj7rciF4pR9UQQDzkCs8z60iK
+oG1zzqnwW0ZA9PAmB0pAJbHf3gKOka6I137QvYhCWlFUr5LqVKY/A2IACbIeBQJG
+WKib6YiVMFSI0vdEqNgH38F5c+SaFg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem.certspec
new file mode 100644
index 0000000000..a5a2d62a7d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-no-keyUsage-extension
+subject:ee-keyCertSign-only
+extension:keyUsage:keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem
new file mode 100644
index 0000000000..321ceca492
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC2zCCAcOgAwIBAgIUYfQJjxnw4OD0vXwmpPInpoGAILowDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAiMSAwHgYDVQQDDBdlZS1rZXlFbmNpcGhlcm1lbnQt
+b25seTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u
+togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6
+pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL
+KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq
+fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv
+Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za
+GAo17Y0CAwEAAaMPMA0wCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEBCwUAA4IBAQAc
+KoBdffm/erD9x/k7jvpq99n6AYDeWpIfLdAA3FUTLZItlNNjEYZGDaLd2NRYB0ay
+mbJgYnwdnuac0pylWfTxDMQfcC1ztsXeB8DF/H3v3/iWXUoHbtmCFa3OBac6PJQQ
+K4+ssbipWUaCTP+79lT6e0cs7PXnLLxEyLYlLJFxO6t3Y3knsH3/UEu/86ZWJs5F
+e6BamdM26itAfe30rzTzSr0WxiHZYGX3K5mSZ0+p/FD4Up0MFALukn1xZ6+WLd8c
+gsi0li246g2aUf+rjjKlg4wmx2JndYL5vUP2SJJfFxulvzgDtHw2RfsgA2eN9Zvi
+5a/1QH9m39qO6LXZxwVu
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem.certspec
new file mode 100644
index 0000000000..08154a53ee
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-all-usages
+subject:ee-keyEncipherment-only
+extension:keyUsage:keyEncipherment
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem
new file mode 100644
index 0000000000..8e45895208
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5DCCAcygAwIBAgIUf2jeIliw8Hs+4yN24J1B9he7DEIwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIxMTEy
+NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAiMSAwHgYDVQQDDBdlZS1rZXlFbmNp
+cGhlcm1lbnQtb25seTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI
+UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi
+r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x
+fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD
+7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv
+uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj
++nJRxDHVA6zaGAo17Y0CAwEAAaMPMA0wCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEB
+CwUAA4IBAQAto3rwCaozt9tPSju24aTGvGPQwoiZ1uJzp9PJGKTMKpm2jobT1c1o
+RLjpfa5P2TM6vUCOS7M+uLkzlYsr8aW5WrD0ehJX3Ge1oOFA2A/xwHbffwPpUXgS
+euBMN/RV5Oq9pPLlI5FCG2nWTNjG1u2oEx9Lxf0iMs4YpPwFU1w/mbgFqdnQNn5N
+54DWg3MFNMeNXpGJZrJnKZj7iPFpDtGbTVAKe9tsR4wu5EbReOxa4LvN79BP2Z44
+jivHsnId2SMu1xbaqXLg8ZoTTNX8zL9Mls6kQkjf7vunGrK968x6wDffhz+FTafZ
+qx0xbp/j82UxSPGnj+MYe3dPKU+yZaAZ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..9bdcf4b7b8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-missing-keyCertSign
+subject:ee-keyEncipherment-only
+extension:keyUsage:keyEncipherment
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem
new file mode 100644
index 0000000000..2cf8010b45
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIUOXP432q/p9DYN1yjp9TtbUn7sCMwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjEx
+MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCIxIDAeBgNVBAMMF2VlLWtleUVu
+Y2lwaGVybWVudC1vbmx5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby
+a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC
+D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT
+iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT
+Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+
+SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCBSAwDQYJKoZIhvcN
+AQELBQADggEBAJ/fbi3UftOoyyTSyNPq2zRMDDpEkHx7jcmSDB72wVVfiIDD0tYW
+BaI0zVBHa7PtePCWorCc1SR9rzMKRLl4jpKmfBdmFWDKBrzA+Yd6s2eN+G7zQw9R
+CN0BTou7vHPqAdVeT8e0XhQPBB4IyPw0Zk/8KO3kin5g5Dyf2Eaqc1CY63PzS0F7
+U9MAGwHo8o1ikA6gdKM/vi282sd2Nqa/HaYR4TXgFOCe3zzkq1DKAm+26lfWznmO
+L2KINdoqRhtEEc69NAsoJa5xKXm5+aemk5YNA5JpUH3NgACaUomIseU1JwSgJauk
+3BreCw1pwCuWG/ArNgCkMG4bNJA7I5nc49E=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem.certspec
new file mode 100644
index 0000000000..a2383ecfdd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-no-keyUsage-extension
+subject:ee-keyEncipherment-only
+extension:keyUsage:keyEncipherment
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem
new file mode 100644
index 0000000000..3c8fd4266e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyzCCAbOgAwIBAgIUE3y2+REalJVr9BJgRHvD/0X6kggwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAjMSEwHwYDVQQDDBhlZS1uby1rZXlVc2FnZS1leHRl
+bnNpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAH710Q5yUWJdwRYPAucysm6E
+cJtzX5CD2fs8pJkKtFY4CTofI7rKdU+dIuTsfX/xrnIhdknMAit8kbkQzRsyk0c3
+Am1qgD8pBbrBtNkzHD1cWvNIQGuntI8+4CWqSNkgFtDEmhNH4N3gr4I7ozNfeZKy
+vaZQCqrDpZ6hJdrFbkKeuivZisCXT6OMkhCtJmUz1g2Vlzq1JD5Jffj6nz5u88+G
+gYQ8oJ//R3+AkYmdbF1SzL3XAGFKgJ752UowrCVRTWhe7jj7qqgjMTLwHd7WbRfW
+eyPcDf8l8Fx40I8W4mv7SYArfYpSBohHHMA2ajD2ZglVmkYweK8vO3V3as62lXw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem.certspec
new file mode 100644
index 0000000000..6d2e672961
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca-all-usages
+subject:ee-no-keyUsage-extension
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem
new file mode 100644
index 0000000000..ca06b96af7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1DCCAbygAwIBAgIUN3Gtxz6p1g5APefpvRImgppez0gwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIxMTEy
+NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAjMSEwHwYDVQQDDBhlZS1uby1rZXlV
+c2FnZS1leHRlbnNpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
+iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
+4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
+8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
+Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
+77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
+I/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJ5tsZ2pBNLa
+SQyu952+mbY0McHswPvp34q9ihKtUAaZiwusSnVDGP09FTzu6ejRO857Mjqk4oCf
+C77FyXsWhAVSEqZyYeKwn+UZyZONA3ZY6plx5rpn5CFVZleh5G0TC6eAVmUcJ13J
+x2mmhgPyU2LvHxIRFOaWhTJ9r0qikIDr+96Vti6qDdBeroKuSi2eWUKyofwgV3zK
+FsXauOjGzzLZT3va4c0NUdC4+/qppAoC6ejma0iqj3A1gm00DnYU3GMsBXtSSHAH
+iZGsbtiuZtCZXxgf2os0NLl5demKOcOzKAHs1No2KwVcxonE6t5uqbKsQFbC47x+
+mT2WDtwpQSo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..3cba2f0d81
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca-missing-keyCertSign
+subject:ee-no-keyUsage-extension
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem
new file mode 100644
index 0000000000..c667430b40
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1jCCAb6gAwIBAgIUcUkpEkAlszLM+q9hdNYNVNbjhhQwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjEx
+MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCMxITAfBgNVBAMMGGVlLW5vLWtl
+eVVzYWdlLWV4dGVuc2lvbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG
+8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V
+gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3
+04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l
+0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz
+/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcX+eZ5QZ
+2ji/0gf+sLsw5M/OGw6LMqCKUd5X36XybPCbY1xx8D9Z9dGMV1kzq5TkCSpLOg6f
+1qBqUCIQa/Cpeg1ScHJC9zgmo9XFIniX2ZhiT0o33dDXvTn7l6AuKA4hicbdTcx2
+aGI2MoNpIFINwrNnr6gKQMrBUCBPkWYuCOANqhH8jV9BYgVvYuqK1ecmll5/Cgxp
+ikQ6dzmpUHXFgN46UokyFfaudvt/PVqnukiYfjarKltAH5sfFjCQzrkXrK4QjWUW
+vjd2AJSsxJb6N3wQgfjEI2WTxLfr2DzhNSFB/SdB2tOcJTxIaIkHbS65aimhNXOx
+mppJ0lp9HXjpeg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem.certspec
new file mode 100644
index 0000000000..c850725a63
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca-no-keyUsage-extension
+subject:ee-no-keyUsage-extension
diff --git a/security/manager/ssl/tests/unit/test_cert_override_read.js b/security/manager/ssl/tests/unit/test_cert_override_read.js
new file mode 100644
index 0000000000..4dc3cbff0e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_override_read.js
@@ -0,0 +1,207 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This test checks parsing of the the certificate override file
+
+function run_test() {
+ // These are hard-coded to avoid initialization of NSS before setup is complete
+ // bad_certs/mitm.pem
+ let cert1 = {
+ sha256Fingerprint:
+ "E9:3A:91:F6:15:11:FB:DD:02:76:DD:45:8C:4B:F4:9B:D1:14:13:91:2E:96:4B:EC:D2:4F:90:D5:F4:BB:29:5C",
+ dbKey: "This isn't relevant for this test.",
+ };
+ // bad_certs/selfsigned.pem
+ let cert2 = {
+ sha256Fingerprint:
+ "51:BC:41:90:C1:FD:6E:73:18:19:B0:60:08:DD:A3:3D:59:B2:5B:FB:D0:3D:DD:89:19:A5:BB:C6:2B:5A:72:A7",
+ dbKey: "This isn't relevant for this test.",
+ };
+ // bad_certs/noValidNames.pem
+ let cert3 = {
+ sha256Fingerprint:
+ "C3:A3:61:02:CA:64:CC:EC:45:1D:24:B6:A0:69:DB:DB:F0:D8:58:76:FC:50:36:52:5A:E8:40:4C:55:72:08:F4",
+ dbKey: "This isn't relevant for this test.",
+ };
+
+ let profileDir = do_get_profile();
+ let overrideFile = profileDir.clone();
+ overrideFile.append(CERT_OVERRIDE_FILE_NAME);
+ // Assuming we're working with a clean slate, the file shouldn't exist
+ // until we create it.
+ ok(!overrideFile.exists());
+ let outputStream = FileUtils.openFileOutputStream(overrideFile);
+ let lines = [
+ "# PSM Certificate Override Settings file",
+ "# This is a generated file! Do not edit.",
+ "test.example.com:443:^privateBrowsingId=1\tOID.2.16.840.1.101.3.4.2.1\t" +
+ cert1.sha256Fingerprint +
+ "\t\t" +
+ cert1.dbKey,
+ "test.example.com:443:^privateBrowsingId=2\tOID.2.16.840.1.101.3.4.2.1\t" +
+ cert1.sha256Fingerprint +
+ "\t\t" +
+ cert1.dbKey,
+ "test.example.com:443:^privateBrowsingId=3\tOID.2.16.840.1.101.3.4.2.1\t" + // includes bits (now obsolete)
+ cert1.sha256Fingerprint +
+ "\tM\t" +
+ cert1.dbKey,
+ "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" +
+ cert2.sha256Fingerprint +
+ "\t\t" +
+ cert2.dbKey,
+ "[::1]:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // IPv6
+ cert2.sha256Fingerprint +
+ "\t\t" +
+ cert2.dbKey,
+ "old.example.com:443\tOID.2.16.840.1.101.3.4.2.1\t" + // missing attributes (defaulted)
+ cert1.sha256Fingerprint +
+ "\t\t" +
+ cert1.dbKey,
+ ":443:\tOID.2.16.840.1.101.3.4.2.1\t" + // missing host name
+ cert3.sha256Fingerprint +
+ "\t\t" +
+ cert3.dbKey,
+ "example.com::\tOID.2.16.840.1.101.3.4.2.1\t" + // missing port
+ cert3.sha256Fingerprint +
+ "\t\t" +
+ cert3.dbKey,
+ "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // wrong fingerprint/dbkey
+ cert2.sha256Fingerprint +
+ "\t\t" +
+ cert3.dbKey,
+ "example.com:443:\tOID.0.00.000.0.000.0.0.0.0\t" + // bad OID
+ cert3.sha256Fingerprint +
+ "\t\t" +
+ cert3.dbKey,
+ "example.com:443:\t.0.0.0.0\t" + // malformed OID
+ cert3.sha256Fingerprint +
+ "\t\t" +
+ cert3.dbKey,
+ "example.com:443:\t\t" + // missing OID
+ cert3.sha256Fingerprint +
+ "\t\t" +
+ cert3.dbKey,
+ "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // missing fingerprint
+ "\t\t" +
+ cert3.dbKey,
+ "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // missing dbkey
+ cert3.sha256Fingerprint +
+ "\t\t",
+ ];
+ writeLinesAndClose(lines, outputStream);
+ let overrideService = Cc["@mozilla.org/security/certoverride;1"].getService(
+ Ci.nsICertOverrideService
+ );
+ notEqual(overrideService, null);
+
+ // Now that the override service is initialized we can actually read the certificates
+ cert1 = constructCertFromFile("bad_certs/mitm.pem");
+ info(
+ `if this test fails, try updating cert1.sha256Fingerprint to "${cert1.sha256Fingerprint}"`
+ );
+ cert2 = constructCertFromFile("bad_certs/selfsigned.pem");
+ info(
+ `if this test fails, try updating cert2.sha256Fingerprint to "${cert2.sha256Fingerprint}"`
+ );
+ cert3 = constructCertFromFile("bad_certs/noValidNames.pem");
+ info(
+ `if this test fails, try updating cert3.sha256Fingerprint to "${cert3.sha256Fingerprint}"`
+ );
+
+ const OVERRIDES = [
+ {
+ host: "test.example.com",
+ port: 443,
+ cert: cert1,
+ attributes: { privateBrowsingId: 1 },
+ },
+ {
+ host: "test.example.com",
+ port: 443,
+ cert: cert1,
+ attributes: { privateBrowsingId: 2 },
+ },
+ {
+ host: "test.example.com",
+ port: 443,
+ cert: cert1,
+ attributes: { privateBrowsingId: 3 },
+ },
+ {
+ host: "example.com",
+ port: 443,
+ cert: cert2,
+ attributes: {},
+ },
+ {
+ host: "::1",
+ port: 443,
+ cert: cert2,
+ attributes: {},
+ },
+ {
+ host: "example.com",
+ port: 443,
+ cert: cert2,
+ attributes: { userContextId: 1 }, // only privateBrowsingId is used
+ },
+ {
+ host: "old.example.com",
+ port: 443,
+ cert: cert1,
+ attributes: {},
+ },
+ ];
+ const BAD_OVERRIDES = [
+ {
+ host: "test.example.com",
+ port: 443,
+ cert: cert1,
+ attributes: { privateBrowsingId: 4 }, // wrong attributes
+ },
+ {
+ host: "test.example.com",
+ port: 443,
+ cert: cert3, // wrong certificate
+ attributes: { privateBrowsingId: 1 },
+ },
+ {
+ host: "example.com",
+ port: 443,
+ cert: cert3,
+ attributes: {},
+ },
+ ];
+
+ for (let override of OVERRIDES) {
+ let temp = {};
+ ok(
+ overrideService.hasMatchingOverride(
+ override.host,
+ override.port,
+ override.attributes,
+ override.cert,
+ temp
+ ),
+ `${JSON.stringify(override)} should have an override`
+ );
+ equal(temp.value, false);
+ }
+
+ for (let override of BAD_OVERRIDES) {
+ let temp = {};
+ ok(
+ !overrideService.hasMatchingOverride(
+ override.host,
+ override.port,
+ override.attributes,
+ override.cert,
+ temp
+ ),
+ `${override} should not have an override`
+ );
+ }
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_overrides.js b/security/manager/ssl/tests/unit/test_cert_overrides.js
new file mode 100644
index 0000000000..bd4a4b96d8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@@ -0,0 +1,734 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Tests the certificate overrides we allow.
+// add_cert_override_test will queue a test that does the following:
+// 1. Attempt to connect to the given host. This should fail with the
+// given error.
+// 2. Add an override for that host/port/certificate.
+// 3. Connect again. This should succeed.
+
+do_get_profile();
+
+function check_telemetry() {
+ let histogram = Services.telemetry
+ .getHistogramById("SSL_CERT_ERROR_OVERRIDES")
+ .snapshot();
+ equal(histogram.values[0], 0, "Should have 0 unclassified values");
+ equal(
+ histogram.values[2],
+ 9,
+ "Actual and expected SEC_ERROR_UNKNOWN_ISSUER values should match"
+ );
+ equal(
+ histogram.values[3],
+ 1,
+ "Actual and expected SEC_ERROR_CA_CERT_INVALID values should match"
+ );
+ equal(
+ histogram.values[4] || 0,
+ 0,
+ "Actual and expected SEC_ERROR_UNTRUSTED_ISSUER values should match"
+ );
+ equal(
+ histogram.values[5],
+ 1,
+ "Actual and expected SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE values should match"
+ );
+ equal(
+ histogram.values[6] || 0,
+ 0,
+ "Actual and expected SEC_ERROR_UNTRUSTED_CERT values should match"
+ );
+ equal(
+ histogram.values[7] || 0,
+ 0,
+ "Actual and expected SEC_ERROR_INADEQUATE_KEY_USAGE values should match"
+ );
+ equal(
+ histogram.values[8],
+ 2,
+ "Actual and expected SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED values should match"
+ );
+ equal(
+ histogram.values[9],
+ 9,
+ "Actual and expected SSL_ERROR_BAD_CERT_DOMAIN values should match"
+ );
+ equal(
+ histogram.values[10],
+ 1,
+ "Actual and expected SEC_ERROR_EXPIRED_CERTIFICATE values should match"
+ );
+ equal(
+ histogram.values[11],
+ 2,
+ "Actual and expected MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY values should match"
+ );
+ equal(
+ histogram.values[12],
+ 1,
+ "Actual and expected MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA values should match"
+ );
+ equal(
+ histogram.values[13],
+ 1,
+ "Actual and expected MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE values should match"
+ );
+ equal(
+ histogram.values[14],
+ 1,
+ "Actual and expected MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE values should match"
+ );
+ equal(
+ histogram.values[15],
+ 1,
+ "Actual and expected MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE values should match"
+ );
+ equal(
+ histogram.values[16],
+ 2,
+ "Actual and expected SEC_ERROR_INVALID_TIME values should match"
+ );
+ equal(
+ histogram.values[17],
+ 1,
+ "Actual and expected MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME values should match"
+ );
+ equal(
+ histogram.values[19],
+ 4,
+ "Actual and expected MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT values should match"
+ );
+ equal(
+ histogram.values[20],
+ 1,
+ "Actual and expected MOZILLA_PKIX_ERROR_MITM_DETECTED values should match"
+ );
+
+ let keySizeHistogram = Services.telemetry
+ .getHistogramById("CERT_CHAIN_KEY_SIZE_STATUS")
+ .snapshot();
+ equal(
+ keySizeHistogram.values[0],
+ 0,
+ "Actual and expected unchecked key size values should match"
+ );
+ equal(
+ keySizeHistogram.values[1],
+ 16,
+ "Actual and expected successful verifications of 2048-bit keys should match"
+ );
+ equal(
+ keySizeHistogram.values[2] || 0,
+ 0,
+ "Actual and expected successful verifications of 1024-bit keys should match"
+ );
+ equal(
+ keySizeHistogram.values[3],
+ 70,
+ "Actual and expected verification failures unrelated to key size should match"
+ );
+
+ run_next_test();
+}
+
+// Internally, specifying "port" -1 is the same as port 443. This tests that.
+function run_port_equivalency_test(inPort, outPort) {
+ Assert.ok(
+ (inPort == 443 && outPort == -1) || (inPort == -1 && outPort == 443),
+ "The two specified ports must be -1 and 443 (in any order)"
+ );
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ let cert = constructCertFromFile("bad_certs/default-ee.pem");
+ let expectedTemporary = true;
+ certOverrideService.rememberValidityOverride(
+ "example.com",
+ inPort,
+ {},
+ cert,
+ expectedTemporary
+ );
+ let actualTemporary = {};
+ Assert.ok(
+ certOverrideService.hasMatchingOverride(
+ "example.com",
+ outPort,
+ {},
+ cert,
+ actualTemporary
+ ),
+ `override set on port ${inPort} should match port ${outPort}`
+ );
+ equal(
+ actualTemporary.value,
+ expectedTemporary,
+ "input override temporary value should match output temporary value"
+ );
+ Assert.ok(
+ !certOverrideService.hasMatchingOverride("example.com", 563, {}, cert, {}),
+ `override set on port ${inPort} should not match port 563`
+ );
+ certOverrideService.clearValidityOverride("example.com", inPort, {});
+ Assert.ok(
+ !certOverrideService.hasMatchingOverride(
+ "example.com",
+ outPort,
+ {},
+ cert,
+ {}
+ ),
+ `override cleared on port ${inPort} should match port ${outPort}`
+ );
+}
+
+function run_test() {
+ run_port_equivalency_test(-1, 443);
+ run_port_equivalency_test(443, -1);
+
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+
+ let fakeOCSPResponder = new HttpServer();
+ fakeOCSPResponder.registerPrefixHandler("/", function(request, response) {
+ response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+ });
+ fakeOCSPResponder.start(8888);
+
+ add_simple_tests();
+ add_localhost_tests();
+ add_combo_tests();
+ add_distrust_tests();
+
+ add_test(function() {
+ fakeOCSPResponder.stop(check_telemetry);
+ });
+
+ run_next_test();
+}
+
+function add_simple_tests() {
+ add_cert_override_test("expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE);
+ add_cert_override_test(
+ "notyetvalid.example.com",
+ MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE
+ );
+ add_cert_override_test("before-epoch.example.com", SEC_ERROR_INVALID_TIME);
+ add_cert_override_test(
+ "before-epoch-self-signed.example.com",
+ MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
+ );
+ add_cert_override_test(
+ "selfsigned.example.com",
+ MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
+ );
+ add_cert_override_test("unknownissuer.example.com", SEC_ERROR_UNKNOWN_ISSUER);
+ add_cert_override_test(
+ "expiredissuer.example.com",
+ SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
+ );
+ add_cert_override_test(
+ "notyetvalidissuer.example.com",
+ MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE
+ );
+ add_cert_override_test(
+ "before-epoch-issuer.example.com",
+ SEC_ERROR_INVALID_TIME
+ );
+ add_cert_override_test(
+ "md5signature.example.com",
+ SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+ );
+ add_cert_override_test(
+ "emptyissuername.example.com",
+ MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME
+ );
+ // This has name information in the subject alternative names extension,
+ // but not the subject common name.
+ add_cert_override_test("mismatch.example.com", SSL_ERROR_BAD_CERT_DOMAIN);
+ // This has name information in the subject common name but not the subject
+ // alternative names extension.
+ add_cert_override_test("mismatch-CN.example.com", SSL_ERROR_BAD_CERT_DOMAIN);
+
+ // A Microsoft IIS utility generates self-signed certificates with
+ // properties similar to the one this "host" will present.
+ add_cert_override_test(
+ "selfsigned-inadequateEKU.example.com",
+ MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
+ );
+
+ add_prevented_cert_override_test(
+ "inadequatekeyusage.example.com",
+ SEC_ERROR_INADEQUATE_KEY_USAGE
+ );
+
+ // Test triggering the MitM detection. We don't set-up a proxy here. Just
+ // set the pref. Without the pref set we expect an unkown issuer error.
+ add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER);
+ add_test(function() {
+ Services.prefs.setStringPref(
+ "security.pki.mitm_canary_issuer",
+ "CN=Test MITM Root"
+ );
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.clearValidityOverride("mitm.example.com", 8443, {});
+ run_next_test();
+ });
+ add_cert_override_test("mitm.example.com", MOZILLA_PKIX_ERROR_MITM_DETECTED);
+ add_test(function() {
+ Services.prefs.setStringPref(
+ "security.pki.mitm_canary_issuer",
+ "CN=Other MITM Root"
+ );
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.clearValidityOverride("mitm.example.com", 8443, {});
+ run_next_test();
+ });
+ // If the canary issuer doesn't match the one we see, we exepct and unknown
+ // issuer error.
+ add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER);
+ // If security.pki.mitm_canary_issuer.enabled is false, there should always
+ // be an unknown issuer error.
+ add_test(function() {
+ Services.prefs.setBoolPref(
+ "security.pki.mitm_canary_issuer.enabled",
+ false
+ );
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.clearValidityOverride("mitm.example.com", 8443, {});
+ run_next_test();
+ });
+ add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER);
+ add_test(function() {
+ Services.prefs.clearUserPref("security.pki.mitm_canary_issuer");
+ run_next_test();
+ });
+
+ // This is intended to test the case where a verification has failed for one
+ // overridable reason (e.g. unknown issuer) but then, in the process of
+ // reporting that error, a non-overridable error is encountered. The
+ // non-overridable error should be prioritized.
+ add_test(function() {
+ let rootCert = constructCertFromFile("bad_certs/test-ca.pem");
+ setCertTrust(rootCert, ",,");
+ run_next_test();
+ });
+ add_prevented_cert_override_test(
+ "nsCertTypeCritical.example.com",
+ SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION
+ );
+ add_test(function() {
+ let rootCert = constructCertFromFile("bad_certs/test-ca.pem");
+ setCertTrust(rootCert, "CTu,,");
+ run_next_test();
+ });
+
+ // Bug 990603: Apache documentation has recommended generating a self-signed
+ // test certificate with basic constraints: CA:true. For compatibility, this
+ // is a scenario in which an override is allowed.
+ add_cert_override_test(
+ "self-signed-end-entity-with-cA-true.example.com",
+ MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
+ );
+
+ add_cert_override_test(
+ "ca-used-as-end-entity.example.com",
+ MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
+ );
+
+ // If an X.509 version 1 certificate is not a trust anchor, we will
+ // encounter an overridable error.
+ add_cert_override_test(
+ "end-entity-issued-by-v1-cert.example.com",
+ MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA
+ );
+ // If we make that certificate a trust anchor, the connection will succeed.
+ add_test(function() {
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.clearValidityOverride(
+ "end-entity-issued-by-v1-cert.example.com",
+ 8443,
+ {}
+ );
+ let v1Cert = constructCertFromFile("bad_certs/v1Cert.pem");
+ setCertTrust(v1Cert, "CTu,,");
+ clearSessionCache();
+ run_next_test();
+ });
+ add_connection_test(
+ "end-entity-issued-by-v1-cert.example.com",
+ PRErrorCodeSuccess
+ );
+ // Reset the trust for that certificate.
+ add_test(function() {
+ let v1Cert = constructCertFromFile("bad_certs/v1Cert.pem");
+ setCertTrust(v1Cert, ",,");
+ clearSessionCache();
+ run_next_test();
+ });
+
+ // Due to compatibility issues, we allow overrides for certificates issued by
+ // certificates that are not valid CAs.
+ add_cert_override_test(
+ "end-entity-issued-by-non-CA.example.com",
+ SEC_ERROR_CA_CERT_INVALID
+ );
+
+ // This host presents a 1016-bit RSA key.
+ add_cert_override_test(
+ "inadequate-key-size-ee.example.com",
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
+ );
+
+ add_cert_override_test(
+ "ipAddressAsDNSNameInSAN.example.com",
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+ add_cert_override_test("noValidNames.example.com", SSL_ERROR_BAD_CERT_DOMAIN);
+ add_cert_override_test(
+ "badSubjectAltNames.example.com",
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+
+ add_cert_override_test(
+ "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_test(function() {
+ // At this point, the override for bug413909.xn--hxajbheg2az3al.xn--jxalpdlp
+ // is still valid. Do some additional tests relating to IDN handling.
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ let uri = Services.io.newURI(
+ "https://bug413909.xn--hxajbheg2az3al.xn--jxalpdlp"
+ );
+ let cert = constructCertFromFile("bad_certs/idn-certificate.pem");
+ Assert.ok(
+ certOverrideService.hasMatchingOverride(
+ uri.asciiHost,
+ 8443,
+ {},
+ cert,
+ {}
+ ),
+ "IDN certificate should have matching override using ascii host"
+ );
+ Assert.throws(
+ () =>
+ !certOverrideService.hasMatchingOverride(
+ uri.displayHost,
+ 8443,
+ {},
+ cert,
+ {}
+ ),
+ /NS_ERROR_ILLEGAL_VALUE/,
+ "IDN certificate should not have matching override using (non-ascii) host"
+ );
+ let invalidHost = uri.asciiHost.replace(/./g, c =>
+ String.fromCharCode(c.charCodeAt(0) | 0x100)
+ );
+ Assert.throws(
+ () =>
+ !certOverrideService.hasMatchingOverride(
+ invalidHost,
+ 8443,
+ {},
+ cert,
+ {}
+ ),
+ /NS_ERROR_ILLEGAL_VALUE/,
+ "hasMatchingOverride should not truncate high-bytes"
+ );
+ run_next_test();
+ });
+
+ add_test(function() {
+ // Add a bunch of overrides...
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ let cert = constructCertFromFile("bad_certs/default-ee.pem");
+ certOverrideService.rememberValidityOverride(
+ "example.com",
+ 443,
+ {},
+ cert,
+ false
+ );
+ Assert.ok(
+ certOverrideService.hasMatchingOverride("example.com", 443, {}, cert, {}),
+ "Should have added override for example.com:443"
+ );
+ certOverrideService.rememberValidityOverride(
+ "example.com",
+ 80,
+ {},
+ cert,
+ false
+ );
+ certOverrideService.rememberValidityOverride("::1", 80, {}, cert, false);
+ Assert.ok(
+ certOverrideService.hasMatchingOverride("example.com", 80, {}, cert, {}),
+ "Should have added override for example.com:80"
+ );
+ certOverrideService.rememberValidityOverride(
+ "example.org",
+ 443,
+ {},
+ cert,
+ false
+ );
+ Assert.ok(
+ certOverrideService.hasMatchingOverride("example.org", 443, {}, cert, {}),
+ "Should have added override for example.org:443"
+ );
+ Assert.ok(
+ certOverrideService.hasMatchingOverride("::1", 80, {}, cert, {}),
+ "Should have added override for [::1]:80"
+ );
+ // When in a private browsing context, overrides added in non-private
+ // contexts should match (but not vice-versa).
+ Assert.ok(
+ certOverrideService.hasMatchingOverride(
+ "example.org",
+ 443,
+ { privateBrowsingId: 1 },
+ cert,
+ {}
+ ),
+ "Should have override for example.org:443 with privateBrowsingId 1"
+ );
+ Assert.ok(
+ certOverrideService.hasMatchingOverride(
+ "example.org",
+ 443,
+ { privateBrowsingId: 2 },
+ cert,
+ {}
+ ),
+ "Should have override for example.org:443 with privateBrowsingId 2"
+ );
+ Assert.ok(
+ certOverrideService.hasMatchingOverride(
+ "example.org",
+ 443,
+ { firstPartyDomain: "example.org", userContextId: 1 },
+ cert,
+ {}
+ ),
+ "Should ignore firstPartyDomain and userContextId when checking overrides"
+ );
+ certOverrideService.rememberValidityOverride(
+ "example.org",
+ 80,
+ {},
+ cert,
+ true
+ );
+ Assert.ok(
+ certOverrideService.hasMatchingOverride("example.org", 80, {}, cert, {}),
+ "Should have added override for example.org:80"
+ );
+ certOverrideService.rememberValidityOverride(
+ "test.example.org",
+ 443,
+ { firstPartyDomain: "example.org", userContextId: 1 },
+ cert,
+ false
+ );
+ Assert.ok(
+ certOverrideService.hasMatchingOverride(
+ "test.example.org",
+ 443,
+ {},
+ cert,
+ {}
+ ),
+ "Should ignore firstPartyDomain and userContextId when adding overrides"
+ );
+ Assert.ok(
+ certOverrideService.hasMatchingOverride(
+ "test.example.org",
+ 443,
+ { firstPartyDomain: "example.com", userContextId: 2 },
+ cert,
+ {}
+ ),
+ "Should ignore firstPartyDomain and userContextId when checking overrides"
+ );
+ certOverrideService.rememberValidityOverride(
+ "example.test",
+ 443,
+ { privateBrowsingId: 1 },
+ cert,
+ false
+ );
+ Assert.ok(
+ certOverrideService.hasMatchingOverride(
+ "example.test",
+ 443,
+ { privateBrowsingId: 1 },
+ cert,
+ {}
+ ),
+ "Should have added override for example.test:443 with privateBrowsingId 1"
+ );
+ Assert.ok(
+ !certOverrideService.hasMatchingOverride(
+ "example.test",
+ 443,
+ { privateBrowsingId: 2 },
+ cert,
+ {}
+ ),
+ "Should not have override for example.test:443 with privateBrowsingId 2"
+ );
+ Assert.ok(
+ !certOverrideService.hasMatchingOverride(
+ "example.test",
+ 443,
+ {},
+ cert,
+ {}
+ ),
+ "Should not have override for example.test:443 with non-private OriginAttributes"
+ );
+ // Clear them all...
+ certOverrideService.clearAllOverrides();
+
+ // And ensure they're all gone.
+ Assert.ok(
+ !certOverrideService.hasMatchingOverride(
+ "example.com",
+ 443,
+ {},
+ cert,
+ {}
+ ),
+ "Should have removed override for example.com:443"
+ );
+ Assert.ok(
+ !certOverrideService.hasMatchingOverride("example.com", 80, {}, cert, {}),
+ "Should have removed override for example.com:80"
+ );
+ Assert.ok(
+ !certOverrideService.hasMatchingOverride(
+ "example.org",
+ 443,
+ {},
+ cert,
+ {}
+ ),
+ "Should have removed override for example.org:443"
+ );
+ Assert.ok(
+ !certOverrideService.hasMatchingOverride("example.org", 80, {}, cert, {}),
+ "Should have removed override for example.org:80"
+ );
+ Assert.ok(
+ !certOverrideService.hasMatchingOverride(
+ "example.org",
+ 443,
+ { privateBrowsingId: 1 },
+ cert,
+ {}
+ ),
+ "Should have removed override for example.org:443 with privateBrowsingId 1"
+ );
+
+ run_next_test();
+ });
+}
+
+function add_localhost_tests() {
+ add_cert_override_test("localhost", SEC_ERROR_UNKNOWN_ISSUER);
+ add_cert_override_test("127.0.0.1", SSL_ERROR_BAD_CERT_DOMAIN);
+ add_cert_override_test("::1", SSL_ERROR_BAD_CERT_DOMAIN);
+}
+
+function add_combo_tests() {
+ add_cert_override_test(
+ "mismatch-expired.example.com",
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+ add_cert_override_test(
+ "mismatch-notYetValid.example.com",
+ SSL_ERROR_BAD_CERT_DOMAIN
+ );
+ add_cert_override_test(
+ "mismatch-untrusted.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_cert_override_test(
+ "untrusted-expired.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_cert_override_test(
+ "mismatch-untrusted-expired.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+
+ add_cert_override_test(
+ "md5signature-expired.example.com",
+ SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+ );
+
+ add_cert_override_test(
+ "ca-used-as-end-entity-name-mismatch.example.com",
+ MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
+ );
+}
+
+function add_distrust_tests() {
+ // Before we specifically distrust this certificate, it should be trusted.
+ add_connection_test("untrusted.example.com", PRErrorCodeSuccess);
+
+ add_distrust_test(
+ "bad_certs/default-ee.pem",
+ "untrusted.example.com",
+ SEC_ERROR_UNTRUSTED_CERT
+ );
+
+ add_distrust_test(
+ "bad_certs/other-test-ca.pem",
+ "untrustedissuer.example.com",
+ SEC_ERROR_UNTRUSTED_ISSUER
+ );
+
+ add_distrust_test(
+ "bad_certs/test-ca.pem",
+ "ca-used-as-end-entity.example.com",
+ SEC_ERROR_UNTRUSTED_ISSUER
+ );
+}
+
+function add_distrust_test(certFileName, hostName, expectedResult) {
+ let certToDistrust = constructCertFromFile(certFileName);
+
+ add_test(function() {
+ // Add an entry to the NSS certDB that says to distrust the cert
+ setCertTrust(certToDistrust, "pu,,");
+ clearSessionCache();
+ run_next_test();
+ });
+ add_prevented_cert_override_test(hostName, expectedResult);
+ add_test(function() {
+ setCertTrust(certToDistrust, "u,,");
+ run_next_test();
+ });
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js b/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js
new file mode 100644
index 0000000000..80fa27a5d4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js
@@ -0,0 +1,94 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Tests that permanent certificate error overrides can be added even if the
+// certificate/key databases are in read-only mode.
+
+// Helper function for add_read_only_cert_override_test. Probably doesn't need
+// to be called directly.
+function add_read_only_cert_override(aHost, aSecurityInfo) {
+ let cert = aSecurityInfo.serverCert;
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ // Setting the last argument to false here ensures that we attempt to store a
+ // permanent override (which is what was failing in bug 1427273).
+ certOverrideService.rememberValidityOverride(aHost, 8443, {}, cert, false);
+}
+
+// Given a host and an expected error code, tests that an initial connection to
+// the host fails with the expected errors and that adding an override results
+// in a subsequent connection succeeding.
+function add_read_only_cert_override_test(aHost, aExpectedError) {
+ add_connection_test(
+ aHost,
+ aExpectedError,
+ null,
+ add_read_only_cert_override.bind(this, aHost)
+ );
+ add_connection_test(aHost, PRErrorCodeSuccess, null, aSecurityInfo => {
+ Assert.ok(
+ aSecurityInfo.securityState &
+ Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
+ "Cert override flag should be set on the security state"
+ );
+ });
+}
+
+function run_test() {
+ let profile = do_get_profile();
+ const KEY_DB_NAME = "key4.db";
+ const CERT_DB_NAME = "cert9.db";
+ let srcKeyDBFile = do_get_file(
+ `test_cert_overrides_read_only/${KEY_DB_NAME}`
+ );
+ srcKeyDBFile.copyTo(profile, KEY_DB_NAME);
+ let srcCertDBFile = do_get_file(
+ `test_cert_overrides_read_only/${CERT_DB_NAME}`
+ );
+ srcCertDBFile.copyTo(profile, CERT_DB_NAME);
+
+ // set the databases to read-only
+ let keyDBFile = do_get_profile();
+ keyDBFile.append(KEY_DB_NAME);
+ keyDBFile.permissions = 0o400;
+ let certDBFile = do_get_profile();
+ certDBFile.append(CERT_DB_NAME);
+ certDBFile.permissions = 0o400;
+
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ // Specifying false as the last argument means we don't try to add the default
+ // test root CA (which would fail).
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs", false);
+
+ let fakeOCSPResponder = new HttpServer();
+ fakeOCSPResponder.registerPrefixHandler("/", function(request, response) {
+ response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+ });
+ fakeOCSPResponder.start(8888);
+
+ // Since we can't add the root CA to the (read-only) trust db, all of these
+ // will result in an "unknown issuer error" and need the "untrusted" error bit
+ // set in addition to whatever other specific error bits are necessary.
+ add_read_only_cert_override_test(
+ "expired.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_read_only_cert_override_test(
+ "selfsigned.example.com",
+ MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
+ );
+ add_read_only_cert_override_test(
+ "mismatch.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+
+ add_test(function() {
+ fakeOCSPResponder.stop(run_next_test);
+ });
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_overrides_read_only/cert9.db b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/cert9.db
new file mode 100644
index 0000000000..3d452f335c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/cert9.db
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_overrides_read_only/key4.db b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/key4.db
new file mode 100644
index 0000000000..44d0cb1728
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/key4.db
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1.js b/security/manager/ssl/tests/unit/test_cert_sha1.js
new file mode 100644
index 0000000000..9513102b56
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1.js
@@ -0,0 +1,53 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests the rejection of SHA-1 certificates.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+// (new Date("2016-03-01")).getTime() / 1000
+const VALIDATION_TIME = 1456790400;
+
+function certFromFile(certName) {
+ return constructCertFromFile("test_cert_sha1/" + certName + ".pem");
+}
+
+function loadCertWithTrust(certName, trustString) {
+ addCertFromFile(certdb, "test_cert_sha1/" + certName + ".pem", trustString);
+}
+
+function checkEndEntity(cert, expectedResult) {
+ return checkCertErrorGenericAtTime(
+ certdb,
+ cert,
+ expectedResult,
+ certificateUsageSSLServer,
+ VALIDATION_TIME
+ );
+}
+
+add_task(async function() {
+ loadCertWithTrust("ca", "CTu,,");
+ loadCertWithTrust("int-pre", ",,");
+ loadCertWithTrust("int-post", ",,");
+
+ await checkEndEntity(
+ certFromFile("ee-pre_int-pre"),
+ SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+ );
+ await checkEndEntity(
+ certFromFile("ee-post_int-pre"),
+ SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+ );
+ await checkEndEntity(
+ certFromFile("ee-post_int-post"),
+ SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem
new file mode 100644
index 0000000000..60140056de
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUUbC4F7yPobFDd+B73iWKejQ3THkwDQYJKoZIhvcNAQEF
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDUwMDEwMTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAsGA1UdDwQEAwIBBjAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCU+Y0AeMXFIfX4/L2aX37uSR70
+pGpPrh0FPOwBO2ETUc4j7Whol9wOSPnUwuPIpiDhar5qRuhY6aCPGTIJbRZrVeXv
+T5uFQXq+3CQdIyI55AkFDh9tO7wX7p3pRgzma47mBxIH082Uwy7+eEeQfhuJ5cU4
+e/zyHf6FEdkSrDjgwDip+dn8Q7tnjdaN3WYQjOFRXkHyYCIFkORDPTbYSYZ6DAqq
+Q/loKTdrcbyeEwFVBZxQu4Nb6mjhkfk8U+8TIGMCTQXhoQhgMWMeMo2E0kWvYbjc
+YDiRzmnsdvPu2LKnTvH28M9ODi3ZzcOuLs6jAKAiXISq0CbmwaddV/oAMoF2
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem.certspec
new file mode 100644
index 0000000000..7e65e9ee30
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem.certspec
@@ -0,0 +1,6 @@
+issuer:ca
+subject:ca
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
+signature:sha1WithRSAEncryption
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem
new file mode 100644
index 0000000000..8fb93e69e3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtTCCAZ2gAwIBAgIUJWQl8gkrLL7gPn47YYMdN7qBP5wwDQYJKoZIhvcNAQEF
+BQAwEzERMA8GA1UEAwwIaW50LXBvc3QwIhgPMjAxNjAxMDIwMDAwMDBaGA8yMDE3
+MDIwMTAwMDAwMFowEjEQMA4GA1UEAwwHZWUtcG9zdDCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7
+wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp
+k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh
+eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW
+EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc
+JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B
+AQUFAAOCAQEAVOPvLS8zwos/RdClnabdxMh5g1WN5T1BsIMExE6oU6sJ7n4HyIXt
+RnFTFe0t2CdXBCQPK6qG8ymeLQFNKykYlQxVZb8m5YgUK3k4IeMS/EoX4g7taREI
+IwK9/n7+oKZYlz2Q/ro/R2HFmLXsCIUrsxV3vAWQCm8rSeCKzEVNlDaQ5FEMVAM7
+VlNhNNKtUnXkzZ3SRj6O4eOq3G4azr5DNo5kAQPaIbAI3k/3AHyPqIjHcoSiG1Ug
+aqzIK6fNNCIAxIKAY2ERJfxA4fPlBZXono2sCOgCdFfF7QAo+o9SO8v3B+djuHgb
+flbfdyEnN+y32UpYe3qV8LnFmRqGAe/vbQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem.certspec
new file mode 100644
index 0000000000..76834f8447
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-post
+subject:ee-post
+validity:20160102-20170201
+signature:sha1WithRSAEncryption
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem
new file mode 100644
index 0000000000..2385322a64
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtDCCAZygAwIBAgIUIVsTCuql4BDO2r4O5zePBEoHg3QwDQYJKoZIhvcNAQEF
+BQAwEjEQMA4GA1UEAwwHaW50LXByZTAiGA8yMDE2MDEwMTAwMDAwMFoYDzIwMTcw
+MjAxMDAwMDAwWjASMRAwDgYDVQQDDAdlZS1wb3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB
+BQUAA4IBAQCW5zeJg+LzGn07GtdBprRLarL7aLNFSr+s+3yzphq9kN43prElX6eD
+gdggPWicZozTm3IFLfJfsuhiodBZjWmkF/dsvvT3W77AcKzNWjShCnnA/Vf5IF6k
+U01ROfjmgcX0mMuhVUB7b9Fl6G5DFxJgny2jYehZcJIzWUBLiwu41TIxj5Cv5F9p
++XIHEyygqm8rYzbW8F49FRbsDD9nvhmdVqXsoTaKxY8bsKKu1EpBSBXozRbLKcAn
+/zrLy0HHS4qfXTHm0UKt+RCYVylL5I5YGR6rapXHChkBTBHFXdkPVsW5uHKBdBqY
+98zoAAMWRvJ3xOuqAbtKG6DKadiOpz6l
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem.certspec
new file mode 100644
index 0000000000..1e8bb35b34
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-pre
+subject:ee-post
+validity:20160101-20170201
+signature:sha1WithRSAEncryption
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem
new file mode 100644
index 0000000000..11a5e41e99
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUOU+CyYnf3GRRgGHvbeJB8HTUvJ4wDQYJKoZIhvcNAQEF
+BQAwEjEQMA4GA1UEAwwHaW50LXByZTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMTcw
+MjAxMDAwMDAwWjARMQ8wDQYDVQQDDAZlZS1wcmUwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEF
+BQADggEBACWLcVnT0nNyU/qFZNDZPGDFPuZCXuodBf3sgz1XDmcp5wlH+IjW3J8H
+3HH6ZwIUpTtppqVxuvo2y9GP+GNyeXhxmokHTVdKDj8HqYl5lV+reO1UmzEH0AU8
+x3hd2Fkzv/h3N3EPVETWuPiFSB0oAN/xwsXC/7Yi4AY0s/I/4q/vkS76Oa2RyL3f
+gbaa80+nR73BX+0wRqyg+Sgo2hOzjkCQchtZPUFYsRLhsHHBnokD8GJlT7NBKSN1
+TFt6uXpfEmqDICoyZoAw6rtnFfdEsZNo+PU6NDN3T0fkolBQPvuzfqcqAl85dpJK
+ow8mFKkb2t6qQH98yabi/172l03/P34=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem.certspec
new file mode 100644
index 0000000000..0f4a6ec257
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-pre
+subject:ee-pre
+validity:20150101-20170201
+signature:sha1WithRSAEncryption
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem
new file mode 100644
index 0000000000..94ab4f5b15
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzzCCAbegAwIBAgIUYQ6xulHM0FrQ0sKMdbPI2ecC3PcwDQYJKoZIhvcNAQEF
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjAxMDEwMDAwMDBaGA8yMDI2MDEwMTAw
+MDAwMFowEzERMA8GA1UEAwwIaW50LXBvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg
+2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ
+5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ
+PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj
+DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W
+iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAsGA1UdDwQEAwIB
+BjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCJN8/XexXMusXYbhVW
+uYA1YpaSTrz96CXlckIuABnzCrGD5iHkfFoB0LPKd+EZ80fdHIvS1zQTYohy6O95
+JageOaTY9HsOEqsgr1BA9VKZW4QlGp7csQzNMa52WRetimv6XY/lrfPf4qAhomWG
+/ImmLJpGTVPhEdz6Pl4Kvmf9zNf/BcXtBTWLSGWUC5UItC58WTopqcr5kLg3DmXB
+Qr7DjqA7DT92N6qefFkTYspDZJzv0nL9OfqkdCj/s6bm3iisTQq3aek6IP6OEkXF
+4TWUF3RDBsyRpG8jt/XsOsrwJDOGZGFPmMTz2uZPsZkeZhU+sfFDWL7wojl7kHV1
+c7f5
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem.certspec
new file mode 100644
index 0000000000..50156c9f6e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem.certspec
@@ -0,0 +1,6 @@
+issuer:ca
+subject:int-post
+validity:20160101-20260101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
+signature:sha1WithRSAEncryption
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem
new file mode 100644
index 0000000000..0b916d5755
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAgIUYW27TGzVOIbjpG1ADx7m7mZnrNQwDQYJKoZIhvcNAQEF
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDIwMDEwMTAw
+MDAwMFowEjEQMA4GA1UEAwwHaW50LXByZTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY
+H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk
+27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9
+0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM
+kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL
+L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswCwYDVR0PBAQDAgEG
+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAESNgcKkxBwkaBykKo2Q
+GzgimnI3eNw8O8GrhefL+r3Ek/CH4/oBHGvfvrz6D19uemdOyHxo5QNW2iWEq0No
+pE6Hhm504P1fdkfQvjqjIhu/h3y5QjO3zdMGeVE/39TWAGrGsNFKE+jSxm8IbycF
+Ue6165agasf+PhQdorjFca48iLcowKYs5Df0SAhY7zbw1fM1HTr1YGAXc1K9aCA5
+fTmu8Nd0fNKc1NcbNDpdCG2YEj1nox1iMN5A4nY1ve88zJsnlpfsoJkHJqo2Cy+M
+mpQSnkTlf3Gfpl8NO3UW9FTcnK8L4Ix2DSNBDe8Yg2YL5w/VIxecFwlmwV0wWdg6
+vl0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem.certspec
new file mode 100644
index 0000000000..9f0a59ee99
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem.certspec
@@ -0,0 +1,6 @@
+issuer:ca
+subject:int-pre
+validity:20100101-20200101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
+signature:sha1WithRSAEncryption
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures.js b/security/manager/ssl/tests/unit/test_cert_signatures.js
new file mode 100644
index 0000000000..e92b5a4ab8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures.js
@@ -0,0 +1,140 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that certificates cannot be tampered with without being detected.
+// Tests a combination of cases: RSA signatures, ECDSA signatures, certificate
+// chains where the intermediate has been tampered with, chains where the
+// end-entity has been tampered, tampering of the signature, and tampering in
+// the rest of the certificate.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+var certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+// Reads a PEM-encoded certificate, modifies the nth byte (0-indexed), and
+// returns the base64-encoded bytes of the certificate. Negative indices may be
+// specified to modify a byte from the end of the certificate.
+function readAndTamperWithNthByte(certificatePath, n) {
+ let pem = readFile(do_get_file(certificatePath, false));
+ let der = atob(pemToBase64(pem));
+ if (n < 0) {
+ // remember, n is negative at this point
+ n = der.length + n;
+ }
+ let replacement = "\x22";
+ if (der.charCodeAt(n) == replacement) {
+ replacement = "\x23";
+ }
+ der = der.substring(0, n) + replacement + der.substring(n + 1);
+ return btoa(der);
+}
+
+// The signature on certificates appears last. This should modify the contents
+// of the signature such that it no longer validates correctly while still
+// resulting in a structurally valid certificate.
+const BYTE_IN_SIGNATURE = -8;
+function addSignatureTamperedCertificate(certificatePath) {
+ let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SIGNATURE);
+ certdb.addCertFromBase64(base64, ",,");
+}
+
+function ensureSignatureVerificationFailure(certificatePath) {
+ let cert = constructCertFromFile(certificatePath);
+ return checkCertErrorGeneric(
+ certdb,
+ cert,
+ SEC_ERROR_BAD_SIGNATURE,
+ certificateUsageSSLServer
+ );
+}
+
+function tamperWithSignatureAndEnsureVerificationFailure(certificatePath) {
+ let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SIGNATURE);
+ let cert = certdb.constructX509FromBase64(base64);
+ return checkCertErrorGeneric(
+ certdb,
+ cert,
+ SEC_ERROR_BAD_SIGNATURE,
+ certificateUsageSSLServer
+ );
+}
+
+// The beginning of a certificate looks like this (in hex, using DER):
+// 30 XX XX XX [the XX encode length - there are probably 3 bytes here]
+// 30 XX XX XX [length again]
+// A0 03
+// 02 01
+// 02
+// 02 XX [length again - 1 byte as long as we're using pycert]
+// XX XX ... [serial number - 20 bytes as long as we're using pycert]
+// Since we want to modify the serial number, we need to change something from
+// byte 15 to byte 34 (0-indexed). If it turns out that the two length sections
+// we assumed were 3 bytes are shorter (they can't be longer), modifying
+// something from byte 15 to byte 30 will still get us what we want. Since the
+// serial number is a DER INTEGER and because it must be positive, it's best to
+// skip the first two bytes of the serial number so as to not run into any
+// issues there. Thus byte 17 is a good byte to modify.
+const BYTE_IN_SERIAL_NUMBER = 17;
+function addSerialNumberTamperedCertificate(certificatePath) {
+ let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SERIAL_NUMBER);
+ certdb.addCertFromBase64(base64, ",,");
+}
+
+function tamperWithSerialNumberAndEnsureVerificationFailure(certificatePath) {
+ let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SERIAL_NUMBER);
+ let cert = certdb.constructX509FromBase64(base64);
+ return checkCertErrorGeneric(
+ certdb,
+ cert,
+ SEC_ERROR_BAD_SIGNATURE,
+ certificateUsageSSLServer
+ );
+}
+
+add_task(async function() {
+ addCertFromFile(certdb, "test_cert_signatures/ca-rsa.pem", "CTu,,");
+ addCertFromFile(certdb, "test_cert_signatures/ca-secp384r1.pem", "CTu,,");
+
+ // Tamper with the signatures on intermediate certificates and ensure that
+ // end-entity certificates issued by those intermediates do not validate
+ // successfully.
+ addSignatureTamperedCertificate("test_cert_signatures/int-rsa.pem");
+ addSignatureTamperedCertificate("test_cert_signatures/int-secp384r1.pem");
+ await ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem");
+ await ensureSignatureVerificationFailure(
+ "test_cert_signatures/ee-secp384r1.pem"
+ );
+
+ // Tamper with the signatures on end-entity certificates and ensure that they
+ // do not validate successfully.
+ await tamperWithSignatureAndEnsureVerificationFailure(
+ "test_cert_signatures/ee-rsa-direct.pem"
+ );
+ await tamperWithSignatureAndEnsureVerificationFailure(
+ "test_cert_signatures/ee-secp384r1-direct.pem"
+ );
+
+ // Tamper with the serial numbers of intermediate certificates and ensure
+ // that end-entity certificates issued by those intermediates do not validate
+ // successfully.
+ addSerialNumberTamperedCertificate("test_cert_signatures/int-rsa.pem");
+ addSerialNumberTamperedCertificate("test_cert_signatures/int-secp384r1.pem");
+ await ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem");
+ await ensureSignatureVerificationFailure(
+ "test_cert_signatures/ee-secp384r1.pem"
+ );
+
+ // Tamper with the serial numbers of end-entity certificates and ensure that
+ // they do not validate successfully.
+ await tamperWithSerialNumberAndEnsureVerificationFailure(
+ "test_cert_signatures/ee-rsa-direct.pem"
+ );
+ await tamperWithSerialNumberAndEnsureVerificationFailure(
+ "test_cert_signatures/ee-secp384r1-direct.pem"
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem
new file mode 100644
index 0000000000..60fb8c8280
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUT8jfl072RlfOreJkjWraanVZqnUwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGY2EtcnNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBExDzANBgNVBAMMBmNhLXJzYTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBACAWVqoxSxIyJ0Am
+28SrJn1ussg8npP2ETHrTfoynoV5bz8qNIoK0draCheU4gKNut8dZ68mkj8gMSoj
+vxGfXMRW3FNIrAKbn/Asuyjz2MD9LHRvf4ELypEIywS0bBDdV1sWSbek9XU7uobz
+mQMvn/HzTo4PW2+N9M+V0SEj2WV8fY7j1YHmggnmDy2TJrgrviXeJC9StlifNQy8
+GwN7EDctuJ0epoKzpKJGTdSLOty4FyuAEfY2MKQcvvP5xk6u8rEWCbbEq7gW4Voo
+F8EbC8AauuFRyXgD3hN3YHgFvRatXMF0y/w/g6RH3Phl+1P5kxTz702UJradTjzo
+zRHh5Pc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem.certspec
new file mode 100644
index 0000000000..5890d2db60
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca-rsa
+subject:ca-rsa
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem
new file mode 100644
index 0000000000..7a6421456b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBjzCCARSgAwIBAgIUU56dEINjI+b83xJvJn1PQt/p41YwCgYIKoZIzj0EAwIw
+FzEVMBMGA1UEAwwMY2Etc2VjcDM4NHIxMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAy
+NDAyMDUwMDAwMDBaMBcxFTATBgNVBAMMDGNhLXNlY3AzODRyMTB2MBAGByqGSM49
+AgEGBSuBBAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMt
+qM6Y6DFTTmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC
+8Fr3Gh/dzIN0qm6pzqMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYI
+KoZIzj0EAwIDaQAwZgIxAO0GJz6haDpUtNgaQ3SESJY85j6+gRcD7Nc9cvCiVAZZ
+1OxFRuhW515lVbeTqfcA8wIxAIr+3diKqPT5EEiOXgoswSP8CwuLNe4pc6AjdCV+
+dnE9Ibr64s45zjHfjcRLja/Z+w==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem.certspec
new file mode 100644
index 0000000000..0701c23c1e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem.certspec
@@ -0,0 +1,7 @@
+issuer:ca-secp384r1
+subject:ca-secp384r1
+issuerKey:secp384r1
+subjectKey:secp384r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem
new file mode 100644
index 0000000000..46e6e5ceae
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuTCCAaGgAwIBAgIUGzRGmvrzu+NFvnMfZjX1GG3QF4gwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGY2EtcnNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBgxFjAUBgNVBAMMDWVlLXJzYS1kaXJlY3QwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZI
+hvcNAQELBQADggEBAHtV0do2QpXEzm8OwnFt1LVlNqxaVCRKFENCc9nOKBHODbhS
+/6YZcvI/CNn1JNFhDgHKiTdiiYdu2aqy0Y6WbnSzHqfHmGrvLBskMH+6xDK+6qSp
+bvTR6iWyUql7X4K/J1VGeXAZHFysbxlvrhONSkRHZBDv+4nu3zEB6euIFeCMfGNH
+sxgp9I51d3vb8JiRqvB0FA5FcN7Od2MHv008rcXRAcCfKvm7DX25ZLVX9hSmPD/4
+KiJFK6nidDiguIkaD558IFp0Oc/5zOP0iGpynzICRuuAOdO5lAXMpzRrJzftvQiP
+B3+ED28z7nuI0nkSMBWlpIy/uL7s4VaChR/uSEo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem.certspec
new file mode 100644
index 0000000000..4e25ddcf94
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca-rsa
+subject:ee-rsa-direct
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem
new file mode 100644
index 0000000000..1eafd948f2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUSTmi0SZM0FZ2whVeqfymGPKOiZ8wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHaW50LXJzYTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjARMQ8wDQYDVQQDDAZlZS1yc2EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAIFbfCcJOg5Q4wsfmHgwyx4P80o11WKLC6UytwA17yc47sCGx8+df/Ac
+KxrG4j0pVqee/61NxpwvIozJV8k2aoj8pDmECa4CfbHpikSU6Gd0xWX3zl/z6gAl
+6w0LIrIFk5edWlcLwrH3zX5FmukXcXb5oiEubSoaO2F78ws1UXzA7AzMoY5yZEbM
+0fAJr3f1KMpdOY8nNLIctzD23oFxeiN/HuzE4KI2FLXjYsMFYGXo8cMJlwnRxr05
+L5Po1VCe6lzFAZpC62S4l9BKlPHOOtBL77RNVz07KDxKyzoTMWRw7EgYp5HyvBa6
+lG8GpcFyJcMN5eq2PTKxrEaZKu73PQ8=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem.certspec
new file mode 100644
index 0000000000..b974a0a0a8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-rsa
+subject:ee-rsa
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem
new file mode 100644
index 0000000000..d66fd61ef5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBdjCB/KADAgECAhRFwdFDhUYutDxj04OT4wqoqfIMRTAKBggqhkjOPQQDAjAX
+MRUwEwYDVQQDDAxjYS1zZWNwMzg0cjEwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0
+MDIwNTAwMDAwMFowHjEcMBoGA1UEAwwTZWUtc2VjcDM4NHIxLWRpcmVjdDB2MBAG
+ByqGSM49AgEGBSuBBAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22CO
+JS3ktxMtqM6Y6DFTTmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXED
+viiIz/AC8Fr3Gh/dzIN0qm6pzjAKBggqhkjOPQQDAgNpADBmAjEA7QYnPqFoOlS0
+2BpDdIRIljzmPr6BFwPs1z1y8KJUBlnU7EVG6FbnXmVVt5Op9wDzAjEAu7C/bumy
+Dq9mke/MI7TCi3WKCJ5jFXDA2qErfTjJQ2FvSVk4970Vd78vSR8e7xZ3
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem.certspec
new file mode 100644
index 0000000000..386ab95f78
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca-secp384r1
+subject:ee-secp384r1-direct
+issuerKey:secp384r1
+subjectKey:secp384r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem
new file mode 100644
index 0000000000..b3a310303a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbzCB9qADAgECAhRHCf3/9aTW4X0AHQfxJGe+P2tNazAKBggqhkjOPQQDAjAY
+MRYwFAYDVQQDDA1pbnQtc2VjcDM4NHIxMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAy
+NDAyMDUwMDAwMDBaMBcxFTATBgNVBAMMDGVlLXNlY3AzODRyMTB2MBAGByqGSM49
+AgEGBSuBBAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMt
+qM6Y6DFTTmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC
+8Fr3Gh/dzIN0qm6pzjAKBggqhkjOPQQDAgNoADBlAjEA7QYnPqFoOlS02BpDdIRI
+ljzmPr6BFwPs1z1y8KJUBlnU7EVG6FbnXmVVt5Op9wDzAjBtn1PwZNY1ZR//hvpP
+r6deQnBTAS/f09KRS1DnuZypQdLFxlHVuGb3U5PL5bF298A=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem.certspec
new file mode 100644
index 0000000000..b8f7993be8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-secp384r1
+subject:ee-secp384r1
+issuerKey:secp384r1
+subjectKey:secp384r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem
new file mode 100644
index 0000000000..f886a9a3a6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0jCCAbqgAwIBAgIUActQ49AIBGNcpw2ugrUFaaE2qMIwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGY2EtcnNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBIxEDAOBgNVBAMMB2ludC1yc2EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQF
+MAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBskZ1Lc1PHuC2r
+Jk317zOhzQlXtGCx7EbKq+wd4kdb/1dnjEiLqgASktBIaNd2249DZC1bpiF+DGYR
+k1D7DBfduygiukI3/MY19+tvUaM0C2RCo+H69pjFKGS0y9mVSxm15iwk4+DzAOpC
+Q/duzYUflOQJVDL6adPWubRAlAk9p1n4LDD9JQhuGIE5Tt4MytjxN6aGSNb6erFd
+mDgRS4dLN8JdwyI0b1AVIFulCpimnS/jf9PSEKD63xZmL/ofqXGe/V5OA3LsmHkw
+rIocCL7q/F4wImI2hELlEVsT9O6hAFSC6yVtvSCsh1421+QR1xqrfqY6luO4rMK2
+AdB34jUa
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem.certspec
new file mode 100644
index 0000000000..a86d28b44a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca-rsa
+subject:int-rsa
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem
new file mode 100644
index 0000000000..5a62aaf50a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBjzCCARWgAwIBAgIUKebpNrQIc1+bS1ss5l/kfaGctGwwCgYIKoZIzj0EAwIw
+FzEVMBMGA1UEAwwMY2Etc2VjcDM4NHIxMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAy
+NDAyMDUwMDAwMDBaMBgxFjAUBgNVBAMMDWludC1zZWNwMzg0cjEwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAAShaHJDNitcexiJ83kVRhWhxz+0je6GPgIpFdtgjiUt5LcT
+LajOmOgxU05qnAwLCcjWOa3oMgbluoE0c6EfozDgXajJbkOD/ieHPalxA74oiM/w
+AvBa9xof3cyDdKpuqc6jHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG
+CCqGSM49BAMCA2gAMGUCMQDtBic+oWg6VLTYGkN0hEiWPOY+voEXA+zXPXLwolQG
+WdTsRUboVudeZVW3k6n3APMCMD4MFMoR0AN/qV8Z7nT39tgi0LNpH8s05ltV61rc
+qqcPR+e8kOLUxDV29JfJM4icfg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem.certspec
new file mode 100644
index 0000000000..e002a1569a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem.certspec
@@ -0,0 +1,7 @@
+issuer:ca-secp384r1
+subject:int-secp384r1
+issuerKey:secp384r1
+subjectKey:secp384r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_storage.js b/security/manager/ssl/tests/unit/test_cert_storage.js
new file mode 100644
index 0000000000..7cb61e2b6a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage.js
@@ -0,0 +1,258 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This test checks a number of things:
+// * it ensures that data loaded from revocations.txt on startup is present
+// * it ensures that data served from OneCRL are persisted correctly
+// * it ensures that items in the CertBlocklist are seen as revoked by the
+// cert verifier
+// * it does a sanity check to ensure other cert verifier behavior is
+// unmodified
+
+const { RemoteSecuritySettings } = ChromeUtils.import(
+ "resource://gre/modules/psm/RemoteSecuritySettings.jsm"
+);
+
+// First, we need to setup appInfo for the blocklist service to work
+var id = "xpcshell@tests.mozilla.org";
+var appName = "XPCShell";
+var version = "1";
+var platformVersion = "1.9.2";
+const { updateAppInfo } = ChromeUtils.importESModule(
+ "resource://testing-common/AppInfo.sys.mjs"
+);
+updateAppInfo({
+ name: appName,
+ ID: id,
+ version,
+ platformVersion: platformVersion ? platformVersion : "1.0",
+ crashReporter: true,
+});
+
+// we need to ensure we setup revocation data before certDB, or we'll start with
+// no revocation.txt in the profile
+var gProfile = do_get_profile();
+
+var gRevocations = gProfile.clone();
+gRevocations.append("revocations.txt");
+if (!gRevocations.exists()) {
+ let existing = do_get_file("test_onecrl/sample_revocations.txt", false);
+ existing.copyTo(gProfile, "revocations.txt");
+}
+
+var certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const certBlocklist = [
+ // test with some bad data ...
+ {
+ issuerName: "Some nonsense in issuer",
+ serialNumber: "AkHVNA==",
+ },
+ {
+ issuerName: "MA0xCzAJBgNVBAMMAmNh",
+ serialNumber: "some nonsense in serial",
+ },
+ {
+ issuerName: "and serial",
+ serialNumber: "some nonsense in both issuer",
+ },
+ // some mixed
+ // In these case, the issuer name and the valid serialNumber correspond
+ // to test-int.pem in bad_certs/
+ {
+ issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+ serialNumber: "oops! more nonsense.",
+ },
+ {
+ issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+ serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=",
+ },
+ // ... and some good
+ // In this case, the issuer name and the valid serialNumber correspond
+ // to other-test-ca.pem in bad_certs/ (for testing root revocation)
+ {
+ issuerName: "MBgxFjAUBgNVBAMMDU90aGVyIHRlc3QgQ0E=",
+ serialNumber: "Rym6o+VN9xgZXT/QLrvN/nv1ZN4=",
+ },
+ // These items correspond to an entry in sample_revocations.txt where:
+ // isser name is the base-64 encoded subject DN for the shared Test
+ // Intermediate and the serialNumbers are base-64 encoded 78 and 31,
+ // respectively.
+ // We need this to ensure that existing items are retained if they're
+ // also in the blocklist
+ {
+ issuerName: "MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl",
+ serialNumber: "Tg==",
+ },
+ {
+ issuerName: "MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl",
+ serialNumber: "Hw==",
+ },
+ // This item revokes same-issuer-ee.pem by subject and pubKeyHash.
+ {
+ subject: "MCIxIDAeBgNVBAMMF0Fub3RoZXIgVGVzdCBFbmQtZW50aXR5",
+ pubKeyHash: "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=",
+ },
+];
+
+function verify_cert(file, expectedError) {
+ let ee = constructCertFromFile(file);
+ return checkCertErrorGeneric(
+ certDB,
+ ee,
+ expectedError,
+ certificateUsageSSLServer
+ );
+}
+
+// The certificate blocklist currently only applies to TLS server certificates.
+async function verify_non_tls_usage_succeeds(file) {
+ let ee = constructCertFromFile(file);
+ await checkCertErrorGeneric(
+ certDB,
+ ee,
+ PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certDB,
+ ee,
+ PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certDB,
+ ee,
+ PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+}
+
+function load_cert(cert, trust) {
+ let file = "bad_certs/" + cert + ".pem";
+ addCertFromFile(certDB, file, trust);
+}
+
+async function update_blocklist() {
+ const { OneCRLBlocklistClient } = RemoteSecuritySettings.init();
+
+ const fakeEvent = {
+ current: certBlocklist, // with old .txt revocations.
+ deleted: [],
+ created: certBlocklist, // with new cert storage.
+ updated: [],
+ };
+ await OneCRLBlocklistClient.emit("sync", { data: fakeEvent });
+ // Save the last check timestamp, used by cert_storage to assert
+ // if the blocklist is «fresh».
+ Services.prefs.setIntPref(
+ OneCRLBlocklistClient.lastCheckTimePref,
+ Math.floor(Date.now() / 1000)
+ );
+}
+
+function run_test() {
+ // import the certificates we need
+ load_cert("test-ca", "CTu,CTu,CTu");
+ load_cert("test-int", ",,");
+ load_cert("other-test-ca", "CTu,CTu,CTu");
+
+ add_task(async function() {
+ // check some existing items in revocations.txt are blocked.
+ // This test corresponds to:
+ // issuer: MBIxEDAOBgNVBAMMB1Rlc3QgQ0E= (CN=Test CA)
+ // serial: Kg== (42)
+ let file = "test_onecrl/ee-revoked-by-revocations-txt.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+ // This test corresponds to:
+ // issuer: MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl (CN=Test Intermediate)
+ // serial: Tg== (78)
+ file = "test_onecrl/another-ee-revoked-by-revocations-txt.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+ // And this test corresponds to:
+ // issuer: MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl (CN=Test Intermediate)
+ // serial: Hw== (31)
+ // (we test this issuer twice to ensure we can read multiple serials)
+ file = "test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+ // Test that a certificate revoked by subject and public key hash in
+ // revocations.txt is revoked
+ // subject: MCsxKTAnBgNVBAMMIEVFIFJldm9rZWQgQnkgU3ViamVjdCBhbmQgUHViS2V5
+ // (CN=EE Revoked By Subject and PubKey)
+ // pubkeyhash: VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8 (this is the
+ // shared RSA SPKI)
+ file = "test_onecrl/ee-revoked-by-subject-and-pubkey.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+ // Soon we'll load a blocklist which revokes test-int.pem, which issued
+ // test-int-ee.pem.
+ // Check the cert validates before we load the blocklist
+ file = "test_onecrl/test-int-ee.pem";
+ await verify_cert(file, PRErrorCodeSuccess);
+
+ // The blocklist also revokes other-test-ca.pem, which issued
+ // other-ca-ee.pem. Check the cert validates before we load the blocklist
+ file = "bad_certs/other-issuer-ee.pem";
+ await verify_cert(file, PRErrorCodeSuccess);
+
+ // The blocklist will revoke same-issuer-ee.pem via subject / pubKeyHash.
+ // Check the cert validates before we load the blocklist
+ file = "test_onecrl/same-issuer-ee.pem";
+ await verify_cert(file, PRErrorCodeSuccess);
+ });
+
+ // blocklist load is async so we must use add_test from here
+ add_task(update_blocklist);
+
+ add_task(async function() {
+ // The blocklist will be loaded now. Let's check the data is sane.
+ // In particular, we should still have the revoked issuer / serial pair
+ // that was in revocations.txt but not the blocklist.
+ let file = "test_onecrl/ee-revoked-by-revocations-txt.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+ // We should also still have the revoked issuer / serial pairs that were in
+ // revocations.txt and are also in the blocklist.
+ file = "test_onecrl/another-ee-revoked-by-revocations-txt.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+ file = "test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+ // The cert revoked by subject and pubkeyhash should still be revoked.
+ file = "test_onecrl/ee-revoked-by-subject-and-pubkey.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+ // Check the blocklisted intermediate now causes a failure
+ file = "test_onecrl/test-int-ee.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+ await verify_non_tls_usage_succeeds(file);
+
+ // Check the ee with the blocklisted root also causes a failure
+ file = "bad_certs/other-issuer-ee.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+ await verify_non_tls_usage_succeeds(file);
+
+ // Check the ee blocked by subject / pubKey causes a failure
+ file = "test_onecrl/same-issuer-ee.pem";
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+ await verify_non_tls_usage_succeeds(file);
+
+ // Check a non-blocklisted chain still validates OK
+ file = "bad_certs/default-ee.pem";
+ await verify_cert(file, PRErrorCodeSuccess);
+
+ // Check a bad cert is still bad (unknown issuer)
+ file = "bad_certs/unknownissuer.pem";
+ await verify_cert(file, SEC_ERROR_UNKNOWN_ISSUER);
+ });
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_broken_db.js b/security/manager/ssl/tests/unit/test_cert_storage_broken_db.js
new file mode 100644
index 0000000000..185f7cff00
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_broken_db.js
@@ -0,0 +1,72 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This file tests cert_storage's automatic database recreation mechanism. If
+// opening the database for the first time fails, cert_storage will re-create
+// it.
+
+function call_has_prior_data(certStorage, type) {
+ return new Promise(resolve => {
+ certStorage.hasPriorData(type, (rv, hasPriorData) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve(hasPriorData);
+ });
+ });
+}
+
+async function check_has_prior_revocation_data(certStorage, expectedResult) {
+ let hasPriorRevocationData = await call_has_prior_data(
+ certStorage,
+ Ci.nsICertStorage.DATA_TYPE_REVOCATION
+ );
+ Assert.equal(
+ hasPriorRevocationData,
+ expectedResult,
+ `should ${expectedResult ? "have" : "not have"} prior revocation data`
+ );
+}
+
+async function check_has_prior_cert_data(certStorage, expectedResult) {
+ let hasPriorCertData = await call_has_prior_data(
+ certStorage,
+ Ci.nsICertStorage.DATA_TYPE_CERTIFICATE
+ );
+ Assert.equal(
+ hasPriorCertData,
+ expectedResult,
+ `should ${expectedResult ? "have" : "not have"} prior cert data`
+ );
+}
+
+add_task(async function() {
+ // Create an invalid database.
+ let fileToCopy = do_get_file("test_cert_storage_broken_db.js");
+ let dbDirectory = do_get_profile();
+ dbDirectory.append("security_state");
+ fileToCopy.copyTo(dbDirectory, "data.mdb");
+
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+ check_has_prior_revocation_data(certStorage, false);
+ check_has_prior_cert_data(certStorage, false);
+
+ let result = await new Promise(resolve => {
+ certStorage.setRevocations([], resolve);
+ });
+ Assert.equal(result, Cr.NS_OK, "setRevocations should succeed");
+
+ check_has_prior_revocation_data(certStorage, true);
+ check_has_prior_cert_data(certStorage, false);
+
+ result = await new Promise(resolve => {
+ certStorage.addCerts([], resolve);
+ });
+ Assert.equal(result, Cr.NS_OK, "addCerts should succeed");
+
+ check_has_prior_revocation_data(certStorage, true);
+ check_has_prior_cert_data(certStorage, true);
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct.js b/security/manager/ssl/tests/unit/test_cert_storage_direct.js
new file mode 100644
index 0000000000..a1ba818dd9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct.js
@@ -0,0 +1,417 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This file consists of unit tests for cert_storage (whereas test_cert_storage.js is more of an
+// integration test).
+
+do_get_profile();
+
+this.certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+);
+
+async function addCerts(certInfos) {
+ let result = await new Promise(resolve => {
+ certStorage.addCerts(certInfos, resolve);
+ });
+ Assert.equal(result, Cr.NS_OK, "addCerts should succeed");
+}
+
+async function removeCertsByHashes(hashesBase64) {
+ let result = await new Promise(resolve => {
+ certStorage.removeCertsByHashes(hashesBase64, resolve);
+ });
+ Assert.equal(result, Cr.NS_OK, "removeCertsByHashes should succeed");
+}
+
+function getLongString(uniquePart, length) {
+ return String(uniquePart).padStart(length, "0");
+}
+
+class CertInfo {
+ constructor(cert, subject) {
+ this.cert = btoa(cert);
+ this.subject = btoa(subject);
+ this.trust = Ci.nsICertStorage.TRUST_INHERIT;
+ }
+}
+CertInfo.prototype.QueryInterface = ChromeUtils.generateQI(["nsICertInfo"]);
+
+add_task(async function test_common_subject() {
+ let someCert1 = new CertInfo(
+ "some certificate bytes 1",
+ "some common subject"
+ );
+ let someCert2 = new CertInfo(
+ "some certificate bytes 2",
+ "some common subject"
+ );
+ let someCert3 = new CertInfo(
+ "some certificate bytes 3",
+ "some common subject"
+ );
+ await addCerts([someCert1, someCert2, someCert3]);
+ let storedCerts = certStorage.findCertsBySubject(
+ stringToArray("some common subject")
+ );
+ let storedCertsAsStrings = storedCerts.map(arrayToString);
+ let expectedCerts = [
+ "some certificate bytes 1",
+ "some certificate bytes 2",
+ "some certificate bytes 3",
+ ];
+ Assert.deepEqual(
+ storedCertsAsStrings.sort(),
+ expectedCerts.sort(),
+ "should find expected certs"
+ );
+
+ await addCerts([
+ new CertInfo("some other certificate bytes", "some other subject"),
+ ]);
+ storedCerts = certStorage.findCertsBySubject(
+ stringToArray("some common subject")
+ );
+ storedCertsAsStrings = storedCerts.map(arrayToString);
+ Assert.deepEqual(
+ storedCertsAsStrings.sort(),
+ expectedCerts.sort(),
+ "should still find expected certs"
+ );
+
+ let storedOtherCerts = certStorage.findCertsBySubject(
+ stringToArray("some other subject")
+ );
+ let storedOtherCertsAsStrings = storedOtherCerts.map(arrayToString);
+ let expectedOtherCerts = ["some other certificate bytes"];
+ Assert.deepEqual(
+ storedOtherCertsAsStrings,
+ expectedOtherCerts,
+ "should have other certificate"
+ );
+});
+
+add_task(async function test_many_entries() {
+ const NUM_CERTS = 500;
+ const CERT_LENGTH = 3000;
+ const SUBJECT_LENGTH = 40;
+ let certs = [];
+ for (let i = 0; i < NUM_CERTS; i++) {
+ certs.push(
+ new CertInfo(
+ getLongString(i, CERT_LENGTH),
+ getLongString(i, SUBJECT_LENGTH)
+ )
+ );
+ }
+ await addCerts(certs);
+ for (let i = 0; i < NUM_CERTS; i++) {
+ let subject = stringToArray(getLongString(i, SUBJECT_LENGTH));
+ let storedCerts = certStorage.findCertsBySubject(subject);
+ Assert.equal(
+ storedCerts.length,
+ 1,
+ "should have 1 certificate (lots of data test)"
+ );
+ let storedCertAsString = arrayToString(storedCerts[0]);
+ Assert.equal(
+ storedCertAsString,
+ getLongString(i, CERT_LENGTH),
+ "certificate should be as expected (lots of data test)"
+ );
+ }
+});
+
+add_task(async function test_removal() {
+ // As long as cert_storage is given valid base64, attempting to delete some nonexistent
+ // certificate will "succeed" (it'll do nothing).
+ await removeCertsByHashes([btoa("thishashisthewrongsize")]);
+
+ let removalCert1 = new CertInfo(
+ "removal certificate bytes 1",
+ "common subject to remove"
+ );
+ let removalCert2 = new CertInfo(
+ "removal certificate bytes 2",
+ "common subject to remove"
+ );
+ let removalCert3 = new CertInfo(
+ "removal certificate bytes 3",
+ "common subject to remove"
+ );
+ await addCerts([removalCert1, removalCert2, removalCert3]);
+
+ let storedCerts = certStorage.findCertsBySubject(
+ stringToArray("common subject to remove")
+ );
+ let storedCertsAsStrings = storedCerts.map(arrayToString);
+ let expectedCerts = [
+ "removal certificate bytes 1",
+ "removal certificate bytes 2",
+ "removal certificate bytes 3",
+ ];
+ Assert.deepEqual(
+ storedCertsAsStrings.sort(),
+ expectedCerts.sort(),
+ "should find expected certs before removing them"
+ );
+
+ // echo -n "removal certificate bytes 2" | sha256sum | xxd -r -p | base64
+ await removeCertsByHashes(["2nUPHwl5TVr1mAD1FU9FivLTlTb0BAdnVUhsYgBccN4="]);
+ storedCerts = certStorage.findCertsBySubject(
+ stringToArray("common subject to remove")
+ );
+ storedCertsAsStrings = storedCerts.map(arrayToString);
+ expectedCerts = [
+ "removal certificate bytes 1",
+ "removal certificate bytes 3",
+ ];
+ Assert.deepEqual(
+ storedCertsAsStrings.sort(),
+ expectedCerts.sort(),
+ "should only have first and third certificates now"
+ );
+
+ // echo -n "removal certificate bytes 1" | sha256sum | xxd -r -p | base64
+ await removeCertsByHashes(["8zoRqHYrklr7Zx6UWpzrPuL+ol8KL1Ml6XHBQmXiaTY="]);
+ storedCerts = certStorage.findCertsBySubject(
+ stringToArray("common subject to remove")
+ );
+ storedCertsAsStrings = storedCerts.map(arrayToString);
+ expectedCerts = ["removal certificate bytes 3"];
+ Assert.deepEqual(
+ storedCertsAsStrings.sort(),
+ expectedCerts.sort(),
+ "should only have third certificate now"
+ );
+
+ // echo -n "removal certificate bytes 3" | sha256sum | xxd -r -p | base64
+ await removeCertsByHashes(["vZn7GwDSabB/AVo0T+N26nUsfSXIIx4NgQtSi7/0p/w="]);
+ storedCerts = certStorage.findCertsBySubject(
+ stringToArray("common subject to remove")
+ );
+ Assert.equal(storedCerts.length, 0, "shouldn't have any certificates now");
+
+ // echo -n "removal certificate bytes 3" | sha256sum | xxd -r -p | base64
+ // Again, removing a nonexistent certificate should "succeed".
+ await removeCertsByHashes(["vZn7GwDSabB/AVo0T+N26nUsfSXIIx4NgQtSi7/0p/w="]);
+});
+
+add_task(async function test_batched_removal() {
+ let removalCert1 = new CertInfo(
+ "batch removal certificate bytes 1",
+ "batch subject to remove"
+ );
+ let removalCert2 = new CertInfo(
+ "batch removal certificate bytes 2",
+ "batch subject to remove"
+ );
+ let removalCert3 = new CertInfo(
+ "batch removal certificate bytes 3",
+ "batch subject to remove"
+ );
+ await addCerts([removalCert1, removalCert2, removalCert3]);
+ let storedCerts = certStorage.findCertsBySubject(
+ stringToArray("batch subject to remove")
+ );
+ let storedCertsAsStrings = storedCerts.map(arrayToString);
+ let expectedCerts = [
+ "batch removal certificate bytes 1",
+ "batch removal certificate bytes 2",
+ "batch removal certificate bytes 3",
+ ];
+ Assert.deepEqual(
+ storedCertsAsStrings.sort(),
+ expectedCerts.sort(),
+ "should find expected certs before removing them"
+ );
+ // echo -n "batch removal certificate bytes 1" | sha256sum | xxd -r -p | base64
+ // echo -n "batch removal certificate bytes 2" | sha256sum | xxd -r -p | base64
+ // echo -n "batch removal certificate bytes 3" | sha256sum | xxd -r -p | base64
+ await removeCertsByHashes([
+ "EOEEUTuanHZX9NFVCoMKVT22puIJC6g+ZuNPpJgvaa8=",
+ "Xz6h/Kvn35cCLJEZXkjPqk1GG36b56sreLyAXpO+0zg=",
+ "Jr7XdiTT8ZONUL+ogNNMW2oxKxanvYOLQPKBPgH/has=",
+ ]);
+ storedCerts = certStorage.findCertsBySubject(
+ stringToArray("batch subject to remove")
+ );
+ Assert.equal(storedCerts.length, 0, "shouldn't have any certificates now");
+});
+
+class CRLiteCoverage {
+ constructor(ctLogID, minTimestamp, maxTimestamp) {
+ this.b64LogID = ctLogID;
+ this.minTimestamp = minTimestamp;
+ this.maxTimestamp = maxTimestamp;
+ }
+}
+CRLiteCoverage.prototype.QueryInterface = ChromeUtils.generateQI([
+ "nsICRLiteCoverage",
+]);
+
+add_task(async function test_crlite_filter() {
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ addCertFromFile(
+ certdb,
+ "test_cert_storage_direct/valid-cert-issuer.pem",
+ ",,"
+ );
+ let validCert = constructCertFromFile(
+ "test_cert_storage_direct/valid-cert.pem"
+ );
+ addCertFromFile(
+ certdb,
+ "test_cert_storage_direct/revoked-cert-issuer.pem",
+ ",,"
+ );
+ let revokedCert = constructCertFromFile(
+ "test_cert_storage_direct/revoked-cert.pem"
+ );
+ let filterFile = do_get_file(
+ "test_cert_storage_direct/test-filter.crlite",
+ false
+ );
+ ok(filterFile.exists(), "test filter file should exist");
+ let enrollment = [];
+ let coverage = [];
+ let filterBytes = stringToArray(readFile(filterFile));
+ // First simualte a filter that does not cover any certificates. With CRLite
+ // enabled, none of the certificates should appear to be revoked.
+ let setFullCRLiteFilterResult = await new Promise(resolve => {
+ certStorage.setFullCRLiteFilter(filterBytes, enrollment, coverage, resolve);
+ });
+ Assert.equal(
+ setFullCRLiteFilterResult,
+ Cr.NS_OK,
+ "setFullCRLiteFilter should succeed"
+ );
+
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeEnforcePrefValue
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+ false,
+ "skynew.jp",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+ false,
+ "schunk-group.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+
+ // Now replace the filter with one that covers the "valid" and "revoked"
+ // certificates. CRLite should flag the revoked certificate.
+ coverage.push(
+ new CRLiteCoverage(
+ "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=",
+ 0,
+ 1641612275000
+ )
+ );
+
+ // crlite_enrollment_id.py test_crlite_filters/issuer.pem
+ enrollment.push("UbH9/ZAnjuqf79Xhah1mFOWo6ZvgQCgsdheWfjvVUM8=");
+ // crlite_enrollment_id.py test_crlite_filters/no-sct-issuer.pem
+ enrollment.push("Myn7EasO1QikOtNmo/UZdh6snCAw0BOY6wgU8OsUeeY=");
+ // crlite_enrollment_id.py test_cert_storage_direct/revoked-cert-issuer.pem
+ enrollment.push("HTvSp2263dqBYtgYA2fldKAoTYcEVLPVTlRia9XaoCQ=");
+
+ setFullCRLiteFilterResult = await new Promise(resolve => {
+ certStorage.setFullCRLiteFilter(filterBytes, enrollment, coverage, resolve);
+ });
+ Assert.equal(
+ setFullCRLiteFilterResult,
+ Cr.NS_OK,
+ "setFullCRLiteFilter should succeed"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+ false,
+ "skynew.jp",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+ false,
+ "schunk-group.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+
+ // If we're only collecting telemetry, none of the certificates should appear to be revoked.
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeTelemetryOnlyPrefValue
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+ false,
+ "skynew.jp",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+ false,
+ "schunk-group.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+
+ // If CRLite is disabled, none of the certificates should appear to be revoked.
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeDisabledPrefValue
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+ false,
+ "skynew.jp",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+ false,
+ "schunk-group.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert-issuer.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert-issuer.pem
new file mode 100644
index 0000000000..d775817b33
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert-issuer.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEoDCCA4igAwIBAgIQBpaPlkroI1bHThfCtTZbADANBgkqhkiG9w0BAQsFADBs
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
+ZSBFViBSb290IENBMB4XDTE3MTEwNjEyMjI1N1oXDTI3MTEwNjEyMjI1N1owXzEL
+MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
+LmRpZ2ljZXJ0LmNvbTEeMBwGA1UEAxMVVGhhd3RlIEVWIFJTQSBDQSAyMDE4MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp0Cu52zmdJFnSezXMKvL0rso
+WgA/1X7OxjMQHsAllID1eDG836ptJXSTPg+DoEenHfkKyw++wXobgahr0cU/2v8R
+WR3fID53ZDhEGHzS+Ol7V+HRtZG5teMWCY7gldtBQH0r7xUEp/3ISVsZUVBqtUmL
+VJlf9nxJD6Cxp4LBlcJJ8+N6kSkV+fA+WdQc0HYhXSg3PxJP7XSU28Wc7gf6y9kZ
+zQhK4WrZLRrHHbHC2QXdqQYUxR927QV+UCNXnlbTcZy2QpxWTPLzK+/cKXX4cwP6
+MGF7+8RnUgHlij/5V2k/tIF9ep4B72ucqaS/UhEPpIN/T7A3OAw995yrB38glQID
+AQABo4IBSTCCAUUwHQYDVR0OBBYEFOcB/AwWGMp9sozshyejb2GBO4Q5MB8GA1Ud
+IwQYMBaAFLE+w2kD+L9HAdSYJhoIAu9jZCvDMA4GA1UdDwEB/wQEAwIBhjAdBgNV
+HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADA0
+BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0
+LmNvbTBLBgNVHR8ERDBCMECgPqA8hjpodHRwOi8vY3JsMy5kaWdpY2VydC5jb20v
+RGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZSb290Q0EuY3JsMD0GA1UdIAQ2MDQwMgYE
+VR0gADAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BT
+MA0GCSqGSIb3DQEBCwUAA4IBAQAWGka+5ffLpfFuzT+WlwDRwhyTZSunnvecZWZT
+PPKXipynjpXx5dK8YG+2XoH74285GR1UABuvHMFV94XeDET9Pzz5s/NHS1/eAr5e
+GdwfBl80XwPkwXaYqzRtw6J4RAxeLqcbibhUQv9Iev9QcP0kNPyJu413Xov76mSu
+JlGThKzcurJPive2eLmwmoIgTPH11N/IIO9nHLVe8KTkt+FGgZCOWHA3kbFBZR39
+Mn2hFS974rhUkM+VS9KbCiQQ5OwkfbZ/6BINkE1CMtiESZ2WkbxJKPsF3dN7p9DF
+YWiQSbYjFP+rCT0/MkaHHYUkEvLNPgyJ6z29eMf0DjLu/SXJ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert.pem
new file mode 100644
index 0000000000..81e01bd783
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert.pem
@@ -0,0 +1,41 @@
+-----BEGIN CERTIFICATE-----
+MIIHOzCCBiOgAwIBAgIQBi31aKBRMQgg1+xDJ+G6/TANBgkqhkiG9w0BAQsFADBf
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMR4wHAYDVQQDExVUaGF3dGUgRVYgUlNBIENBIDIwMTgw
+HhcNMTgwNTI4MDAwMDAwWhcNMjAwNTIxMTIwMDAwWjCB6zEdMBsGA1UEDwwUUHJp
+dmF0ZSBPcmdhbml6YXRpb24xEzARBgsrBgEEAYI3PAIBAxMCREUxFjAUBgsrBgEE
+AYI3PAIBAhMFSGVzc2UxGDAWBgsrBgEEAYI3PAIBAQwHR2llw59lbjERMA8GA1UE
+BRMISFJCIDY5MDIxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xFDASBgNV
+BAcTC0hldWNoZWxoZWltMRQwEgYDVQQKEwtTY2h1bmsgR21iSDELMAkGA1UECxMC
+SVQxGTAXBgNVBAMTEHNjaHVuay1ncm91cC5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQCvkuQZz2ExPv9paJb622OOk+o4bWnjDe1zHGK6qnK25mMT
+Zldk74sXF+Wfr9lbwqHTcjGhQFwmVDqvtr55KVX8FOv0CSqNaewOrnNrFz8Xg4rn
+OlIs3+MmqD5CIK+el0rA+xltEY8WvNlwZKG7yeJYrdsr+5DAThDuwCVe8bU7it4h
+sjsMsof5ocee9zDkFThNVGR4sMk5EgBxb1Gt4n9wXUj4OBT78whhlkLH/pVZrrhs
+tQwC3q90MOPC5RJcEolSCNjGdHCKRbexmRqJgbJj/qZ9JT+fQ+Ko6a+UAWvc2BUc
+POnzGV2GzCdFFGOubJb6RjU0nuPG4Lmdc/BuS9kFAgMBAAGjggNkMIIDYDAfBgNV
+HSMEGDAWgBTnAfwMFhjKfbKM7Icno29hgTuEOTAdBgNVHQ4EFgQUNb1SY8Bkil98
+tD8zoxE30jBA1NIwZwYDVR0RBGAwXoIQc2NodW5rLWdyb3VwLmNvbYIUd3d3LnNj
+aHVuay1ncm91cC5jb22CG3NjaHVuay1jYXJib250ZWNobm9sb2d5LmNvbYIXc2No
+dW5rLXNpbnRlcm1ldGFscy5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG
+CCsGAQUFBwMBBggrBgEFBQcDAjA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY2Rw
+LnRoYXd0ZS5jb20vVGhhd3RlRVZSU0FDQTIwMTguY3JsMEsGA1UdIAREMEIwNwYJ
+YIZIAYb9bAIBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNv
+bS9DUFMwBwYFZ4EMAQEwcQYIKwYBBQUHAQEEZTBjMCQGCCsGAQUFBzABhhhodHRw
+Oi8vc3RhdHVzLnRoYXd0ZS5jb20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9jYWNlcnRz
+LnRoYXd0ZS5jb20vVGhhd3RlRVZSU0FDQTIwMTguY3J0MAkGA1UdEwQCMAAwggF7
+BgorBgEEAdZ5AgQCBIIBawSCAWcBZQB1AKS5CZC0GFgUh7sTosxncAo8NZgE+Rvf
+uON3zQ7IDdwQAAABY6Ze9XAAAAQDAEYwRAIgNUeXL3GwlpGQtTS/wKBlOkHJvHR5
+knSop0OPumeCfQECIEdxY7qr/WRVbWkQFvP48fgWkZHkd4vTq70Y0aaSZTbPAHUA
+VhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0AAAFjpl71tQAABAMARjBE
+AiAtxKdc/wum3TE7r9BoRd/gkrjYLWyqeLuL/opRBRy9xwIgPF6uEZxyhEoLZ+9G
+AFBAP+X89zjZphVALjIXu0RRea4AdQC72d+8H4pxtZOUI5eqkntHOFeVCqtS6BqQ
+lmQ2jh7RhQAAAWOmXvY1AAAEAwBGMEQCIHc04ERlUbIkVrlC+I89C9xtugvRCwbR
+a7qZzSdqHltUAiBRVwTacf1dnO9AgLSgrxft5LV32DvH3qNT7pWYh8dFNjANBgkq
+hkiG9w0BAQsFAAOCAQEARJ+tbnM+yS6chgpyzfB3e7IWPq2Den46Ja1H6/4qaKrd
+nsbElcvd4cCQf1zYY6jlQkO6qtfMUChKrEar5aqqnyX8x/8T9PkpHp8XyUxgGlmT
+hrnHML0gDJFS8O4MB5pFnGkgoOQa+OIQokWCXr4/a4AwsTG3Ms+lC+R+vRYz90lg
+TEJLNHB2fSvQyvpXDUL9aAjACBp/9pKxfM9iq06MFO5jP483xJUfdqtVteHMw75w
+1mb8IrM9R1dP47GsblTrf2rZYdaoxdyLjtJQG2aaOdU5unE6QeFrXbz0qeTPePs8
+ftuXSW9xb053HjAkCcVo48j07b2cHfU1hxzGGptVbQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/test-filter.crlite b/security/manager/ssl/tests/unit/test_cert_storage_direct/test-filter.crlite
new file mode 100644
index 0000000000..34ced4b840
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/test-filter.crlite
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert-issuer.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert-issuer.pem
new file mode 100644
index 0000000000..705827a85e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert-issuer.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEkDCCA3igAwIBAgIJIrmxUyPlrv3NMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
+BAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMScw
+JQYDVQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTIwHhcNMTgwODIy
+MDczMjI0WhcNMjgwODIyMDczMjI0WjBQMQswCQYDVQQGEwJKUDElMCMGA1UEChMc
+U0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEaMBgGA1UEAxMRQ3Jvc3NUcnVz
+dCBEViBDQTUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnTNi5Kgrt
+FL8qBuEmpL2gvLFY7f9MEgjzClvic/45ebM+DxZ2CMuqtMtImgf8XPIpLaFFbozx
+3VgqH41cmGHbpAoDRKpwfF1f53peHYhRxpOVgcnsiVCPZJPBPCUM9St+cuEjfo0d
+YGbr3aG5urdT2zeKIFyxKbggdkU0LVRHwvLFsIpXCn/YK/8Rmx87yW9VB80OXkzf
+IQoZop83+aebq1VwzjNCN3u4bWSFLYDyJGqE40WlZ53NZh+TwBsa6gld9YXPGQfx
+k8x38zkFXberlMQOYhX9KyuTOMdlFkbx6LfIUqVKJavpcr54+XPzVyeroNPpKxtZ
+mEqUYiFjAqUVAgMBAAGjggFeMIIBWjAdBgNVHQ4EFgQUT4twz6lAHJbllF13rNZv
+TS2b8ncwHwYDVR0jBBgwFoAUCoWpd2UFmHxAgfgPlyw48QrsPM8wEgYDVR0TAQH/
+BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwSQYDVR0fBEIwQDA+oDygOoY4aHR0
+cDovL3JlcG9zaXRvcnkuc2Vjb210cnVzdC5uZXQvU0MtUm9vdDIvU0NSb290MkNS
+TC5jcmwwUgYDVR0gBEswSTBHBgoqgwiMmxtkhwUEMDkwNwYIKwYBBQUHAgEWK2h0
+dHBzOi8vcmVwb3NpdG9yeS5zZWNvbXRydXN0Lm5ldC9TQy1Sb290Mi8wQAYIKwYB
+BQUHAQEENDAyMDAGCCsGAQUFBzABhiRodHRwOi8vc2Nyb290Y2EyLm9jc3Auc2Vj
+b210cnVzdC5uZXQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQAD
+ggEBABEDSrrhhR+Js5q45yih2Ne4cMLZmrH0AZwU3eM+7HZplzi1EhppgvcYk/2k
+LM9haQGWnAZ5wiixLqKu7WlWrHgblZbXyCxALmMBK1rqeP0omxXExqKVqWNHU8KZ
+t3jahH1wDYSzfetM7guWR+PAPpb9oQCtAx8DVyI/3Ocswvti/uWb517Bdo6Nd0+9
+mf0LiphNKcSzSFX0s1Cb47cJROYHGBe2J6NUSWR7wE0asPtKsznGyNO+NJCUR+0h
+OLN2cA2KJwPhZjYJt8UkucAF/EE7qC0Fc8B9Q/gttQ52en5BZxdkDrHCi4qnsSvi
+gueQme/RzYkEaQlNT1WCZ9AIgVE=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert.pem
new file mode 100644
index 0000000000..195d2d8ca2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert.pem
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF4DCCBMigAwIBAgIQC3d196+a5UJlyc0yVxB3jjANBgkqhkiG9w0BAQsFADBQ
+MQswCQYDVQQGEwJKUDElMCMGA1UEChMcU0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4s
+TFRELjEaMBgGA1UEAxMRQ3Jvc3NUcnVzdCBEViBDQTUwHhcNMTkwNjExMDUyMjEy
+WhcNMjEwNjMwMTQ1OTU5WjAUMRIwEAYDVQQDEwlza3luZXcuanAwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeciw7C297026HA4oIwc29vL2h29GVrRF7
+HGdeXzAJA7kh+qwo8rTBFfdX7sgHy6nnE1+flEtFt91Ss8i3BZMEqoFUZFb1jGXd
+DbQtmIWxz7O5skkjR1gdKwt9GImy1hEPt8dwU52mwVsSUEKvlZlsjeofUPAEbnYY
++iA/nYaYXiXyCxJzk6Y09VlzghyMIhkLwDa7rL3S9FgUQI6tSUwsiNYNoQzlYgXF
+yPfQfd57LbBwZJtqVPC6rjPOZZd0sw7uvrDNuxnAM2k2mzlML9Vwt8EvSlZX60xD
+oGQCsQQ/ZgjEQTA8WRZ+fxW/LqQNYYm70KU/1M+e8o4MKmA9xkH5AgMBAAGjggLw
+MIIC7DAfBgNVHSMEGDAWgBRPi3DPqUAcluWUXXes1m9NLZvydzA8BggrBgEFBQcB
+AQQwMC4wLAYIKwYBBQUHMAGGIGh0dHA6Ly9kdmNhNS5vY3NwLnNlY29tdHJ1c3Qu
+bmV0MCMGA1UdEQQcMBqCCXNreW5ldy5qcIINd3d3LnNreW5ldy5qcDBaBgNVHSAE
+UzBRMEUGCiqDCIybG26BVQIwNzA1BggrBgEFBQcCARYpaHR0cHM6Ly9yZXBvMS5z
+ZWNvbXRydXN0Lm5ldC9zcHBjYS94dGR2NS8wCAYGZ4EMAQIBMBMGA1UdJQQMMAoG
+CCsGAQUFBwMBMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9yZXBvMS5zZWNvbXRy
+dXN0Lm5ldC9zcHBjYS94dGR2NS9mdWxsY3JsLmNybDAdBgNVHQ4EFgQUuj9305tQ
+JIeVAQtsz9JHx3PTqaQwDgYDVR0PAQH/BAQDAgWgMIIBfgYKKwYBBAHWeQIEAgSC
+AW4EggFqAWgAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWtF
+Bb6pAAAEAwBHMEUCIHUQkmFzUh01r1Px/zWMZSL21dNNQwM+rN1z0gutxV3JAiEA
+jSb2/GAm4+2qiNWDtx1EkHsMXjNW+5S4GhJePexjJR8AdgDuS723dc5guuFCaR+r
+4Z5mow9+X7By2IMAxHuJeqj9ywAAAWtFBcdeAAAEAwBHMEUCIDVHdfP9wnVgz45l
+eX80DpRCRNEV/OCDwfW+B0g/dveYAiEArbpLQb5Z9hul3r00kF2LrivNuI7kwEBy
+MpkYsLtSPJoAdgBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAWtF
+BdCQAAAEAwBHMEUCIE2GUo6x3qDrIhacnCmjikBCHF2yT6Fv5GAehZB569YCAiEA
+vXwMXV8+y3xNFys+A6u9EjKiy8CTKv+SQxqsJ4s6jK0wDQYJKoZIhvcNAQELBQAD
+ggEBAAzlm9W+N5fviTJ9wDsc5nXKYur3744V/cm75+8dUM61Rko1isK6IZt5aNPN
+wOfhBsTzHHSYmAFMR9Xjoq8iDYZtIk01IGI6LEWuls9F2hVcERiHMWJOLTiH35xN
+vRNTG0AbBdIpTX2sURsoCPJ+8DTnVUr3pTzXnIY4EQ4UXfANuYwceOHShF6UJo/L
+PK0uRdHcd5SmMa03gFUdkTc9gU6PIEO/UgubazGh9xDBHtHECeleL+gpSfOP3SkF
+7W1RgmbE6WJdVPlto7FRQtl2xIzHs/gNaPezqNKPHgFlx4c+ECTjPLqoW8LdeXu+
+N8dueJg1+h+lQifkmgl23DqEIiI=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting.js b/security/manager/ssl/tests/unit/test_cert_storage_preexisting.js
new file mode 100644
index 0000000000..744cc7fc37
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting.js
@@ -0,0 +1,48 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This file tests that cert_storage correctly persists its "has prior data"
+// information across runs of the browser.
+// (The test DB files for this test were created by running the test
+// `test_cert_storage_broken_db.js` and copying them from that test's profile
+// directory.)
+
+/* eslint-disable no-unused-vars */
+add_task(async function() {
+ let dbDirectory = do_get_profile();
+ dbDirectory.append("security_state");
+ let dbFile = do_get_file("test_cert_storage_preexisting/data.safe.bin");
+ dbFile.copyTo(dbDirectory, "data.safe.bin");
+
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+ let hasPriorRevocationData = await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_REVOCATION,
+ (rv, hasPriorData) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve(hasPriorData);
+ }
+ );
+ });
+ Assert.equal(
+ hasPriorRevocationData,
+ true,
+ "should have prior revocation data"
+ );
+
+ let hasPriorCertData = await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CERTIFICATE,
+ (rv, hasPriorData) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve(hasPriorData);
+ }
+ );
+ });
+ Assert.equal(hasPriorCertData, true, "should have prior cert data");
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.mdb b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.mdb
new file mode 100644
index 0000000000..df4cb182a7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.mdb
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.safe.bin b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.safe.bin
new file mode 100644
index 0000000000..011ed93484
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.safe.bin
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting/lock.mdb b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/lock.mdb
new file mode 100644
index 0000000000..dc4b50fdfc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/lock.mdb
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite.js b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite.js
new file mode 100644
index 0000000000..e94cbbfb0c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite.js
@@ -0,0 +1,83 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This file tests that cert_storage correctly persists its information across
+// runs of the browser specifically in the case of CRLite.
+// (The test DB files for this test were created by running the test
+// `test_cert_storage_direct.js` and copying them from that test's profile
+// directory.)
+
+/* eslint-disable no-unused-vars */
+add_task(async function() {
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeEnforcePrefValue
+ );
+
+ let dbDirectory = do_get_profile();
+ dbDirectory.append("security_state");
+ let crliteFile = do_get_file(
+ "test_cert_storage_preexisting_crlite/crlite.filter"
+ );
+ crliteFile.copyTo(dbDirectory, "crlite.filter");
+ let coverageFile = do_get_file(
+ "test_cert_storage_preexisting_crlite/crlite.coverage"
+ );
+ coverageFile.copyTo(dbDirectory, "crlite.coverage");
+ let enrollmentFile = do_get_file(
+ "test_cert_storage_preexisting_crlite/crlite.enrollment"
+ );
+ enrollmentFile.copyTo(dbDirectory, "crlite.enrollment");
+
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+
+ // Add an empty stash to ensure the filter is considered to be fresh.
+ await new Promise(resolve => {
+ certStorage.addCRLiteStash(new Uint8Array([]), (rv, _) => {
+ Assert.equal(rv, Cr.NS_OK, "marked filter as fresh");
+ resolve();
+ });
+ });
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ let validCertIssuer = constructCertFromFile(
+ "test_cert_storage_direct/valid-cert-issuer.pem"
+ );
+ let validCert = constructCertFromFile(
+ "test_cert_storage_direct/valid-cert.pem"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2019-10-28T00:00:00Z").getTime() / 1000,
+ false,
+ "skynew.jp",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+
+ let revokedCertIssuer = constructCertFromFile(
+ "test_cert_storage_direct/revoked-cert-issuer.pem"
+ );
+ let revokedCert = constructCertFromFile(
+ "test_cert_storage_direct/revoked-cert.pem"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+ false,
+ "schunk-group.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.coverage b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.coverage
new file mode 100644
index 0000000000..2bd13319e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.coverage
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.enrollment b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.enrollment
new file mode 100644
index 0000000000..aac0238188
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.enrollment
@@ -0,0 +1 @@
+3)û«Õ¤:Óf£õv¬œ 0ИëðëyæQ±ýý'ŽêŸïÕájfå¨é›à@(,v–~;ÕPÏ;Ò§mºÝÚbØgåt (M‡T³ÕNTbkÕÚ $ \ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.filter b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.filter
new file mode 100644
index 0000000000..34ced4b840
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.filter
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/data.safe.bin b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/data.safe.bin
new file mode 100644
index 0000000000..d96571f128
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/data.safe.bin
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_cert_trust.js b/security/manager/ssl/tests/unit/test_cert_trust.js
new file mode 100644
index 0000000000..43fbaa6174
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@@ -0,0 +1,324 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function load_cert(cert_name, trust_string) {
+ let cert_filename = cert_name + ".pem";
+ return addCertFromFile(
+ certdb,
+ "test_cert_trust/" + cert_filename,
+ trust_string
+ );
+}
+
+function setup_basic_trusts(ca_cert, int_cert) {
+ certdb.setCertTrust(
+ ca_cert,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_SSL | Ci.nsIX509CertDB.TRUSTED_EMAIL
+ );
+
+ certdb.setCertTrust(int_cert, Ci.nsIX509Cert.CA_CERT, 0);
+}
+
+async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
+ // On reset most usages are successful
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+
+ // Test of active distrust. No usage should pass.
+ setCertTrust(cert_to_modify_trust, "p,p,p");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLServer
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailRecipient
+ );
+
+ // Trust set to T - trusted CA to issue client certs, where client cert is
+ // usageSSLClient.
+ setCertTrust(cert_to_modify_trust, "T,T,T");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+
+ // XXX(Bug 982340)
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+
+ // Now tests on the SSL trust bit
+ setCertTrust(cert_to_modify_trust, "p,C,C");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLServer
+ );
+
+ // XXX(Bug 982340)
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+
+ // Inherited trust SSL
+ setCertTrust(cert_to_modify_trust, ",C,C");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ // XXX(Bug 982340)
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+
+ // Now tests on the EMAIL trust bit
+ setCertTrust(cert_to_modify_trust, "C,p,C");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailRecipient
+ );
+
+ // inherited EMAIL Trust
+ setCertTrust(cert_to_modify_trust, "C,,C");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+}
+
+add_task(async function() {
+ let certList = ["ca", "int", "ee"];
+ let loadedCerts = [];
+ for (let certName of certList) {
+ loadedCerts.push(load_cert(certName, ",,"));
+ }
+
+ let ca_cert = loadedCerts[0];
+ notEqual(ca_cert, null, "CA cert should have successfully loaded");
+ let int_cert = loadedCerts[1];
+ notEqual(int_cert, null, "Intermediate cert should have successfully loaded");
+ let ee_cert = loadedCerts[2];
+ notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+ setup_basic_trusts(ca_cert, int_cert);
+ await test_ca_distrust(ee_cert, ca_cert, true);
+
+ setup_basic_trusts(ca_cert, int_cert);
+ await test_ca_distrust(ee_cert, int_cert, false);
+
+ // Reset trust to default ("inherit trust")
+ setCertTrust(ca_cert, ",,");
+ setCertTrust(int_cert, ",,");
+
+ // End-entities can be trust anchors for interoperability with users who
+ // prefer not to build a hierarchy and instead directly trust a particular
+ // server certificate.
+ setCertTrust(ee_cert, "CTu,CTu,CTu");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ca.pem b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem
new file mode 100644
index 0000000000..54b436cdab
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUbd6irDfViDg0hGYGrBFpSOiAgmswDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
+VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBa/UJSVAkS4R5UUprUZ+VETh+G
+TbLf+xbhyhpXn39i7Rk0/U7IelYJN3qalF3eIL7ab4qij3jWLrdOJz1ERkxVWXeX
+a9rjQC7nQQqnOrdcEPvq297cHuwtKb+jTTKDI4ATy7UVeE3DDW6VWewmAz8VA7FH
+SxAwdLWgqKzAqLEhhrg6l0JtpDmCfoBZ5yVA9gPdcSouaQ+6WnL0TFmNtriZPZI5
+Sq7Ua1aM1X/Ca3kQLo1DD06lgR7bJbjH+2j0uRYbB7NeB5aeYYnnxRdXcbXtM2Wl
+dPg/8WETAK3hjbaY0Xq5UFP9tLkLbq3a1lew5BEz9xFz7P+offg8hSAONOZu
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec
new file mode 100644
index 0000000000..d809dbd635
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ee.pem b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem
new file mode 100644
index 0000000000..82e6a30f34
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4jCCAcqgAwIBAgIUMdajt4X/9IBhgxXiQsm9Bu84o80wDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozUwMzAxBgNVHSUEKjAoBggrBgEF
+BQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMEBggrBgEFBQcDAzANBgkqhkiG9w0BAQsF
+AAOCAQEAA7nG4h3CGUtm2eS08c0e+mROnPPpkOMaOS0McOFIDOamQlKtxuzl6md7
+CmZtQfckTwVxy8KaEtVhcJ5Dj4w+HJJ2uwun8PspBkgEaVJAMxhm8CAOBHO72vee
+1WU1K2lxcGz1tTFzyvGi7b+frWWaeoTM4/4qUQkKEBTbJannKqmKSHdawNNeJ7XB
+yxyO+Pf5JlWMDpSoFY3IEG2j01ALdWcI4T63TFLB0lEmuMRGZ6o2EnNOFvg2bDkg
++peiKONSzIVqiVHkJjgMDGOdXfeei2pFyQz+1ESWYl3+LuxHbxXauyKV5tAjXL8n
+RbN+Ds8/8RpSFhDOTRLVCVrQiFqNag==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec
new file mode 100644
index 0000000000..9666c18062
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:ee
+extension:extKeyUsage:serverAuth,clientAuth,emailProtection,codeSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/int.pem b/security/manager/ssl/tests/unit/test_cert_trust/int.pem
new file mode 100644
index 0000000000..f12ebf91fd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/int.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyjCCAbKgAwIBAgIUS7UFd8kviZT6AzkUw+zBza2WxxcwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowDjEMMAoGA1UEAwwDaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsG
+A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAXr6DXGOqX+xkzyNm1YZc+wtm
+6yFQo2jgeCMxgOv4j07wEEgGPP4adgyHjAhqTtYNbdBCuPtEbMInVRHdJooWNGk7
+MeoyTmJLlEJlnzVHdCUDi0mb+E7w2vVWNeirXnUSBN8qStok8vNoHJDT7pX3QEQs
+zRRNHw5qs/xxZKxzxeBiljYlh1d1zVgqNWTx9LP5IOEKOQ9OzxpzsCpJtPZRxh/d
+gip6TZT9srCndY2jCFUEYdSFRWOjsb6ni9TGC2o4SUxxJvC8jmrLjgGqPGNdTMiX
+DOxuAjt1gue4kqK6r6nMqxOZ04TEe0c/M5+hF4dhQaxqga6vvGBl0oF2QMxXGA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec b/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec
new file mode 100644
index 0000000000..a7f6d81419
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_cert_utf8.js b/security/manager/ssl/tests/unit/test_cert_utf8.js
new file mode 100644
index 0000000000..caeddd8158
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_utf8.js
@@ -0,0 +1,79 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function run_test() {
+ // This certificate has a number of placeholder byte sequences that we can
+ // replace with invalid UTF-8 to ensure that we handle these cases safely.
+ let certificateToAlterFile = do_get_file(
+ "test_cert_utf8/certificateToAlter.pem",
+ false
+ );
+ let certificateBytesToAlter = atob(
+ pemToBase64(readFile(certificateToAlterFile))
+ );
+ testUTF8InField("issuerName", "ISSUER CN", certificateBytesToAlter);
+ testUTF8InField("issuerOrganization", "ISSUER O", certificateBytesToAlter);
+ testUTF8InField(
+ "issuerOrganizationUnit",
+ "ISSUER OU",
+ certificateBytesToAlter
+ );
+ testUTF8InField("issuerCommonName", "ISSUER CN", certificateBytesToAlter);
+ testUTF8InField("organization", "SUBJECT O", certificateBytesToAlter);
+ testUTF8InField("organizationalUnit", "SUBJECT OU", certificateBytesToAlter);
+ testUTF8InField("subjectName", "SUBJECT CN", certificateBytesToAlter);
+ testUTF8InField("displayName", "SUBJECT CN", certificateBytesToAlter);
+ testUTF8InField("commonName", "SUBJECT CN", certificateBytesToAlter);
+ testUTF8InField(
+ "emailAddress",
+ "SUBJECT EMAILADDRESS",
+ certificateBytesToAlter
+ );
+}
+
+// Every (issuer, serial number) pair must be unique. If NSS ever encounters two
+// different (in terms of encoding) certificates with the same values for this
+// pair, it will refuse to import it (even as a temporary certificate). Since
+// we're creating a number of different certificates, we need to ensure this
+// pair is always unique. The easiest way to do this is to change the issuer
+// distinguished name each time. To make sure this doesn't introduce additional
+// UTF8 issues, always use a printable ASCII value.
+var gUniqueIssuerCounter = 32;
+
+function testUTF8InField(field, replacementPrefix, certificateBytesToAlter) {
+ let toReplace = `${replacementPrefix} REPLACE ME`;
+ let replacement = "";
+ for (let i = 0; i < toReplace.length; i++) {
+ replacement += "\xEB";
+ }
+ let bytes = certificateBytesToAlter.replace(toReplace, replacement);
+ let uniqueIssuerReplacement =
+ "ALWAYS MAKE ME UNIQU" + String.fromCharCode(gUniqueIssuerCounter);
+ bytes = bytes.replace("ALWAYS MAKE ME UNIQUE", uniqueIssuerReplacement);
+ ok(
+ gUniqueIssuerCounter < 127,
+ "should have enough ASCII replacements to make a unique issuer DN"
+ );
+ gUniqueIssuerCounter++;
+ let cert = gCertDB.constructX509(stringToArray(bytes));
+ notEqual(cert[field], null, `accessing nsIX509Cert.${field} shouldn't fail`);
+ notEqual(
+ cert.getEmailAddresses(),
+ null,
+ "calling nsIX509Cert.getEmailAddresses() shouldn't assert"
+ );
+ ok(
+ !cert.containsEmailAddress("test@test.test"),
+ "calling nsIX509Cert.containsEmailAddress() shouldn't assert"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem
new file mode 100644
index 0000000000..344858e1fe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID7zCCAtegAwIBAgIUBd/A9SPEdfUGTxKTRoSskwSi2UYwDQYJKoZIhvcNAQEL
+BQAwfDEcMBoGA1UECgwTSVNTVUVSIE8gUkVQTEFDRSBNRTEdMBsGA1UECwwUSVNT
+VUVSIE9VIFJFUExBQ0UgTUUxHTAbBgNVBAMMFElTU1VFUiBDTiBSRVBMQUNFIE1F
+MR4wHAYDVQQHDBVBTFdBWVMgTUFLRSBNRSBVTklRVUUwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowgY8xHTAbBgNVBAoMFFNVQkpFQ1QgTyBSRVBM
+QUNFIE1FMR4wHAYDVQQLDBVTVUJKRUNUIE9VIFJFUExBQ0UgTUUxHjAcBgNVBAMM
+FVNVQkpFQ1QgQ04gUkVQTEFDRSBNRTEuMCwGCSqGSIb3DQEJARYfU1VCSkVDVCBF
+TUFJTEFERFJFU1MgUkVQTEFDRSBNRTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x
+nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM
+wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF
+4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20
+yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx
+j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNRME8wTQYDVR0RBEYwRIIeU1VC
+SkVDVCBBTFQgRE5TTkFNRSBSRVBMQUNFIE1FgSJTVUJKRUNUIEFMVCBSRkM4MjJA
+TkFNRSBSRVBMQUNFIE1FMA0GCSqGSIb3DQEBCwUAA4IBAQAKUSa8BdHwFUeuwcIx
+zjUMm3VfByLFQ1bGMPzH8oZ2iYPEuna+2yWgMt1PyqKlRu6LUFbxDhS1zyNdHmTE
+IgZ5L7AqA92pi1NNHJdMPJx5Pm2S0YzvTGoJMiU+btqykWq1YA4qviVFJC41V7mF
+ykgLl31W+5EOT6H3kPwFOa80s5u7PdtNZ18M9rRX36fP1W3vBLd9QUlEyKlJBwNf
++bLIQF8LbG4R5DbvinZufeMa6CQLQI1eot9WzBYddIzJVVJy04RBiCnZhZjdow1t
+j3daswBkJDX0kEPlW707yXHrLQhlI8imTYrEXCO0u9+n1NmRqD0eNhNEqdjAAgpC
+5PAD
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem.certspec b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem.certspec
new file mode 100644
index 0000000000..6579ac5550
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/O=ISSUER O REPLACE ME/OU=ISSUER OU REPLACE ME/CN=ISSUER CN REPLACE ME/L=ALWAYS MAKE ME UNIQUE
+subject:/O=SUBJECT O REPLACE ME/OU=SUBJECT OU REPLACE ME/CN=SUBJECT CN REPLACE ME/emailAddress=SUBJECT EMAILADDRESS REPLACE ME
+extension:subjectAlternativeName:SUBJECT ALT DNSNAME REPLACE ME,SUBJECT ALT RFC822@NAME REPLACE ME
diff --git a/security/manager/ssl/tests/unit/test_cert_version.js b/security/manager/ssl/tests/unit/test_cert_version.js
new file mode 100644
index 0000000000..73b0f458f7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version.js
@@ -0,0 +1,304 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests the interaction between the basic constraints extension and the
+// certificate version field. In general, the testcases consist of verifying
+// certificate chains of the form:
+//
+// end-entity (issued by) intermediate (issued by) trusted X509v3 root
+//
+// where the intermediate is one of X509 v1, v2, v3, or v4, and either does or
+// does not have the basic constraints extension. If it has the extension, it
+// either does or does not specify that it is a CA.
+//
+// To test cases where the trust anchor has a different version and/or does or
+// does not have the basic constraint extension, there are testcases where the
+// intermediate is trusted as an anchor and the verification is repeated.
+// (Loading a certificate with trust "CTu,," means that it is a trust anchor
+// for SSL. Loading a certificate with trust ",," means that it inherits its
+// trust.)
+//
+// There are also testcases for end-entities issued by a trusted X509v3 root
+// where the end-entities similarly cover the range of versions and basic
+// constraint extensions.
+//
+// Finally, there are testcases for self-signed certificates that, again, cover
+// the range of versions and basic constraint extensions.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function certFromFile(certName) {
+ return constructCertFromFile("test_cert_version/" + certName + ".pem");
+}
+
+function loadCertWithTrust(certName, trustString) {
+ addCertFromFile(
+ certdb,
+ "test_cert_version/" + certName + ".pem",
+ trustString
+ );
+}
+
+function checkEndEntity(cert, expectedResult) {
+ return checkCertErrorGeneric(
+ certdb,
+ cert,
+ expectedResult,
+ certificateUsageSSLServer
+ );
+}
+
+function checkIntermediate(cert, expectedResult) {
+ return checkCertErrorGeneric(
+ certdb,
+ cert,
+ expectedResult,
+ certificateUsageSSLCA
+ );
+}
+
+add_task(async function() {
+ loadCertWithTrust("ca", "CTu,,");
+
+ // Section for CAs lacking the basicConstraints extension entirely:
+ loadCertWithTrust("int-v1-noBC_ca", ",,");
+ await checkIntermediate(
+ certFromFile("int-v1-noBC_ca"),
+ MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v1-noBC"),
+ MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA
+ );
+ // A v1 certificate with no basicConstraints extension may issue certificates
+ // if it is a trust anchor.
+ loadCertWithTrust("int-v1-noBC_ca", "CTu,,");
+ await checkIntermediate(certFromFile("int-v1-noBC_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v1-noBC"), PRErrorCodeSuccess);
+
+ loadCertWithTrust("int-v2-noBC_ca", ",,");
+ await checkIntermediate(
+ certFromFile("int-v2-noBC_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v2-noBC"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ loadCertWithTrust("int-v2-noBC_ca", "CTu,,");
+ await checkIntermediate(
+ certFromFile("int-v2-noBC_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v2-noBC"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+
+ loadCertWithTrust("int-v3-noBC_ca", ",,");
+ await checkIntermediate(
+ certFromFile("int-v3-noBC_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v3-noBC"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ loadCertWithTrust("int-v3-noBC_ca", "CTu,,");
+ await checkIntermediate(
+ certFromFile("int-v3-noBC_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v3-noBC"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+
+ loadCertWithTrust("int-v4-noBC_ca", ",,");
+ await checkIntermediate(
+ certFromFile("int-v4-noBC_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v4-noBC"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ loadCertWithTrust("int-v4-noBC_ca", "CTu,,");
+ await checkIntermediate(
+ certFromFile("int-v4-noBC_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v4-noBC"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+
+ // Section for CAs with basicConstraints not specifying cA:
+ loadCertWithTrust("int-v1-BC-not-cA_ca", ",,");
+ await checkIntermediate(
+ certFromFile("int-v1-BC-not-cA_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v1-BC-not-cA"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ loadCertWithTrust("int-v1-BC-not-cA_ca", "CTu,,");
+ await checkIntermediate(
+ certFromFile("int-v1-BC-not-cA_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v1-BC-not-cA"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+
+ loadCertWithTrust("int-v2-BC-not-cA_ca", ",,");
+ await checkIntermediate(
+ certFromFile("int-v2-BC-not-cA_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v2-BC-not-cA"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ loadCertWithTrust("int-v2-BC-not-cA_ca", "CTu,,");
+ await checkIntermediate(
+ certFromFile("int-v2-BC-not-cA_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v2-BC-not-cA"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+
+ loadCertWithTrust("int-v3-BC-not-cA_ca", ",,");
+ await checkIntermediate(
+ certFromFile("int-v3-BC-not-cA_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v3-BC-not-cA"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ loadCertWithTrust("int-v3-BC-not-cA_ca", "CTu,,");
+ await checkIntermediate(
+ certFromFile("int-v3-BC-not-cA_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v3-BC-not-cA"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+
+ loadCertWithTrust("int-v4-BC-not-cA_ca", ",,");
+ await checkIntermediate(
+ certFromFile("int-v4-BC-not-cA_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v4-BC-not-cA"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ loadCertWithTrust("int-v4-BC-not-cA_ca", "CTu,,");
+ await checkIntermediate(
+ certFromFile("int-v4-BC-not-cA_ca"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+ await checkEndEntity(
+ certFromFile("ee_int-v4-BC-not-cA"),
+ SEC_ERROR_CA_CERT_INVALID
+ );
+
+ // Section for CAs with basicConstraints specifying cA:
+ loadCertWithTrust("int-v1-BC-cA_ca", ",,");
+ await checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess);
+ loadCertWithTrust("int-v1-BC-cA_ca", "CTu,,");
+ await checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess);
+
+ loadCertWithTrust("int-v2-BC-cA_ca", ",,");
+ await checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess);
+ loadCertWithTrust("int-v2-BC-cA_ca", "CTu,,");
+ await checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess);
+
+ loadCertWithTrust("int-v3-BC-cA_ca", ",,");
+ await checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess);
+ loadCertWithTrust("int-v3-BC-cA_ca", "CTu,,");
+ await checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess);
+
+ loadCertWithTrust("int-v4-BC-cA_ca", ",,");
+ await checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess);
+ loadCertWithTrust("int-v4-BC-cA_ca", "CTu,,");
+ await checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess);
+
+ // Section for end-entity certificates with various basicConstraints:
+ await checkEndEntity(certFromFile("ee-v1-noBC_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v2-noBC_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v3-noBC_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v4-noBC_ca"), PRErrorCodeSuccess);
+
+ await checkEndEntity(certFromFile("ee-v1-BC-not-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v2-BC-not-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v3-BC-not-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v4-BC-not-cA_ca"), PRErrorCodeSuccess);
+
+ await checkEndEntity(
+ certFromFile("ee-v1-BC-cA_ca"),
+ MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
+ );
+ await checkEndEntity(
+ certFromFile("ee-v2-BC-cA_ca"),
+ MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
+ );
+ await checkEndEntity(
+ certFromFile("ee-v3-BC-cA_ca"),
+ MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
+ );
+ await checkEndEntity(
+ certFromFile("ee-v4-BC-cA_ca"),
+ MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
+ );
+
+ // Section for self-signed certificates:
+ await checkEndEntity(certFromFile("ss-v1-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v2-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v3-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v4-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+
+ await checkEndEntity(
+ certFromFile("ss-v1-BC-not-cA"),
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ await checkEndEntity(
+ certFromFile("ss-v2-BC-not-cA"),
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ await checkEndEntity(
+ certFromFile("ss-v3-BC-not-cA"),
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ await checkEndEntity(
+ certFromFile("ss-v4-BC-not-cA"),
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+
+ await checkEndEntity(certFromFile("ss-v1-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v2-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v3-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v4-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ca.pem
new file mode 100644
index 0000000000..e640e32bbf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUR09v04QlrQMgLL9A9x5Lis3g49EwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAsGA1UdDwQEAwIBBjAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBYoi35Dp3gNfLJAi4Gk2GwxCie
+kk5hUcWiM7wAttc1NTH3PU7lzcnmkL4Fn0urD8DpYr17Fzd3LMvPTcvc/fHgl2R9
+uxXEvS38SCuAq8gfEraHy9m7w+J11SBA8PsnZqNJSDdGblAjNXbv3yeAIjI22+rE
++gUEd+62kObnUYoPC6tX/kq7uJU1h10jjoR1nYrghij6yRM5ozeqbl/AEam1YgnU
+RZWRSnsP5g2QDrpwlpOxAQZxpwW2KYk+Jr1uFROsbn/cUbMRLg8pwAw3DasmIJlS
+31oldY5nuSACsBWcJW1Cck5h2+PJqT9SfP9AqtPWF1BMUjC4xiCV0W3NVKLf
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ca.pem.certspec
new file mode 100644
index 0000000000..8689ef9ea1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem
new file mode 100644
index 0000000000..f5ba3ee376
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwDCCAagCFC+ZWtAQE8lVz0D4wb40yUfGwCkNMA0GCSqGSIb3DQEBCwUAMA0x
+CzAJBgNVBAMMAmNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa
+MBYxFDASBgNVBAMMC2VlLXYxLUJDLWNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxAwDjAMBgNVHRMEBTADAQH/
+MA0GCSqGSIb3DQEBCwUAA4IBAQAcgP1lvoA0169HURGT56n+WBBbjkGXuH5cmkhg
+BHZxU8AsonQl5T+IXRWNT/iyWVNlfvYTOZeWga5G42tvQxYsJ3nOg4Tg16b+Ny7p
++F9QFv/ggvVdiV9EF9ofy+0gY8Kp6h7sIfjqqjkRUquPkuFmsucYbpKHV66XB0z3
+VKHwZxBWkOgmHOeCuY8+7eVrhntDOuLD5SHwN/NPBQy0CLppN0T9rPJ8rMZ4BGsk
+NCakLrw2hISVBajKmcFtdEYPZ65PCuJI24ziDPhGlc2lTkjocf8Ixg4V881Lqy3x
+rWkR5qu1OoMM6oWzXw+0YunB8bRuP4/tBJDVpvu6xBqkgGKv
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..4570e6e3ff
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v1-BC-cA
+version:1
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..9815e5e13c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwTCCAakCFCXWLDfdUshis2BR2AOx1Wx0Pe4/MA0GCSqGSIb3DQEBCwUAMA0x
+CzAJBgNVBAMMAmNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa
+MBoxGDAWBgNVBAMMD2VlLXYxLUJDLW5vdC1jQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMNMAswCQYDVR0TBAIw
+ADANBgkqhkiG9w0BAQsFAAOCAQEAmOBNxj3ggsPlL425Fdsnlwg9xe+YGYrQ+qDx
+gXgQypAf9+A6PzJde3x0todPYShaItrpUkkqq+65y3PFQ5/Cx4JTSuLZowx1US3D
+TVCTr8zPkx44+pFsPpVo/H46ntgTdJzeGxy4CLwRuzfCwE7xDXu4RGWG6HJ0H4H0
+BQQQoY+PZwjQKzV8ac+mO7zXxEA9KG+J0whj89x6Ps31Oj5wsQb6mt5M1KzihzLe
+yJMc2J/d0xj0NN/mxjFyeu2gg5efJgByZgCs1oGImlvrV8mll6zNazGwIzAEjOv7
+qFlzeX8fnowEZkYjt655nzH6qV51D5Ml2KPanMUdwXwttsgJ9w==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..f4257841fe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v1-BC-not-cA
+version:1
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem
new file mode 100644
index 0000000000..276596cf8f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrTCCAZUCFDfaJVmc86Op+Njp91sQs3VibqnjMA0GCSqGSIb3DQEBCwUAMA0x
+CzAJBgNVBAMMAmNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa
+MBUxEzARBgNVBAMMCmVlLXYxLW5vQkMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9
+sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5
+TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7
+xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd
+tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l
+8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEB
+AKNZOtDY6VR1afUmrbxsYNmSlbJfDH1Wf1yW1mGlEaaAt+2jCwq4XQe+WydH+XNY
+1hF6qB8Dfv6BjHtz3mDlEurO8OQLzbEsCjoHTsC2k7xBX5AqjgLOd7VXTw+nkWpl
+KS16AGoFwWwJoRiqvRIN7QmrL4+VTy9qiMjW/xQZpJRjgclghsyD1ftuS8MO6CFA
+Xl8H10FX+iLrQ1vVZEpFvawJsaPqpP1Q/aaUbuVFOdl9FdO/AoYg9T4OoNMuVAri
+1EdM0PJ2fLuBZEfGu0Xzfx3DQMGTGY3b+rbXXsAvKDY7Lz2uH3QQ3dV8u/A/ziXR
+4CuNiCfPf9ln9nYZryvPhTo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..48fe9e5416
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-v1-noBC
+version:1
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem
new file mode 100644
index 0000000000..d0f8108576
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxTCCAa2gAwIBAQIUSfJg0GeqJHFEX50dYSwtSQ3bMKowDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFjEUMBIGA1UEAwwLZWUtdjItQkMtY0EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAA+oYLQRft2MQcjzbocFjcHuOtGLN2zd
+h/VRTr6kdHVUlTWGxPAlbbMQebdqxrkOs7z7AUdXND4ByKTtNEuQPr+wXwwXSTE3
+iYjViklkaO/90FwPXCY0cKPP3Wlr+dU//+ae8MHxUgITiz1pSaCxpn+aWNuT0YEh
+OyPHJp604kUXsaS/tnh9Gs+PcUnbzDdajbsCgKHoxtjMJWvYzr7AbHxmZdNJj5+s
+oayWjkj57NlX3fSRPLwcLoLanp7stBFXQuYdUdHBxPo4NJvCePu+qX9dKRfs8iOh
+QX/C7/hznhGYCmr+bwA5vDP2/hlaXVY3Y86QVtSxjfzAR8FipCk7Csw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..f714725d2b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v2-BC-cA
+version:2
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..70137183e2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAQIUDxDa2ifUgdQYpJ8MdfEeYRaJsdMwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowGjEYMBYGA1UEAwwPZWUtdjItQkMtbm90LWNBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNV
+HRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCddjVLxryXnecJPMqSm0jUBYLnM+AK
+Rq6/2mzN4RpEVWZp6GNnWYzmONMwJ6wtGVgARfg0FuBONBzNtHxpdLcbia6wajf0
+/A9FZ2IA6TmEDt9iBQQYphczJquzzrPU1ST472ueH9ugSWm6CV2a8tWZTqpADewy
+waivrK76PCatnMHWZy+h0QlMStf5j9mvEXydnDVZtyqH28THAHOfTyseEBdkl+VI
+rJ/mnuK6toyJRJOEajDPfhJveAu8Xc139qWrC79P9Tp82eqNLZxfIEBh20eNYxSk
+PFkDwGE+pmEQEpGuIrFBR/e2vZTQJ6OTNhWxG8JriY58UlIQ1kACWw7y
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..db72288814
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v2-BC-not-cA
+version:2
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem
new file mode 100644
index 0000000000..f2c644ce6f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsjCCAZqgAwIBAQIUXbeigSj410bH6jRhgrqYja0GpzowDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFTETMBEGA1UEAwwKZWUtdjItbm9CQzCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsF
+AAOCAQEAuDsqRa2nVMQ97V4Tf2WevBu+k7ZhcIaW68a5tlKLEKhx6/eGSSGeij4m
+OeBOyFOr885Y/Kkhd+aHEefJV61HcgHYNDkRAcEFg6WRDwoto3u06wlqDt4hWr5x
+I/gRPudZ702Mw4trcwXljvm8lKYOL1O79Ic9kbqpCoIdFRbf2n+mMwqf/z17Lis/
+TSQTmYwO4lMDqv2XJ4a+DAyCItLvlAUsWukWEyHY9RUaKS+flqwLB6w5nkM8enI0
+oiqxEeSgn0DwnSEyLzb8bjybErM+qnDjmRPXN/w9lkpzs6LhhP+YY1eUhlw7JRJO
+EHESM9OVGl3i60Ed9U2vNPgwqciqbw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..cc304ab87e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-v2-noBC
+version:2
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem
new file mode 100644
index 0000000000..8b9056a167
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxTCCAa2gAwIBAgIUc98+jTM4qNvfdiHHTt3xeTnklo0wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFjEUMBIGA1UEAwwLZWUtdjMtQkMtY0EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGPnZLZtuRfQew8WQGlkkLGRBVLTqudE
+eGIVRcAMToZ8clV5nFTRJd8TDPJtEnJq7JuVzKXwYyibfd1jGixewFSs1NVZqshN
+Twx+FSQCoWNTrH1g09hhJDKDYZAIl940Jfp3tI9dmLDAT6eJK7MtfocJcnfJT++X
+6OXE9CzwA+jNoqEhPXjmPa41SMpAgr0lLviONqy0sUjUy6Wwd/Awi3BsV7pgkInb
+59hTTWaxwsIVXr8d5uXvxNvXiTFRmxAsF4EgF/OR413gel2cR8ERy4GLp7y044AE
+7NaFQoeto9yW3IpYr3fvmyYbMLPXdQcv7OPvolLgN9756qU73BaYhwA=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..6f69c35743
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v3-BC-cA
+version:3
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..c909ceae66
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAgIUZbMh4u0fW5ML6yh8z8pbXjOe1VEwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowGjEYMBYGA1UEAwwPZWUtdjMtQkMtbm90LWNBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNV
+HRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCYkQCEZnA8CNk3m3GRWOmmfSHggAEg
+DPhdb/lD5HPuwk7mZvlmVWuLzL7KkbNe71lGcDxH9/az8loi/3F+qPtTAQm0dIv6
++PMeJ9M81FrrL9QOlt1g6oD2H3CpeBmPXTZhw8BrY8G5vOazqng8BHv5HhDu64U2
+tG0uCynb/9DP0JyZykV9l8r8c4Tsz2xFAMfbowricN3kNoeV0WLY9NL7T3iBa22+
+mSVUVfVb6JgX59hkupfq6ykSWy90aHpHvOYGvnxAp+r31ddwGAix9FyebSNNQn80
+YfMR6qlPWwTqe5nVGqEdQ4fTg+qC93OqWtcDJrXshB3j415ubudwKN59
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..4a9de06358
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v3-BC-not-cA
+version:3
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem
new file mode 100644
index 0000000000..b5c0319790
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsjCCAZqgAwIBAgIUAQDoVGw+r6lNT2b+jJm2+epsWHcwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFTETMBEGA1UEAwwKZWUtdjMtbm9CQzCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsF
+AAOCAQEAGpZrWuH+x+qgSsl+EtFBQ6dlKN1w481HZlxA9UEXLqcV4ePHpdu0gb2p
+nIlDxJDCIbPmsmh2NkiwrxtW+UO7Gee2qSJx+HzTbDU4Zf61AdzrSLy7UXeAa/Db
+HoVqGZ6SY7HRfUZSwHhNjUhxemp7b98HCQWn8lIvkcDrkXRpaQUWd1slyEA3VNem
+EXVbjybmuoO60Xka65CSSg3B8+UY/fhYONh6UvpyWLc5N+qoMEywqvSCB8vNPcmw
+fVr8AFzvWQ0XKT5YxUtPZvAcreC0lUZXIF41us5JVbx7eX9GU5/viguxOUTj5W4B
+jyLS9tyap1ysIq3sPPlXW7S1i1pmXA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..9d385900f0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-v3-noBC
+version:3
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem
new file mode 100644
index 0000000000..d780e80fcd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxTCCAa2gAwIBAwIUCd37312Tb5EZpix3723WyR6xMJUwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFjEUMBIGA1UEAwwLZWUtdjQtQkMtY0EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggEBALC4++IlQxFJcpwHvCdfQ7DjwM579Sn2
+/QRXYfA4UnHWzx5GCggoMPnyvI70hbYXNZvsOg4fkk/wY4vLYblGPYY3NRB51DAr
+2udwFlqnMhHLwzGntRWb7Fvnug0f9GCjD6+CI8sfamlTBg33JDT/LQUB0+7Pwih7
+6kxSr+D4TXxDZkCcn+imjA2y6t90jl09Gyaxj2fGya1Tz3O4F2dhUlhD+Z1VyGSO
+WeMCDMJq0HlHymc2C9NJa+l8mxP3ZhAhCkquz98l9iNi8feKET3Mor1QkZQrw4iX
+EztBsqyMP7TZJrzgzNVQgdM67gj670qOOlYDG0fftJkPhvwUtUzGJIQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..1f44c1dd27
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v4-BC-cA
+version:4
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..580730ead1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAwIUf14/9bHAT4wfeg67o/l7Z6hx1RIwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowGjEYMBYGA1UEAwwPZWUtdjQtQkMtbm90LWNBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNV
+HRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBa8RvfZI03C2soSzVOamYtjem/rQ9c
+sCUr5b/twKBFUxFWPPeM+zQbLjKwCVMKfhOrBddqxiWtBEXoeDgGN4Hz7dYtedQY
+yZXrBHFx8NTkP1hu7ZLH6/Wmq8pIY1clVkCW9BaN/VrooivYDVT9FAQ3Olmb7ndY
+WpG/HAJtvLI0IvFq4AzMXa0zJJFOzWd+zeYFkizdEIeWTd9blb70czeru3hf5NwO
+zxE4bsKgWXO9hRaJwdb6STlit2BVtx8mMOibJn852IZ0tECKRGlTLJSC2Pz2kk67
+dqRTLC4ys09cGT/wQbE9nBYqdRD46LeSYnxBLlPaJZ8tJ3p82VK8I+ob
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..e9659153e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v4-BC-not-cA
+version:4
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem
new file mode 100644
index 0000000000..685d2da6b6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsjCCAZqgAwIBAwIUaR0hFbbBz1XsN9CW31yoUhYk7k0wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFTETMBEGA1UEAwwKZWUtdjQtbm9CQzCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsF
+AAOCAQEAcWHh1vTXippkY8F4flCD4/4S7e6X0hr/WKPPpQGWKMDUyTBp5bvlSlJo
+CQnceIqJ7PW48tEhSv7XjCFYAtrJaN+I5ttP+RvhWk7CY8bZFH469PWMKiEZQrR7
+CJyk1LBX3zDRbRRweT8h0DuzqcHqFXE9J+DEfYue/Y0ZMlly3u9NAFiFj+etyrX7
+zm9cG3cc1AVbnQMC0tAyJnbepwj1QHDbxDGN1UBI9SlUW9FolPBJzgtNuLMiY/VX
+B8SfNGvTm5nvHGrL+tp0jp32ufCtwT/DGp4jasa4vG3gpD7l91SoIx3W0cKJuclB
+/dTVAfLtVNFvJWV6J5FdrHiPzufHNw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..19229ba766
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-v4-noBC
+version:4
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem
new file mode 100644
index 0000000000..e7c3b79420
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtDCCAZygAwIBAgIUVWOyeMgSib4O1LKG1AJMZEOfA5EwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMaW50LXYxLUJDLWNBMCIYDzIwMjExMTI3MDAwMDAwWhgP
+MjAyNDAyMDUwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB
+CwUAA4IBAQBhWnPGcosA9XFiil1ODUfKcRa6J5Pp3R/n/tdp7XZFauH6q512f4wy
+23L0zJhhov7dJdnI+spAuXcsKR9rDFYximIGUSjYPoJmGTdemTW60ddF3DjLYZvf
+BJJQyZMn1zvlJE73G24vZK1FNP0u0zRQvKVPt3/OFwE906AysPk8waodm0fMjCgu
+rRWcX0HJcnYj+LCic8/hiNypu/z4eES136pkpzegh08fOS9NmTERXovIMOEGKLzq
+2nGX4qR/q78kbM1T79Qv0RAqz/BWTrrf3HOwtguQ4LqM8wRN4xeyEqfvzw2I5tSt
+pGJtVfIXSwWoC7oVw1rgRdPOmzVyXMI2
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem.certspec
new file mode 100644
index 0000000000..6a7dc5c436
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v1-BC-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem
new file mode 100644
index 0000000000..41206cae7b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuDCCAaCgAwIBAgIUQxRBwJhxMEAFMa7BzkaZKbkhuoQwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQaW50LXYxLUJDLW5vdC1jQTAiGA8yMDIxMTEyNzAwMDAw
+MFoYDzIwMjQwMjA1MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG
+9w0BAQsFAAOCAQEAVNqzFe5ctks0XWw8TEF8pasaXlMvpB8KTAJAr2Qamo3eyS+r
+Sj9di81UA6ty83yKcUQgxaAcE+1K39vynS2/uMdOycbOLrfA/bEDqtTYxL86LvRS
+5nzbk1gfq2HfMt5Y1EpRAJ+loOKynLGnuJ07Q62unUtMf5G9BXKbkQ90s4tAhVh5
+EWTdV8Yj9loI1TqkjXMFGUAMhMh/dSvdbQib1z0ikJtGHmeIwbs6sZzLt+9IHABj
+xFBgjrveLBD5vKvGmno3BN3lqzlU+KaQ8HJmYRX1VP1sancFbGFWWhdJpcBPVRkV
+0uiOvCLHBfGA6TN1XhRwgMwSUr+1Qh36sov0jQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..639f83d660
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v1-BC-not-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem
new file mode 100644
index 0000000000..31f154b29b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUSZxrSB1ASCb/9OLKTfbXvWhu8oMwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLaW50LXYxLW5vQkMwIhgPMjAyMTExMjcwMDAwMDBaGA8y
+MDI0MDIwNTAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAF2GVw1iaU9gHhCPgZVZlAOb6O5k507/xrT2SdYiRkFQaHfH9iL2l5aL
+tQ+gQNH4BY3fUyxIR0wOKR2WUiBKBFPzvgZYzdajTzd1Cwy8F4v4hvCkx8T9dY16
+UE0TRSM7M2D+UpelJ/c8k2EzbBdeeNs1LR1XEGqVFUoTb0voFVgPb4ZnpSw+36wc
+v2kZaZjxPJOkoNcif3kuGbp0RVZW9zG0LVfgsZTyfczWmMdpdVCXVdXe4cJ1wAxy
+kQUGPMjv6xUXMcawgOLvT7JmX+9hQFkqidP2oR7eU8bGX8Kc9mFtJEG3I+xmcig6
+TbgPEBsnRfM8KxHcZpnxeKsRAP3msoo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem.certspec
new file mode 100644
index 0000000000..d704f3086d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v1-noBC
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem
new file mode 100644
index 0000000000..3948a89f26
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtDCCAZygAwIBAgIUU/Jvq3MSz1uQv7XntCtIuprX+bMwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMaW50LXYyLUJDLWNBMCIYDzIwMjExMTI3MDAwMDAwWhgP
+MjAyNDAyMDUwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB
+CwUAA4IBAQBFv3t9QETpW/vJYCDwA6xAUS3h68J+0pwHhq/dVsart/cgsC8LzHhG
+bOJUKseHitl0gHjHiH50dkuzKzjH2bfrG8a+t3J46WnmxDEJP09viwRZYyxufSzt
+eX4+P+Z83ByRdqoIPFzd5ytWRo97oyZemNz3a3pU7bsbytYq2nIjCOAVAWxnIS2Z
+LPaQhEaQTeZ8hkHOlgQzAWAo5ncgVtmlgy4B6ObxDrHMMRG76rG96enCkrtxmqTm
+CjNyMC0Kim0q5rli6V7CV5hyF4V8/k+0uAeYFPboTHXOC7qY/1Kuer7BMejwEYOh
+uaYfipGohEbIYJGPgqf7wVFsZH+rsECZ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem.certspec
new file mode 100644
index 0000000000..5d3a65e650
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v2-BC-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem
new file mode 100644
index 0000000000..b8161aa201
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuDCCAaCgAwIBAgIUQ0aSCvyN3w9lBlcjtfY7MI+9znEwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQaW50LXYyLUJDLW5vdC1jQTAiGA8yMDIxMTEyNzAwMDAw
+MFoYDzIwMjQwMjA1MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG
+9w0BAQsFAAOCAQEAPFTPXlcnxZn3v2lA4XKkBMjgz6ofD2k3Q+9CBIPAQ8adsr2U
+k6J5bDHr0hZs3OTSjm4MvnkDPUXnz0TEaCkGPaMDJSm5Pc+QNz8mtFZ3LCU7kaXk
+eye/mgUyA6kzp9m+beI2bPFgs6yfNF1hJwmFLprfr8tAfhSRdG0Be1n2ZlxD5+JK
+m2VRUXuWfZk9zG2XEVH7aiIsdvsvP2LvisfpPVWG1UaMv+RytnGT3bwHB1qaTeEz
+QUriOWNRevenmHzRBAsepSUlNvejPrGh8kiGaQXA2TVUHMFxhn3nrG081cZnlBpB
+8MJmJXvgAciIbuOwA3EofUzjIgvRCbl6YoGIhw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..591a16aca0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v2-BC-not-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem
new file mode 100644
index 0000000000..e1f66e9e51
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUX0FaQnSAZBS9om1VZNfOrAUkAe0wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLaW50LXYyLW5vQkMwIhgPMjAyMTExMjcwMDAwMDBaGA8y
+MDI0MDIwNTAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAKwAvSfgc83j7dwYrrblbKrMEi/+XVeMuFNHnBh2HYvSInBbRA4Opflg
+EgGkh8X3X6cHemjTzNRqQAI1dsODNRgjigY1KJ3voiRWdasd4em/qBHtUr8yL3H2
+E8AAQKtHNzDimP5bYcf4ABibTVw9n6fRsmsP9WsQPafiyBOfqpu95ZBrc5xSCi/I
+z7QEO90pPoBmvmb0vDQnAZ2qrqXXRmMes+wDceWTQRz4aHErlmriyCbqI8jsFqDg
+IcuydsUzZXUxa9Jw2LAUEQ4uNnNXycOZrZYG3Y6EW9AmwkTT5mHGWdBlVVUfgPyy
+T7tC1iWYC10v6b2QqW6E5AlRjEMMa74=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem.certspec
new file mode 100644
index 0000000000..7f99393cf2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v2-noBC
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem
new file mode 100644
index 0000000000..6c037d9e29
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtDCCAZygAwIBAgIUZ4+j89wGn7o9vFoh7xjDTNgsTikwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMaW50LXYzLUJDLWNBMCIYDzIwMjExMTI3MDAwMDAwWhgP
+MjAyNDAyMDUwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB
+CwUAA4IBAQANK4s2ijXn8xh45oXq0QjgiWMF1QnA6egTC7uKlDk1BYHtW+hztq4i
+71dkmot4SOL6Qf7ar3HSmRl8HzFfD0uasf8uobH5zFfn9wImjs2k0ZFMl9rc2NVj
+adNi0fqZ6x6sAN49QAZzkwx9nwnUj7larBg7F0KYNEpQ3li44l7W9ZYR6A39pCmJ
+QSUOJLH2OZEelAn/Ys8gQBz6od6Csa3sYYZGxvzfe3XEsGGFKktZjJzlwrZq0wqn
+1hPXy9cj5LbwB28F1OuO9Xwqt2pNdNI6oMW0N/SnGL9bcJs6zH0HFO4o6oRtNUFn
+4uaz1Oxe4NjHmU1p3UEXwzuUs2eAOl9H
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem.certspec
new file mode 100644
index 0000000000..13af934f29
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v3-BC-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem
new file mode 100644
index 0000000000..386d5a0b6a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuDCCAaCgAwIBAgIUM0bo32+v9wg+ySb7JNgS9bNERjQwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQaW50LXYzLUJDLW5vdC1jQTAiGA8yMDIxMTEyNzAwMDAw
+MFoYDzIwMjQwMjA1MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG
+9w0BAQsFAAOCAQEAoZ1c9YGZvP5LfhC/PkgXr+ASbbfXpAs2ku/vLcVCx83/tf4H
+suQhyjyIJxwh73C4MvJLwhjhRN7wTbsGjcQdmFRsR4bFnFPSmtXbbkG9ZETo/fdX
+dRp8tOS73ZoqFNaO5f+9+CWFcMIE2WznMVruBXK3AfNZ2pxmT6hvYngpvoulHaab
+kTsAZhtGIlKZ50UgTfW9xo7vEREgFXU5aRptA20zjHC/jlzlrYA5FJNnT8Kb3h2d
+yVtan28mbtC8Chaytfhg/olwNyXmlugid1wZ1MyKq2aRXE4phvubhHhfVE19EQ7x
+0KAx2S5LmSIM6kPVX2A87G8asDPRIdE8JGq/OQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..8539715a03
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v3-BC-not-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem
new file mode 100644
index 0000000000..e9a5dbc060
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUYwcJlTtvWVYPYl8zRS5OIB6KHyMwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLaW50LXYzLW5vQkMwIhgPMjAyMTExMjcwMDAwMDBaGA8y
+MDI0MDIwNTAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAAZLo88i5xTVqbh2Q0eIlYQ3U/2wiCEt31iTlWIBegfemPs47yZszm6Z
+H/TEl6pw4sBBUmRRD8R/kFwqruJ3I83m83XgVv8wV6rxgQy+l/7vgS+9aRzwJ4rE
+I+jsYxtrCab/rQB+1ExmLfLM+SlyBu+pwyrJrhMCxfQ3YXftWdJ/OnuHF7HOQSgO
+N9mskwjAiJLgZkW4ncsJ9yqlmCMSCL954P+gZP+a7vh7t52/+Ye3QgqrzdW4njGw
+RTVXZv9WT0nutkzz2UN1LXe2YPACVC15Z2jAx0NE+soF/cv7+ABLbNi3cJ4xT2ub
+NJpF2DU/rhqYqRCNXKthPm+/HgxuygA=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem.certspec
new file mode 100644
index 0000000000..a65e41cea5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v3-noBC
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem
new file mode 100644
index 0000000000..68597d3617
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtDCCAZygAwIBAgIUJQnuCvzn6Cptf7mbf5euO8tqA6QwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMaW50LXY0LUJDLWNBMCIYDzIwMjExMTI3MDAwMDAwWhgP
+MjAyNDAyMDUwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB
+CwUAA4IBAQA2iunDwwbF7DjKjXfY8TagUVcuYRlM0aR0NOWDJht7HGQ165jGvlbD
+tGFiV8LCttQ7mHIkM5petJQOijZ/WOE+TBOPdwOlGKI7LK64Dx0jD+STXeR8funZ
+C9oxou7BQTguKsDL8e+Vx3CiduJ//82yCvoiSOWKZNt2/XzMJVkXe2zwqjWJ1mZy
+eFM1R+HhmeTiElWHylyNmZu1rMQEvM8cRVT9T07BkUwe/Q1YNC2pssg8zWvsXlJe
+uyEKxd+rtbxXfZ2Ca5K6zoc03Da92DF/ZYeA1rr2jLfWlekcUUWyytQ1tvFpXX28
+wB9+G2j4ghLch847KX6jFvLloB4XAUsZ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem.certspec
new file mode 100644
index 0000000000..35a3a9ff36
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v4-BC-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem
new file mode 100644
index 0000000000..6459172a25
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuDCCAaCgAwIBAgIUP4CbTDW2dlD720iPom3sJdQk4i4wDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQaW50LXY0LUJDLW5vdC1jQTAiGA8yMDIxMTEyNzAwMDAw
+MFoYDzIwMjQwMjA1MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG
+9w0BAQsFAAOCAQEAADRGeHq/tJLPiJSuPdGLKRV06gwvSqynXeTGxuLouD37GAf0
+IH0JKP6zMKAo06am7YJxThwQSj+cdyEmR5fPcZXeJW25s05YP+CyY76J8Zevxu7I
+1E/lEPg9D0xOiwbN4LtlK8UXCCgkVJEkqqtcxaa2QNvUsdu9C4tpGz9NdYbfSFtu
+ItcfOH0mX0JqSwnYjaYys8FuP2xCTvCIY0iqUw3bJw8X5kvUrC/tOURl/vvAo5JE
+x/qqoJCZi8zYkF6FQ2ore2XH4WrovFRr0QHEO6iSPJwFFuBmHLBSZN+Qcb6lf0AY
+Im7gb1hJdEOqnICcEgwqRslVm6WduwjbrzQ9Nw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..7627d3a8a2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v4-BC-not-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem
new file mode 100644
index 0000000000..e7ca4d52cb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUMQUX3zZT021FdxR9n54rCz06Yq8wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLaW50LXY0LW5vQkMwIhgPMjAyMTExMjcwMDAwMDBaGA8y
+MDI0MDIwNTAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAC4Z3DsSJU8p7V/8G++ImlrraGiZgr1ORJkDA3CpOkWkPftYlQoY+fvD
+1GoJs5kLnhrhhchOatRvWVR+/y6QZPV5SVNydDzPl+c7vVesxjnN2sQmekCt5olS
+GI/UnTCFUNUA1Tdsi8rYN9wHjJuhbq82+1kvxPBT69rJ7YxEvQYi9qiEj1/6k5n8
+QSMImyp4wvr2QXgO8PcfThZEq4f62jH/tqqkk4UhN839N+R5v7n12GcS+/OfArDT
+XNr2KxiSZoApP3gDrEU4HEcltszfkBxhc/fjvHLqJdJvVlbNeY4TJxXHOtCEuG1p
+hGLFa63QwhnIaYfHRn8G1Oy+H2SZepk=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem.certspec
new file mode 100644
index 0000000000..a780337539
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v4-noBC
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/generate.py b/security/manager/ssl/tests/unit/test_cert_version/generate.py
new file mode 100755
index 0000000000..2afaace3b9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/generate.py
@@ -0,0 +1,93 @@
+#!/usr/bin/env python
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# This file generates the certspec files for test_cert_version.js. The naming
+# convention for those files is generally of the form
+# "<subject-description>_<issuer-description>.pem.certspec". End-entity
+# certificates are generally called "ee". Intermediates are called
+# "int". The root CA is called "ca" and self-signed certificates are called
+# "ss".
+# In the case that the subject and issuer are the same, the redundant part is
+# not repeated.
+# If there is nothing particularly special about a certificate, it has no
+# description ("nothing particularly special" meaning the certificate is X509v3
+# and has or does not have the basic constraints extension as expected by where
+# it is in the hierarchy). Otherwise, the description includes its version and
+# details about the extension. If the extension is not present, the string
+# "noBC" is used. If it is present but the cA bit is not asserted, the string
+# "BC-not-cA" is used. If it is present with the cA bit asserted, the string
+# "BC-cA" is used.
+# For example, a v1 intermediate that does not have the extension that was
+# issued by the root CA has the name "int-v1-noBC_ca.pem.certspec".
+# A v4 end-entity that does have the extension but does not assert the cA bit
+# that was issued by the root CA has the name
+# "ee-v4-BC-not-cA_ca.pem.certspec".
+# An end-entity issued by a v3 intermediate with the extension that asserts the
+# cA bit has the name "ee_int-v3-BC-cA.pem.certspec".
+
+versions = {"v1": 1, "v2": 2, "v3": 3, "v4": 4}
+
+basicConstraintsTypes = {
+ "noBC": "",
+ "BC-not-cA": "extension:basicConstraints:,",
+ "BC-cA": "extension:basicConstraints:cA,",
+}
+
+
+def writeCertspec(issuer, subject, fields):
+ filename = "%s_%s.pem.certspec" % (subject, issuer)
+ if issuer == subject:
+ filename = "%s.pem.certspec" % subject
+ with open(filename, "w") as f:
+ f.write("issuer:%s\n" % issuer)
+ f.write("subject:%s\n" % subject)
+ for field in fields:
+ if len(field) > 0:
+ f.write("%s\n" % field)
+
+
+keyUsage = "extension:keyUsage:keyCertSign,cRLSign"
+basicConstraintsCA = "extension:basicConstraints:cA,"
+
+writeCertspec("ca", "ca", [keyUsage, basicConstraintsCA])
+
+for versionStr, versionVal in versions.iteritems():
+ # intermediates
+ versionText = "version:%s" % versionVal
+ for (
+ basicConstraintsType,
+ basicConstraintsExtension,
+ ) in basicConstraintsTypes.iteritems():
+ intermediateName = "int-%s-%s" % (versionStr, basicConstraintsType)
+ writeCertspec(
+ "ca", intermediateName, [keyUsage, versionText, basicConstraintsExtension]
+ )
+ writeCertspec(intermediateName, "ee", [])
+
+ # end-entities
+ versionText = "version:%s" % versionVal
+ for (
+ basicConstraintsType,
+ basicConstraintsExtension,
+ ) in basicConstraintsTypes.iteritems():
+ writeCertspec(
+ "ca",
+ "ee-%s-%s" % (versionStr, basicConstraintsType),
+ [versionText, basicConstraintsExtension],
+ )
+
+ # self-signed certificates
+ versionText = "version:%s" % versionVal
+ for (
+ basicConstraintsType,
+ basicConstraintsExtension,
+ ) in basicConstraintsTypes.iteritems():
+ selfSignedName = "ss-%s-%s" % (versionStr, basicConstraintsType)
+ writeCertspec(
+ selfSignedName, selfSignedName, [versionText, basicConstraintsExtension]
+ )
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem
new file mode 100644
index 0000000000..4713680eab
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbYCFE/Qhor9ec3ELTS4N1BGKhj1nEShMA0GCSqGSIb3DQEBCwUAMA0x
+CzAJBgNVBAMMAmNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa
+MBcxFTATBgNVBAMMDGludC12MS1CQy1jQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY
+H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk
+27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9
+0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM
+kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL
+L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswCwYDVR0PBAQDAgEG
+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJCQfexxdv7+4MqcTMOj
+1keHx0hdsqx6lvRPatw3YgAyuaT6ZPWLfFZk+LF5uK6CpkMY9v5Cq3x0Le42vQZH
+5ekERe6JA87bJuDgndHUAde7UKYb1JIdomBBISQjS1yP46asX2a9s7Tbaa6rLrRH
+CCvGI6Gk6KK8l9CMUuMqWb0TxoZosfhz+Wn+Jw/gthcZXjxc+cM2XRCUe6G+NNa1
+EtvEujaOBlzF+XMESgm9MSp3E4tc0uWHcp+K0sA2Cq1CtC/NULUS0RgdFKfE7sc4
+5a9MpamgJ/EiCOiwoNGVwd0CxJEforr8nsRBT5Wlbkla6Q4VjFlYjiqTJ1QSXoOr
+Spc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..77f3ae9147
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v1-BC-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:1
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..d566d59e30
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzzCCAbcCFDmurlX239tmJzMSwE2yWclnP/YTMA0GCSqGSIb3DQEBCwUAMA0x
+CzAJBgNVBAMMAmNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa
+MBsxGTAXBgNVBAMMEGludC12MS1CQy1ub3QtY0EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGjAYMAsGA1UdDwQE
+AwIBBjAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQA2sZIPc4usxnbGoqze
+dBE+p3d+XcbH9gMfNBbmUl6XfKf+RZFcZuE7Jml1Uv+6Jd+nZdJDJaYJMPzbRRn6
+E8lTi7Ml5dCkmyRVJfmjuaec3IegrNcInau7ApNCidM6wPfcd+P7b3doh1qYD7l2
+NYOdNGik4yFqDgYVH7RghAYGKmJ1yvejqB0ulfNCJCXz2e+jxbgvMVm176wDxhi4
+yCmwvRWRi9byXpMmI6PqC2za4aZL3Ztb7uqyoa/CYEJQVZtS8OtDmpjru4bq9wlV
+RGhgg2zygpRsmBGim9LVIgWZVDehvJ8fP8cFsndVEQ03OrQohq827x2SkKoWurzU
+x1Qp
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..2a366535b6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v1-BC-not-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:1
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem
new file mode 100644
index 0000000000..2d63a43993
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICvzCCAacCFFlMGtxn81zLZeWwYjryulK7jFX7MA0GCSqGSIb3DQEBCwUAMA0x
+CzAJBgNVBAMMAmNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa
+MBYxFDASBgNVBAMMC2ludC12MS1ub0JDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAQYw
+DQYJKoZIhvcNAQELBQADggEBABIkDbeDGKocP3t3H8pcicHy57lHkPUqzOV5Qz4k
+K1py+SKGY7dn08rfts6L5GsNB4euv7TXt4CJvUxZfyv6V87ZfP5hN0si3YwDaBRq
+WmHtOQuyoEu3Gjagq5rvnM32YVV+2luA2LH3uKRyD+WWyY8OKekxCnNGpgG5CH/t
+tKujd2VQPZ++74rzI4zFLDEohdPJ+V/zYWHFcIAIXbKFnaFXOiDdps3+Wjm83uLO
+t8103w1lFRl4si1ilr++cnZdWw7KGY5pSi+XM5f3X7O+tF01QTBTB4oYHpR7aLMr
+KSun8GxhvE5N/im6BHW7MlwWg7/dCBcWFdVvoahLtpbTtEM=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..63bf6ed737
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-v1-noBC
+extension:keyUsage:keyCertSign,cRLSign
+version:1
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem
new file mode 100644
index 0000000000..ab3de4239d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAQIUdRNyE5Q7FT2TnlhkA3MFGPl8kHMwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFzEVMBMGA1UEAwwMaW50LXYyLUJDLWNBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E
+BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAeTnN/gKQj4Ke
+OTTweVvVugkfTU9BKBrqNGwarLQCznA7RHo+FvVKLjoY3Q+baHcK4EtO0u6SG9p5
+wP77QcvAmf2Zr3cnU5thgEPhn6GD3hpxDTH1Ai1i+5Y+kD+0AoDyXcAoDYYSOL8J
+XoTDeWFlKwUchWcVqr6T23dQk1ugYX2jSvozQJ92uTdk3xFqj3glhPEY/KmsiGGd
+WX9CWt9df/sw2fkCHWDTx4Uwa4f6bnu0YL/rHV5F/J3iHM0PN++vtLifyEJmwWh9
+pkLR79Pvd7eQelrdt+vcnUbvT9L/KdlUptcO4FWtlPE+hfkQdlSL0M9Wo+bsJTeG
+CekrPZWLOw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..ca1bf67a7d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v2-BC-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:2
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..e18ee2c0cb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1DCCAbygAwIBAQIUZbO+K3eIJS/mMdcdqWTFhjTgZYswDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowGzEZMBcGA1UEAwwQaW50LXYyLUJDLW5vdC1jQTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCwYD
+VR0PBAQDAgEGMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAHPwO/Xglbd7
+0tOHcMV5fgQOIPY1qXyG3DM/dYNYJ1+Ma+2F09nZjaOtJpUeSNJReTD6TNWFuNbH
+pcDge8qlQImjjM1CN7TIgefwY1riWqryJniX9mL0oGaZsRMWH8Ad2e44vAbG9yRv
+2t933F9LC9MjEHMhrLCaY/DRtA3Hbao1l+ykAOl/Y8M7AVQmscsyw+BKtAv10lxR
+ktTz0ksevwxGIBgx6MTJRFreY3JbCraJBdkM4RjiKhmXhmEjQS2+TRWTp0do030N
+FO9ELuo59+DMCf8hZi33IlekAfda6qmtuIxBg4USLKhoF0KAa+KnIIVY3G17zO94
+VnA8/fR5uJ8=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..fc28ff150e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v2-BC-not-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:2
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem
new file mode 100644
index 0000000000..8ef8e505bf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxDCCAaygAwIBAQIUUQLaY8ipGIlTLB/nSbAqMeW6VScwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFjEUMBIGA1UEAwwLaW50LXYyLW5vQkMwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQE
+AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAioRpOtyrsMKsL6Hty1aZ71A8VK6rccVF
+87ONK3VlT2PqrT9QW4RnVpyBgghPNqFTup9i/5SmC8Onva8beyRFj0zXThw0R4dg
+jEssH8l0a/kHZL/WYhrgIEjddoyoghcNKEldlzTjystlwSF19vjaAjIuyMXkz6vB
+sxZPybLUsku/Vadr6q+IgVQfbAnnKi4nlmju4Y7qcBDHSMNRyiSQ+UvCLYRqBp4P
+eJmNQ6CIveosdZHN0GL5TA2wwLaZPeg2dSIMyZZkJ3wZ8f9rUo+K3djlhBlsNbb8
+tnXTtF+V0Cuw1K27sUDwcpzGkW3KZOyTNChnNGeTRuRvL8atnovoiQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..2d3fe59ffa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-v2-noBC
+extension:keyUsage:keyCertSign,cRLSign
+version:2
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem
new file mode 100644
index 0000000000..020f8c95a0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUI1ybSEPY2poauHkhPwser00Xp/MwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFzEVMBMGA1UEAwwMaW50LXYzLUJDLWNBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E
+BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAOGTAs8e845vz
+QlLoD0fleQQZ2MXLA+/OrpWyzsN5ACv3PMShQs7TBl+/xxAu8lt2AvGso5lFsV8b
+0URtUP/X+nSrrKDFDx9g6A47q4XNpWeDESAWxJzigH2JYszzg/YtEdTcf78cIIIF
+rLvoohH3zobR95yMXsfbs2JSvYH3vzWDZV+cz0FyaUXw16e2KS0MnmIwP+37t6xk
+sJQ5bCoWQhg2vuanikOUoqvr3aFgoLJ0HjArk5rDAi7fX8/JuAWc3cIJufHUTlXD
+Q9t8x8dbmGk02IcNDqyzpTzyht8vWEkx3NeA+xalUdC7Q7ERK5RfnTGZE61NCP2t
+Hc/W4GT9Jg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..56fcb21a03
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v3-BC-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:3
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..84a3cb5aa9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1DCCAbygAwIBAgIUD4qSXNFu/c46+734YKWQ34JSbYwwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowGzEZMBcGA1UEAwwQaW50LXYzLUJDLW5vdC1jQTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCwYD
+VR0PBAQDAgEGMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAGScr4E0l8ED
+DTvqNg3LofHZhzXbcjnIMCtF0Lsm+bgD/lcakGq36EHfRe5lzYkCUJNYZdzhoEPA
+vusoj+SxXvmvGf0a58yW6m3Qm1nwIS3g93AA5QakNeMAKNqwNubLK2LCeaI7BUzh
+Q8rMOwskLjPe9dTVFWQc+w8xFwM3okYQQbwtwm8xJ/246RTCsN0bNDX3+stMy9q9
+cIJe3Qn4Ts/1MRdk3h9xmpY3gxP7Z1pAoVGR4rkw90ZHQgyVKZeewEl3FSH2MUNA
+0pAwdNCudoSrsVzWyd5/B8cdLzbaZX5K3+6/O2b7EYSxcLTwSxbhFFrzBchdr7gW
+6h1ZkGIuZ54=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..a2def8d323
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v3-BC-not-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:3
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem
new file mode 100644
index 0000000000..95da1f083f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxDCCAaygAwIBAgIUI2KYUx6IdZc7V+QOkPrR6lb8mB0wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFjEUMBIGA1UEAwwLaW50LXYzLW5vQkMwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQE
+AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAaeXb3bAjhYr/PTWrfsPEbafwF60e9iMB
+SIvCE4EgFkk4jVmnSsQ3x9gipx1j+7M0xIMPSvkC/wdK9G1gdUVg64xjIUoBy38h
+YP9Mla/4vThWkkOt/0LDqtVio26R89GKR0v1tLwOfSBGJtZIpzZmZeGfYhFQDKc6
+MioBkNO/2QGABwyTtzRBhirgm3Sr39mLO1LiAeX/9kZ8kx+RQ+rhb5zxkwh1J5Fu
+c53sY4bfssi1PZTCiqv1TunBNfCnUexSsryFVpt66nUmTFpxAFTF4LB0o2nxesN0
+MB6t/FCjQB4ohAjsDZFuvay20i39QeOdn1giiq8WKxkJ/1gJEJoghQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..b336397ab6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-v3-noBC
+extension:keyUsage:keyCertSign,cRLSign
+version:3
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem
new file mode 100644
index 0000000000..3a70fcb59f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAwIUf4EySk0lSBQJqR+4lgqvertC0zYwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFzEVMBMGA1UEAwwMaW50LXY0LUJDLWNBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E
+BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAaZBJSMK66toq
+1l0vfxuY8w6uwbged4tuAEZPtl8hA2I/E70HwcaFpphKZGC5W1HeCrUsooZpRJPb
+UZntyARmXdaTD3tUi85VUX2LnZ4OjmfATAcEHZixItQSmRrXRQrDOk2hwADrLRD0
+aH8dR23aE+pbZSvPt8Oj/0M0PMeyfYLjPwacyspMKBOKB2psAISnRqiRJidprhuy
+XDmYPaCMzw+cB5nFK3w6UJagxR6n9p70BQXaj5vodHpAsYDKHNmJzoUTewQhDjvu
+8IZ7IwwIQCkzBYD1hzgyv3iwos1Fdruo3HlUG3QrTlKRJWTg+uy22mjz2LkQTASs
+GtMjAMQoXg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..12b94e63a5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v4-BC-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:4
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..258edfd30b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1DCCAbygAwIBAwIUaRagMmDSJscXn/t4Oc6wCFBRsAswDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowGzEZMBcGA1UEAwwQaW50LXY0LUJDLW5vdC1jQTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCwYD
+VR0PBAQDAgEGMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBALc+XVxkZhVz
+jUck7fZy1tMh8WoDXjeVEg1nLC/ZR7RSKyJrsvqiz3lVgI5PHKEJTdX4GGUIduaV
+cqF5NegfOEIxbz1e4TIETyr6+bZpSyEY9+yRZlXViXYu3RN/06D7iRs+GiCRalD6
+LqWGka40hU2RnfTJMQl5vdKYRsEkgKJdDcy9siqtyy+N0q99qrjdgmEp9frvFOeK
+n+Z2A0q2dd4SvNJMjBuWOSDkf7OWe8ikG9a6/LuqvKTLKbSGPcn3kBBRWa50fhXF
+VD7zNYCEenOUkKtSEuOLjfCXkclq5E+2x6xevQzLhaq+YEn9eWIB1lkUKlIKRctH
+mMxi6abwwmo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..43a04f70fd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v4-BC-not-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:4
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem
new file mode 100644
index 0000000000..eb04abd1ac
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxDCCAaygAwIBAwIUHQVqHNDgKUKfLlJSssV/DtzK7n8wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFjEUMBIGA1UEAwwLaW50LXY0LW5vQkMwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQE
+AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAOlKR1lHnYxbIL/rDMu7L9iOV/r1rz2X9
+hD5cIsB21vlgGyX2Mgp5FqnzqdEwspUDkK37R0rKQx1RSERbgFSoGomTmkcoGcxw
+eZu7uURGGkhHCUxGa58LgDsbsRTJ8z6M61fC9bax9rTTSNdmwMoQ6RVNTeTcPBC0
+FuzC0IkKpTSRlkZiRiGsGmOboDdyJepopFNBdiiF4TP6h6R1VuG36wxWkuVjpmo7
+EjQATtHKW3hA2OUeG7MZ3uXfA9LB6J0YLeQx6RAtxJz3l8h1H6FLQqjHzZdpaqlz
+TiZK2iVAFwysASY934d3960AVXf6w7sTcm+VATUJ6FeyZqv+MHLzrw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..4970d1e945
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-v4-noBC
+extension:keyUsage:keyCertSign,cRLSign
+version:4
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem
new file mode 100644
index 0000000000..26d1e24ab8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbECFEm03vqIwHzrulQ6ThsgNEQPGQ1pMA0GCSqGSIb3DQEBCwUAMBYx
+FDASBgNVBAMMC3NzLXYxLUJDLWNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBYxFDASBgNVBAMMC3NzLXYxLUJDLWNBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxAwDjAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCxarz9SPSE3MKd2HcoDsHx66Cj
+VpIgwPpGRCNoagkknbjSunYdIIi2NDnMHIzQBD0ldQWh6up2fdXGeVVyvKfs9Nt4
+c8oodt2JpOh8F3HHYeXy3xCr/5CA7t+MUamcMrE7xsZ36ozbVMKHR6FmgQ+J62ht
+onoprRvwvwh/Q9RFC+oG4hC+M+PzDH+XXVXJ9tVsuOEPElb27sQATNr/msGfwNV3
+ly2KUdrexprB03HC/WxrkW82vJEqWBx2AtQ5p1VpczAcKW6hxknIE3aW/T8BAk+u
+BrVWnL/Dm2WWMAiMYLdp0/yB0qCVwBLbWxr1pyzvvI71ht/rQ2cLuFaMaWGV
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem.certspec
new file mode 100644
index 0000000000..731396f034
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v1-BC-cA
+subject:ss-v1-BC-cA
+version:1
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem
new file mode 100644
index 0000000000..58e32058f1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbYCFB2XtG2qFhxdho3Q01DnHGTK3Mn4MA0GCSqGSIb3DQEBCwUAMBox
+GDAWBgNVBAMMD3NzLXYxLUJDLW5vdC1jQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIw
+MjQwMjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9zcy12MS1CQy1ub3QtY0EwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
+DTALMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAEfB+j9e5x5l1ucXYQwj
+bIB2mGM0OmgN7gWjknyMNO7G48cydDPSay6OgX7yulT3TPNE+/p447hOo5LOeUSx
+om+pLouQ6YejxgFzmfpNyOz3E2wJpLhMTis0S2z/YlyHQ+jKPawgH80pgPMcWdIJ
+X/yz4whWW5XyELYsMR/M3wAhRK1KWgdDruZ/TvDhUkKmZWb5R2Q9fp1hqj88E8vI
+0tW74SjrTVRO+N8r9SvaXxtzJgKl3lBKE54JUTaCCCgNZfDFw4qJNy46KkbX9nQF
+rBCc5W7Ol3UvFRXCXFgvKWjKZNIs4+hHtKze9BnTN6P7qojv//6YPILPvtxRLBQu
+OSE=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..20d716d494
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v1-BC-not-cA
+subject:ss-v1-BC-not-cA
+version:1
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem
new file mode 100644
index 0000000000..897b2929d9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtTCCAZ0CFCtTEqIZaepqohtlFuKdl2gKmSgLMA0GCSqGSIb3DQEBCwUAMBUx
+EzARBgNVBAMMCnNzLXYxLW5vQkMwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIw
+NTAwMDAwMFowFTETMBEGA1UEAwwKc3MtdjEtbm9CQzCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7
+wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp
+k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh
+eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW
+EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc
+JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B
+AQsFAAOCAQEAl3uPUlywKxXEyN2YufvSbOK1YUXV0U50+Y7ForOzz4fkGagQ3JnJ
+0kxPSyKBv49f+NKPWQXpTQI18vhJCAsuKu91h26iPVmNpIpur9c80J0MuB9h7d/N
+OvnjU+mOZERvNjiMREKmf/iXc9muxD8m768uXLx9fD/TlVnNSGg3EB01xGdIYUVb
+4OeiYdRveU7tTHRYQm+7fDpvz0bsushAC/IP+gMVKr9L0cOi9Sm8kXYofF6KE9OP
+uqZubzychgdd8NeDFiZV+gKuzrFo+KDfZXgv7uPLsLXJTPrF4oa8K0f2o/7eodzy
+dCqgcGAMiG8RY99fj/wkr53PTeoyjmH8JA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem.certspec
new file mode 100644
index 0000000000..58d2f0d7f5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ss-v1-noBC
+subject:ss-v1-noBC
+version:1
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem
new file mode 100644
index 0000000000..a9698fa84b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAQIUccKKmvoyz83s/BA7Se0cmdaDyA4wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLc3MtdjItQkMtY0EwIhgPMjAyMTExMjcwMDAwMDBaGA8y
+MDI0MDIwNTAwMDAwMFowFjEUMBIGA1UEAwwLc3MtdjItQkMtY0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAO
+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKCYVHe7DQRTQ8bGEkSf
+WFzWfcbVaijFx7fxDP7bSQ8odxLQ6HL9+qFY7YFAdlYNtzxnd1/7Lq91nmRn0yqV
+W7KVCLMld9OsXMtrGZoA8BQ7AeiaC+UHjpdvNNkPVm4rMqutTTXzEfhlJ6sIYUFg
+CTmRpBrAHZiQy0KoUAyu+mAEYgoZoBITapgj150ScwHYDrZZRMHQyBmWtS9Y/vkL
+4mlU1k2x3vGp1OzEZ7ha/W6UKGj11vKYNH0wTJ7CFFOMWOybLnr47GkGvqYpM4AX
+baIDecJcHu83EIVbVolkEhPyxGpdKd6ooSulOx4kqvOUfpa3qmtK8L1mG0GhtB8m
+8EY=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem.certspec
new file mode 100644
index 0000000000..8dbb3a65ad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v2-BC-cA
+subject:ss-v2-BC-cA
+version:2
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem
new file mode 100644
index 0000000000..3962a757d6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAQIUJfSgjF/arNqPCRg7D0Wxb4V09DEwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPc3MtdjItQkMtbm90LWNBMCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3NzLXYyLUJDLW5vdC1jQTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAEj9uU+SGjK3L
+BX2rRLlAmmY2gqpFPvVaPyxFlmqsLOnr/1LYzT5oWGP0TA57WLNv5KG1oJK+Jgcy
+8kzVQvV3y/nMjYLF+JmPiNwkhZgHtjLuEpymjGtmqPQ1xyPRHz9tJwpw06HTcSZB
+QgOY8gbAThJUyXS4/2ScOnSCyHXA/vOD2b11LPD+N3YWqsSg8DwMGoD2NoeoOlB/
+E3f7/oC4o/t17dRaivcruajM2BtAgG2hxWDXacNw1CuM19aCK2WFczP5bC20jwFT
+a0G++6UnUD9VtnuZqSpPAUy57sddBavoLAhBe/CqSCgRAsPdNxyg1xBrZ6+We3O3
+r7Lsq4PH4Q==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..2b8f4bcc55
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v2-BC-not-cA
+subject:ss-v2-BC-not-cA
+version:2
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem
new file mode 100644
index 0000000000..a8fa3cf4ee
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICujCCAaKgAwIBAQIUQdBy+4wdhpohAMac8EXVk4wUnPkwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKc3MtdjItbm9CQzAiGA8yMDIxMTEyNzAwMDAwMFoYDzIw
+MjQwMjA1MDAwMDAwWjAVMRMwEQYDVQQDDApzcy12Mi1ub0JDMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1
+aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we
+adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS
+pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W
+YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR
+CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqG
+SIb3DQEBCwUAA4IBAQCW9HCqtoNi0A4JKT5I/zdq3m5e7gBPXxA1ZKdN0mqkkrhS
+nqH+QvQmQrX/k53N/h3j/E/Dim9UYg26M+avN4/hfU/cx6AS5oHBHUwT4FVktktg
+Qi7LCVnEop0GfRh37F3ELH2CP4/dPQCtVv1SUzMyJluKxnxjSfMHZtdzysGrAmRR
+5cZKkaEBhqRPhfbhcb9zg6aE8Zkz/wJDERbQPNm64zUnvCok+Odzd9k1LiEeVcZ6
+f9BHkfij47T1v0thdmPFt7nEj7K2NslaTu1F9fvt8Km8d6RYYyb7LPROaW9vCvpa
+O8RjTqqO5WuhaTG8Dm5JKWdv7sI7Y5idy9BcJ5V/
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem.certspec
new file mode 100644
index 0000000000..7656115a84
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ss-v2-noBC
+subject:ss-v2-noBC
+version:2
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem
new file mode 100644
index 0000000000..a86689c286
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAgIUV3RPQ09ejjSXQuMvUHp+zUtwebkwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLc3MtdjMtQkMtY0EwIhgPMjAyMTExMjcwMDAwMDBaGA8y
+MDI0MDIwNTAwMDAwMFowFjEUMBIGA1UEAwwLc3MtdjMtQkMtY0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAO
+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJOBJL+9cOC3goHK5Koy
+QtMAovGwLK/6C79HM3rmAm/sKgc1fKNR6HKSN+dHT20n7DbNNLs0Yi0vxREqe77Q
+tc57OM99Qa4AHDKyKM7C/dLNjvhedDJUGQx9Z6BdmvnsplPJ0mLE0Q/Tfvv/ptDV
+frUiJtHAytpSQdIHex6pTn1duw9C6077MeOFWTFBhN46ofaWX7CJ/VFmo3cFe4w2
+81W2l4OY47KOMShPOulWegPoD7F5n7RLxCJmglgc3YqNKU0ZmjIbGd0pxBwA3hJ6
+RJYABAgFt4vWHiR681o92EdrvGxynQrt+rNua7vnbd15mpdlWhOzf2TpH6Eb1xQJ
+xh0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem.certspec
new file mode 100644
index 0000000000..df822e99b9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v3-BC-cA
+subject:ss-v3-BC-cA
+version:3
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem
new file mode 100644
index 0000000000..50cb38c511
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUe6vAs3LdMkG/SJQc7W2Z2nK0BhQwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPc3MtdjMtQkMtbm90LWNBMCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3NzLXYzLUJDLW5vdC1jQTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAucdyWJ2AEXtX
+Q39648iG6PVW1J3wcnGX8qzmgFATl6bJAnW4kvUIJPx7Giuwr5FXiU0+4iH1UjvF
+BorUywDb3H8R8PawAeNZK2pgbhy1aar1sAGINhJHq6ezyJzBHo/Kc6VHaHT2CHLa
+3++MB9afCWa5+mUKfXbwQErCoI66N+ft6CEFRMtEvgLdqNNjoXrtW8Nag0elXwCs
+dLBlErXmUnms8qXm4qnYu4bmw1fTbhpEmWYTZVEFpjcukKceOsK9g0HcuCzIKRTc
+XH09WTxYiic5b2czUkCFA7LLwlslk6wzUZ/7ZwzR/+g/m+09ov/LkSPaacFIoOn0
+zaDYXSF1aw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..0b2b575573
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v3-BC-not-cA
+subject:ss-v3-BC-not-cA
+version:3
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem
new file mode 100644
index 0000000000..088bb2090b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICujCCAaKgAwIBAgIUaVRk3sXNmaUjSjJv3jBL0P0UTWIwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKc3MtdjMtbm9CQzAiGA8yMDIxMTEyNzAwMDAwMFoYDzIw
+MjQwMjA1MDAwMDAwWjAVMRMwEQYDVQQDDApzcy12My1ub0JDMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1
+aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we
+adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS
+pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W
+YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR
+CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqG
+SIb3DQEBCwUAA4IBAQCyXkVIdklwHrjupe3kra+HJFuVX4YmH1aPmTmbZ6lcbjue
+4s3N4B6vMko1EpSLTkURaXptwIqTXepJW408wvq/I90AS41yFZdJWIqA4Ja660wo
+GPiAg2pXYrRkJF3EuHywZBnAwW2ofvHfrWorZILvDuJHzV5ATwZq3Ol/h+Y0A/5m
+tSD0nX3HsQzP12vJGe49MDcns/KZ/EjM2OYjES/0RaKO0RlsjcNwMRumDzONIQuy
+nK/fqLUb3Kr85TUszug43hYLxggthGtQPABoKe3SWZdcUw436BcVajALLooIvPL2
+hWOvLzNaoTe/s0hstVlQA+w4A7gXBJ/ObXEig8Ug
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem.certspec
new file mode 100644
index 0000000000..96314e51a7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ss-v3-noBC
+subject:ss-v3-noBC
+version:3
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem
new file mode 100644
index 0000000000..ac28f2a876
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAwIUKQWpRSl3Uj/ocXqC2oi769nb2qcwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLc3MtdjQtQkMtY0EwIhgPMjAyMTExMjcwMDAwMDBaGA8y
+MDI0MDIwNTAwMDAwMFowFjEUMBIGA1UEAwwLc3MtdjQtQkMtY0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAO
+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKlNt44BoIpzXgsZi0C7
+OIzkY4K3S7sa16Y+yyTlLNmUFSWd2LlFsecbqF5hsfQpGr4VGZ2qiRMMp/58SN6x
+ZcIooVxuoPzrgmAsi88+oIg8/3y44rMYXTzUDEtT8qdCj+ZPFDJ+kXCQJgZg073/
+7Ds6gZrssJ7522Srneba/UCqpULVh3L7GCirWi9l55fWARGDpzzqx6jQ0VgKX51M
+5h9F+xtqN1AauQwIszYR5Hayd31isphb3Xi+QHKkDu0hLeUIoYL+R3wrK3v66PsQ
+UN3vP5uFlPSTytFyxHxznq/XK7PQTKJtDEsw83w1Zf/eC/OQqhpp5CQRIqhp4uvc
+6fM=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem.certspec
new file mode 100644
index 0000000000..54269184ed
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v4-BC-cA
+subject:ss-v4-BC-cA
+version:4
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem
new file mode 100644
index 0000000000..513c923439
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAwIUIeyKT44j1c2KJk9pttBpbzR9ZSYwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPc3MtdjQtQkMtbm90LWNBMCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3NzLXY0LUJDLW5vdC1jQTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAmotdMTHJSzQd
+7qW3zeMmT8LJrfAcYBH6mG0akuU+qI6DJyhxPZ1+WAg/WaDA9RxIBPX2kiWf3M6P
+KPNlVQpenRuMVBpRGmkpdZVZzliM0Fy5GASUppXYwkUsXCDRD0bAOhvFR7c4JnSN
+9jcE6GBJ0uMg06+YU5iAAX9G2WraWzp7Pk+xjqP8mbwda1xeNzj17jQ+byH+uYD6
+06l4yVrc5tEhvaLNQ4kj6WfwH2McfH8QKmTcKc4Hrurpy1DoIvhiPUXgjWRh10mY
+hK2cyYKxOLkARC9rZyNC+Gs49QPNIvP8hx0bcBt2155KCyq+maY2z89V+4GDniCb
+cotpFITaQQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..3d65335316
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v4-BC-not-cA
+subject:ss-v4-BC-not-cA
+version:4
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem
new file mode 100644
index 0000000000..21c3e5ab41
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICujCCAaKgAwIBAwIUY9VIv+NEAO2/Qp7CbzKTT7ZFeIwwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKc3MtdjQtbm9CQzAiGA8yMDIxMTEyNzAwMDAwMFoYDzIw
+MjQwMjA1MDAwMDAwWjAVMRMwEQYDVQQDDApzcy12NC1ub0JDMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1
+aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we
+adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS
+pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W
+YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR
+CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqG
+SIb3DQEBCwUAA4IBAQC167h5gNohDcvc3rNzNfzoEVyRnF9dxUkqjJRoNZ+LG+SQ
+5zpkmFbbztbh+lto9oKNaLZre6ZKIVortL5zuKIaL7wl5D/V4sww/PDE7As8bWen
+GR5ayqzq1jtOdVS0rbE11phIrnRciT6poZ8OQjasD1PYU/vYn1p8n8bEKqFR5uzq
+g0nHMvGrVBPoe0fHYC1XIhIxFzJly0iDG2mObdgA4lusktAPBdXTbQElkQBuLVnE
+yoL1lqt1jDPaOBhptIMuJC1yOqQcdlFPHdqRAd2xTur/ZwVOGSD2K+a0fqIyfFDl
+hI+MT6xYiExzrkfQ+FV5wGQ95omzeVweeqhUCcbw
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem.certspec
new file mode 100644
index 0000000000..d02e04de51
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ss-v4-noBC
+subject:ss-v4-noBC
+version:4
diff --git a/security/manager/ssl/tests/unit/test_constructX509FromBase64.js b/security/manager/ssl/tests/unit/test_constructX509FromBase64.js
new file mode 100644
index 0000000000..7a4f3915af
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_constructX509FromBase64.js
@@ -0,0 +1,90 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Checks that ConstructX509FromBase64() accepts valid input and rejects invalid
+// input.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function excMessage(e) {
+ if (e.message) {
+ let msg = e.message;
+ if (e.data) {
+ msg = msg + ": " + e.data;
+ }
+ return msg;
+ }
+
+ return e.toString();
+}
+
+function testGood(data) {
+ try {
+ let cert = certDB.constructX509FromBase64(data.cert);
+ equal(
+ cert.commonName,
+ data.cn,
+ "Actual and expected commonName should match"
+ );
+ } catch (e) {
+ info(`Exception: ${excMessage(e)}`);
+ ok(false, `Should not have gotten an exception for "CN=${data.cn}"`);
+ }
+}
+
+function testBad(data) {
+ throws(
+ () => certDB.constructX509FromBase64(data.input),
+ data.result,
+ `Should get "${data.result}" for "${data.input}"`
+ );
+}
+
+function run_test() {
+ const badCases = [
+ // Wrong type or too short
+ { input: null, result: /NS_ERROR_ILLEGAL_VALUE/ },
+ { input: "", result: /NS_ERROR_ILLEGAL_VALUE/ },
+ { input: "=", result: /NS_ERROR_ILLEGAL_VALUE/ },
+ { input: "==", result: /NS_ERROR_ILLEGAL_VALUE/ },
+ // Not base64
+ { input: "forty-four dead stone lions", result: /NS_ERROR_ILLEGAL_VALUE/ },
+ // Not a cert
+ {
+ input: "Zm9ydHktZm91ciBkZWFkIHN0b25lIGxpb25z",
+ result: /NS_ERROR_FAILURE/,
+ },
+ ];
+
+ // Real certs with all three padding levels
+ const goodCases = [
+ {
+ cn: "A",
+ cert:
+ "MIHhMIGcAgEAMA0GCSqGSIb3DQEBBQUAMAwxCjAIBgNVBAMTAUEwHhcNMTEwMzIzMjMyNTE3WhcNMTEwNDIyMjMyNTE3WjAMMQowCAYDVQQDEwFBMEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxANFm7ZCfYNJViaDWTFuMClX3+9u18VFGiyLfM6xJrxir4QVtQC7VUC/WUGoBUs9COQIDAQABMA0GCSqGSIb3DQEBBQUAAzEAx2+gIwmuYjJO5SyabqIm4lB1MandHH1HQc0y0tUFshBOMESTzQRPSVwPn77a6R9t",
+ },
+ {
+ cn: "Bo",
+ cert:
+ "MIHjMIGeAgEAMA0GCSqGSIb3DQEBBQUAMA0xCzAJBgNVBAMTAkJvMB4XDTExMDMyMzIzMjYwMloXDTExMDQyMjIzMjYwMlowDTELMAkGA1UEAxMCQm8wTDANBgkqhkiG9w0BAQEFAAM7ADA4AjEA1FoSl9w9HqMqVgk2K0J3OTiRsgHeNsQdPUl6S82ME33gH+E56PcWZA3nse+fpS3NAgMBAAEwDQYJKoZIhvcNAQEFBQADMQAo/e3BvQAmygiATljQ68tWPoWcbMwa1xxAvpWTEc1LOvMqeDBinBUqbAbSmPhGWb4=",
+ },
+ {
+ cn: "Cid",
+ cert:
+ "MIHlMIGgAgEAMA0GCSqGSIb3DQEBBQUAMA4xDDAKBgNVBAMTA0NpZDAeFw0xMTAzMjMyMzI2MzJaFw0xMTA0MjIyMzI2MzJaMA4xDDAKBgNVBAMTA0NpZDBMMA0GCSqGSIb3DQEBAQUAAzsAMDgCMQDUUxlF5xKN+8KCSsR83sN+SRwJmZdliXsnBB7PU0OgbmOWN0u8yehRkmu39kN9tzcCAwEAATANBgkqhkiG9w0BAQUFAAMxAJ3UScNqRcjHFrNu4nuwRldZLJlVJvRYXp982V4/kYodQEGN4gJ+Qyj+HTsaXy5x/w==",
+ },
+ ];
+
+ for (let badCase of badCases) {
+ testBad(badCase);
+ }
+ for (let goodCase of goodCases) {
+ testGood(goodCase);
+ }
+}
diff --git a/security/manager/ssl/tests/unit/test_content_signing.js b/security/manager/ssl/tests/unit/test_content_signing.js
new file mode 100644
index 0000000000..7e96ea2df6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing.js
@@ -0,0 +1,431 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// These tests ensure content signatures are working correctly.
+
+const TEST_DATA_DIR = "test_content_signing/";
+
+const ONECRL_NAME = "oneCRL-signer.mozilla.org";
+const ABOUT_NEWTAB_NAME = "remotenewtab.content-signature.mozilla.org";
+var VERIFICATION_HISTOGRAM = Services.telemetry.getHistogramById(
+ "CONTENT_SIGNATURE_VERIFICATION_STATUS"
+);
+var ERROR_HISTOGRAM = Services.telemetry.getKeyedHistogramById(
+ "CONTENT_SIGNATURE_VERIFICATION_ERRORS"
+);
+
+function getSignatureVerifier() {
+ return Cc["@mozilla.org/security/contentsignatureverifier;1"].getService(
+ Ci.nsIContentSignatureVerifier
+ );
+}
+
+function getCertHash(name) {
+ let cert = constructCertFromFile(`test_content_signing/${name}.pem`);
+ return cert.sha256Fingerprint.replace(/:/g, "");
+}
+
+function loadChain(prefix, names) {
+ let chain = [];
+ for (let name of names) {
+ let filename = `${prefix}_${name}.pem`;
+ chain.push(readFile(do_get_file(filename)));
+ }
+ return chain;
+}
+
+function check_telemetry(expected_index, expected, expectedId) {
+ for (let i = 0; i < 10; i++) {
+ let expected_value = 0;
+ if (i == expected_index) {
+ expected_value = expected;
+ }
+ let errorSnapshot = ERROR_HISTOGRAM.snapshot();
+ for (let k in errorSnapshot) {
+ // We clear the histogram every time so there should be only this one
+ // category.
+ equal(k, expectedId);
+ equal(errorSnapshot[k].values[i] || 0, expected_value);
+ }
+ equal(
+ VERIFICATION_HISTOGRAM.snapshot().values[i] || 0,
+ expected_value,
+ "count " +
+ i +
+ ": " +
+ VERIFICATION_HISTOGRAM.snapshot().values[i] +
+ " expected " +
+ expected_value
+ );
+ }
+ VERIFICATION_HISTOGRAM.clear();
+ ERROR_HISTOGRAM.clear();
+}
+
+add_task(async function run_test() {
+ // set up some data
+ const DATA = readFile(do_get_file(TEST_DATA_DIR + "test.txt"));
+ const GOOD_SIGNATURE =
+ "p384ecdsa=" +
+ readFile(do_get_file(TEST_DATA_DIR + "test.txt.signature")).trim();
+
+ const BAD_SIGNATURE =
+ "p384ecdsa=WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2r" +
+ "UWM4GJke4pE8ecHiXoi-7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1G" +
+ "q25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L";
+
+ let remoteNewTabChain = loadChain(TEST_DATA_DIR + "content_signing", [
+ "remote_newtab_ee",
+ "int",
+ ]);
+
+ let oneCRLChain = loadChain(TEST_DATA_DIR + "content_signing", [
+ "onecrl_ee",
+ "int",
+ ]);
+
+ let oneCRLBadKeyChain = loadChain(TEST_DATA_DIR + "content_signing", [
+ "onecrl_wrong_key_ee",
+ "int",
+ ]);
+
+ let noSANChain = loadChain(TEST_DATA_DIR + "content_signing", [
+ "onecrl_no_SAN_ee",
+ "int",
+ ]);
+
+ let expiredOneCRLChain = loadChain(TEST_DATA_DIR + "content_signing", [
+ "onecrl_ee_expired",
+ "int",
+ ]);
+
+ let notValidYetOneCRLChain = loadChain(TEST_DATA_DIR + "content_signing", [
+ "onecrl_ee_not_valid_yet",
+ "int",
+ ]);
+
+ // Check signature verification works without throwing when using the wrong
+ // root
+ VERIFICATION_HISTOGRAM.clear();
+ let chain1 = oneCRLChain.join("\n");
+ let verifier = getSignatureVerifier();
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chain1,
+ ONECRL_NAME,
+ Ci.nsIContentSignatureVerifier.ContentSignatureProdRoot
+ )),
+ "using the wrong root, signatures should fail to verify but not throw."
+ );
+ // Check for generic chain building error.
+ check_telemetry(6, 1, getCertHash("content_signing_onecrl_ee"));
+
+ // Check good signatures from good certificates with the correct SAN
+ ok(
+ await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chain1,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ ),
+ "A OneCRL signature should verify with the OneCRL chain"
+ );
+ let chain2 = remoteNewTabChain.join("\n");
+ ok(
+ await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chain2,
+ ABOUT_NEWTAB_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ ),
+ "A newtab signature should verify with the newtab chain"
+ );
+ // Check for valid signature
+ check_telemetry(0, 2, getCertHash("content_signing_remote_newtab_ee"));
+
+ // Check a bad signature when a good chain is provided
+ chain1 = oneCRLChain.join("\n");
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ BAD_SIGNATURE,
+ chain1,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A bad signature should not verify"
+ );
+ // Check for invalid signature
+ check_telemetry(1, 1, getCertHash("content_signing_onecrl_ee"));
+
+ // Check a good signature from cert with good SAN but a different key than the
+ // one used to create the signature
+ let badKeyChain = oneCRLBadKeyChain.join("\n");
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ badKeyChain,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A signature should not verify if the signing key is wrong"
+ );
+ // Check for wrong key in cert.
+ check_telemetry(9, 1, getCertHash("content_signing_onecrl_wrong_key_ee"));
+
+ // Check a good signature from cert with good SAN but a different key than the
+ // one used to create the signature (this time, an RSA key)
+ let rsaKeyChain = oneCRLBadKeyChain.join("\n");
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ rsaKeyChain,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A signature should not verify if the signing key is wrong (RSA)"
+ );
+ // Check for wrong key in cert.
+ check_telemetry(9, 1, getCertHash("content_signing_onecrl_wrong_key_ee"));
+
+ // Check a good signature from cert with good SAN but with no path to root
+ let missingInt = [oneCRLChain[0], oneCRLChain[2]].join("\n");
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ missingInt,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A signature should not verify if the chain is incomplete (missing int)"
+ );
+ // Check for generic chain building error.
+ check_telemetry(6, 1, getCertHash("content_signing_onecrl_ee"));
+
+ // Check good signatures from good certificates with the wrong SANs
+ chain1 = oneCRLChain.join("\n");
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chain1,
+ ABOUT_NEWTAB_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A OneCRL signature should not verify if we require the newtab SAN"
+ );
+ // Check for invalid EE cert.
+ check_telemetry(7, 1, getCertHash("content_signing_onecrl_ee"));
+
+ chain2 = remoteNewTabChain.join("\n");
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chain2,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A newtab signature should not verify if we require the OneCRL SAN"
+ );
+ // Check for invalid EE cert.
+ check_telemetry(7, 1, getCertHash("content_signing_remote_newtab_ee"));
+
+ // Check good signatures with good chains with some other invalid names
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chain1,
+ "",
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A signature should not verify if the SANs do not match an empty name"
+ );
+ // Check for invalid EE cert.
+ check_telemetry(7, 1, getCertHash("content_signing_onecrl_ee"));
+
+ // Test expired certificate.
+ let chainExpired = expiredOneCRLChain.join("\n");
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chainExpired,
+ "",
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A signature should not verify if the signing certificate is expired"
+ );
+ // Check for expired cert.
+ check_telemetry(4, 1, getCertHash("content_signing_onecrl_ee_expired"));
+
+ // Test not valid yet certificate.
+ let chainNotValidYet = notValidYetOneCRLChain.join("\n");
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chainNotValidYet,
+ "",
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A signature should not verify if the signing certificate is not valid yet"
+ );
+ // Check for not yet valid cert.
+ check_telemetry(5, 1, getCertHash("content_signing_onecrl_ee_not_valid_yet"));
+
+ let relatedName = "subdomain." + ONECRL_NAME;
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chain1,
+ relatedName,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A signature should not verify if the SANs do not match a related name"
+ );
+
+ let randomName =
+ "\xb1\x9bU\x1c\xae\xaa3\x19H\xdb\xed\xa1\xa1\xe0\x81\xfb" +
+ "\xb2\x8f\x1cP\xe5\x8b\x9c\xc2s\xd3\x1f\x8e\xbbN";
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chain1,
+ randomName,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A signature should not verify if the SANs do not match a random name"
+ );
+
+ // check good signatures with chains that have strange or missing SANs
+ chain1 = noSANChain.join("\n");
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ chain1,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A signature should not verify if the SANs do not match a supplied name"
+ );
+
+ // Check malformed signature data
+ chain1 = oneCRLChain.join("\n");
+ let bad_signatures = [
+ // wrong length
+ "p384ecdsa=WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2rUWM4GJke4pE8ecHiXoi-" +
+ "7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1Gq25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L==",
+ // incorrectly encoded
+ "p384ecdsa='WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2rUWM4GJke4pE8ecHiXoi" +
+ "-7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1Gq25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L=",
+ // missing directive
+ "other_directive=WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2rUWM4GJke4pE8ec" +
+ "HiXoi-7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1Gq25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L",
+ // actually sha256 with RSA
+ "p384ecdsa=XS_jiQsS5qlzQyUKaA1nAnQn_OvxhvDfKybflB8Xe5gNH1wNmPGK1qN-jpeTfK" +
+ "6ob3l3gCTXrsMnOXMeht0kPP3wLfVgXbuuO135pQnsv0c-ltRMWLe56Cm4S4Z6E7WWKLPWaj" +
+ "jhAcG5dZxjffP9g7tuPP4lTUJztyc4d1z_zQZakEG7R0vN7P5_CaX9MiMzP4R7nC3H4Ba6yi" +
+ "yjlGvsZwJ_C5zDQzWWs95czUbMzbDScEZ_7AWnidw91jZn-fUK3xLb6m-Zb_b4GAqZ-vnXIf" +
+ "LpLB1Nzal42BQZn7i4rhAldYdcVvy7rOMlsTUb5Zz6vpVW9LCT9lMJ7Sq1xbU-0g==",
+ ];
+ for (let badSig of bad_signatures) {
+ await Assert.rejects(
+ verifier.asyncVerifyContentSignature(
+ DATA,
+ badSig,
+ chain1,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ ),
+ /NS_ERROR/,
+ `Bad or malformed signature "${badSig}" should be rejected`
+ );
+ }
+
+ // Check malformed and missing certificate chain data
+ let chainSuffix = [oneCRLChain[1], oneCRLChain[2]].join("\n");
+ let badChains = [
+ // no data
+ "",
+ // completely wrong data
+ "blah blah \n blah",
+ ];
+
+ let badSections = [
+ // data that looks like PEM but isn't
+ "-----BEGIN CERTIFICATE-----\nBSsPRlYp5+gaFMRIczwUzaioRfteCjr94xyz0g==\n",
+ // data that will start to parse but won't base64decode
+ "-----BEGIN CERTIFICATE-----\nnon-base64-stuff\n-----END CERTIFICATE-----",
+ // data with garbage outside of PEM sections
+ "this data is garbage\n-----BEGIN CERTIFICATE-----\nnon-base64-stuff\n" +
+ "-----END CERTIFICATE-----",
+ ];
+
+ for (let badSection of badSections) {
+ // ensure we test each bad section on its own...
+ badChains.push(badSection);
+ // ... and as part of a chain with good certificates
+ badChains.push(badSection + "\n" + chainSuffix);
+ }
+
+ for (let badChain of badChains) {
+ await Assert.rejects(
+ verifier.asyncVerifyContentSignature(
+ DATA,
+ GOOD_SIGNATURE,
+ badChain,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ ),
+ /NS_ERROR/,
+ `Bad chain data starting "${badChain.substring(0, 80)}" ` +
+ "should be rejected"
+ );
+ }
+
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA + "appended data",
+ GOOD_SIGNATURE,
+ chain1,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A good signature should not verify if the data is tampered with (append)"
+ );
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ "prefixed data" + DATA,
+ GOOD_SIGNATURE,
+ chain1,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A good signature should not verify if the data is tampered with (prefix)"
+ );
+ ok(
+ !(await verifier.asyncVerifyContentSignature(
+ DATA.replace(/e/g, "i"),
+ GOOD_SIGNATURE,
+ chain1,
+ ONECRL_NAME,
+ Ci.nsIX509CertDB.AppXPCShellRoot
+ )),
+ "A good signature should not verify if the data is tampered with (modify)"
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem
new file mode 100644
index 0000000000..d615eccf22
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIUNZb51bNpKyzQtWTCj5zrdME7cKYwDQYJKoZIhvcNAQEL
+BQAwKTEnMCUGA1UEAwweeHBjc2hlbGwgc2lnbmVkIGFwcHMgdGVzdCByb290MCIY
+DzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMBExDzANBgNVBAMMBmlu
+dC1DQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u
+togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6
+pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL
+KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq
+fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv
+Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za
+GAo17Y0CAwEAAaMlMCMwDAYDVR0TBAUwAwEB/zATBgNVHSUEDDAKBggrBgEFBQcD
+AzANBgkqhkiG9w0BAQsFAAOCAQEAefvKJnF/4qRY9sf/jYCPhWyngBx6JhWFJKiy
+IUHmejn9q/LUX3nskHXA4gAt+KF9hfk9Nx5naL5DaYOkvETawdrSw55Hvphi4MB2
+yHManuj+yplqr8rtDh8Tb2Wm/AeiBqKMTa4AFN9xPbKOrUAVgU+VsXlEIUmOzEI+
+E0HeeIoPCCa6vWPpwhKb4LUlVupe3toJHVbFSp2KcD4gCRsgK60lyqZBosAG8Sat
+Vk7XLPv152/jl7j+pYqnlwabF/LEyVSqegVvvr481kgX8RyEjiPx2wNYYqUF3CPG
+SE2lDXWy629KUGwTH9rUpayMqbfL5bQ9fSGA5vE9pT7vlbBaRg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem.certspec
new file mode 100644
index 0000000000..fc9dfd47ae
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:xpcshell signed apps test root
+subject:int-CA
+extension:basicConstraints:cA,
+extension:extKeyUsage:codeSigning
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem
new file mode 100644
index 0000000000..041fa0ebc1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIUfVErdg1uvVM/D2oapMLb9gSeabswDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBExDzANBgNVBAMMBmVlLVJTQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaM9MDswEwYDVR0lBAww
+CgYIKwYBBQUHAwMwJAYDVR0RBB0wG4IZb25lQ1JMLXNpZ25lci5tb3ppbGxhLm9y
+ZzANBgkqhkiG9w0BAQsFAAOCAQEAOLPmVQpsFu7rL6Tc6TUQdS1/wnBDZeO3Q8uq
+x7FSm7tyvrMwCx2pGGJATWIdH33amhRDe3fH5IB7dvFiQx0qDewROnE900ooOQCu
+dsjKDzYurpGmlpYsBHtdFz8tEVgN2CUzfFLRTrJK0wAio5OqbyuZQwb8QBl/HMyk
+aqG33hm/1t8gR7NLn4c03XtaK/xbBGC07aCijsWTj09UB5wgtB12p9Wt7IWrkh2B
+9omSirPYgCWaD0wWJP1d1PlheeNeOYweNbEncjQlH+ukYjMzzZ3IVm7zFN1kit/W
+M7enx5fdED/84092ZzuDheLYKaA63ysJhQvCCzOovWr0PuOnLg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem.certspec
new file mode 100644
index 0000000000..7b2a02bdaf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-CA
+subject:ee-RSA
+extension:extKeyUsage:codeSigning
+extension:subjectAlternativeName:oneCRL-signer.mozilla.org
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem
new file mode 100644
index 0000000000..6f15597b6a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICPzCCASegAwIBAgIUSRecknZ3alfumVeo6yV/3O5nvrswDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE
+oWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXbYI4lLeS3Ey2ozpjoMVNOapwMCwnI
+1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2pcQO+KIjP8ALwWvcaH93Mg3SqbqnO
+oz0wOzATBgNVHSUEDDAKBggrBgEFBQcDAzAkBgNVHREEHTAbghlvbmVDUkwtc2ln
+bmVyLm1vemlsbGEub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQBElZXLzQGRPdygDJ33
+2LuNJiDU8lFXdDulPXcZAQjVXo5gy9XQfMtbTLzf07dpPuQntzJNbGuS4ypboEal
+ixi2jYZHy/Q3CCxFk8jWi18auKES+uRF6qI3PK9RsXXxm7Xt0vk9akYwmmnuAJl9
+eYTCNZ0VaXANvv5GjuFczMHF08XTW1j2x81s0epmblgagcaMIcaq5nKSNuFt/2j/
+hXtGzNfI1njHIT8X6Fp4QeGqQiSlW90WVPoDPxfUHh8VvE/9Y0fnnHcDwGICb7LH
+on1mz76mcXNwOgA+dBmHKS/5t7/PBT/F7+UuORfYdoFKrnc7npVYhQmH06ENKHMS
+9Bmv
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem.certspec
new file mode 100644
index 0000000000..ab22807b9e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-CA
+subject:ee
+subjectKey:secp384r1
+extension:extKeyUsage:codeSigning
+extension:subjectAlternativeName:oneCRL-signer.mozilla.org
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem
new file mode 100644
index 0000000000..ef22669f4d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICTjCCATagAwIBAgIUOQNrYQz01j0SirgoHMLKbtGL9RowDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMTMwMTAxMDAwMDAwWhgPMjAxNDAx
+MDEwMDAwMDBaMBwxGjAYBgNVBAMMEWVlLWludC1DQS1leHBpcmVkMHYwEAYHKoZI
+zj0CAQYFK4EEACIDYgAEoWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXbYI4lLeS3
+Ey2ozpjoMVNOapwMCwnI1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2pcQO+KIjP
+8ALwWvcaH93Mg3SqbqnOoz0wOzATBgNVHSUEDDAKBggrBgEFBQcDAzAkBgNVHREE
+HTAbghlvbmVDUkwtc2lnbmVyLm1vemlsbGEub3JnMA0GCSqGSIb3DQEBCwUAA4IB
+AQBZJPo4llgMe5588+BnRLnFguspIiwMWmTeqCfi8VQBx/tUwRiTizbU7J2Yh9bo
+yZEPKfPSP2o8J0eSUgvXdVOxU1fNRuocsVfXUlveq5x10ddjXBT9X4AY1mtR7HJw
+hl/7269N8b4itfrfvZmCBToJayjv0I2N84bqjpOnXJ/iB5YVdk8oZIJDXWi4SR3B
+E9IejwA1fikpt++RjpJSZ1BSNU7FfiyGGUonxHDoP/29znaOJnpAqaH5LVJCRkfN
+H12vePBbunZd+ay5r+mMJPaXR+V2sY8OaOfcrPSHQLa8Eb/EEhBuITMKkOucohjx
+zqvM6S2iOI9GbwHClybEHRO7
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem.certspec
new file mode 100644
index 0000000000..48fd9c8cc7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem.certspec
@@ -0,0 +1,6 @@
+issuer:int-CA
+subject:ee-int-CA-expired
+subjectKey:secp384r1
+validity:20130101-20140101
+extension:extKeyUsage:codeSigning
+extension:subjectAlternativeName:oneCRL-signer.mozilla.org
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem
new file mode 100644
index 0000000000..6cf5c6a312
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICVDCCATygAwIBAgIUbV+rBAfhGRv/bU22A92xneoAy3owDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwNTAwMTAxMDAwMDAwWhgPMjA1MTAx
+MDEwMDAwMDBaMCIxIDAeBgNVBAMMF2VlLWludC1DQS1ub3QteWV0LXZhbGlkMHYw
+EAYHKoZIzj0CAQYFK4EEACIDYgAEoWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXb
+YI4lLeS3Ey2ozpjoMVNOapwMCwnI1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2p
+cQO+KIjP8ALwWvcaH93Mg3SqbqnOoz0wOzATBgNVHSUEDDAKBggrBgEFBQcDAzAk
+BgNVHREEHTAbghlvbmVDUkwtc2lnbmVyLm1vemlsbGEub3JnMA0GCSqGSIb3DQEB
+CwUAA4IBAQAjXmLNn2kLa/FzNp7F3PqcSXuAO2jT31Y2g4pZnVqCDfMqplsl2ZFn
+oam3wyQnepm3q9DD4BOAW9JFYR3wqnl9cBRNHlSGyjGM4qBpuSD6WxAz7EdFcRO6
+fcA50245fAuB45UJeYJ58QvIBv7AwoBGnqAI7ZDN3eIGopZIL56jiH7vO9WyQPWj
+XZAWrXTG68rEf0RxXRtjUv9coFiuInT8+oyXB3NwK2EbaI5IeR+x3qIDEgNKk+t+
+PlE3NrtaAiK19p0s9RtQQilBKNmo+5irrUq/OD2H1aurDaAXpLTM5vLUpfyN3/qD
+HzuZujaUIeMsRiXsIRDNql1S+nq4oNRy
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem.certspec
new file mode 100644
index 0000000000..b2926dfc42
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem.certspec
@@ -0,0 +1,6 @@
+issuer:int-CA
+subject:ee-int-CA-not-yet-valid
+subjectKey:secp384r1
+validity:20500101-20510101
+extension:extKeyUsage:codeSigning
+extension:subjectAlternativeName:oneCRL-signer.mozilla.org
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem
new file mode 100644
index 0000000000..6c35f2f377
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICIDCCAQigAwIBAgIUI9ZQ+lOT4QPSefKaSaGvSm4BzikwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBQxEjAQBgNVBAMMCWVlLW5vLVNBTjB2MBAGByqGSM49AgEGBSuB
+BAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMtqM6Y6DFT
+TmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC8Fr3Gh/d
+zIN0qm6pzqMXMBUwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQAD
+ggEBABwtpcPoXa4bLLw8WCuLPMPm7RiWrj7ifWqeyNoQO+xIxIefZhFTxhs6yM0Y
+H+B2jSzrCmfslRaX0eZPQ3BOPPI0CCo4eZOlq7oNaltXCLP3NwPodLfxd8pGlOIK
+xpRB/+iyXu5bKHfG1v4XJ+g+yXPh8p0ykVJeH/hc/+kAhq4vey+0PB/KjIcpAsGo
+S7Yvbal7pSr0CQCxDB4mTWJeE1/FeTQpeFiIiCtvkEyLD+igxRlP5lbLOd6Lt5Oh
+BSJ6TnUdMajalOku3BufB5j4ynDBGNi9h935ZCOKWu3qgbFlIE1qZIJS+u7+2PTN
+vIlU3orErRSmuAlusdo6Z9YtxbQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem.certspec
new file mode 100644
index 0000000000..4a9b9a3ceb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-CA
+subject:ee-no-SAN
+subjectKey:secp384r1
+extension:extKeyUsage:codeSigning
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem
new file mode 100644
index 0000000000..d76f4501cb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICLDCCARSgAwIBAgIUV+E6VhJoKZrnCV22wV/aVW9aglwwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBcxFTATBgNVBAMMDGVlLXdyb25nLWtleTBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABE+/u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnS
+M0VsNsQRnQcG4A7tyNGTkNeZG3stB6ME6qBKpsCjPTA7MBMGA1UdJQQMMAoGCCsG
+AQUFBwMDMCQGA1UdEQQdMBuCGW9uZUNSTC1zaWduZXIubW96aWxsYS5vcmcwDQYJ
+KoZIhvcNAQELBQADggEBAFOgIZXl0sf1hEH0H5fqGPshlMemqjhFZKPBgLlWl+3W
+wSIcuBPw5GSDkoQOdAxE/iIsLfZoC0PfYdee+twANQ13MMbwP0NmR78qJKLPOO4b
+yWRiQFaIU6fTleU7wSD6tcDtIsKAfTDNF6EiC3czw3XuOiNh4r7A2EJ3GyGuUq7d
+YgpwA5I2s3VjG/2lhRKP06UH/YGCpBTio23NUyzS2NINPhTnrLjyY2IWIp9EiXXj
+d6QRQ8ytp6wU/rI3HAueWOWEQ6dDWR5hfe0Y/QDB0n9hEBgf+lUOtuqpTs/ZK0eM
+HPC6swGdKVnJ1DCcfyzMsDIvGZKUyj8v6E2E7x8AdLk=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem.certspec
new file mode 100644
index 0000000000..fbc8e603f4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-CA
+subject:ee-wrong-key
+subjectKey:secp256r1
+extension:extKeyUsage:codeSigning
+extension:subjectAlternativeName:oneCRL-signer.mozilla.org
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem
new file mode 100644
index 0000000000..b2e7d3cdbb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUDCCATigAwIBAgIUd9FOUg8KGZnunc6wzwp+21rSdVswDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE
+oWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXbYI4lLeS3Ey2ozpjoMVNOapwMCwnI
+1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2pcQO+KIjP8ALwWvcaH93Mg3SqbqnO
+o04wTDATBgNVHSUEDDAKBggrBgEFBQcDAzA1BgNVHREELjAsgipyZW1vdGVuZXd0
+YWIuY29udGVudC1zaWduYXR1cmUubW96aWxsYS5vcmcwDQYJKoZIhvcNAQELBQAD
+ggEBAJvuDgm64Fca8XKLPxCSaANEFXIQy3I0lvPqmRRFtkP8cNpgjaRQTNNwyRPL
+eI6VZv9IfecgjMNMcSbrdUPSmETA5M0kzH0lVBPsgzcv1EO6FFS+B9uwip52nKot
+HsWYhDIVKYFYLrFcBHS0qSaoPWUpRZ+igI0uBgzmSIBuZYLDbe0xcXzZmpdPnGYt
+pjRmTuNtJ8R/Qvbp37aTpN279AwhOP/uF+x3HdPgI4M1pQKjZ/Oxk9JHIeSafjG5
+58D1rGivjWYq6Yl1vwzBWwlPJvDAgADWCQR4wWjlXc0Hzn/393QRs3rvbkCFWZfi
+1GMOoGuxmHzb7VL+1Kf4igjHXcQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem.certspec
new file mode 100644
index 0000000000..81e1eefe1d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-CA
+subject:ee
+subjectKey:secp384r1
+extension:extKeyUsage:codeSigning
+extension:subjectAlternativeName:remotenewtab.content-signature.mozilla.org
diff --git a/security/manager/ssl/tests/unit/test_content_signing/pysign.py b/security/manager/ssl/tests/unit/test_content_signing/pysign.py
new file mode 100644
index 0000000000..23c6128aa2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/pysign.py
@@ -0,0 +1,36 @@
+#!/usr/bin/env python
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"""
+Create an ECDSA signature on the P-384 curve using the SHA-384 hash of data from
+stdin. The key used for the signature is the secp384r1Encoded key used in pykey
+and pycert.
+
+The certificates for the content signature tests make use of this program.
+You can use pysign.py like this:
+
+cat test.txt | python pysign.py > test.txt.signature
+"""
+
+import base64
+import binascii
+import hashlib
+import pathlib
+import six
+import sys
+
+import ecdsa
+
+# For pykey, find the relative file location and add it to path
+toolsDir = (pathlib.Path(__file__).parents[4] / "tools").resolve()
+sys.path.append(str(toolsDir))
+import pykey
+
+data = sys.stdin.buffer.read()
+
+key = pykey.ECCKey("secp384r1")
+sig = key.signRaw(b"Content-Signature:\00" + data, pykey.HASH_SHA384)
+print(str(base64.b64encode(sig)).replace("+", "-").replace("/", "_"))
diff --git a/security/manager/ssl/tests/unit/test_content_signing/test.txt b/security/manager/ssl/tests/unit/test_content_signing/test.txt
new file mode 100644
index 0000000000..2daac1cb00
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/test.txt
@@ -0,0 +1 @@
+This is a test file to test content-signature verification with a PKI.
diff --git a/security/manager/ssl/tests/unit/test_content_signing/test.txt.signature b/security/manager/ssl/tests/unit/test_content_signing/test.txt.signature
new file mode 100644
index 0000000000..e613981473
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/test.txt.signature
@@ -0,0 +1 @@
+hSvmvvA7_QLedDsjRJGBevqLwjPILx1EtWSPP4A0fepaWWPuuZRB8VfDT2j07bKDacRsbmJjmvg_R4CpKmnoWF8-2w5lSszlFFDqYSvQVQxpKhu-HMM_qquu_l0KecQ2
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/bad.stash b/security/manager/ssl/tests/unit/test_crlite_corrupted/bad.stash
new file mode 100644
index 0000000000..7bde8641b9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/bad.stash
@@ -0,0 +1 @@
+ÿÿÿÿ \ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/hash-alg-0.filter b/security/manager/ssl/tests/unit/test_crlite_corrupted/hash-alg-0.filter
new file mode 100644
index 0000000000..f76dd238ad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/hash-alg-0.filter
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-issuer-id.enrollment b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-issuer-id.enrollment
new file mode 100644
index 0000000000..119fd67098
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-issuer-id.enrollment
@@ -0,0 +1,2 @@
+
+  \ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-log-id.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-log-id.coverage
new file mode 100644
index 0000000000..119fd67098
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-log-id.coverage
@@ -0,0 +1,2 @@
+
+  \ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-max-timestamp.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-max-timestamp.coverage
new file mode 100644
index 0000000000..787a2bdfc7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-max-timestamp.coverage
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-min-timestamp.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-min-timestamp.coverage
new file mode 100644
index 0000000000..c76b47cac6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-min-timestamp.coverage
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.coverage
new file mode 100644
index 0000000000..d08c818596
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.coverage
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.enrollment b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.enrollment
new file mode 100644
index 0000000000..3ef70ac188
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.enrollment
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_missing.js b/security/manager/ssl/tests/unit/test_crlite_coverage_missing.js
new file mode 100644
index 0000000000..2b71c3dfe2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_coverage_missing.js
@@ -0,0 +1,17 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file is missing.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = undefined;
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_trunc1.js b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc1.js
new file mode 100644
index 0000000000..1782885964
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc1.js
@@ -0,0 +1,17 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file is truncated in a LogID field.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_corrupted/trunc-log-id.coverage");
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_trunc2.js b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc2.js
new file mode 100644
index 0000000000..0eed16bac3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc2.js
@@ -0,0 +1,19 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file is truncated in a MinTimestamp field.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file(
+ "test_crlite_corrupted/trunc-min-timestamp.coverage"
+);
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_trunc3.js b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc3.js
new file mode 100644
index 0000000000..419a639b07
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc3.js
@@ -0,0 +1,19 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file is truncated in a MaxTimestamp field.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file(
+ "test_crlite_corrupted/trunc-max-timestamp.coverage"
+);
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_version.js b/security/manager/ssl/tests/unit/test_crlite_coverage_version.js
new file mode 100644
index 0000000000..1764e5abaf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_coverage_version.js
@@ -0,0 +1,17 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file's version is not recognized.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_corrupted/version-0.coverage");
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_enrollment_trunc1.js b/security/manager/ssl/tests/unit/test_crlite_enrollment_trunc1.js
new file mode 100644
index 0000000000..5f259f28a2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_enrollment_trunc1.js
@@ -0,0 +1,19 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted enrollment file. Specifically, this handles the case
+// where the enrollment file is truncated in an issuer ID field.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_preexisting/crlite.coverage");
+let enrollment = do_get_file(
+ "test_crlite_corrupted/trunc-issuer-id.enrollment"
+);
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_enrollment_version.js b/security/manager/ssl/tests/unit/test_crlite_enrollment_version.js
new file mode 100644
index 0000000000..8c673a47d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_enrollment_version.js
@@ -0,0 +1,17 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted enrollment file. Specifically, this handles the case
+// where the enrollment file's version is not recognized.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_preexisting/crlite.coverage");
+let enrollment = do_get_file("test_crlite_corrupted/version-0.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_filter_corrupted.js b/security/manager/ssl/tests/unit/test_crlite_filter_corrupted.js
new file mode 100644
index 0000000000..cc947d287f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filter_corrupted.js
@@ -0,0 +1,21 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted filter file.
+//
+// There are many ways that a filter file could be corrupted, but the parsing
+// is done in rust-cascade, not cert_storage, so it is sufficient for us to
+// test any form of corruption here. For simplicity we just try to load a
+// single \x00 byte as the filter.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_preexisting/crlite.coverage");
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_corrupted/hash-alg-0.filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters.js b/security/manager/ssl/tests/unit/test_crlite_filters.js
new file mode 100644
index 0000000000..9e43f8928b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters.js
@@ -0,0 +1,880 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite filter downloading works correctly.
+
+// The file `test_crlite_filters/20201017-0-filter` can be regenerated using
+// the rust-create-cascade program from https://github.com/mozilla/crlite.
+//
+// The input to this program is a list of known serial numbers and a list of
+// revoked serial numbers. The lists are presented as directories of files in
+// which each file holds serials for one issuer. The file names are
+// urlsafe-base64 encoded SHA256 hashes of issuer SPKIs. The file contents are
+// ascii hex encoded serial numbers. The program crlite_key.py in this directory
+// can generate these values for you.
+//
+// The test filter was generated as follows:
+//
+// $ ./crlite_key.py test_crlite_filters/issuer.pem test_crlite_filters/valid.pem
+// 8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8=
+// 00da4f392bfd8bcea8
+//
+// $ ./crlite_key.py test_crlite_filters/issuer.pem test_crlite_filters/revoked.pem
+// 8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8=
+// 2d35ca6503fb1ba3
+//
+// $ mkdir known revoked
+// $ echo "00da4f392bfd8bcea8" > known/8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8\=
+// $ echo "2d35ca6503fb1ba3" >> known/8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8\=
+// $ echo "2d35ca6503fb1ba3" > revoked/8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8\=
+//
+// $ rust-create-cascade --known ./known/ --revoked ./revoked/
+//
+
+"use strict";
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+const { RemoteSecuritySettings } = ChromeUtils.import(
+ "resource://gre/modules/psm/RemoteSecuritySettings.jsm"
+);
+const { TestUtils } = ChromeUtils.importESModule(
+ "resource://testing-common/TestUtils.sys.mjs"
+);
+
+const { CRLiteFiltersClient } = RemoteSecuritySettings.init();
+
+const CRLITE_FILTERS_ENABLED_PREF =
+ "security.remote_settings.crlite_filters.enabled";
+const INTERMEDIATES_ENABLED_PREF =
+ "security.remote_settings.intermediates.enabled";
+const INTERMEDIATES_DL_PER_POLL_PREF =
+ "security.remote_settings.intermediates.downloads_per_poll";
+
+// crlite_enrollment_id.py test_crlite_filters/issuer.pem
+const ISSUER_PEM_UID = "UbH9/ZAnjuqf79Xhah1mFOWo6ZvgQCgsdheWfjvVUM8=";
+// crlite_enrollment_id.py test_crlite_filters/no-sct-issuer.pem
+const NO_SCT_ISSUER_PEM_UID = "Myn7EasO1QikOtNmo/UZdh6snCAw0BOY6wgU8OsUeeY=";
+
+function getHashCommon(aStr, useBase64) {
+ let hasher = Cc["@mozilla.org/security/hash;1"].createInstance(
+ Ci.nsICryptoHash
+ );
+ hasher.init(Ci.nsICryptoHash.SHA256);
+ let stringStream = Cc["@mozilla.org/io/string-input-stream;1"].createInstance(
+ Ci.nsIStringInputStream
+ );
+ stringStream.data = aStr;
+ hasher.updateFromStream(stringStream, -1);
+
+ return hasher.finish(useBase64);
+}
+
+// Get a hexified SHA-256 hash of the given string.
+function getHash(aStr) {
+ return hexify(getHashCommon(aStr, false));
+}
+
+// Get the name of the file in the test directory to serve as the attachment
+// for the given filter.
+function getFilenameForFilter(filter) {
+ if (filter.type == "full") {
+ return "20201017-0-filter";
+ }
+ if (filter.id == "0001") {
+ return "20201017-1-filter.stash";
+ }
+ // The addition of another stash file was written more than a month after
+ // other parts of this test. As such, the second stash file for October 17th,
+ // 2020 was not readily available. Since the structure of stash files don't
+ // depend on each other, though, any two stash files are compatible, and so
+ // this stash from December 1st is used instead.
+ return "20201201-3-filter.stash";
+}
+
+/**
+ * Simulate a Remote Settings synchronization by filling up the local data with
+ * fake records.
+ *
+ * @param {*} filters List of filters for which we will create records.
+ * @param {boolean} clear Whether or not to clear the local DB first. Defaults
+ * to true.
+ */
+async function syncAndDownload(filters, clear = true) {
+ const localDB = await CRLiteFiltersClient.client.db;
+ if (clear) {
+ await localDB.clear();
+ }
+
+ for (let filter of filters) {
+ const filename = getFilenameForFilter(filter);
+ const file = do_get_file(`test_crlite_filters/${filename}`);
+ const fileBytes = readFile(file);
+
+ const record = {
+ details: {
+ name: `${filter.timestamp}-${filter.type}`,
+ },
+ attachment: {
+ hash: getHash(fileBytes),
+ size: fileBytes.length,
+ filename,
+ location: `security-state-workspace/cert-revocations/test_crlite_filters/${filename}`,
+ mimetype: "application/octet-stream",
+ },
+ incremental: filter.type == "diff",
+ effectiveTimestamp: new Date(filter.timestamp).getTime(),
+ parent: filter.type == "diff" ? filter.parent : undefined,
+ id: filter.id,
+ coverage: filter.type == "full" ? filter.coverage : undefined,
+ enrolledIssuers:
+ filter.type == "full" ? filter.enrolledIssuers : undefined,
+ };
+
+ await localDB.create(record);
+ }
+ // This promise will wait for the end of downloading.
+ let promise = TestUtils.topicObserved(
+ "remote-security-settings:crlite-filters-downloaded"
+ );
+ // Simulate polling for changes, trigger the download of attachments.
+ Services.obs.notifyObservers(null, "remote-settings:changes-poll-end");
+ let results = await promise;
+ return results[1]; // topicObserved gives back a 2-array
+}
+
+add_task(async function test_crlite_filters_disabled() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, false);
+
+ let result = await syncAndDownload([
+ {
+ timestamp: "2019-01-01T00:00:00Z",
+ type: "full",
+ id: "0000",
+ coverage: [
+ {
+ logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+ minTimestamp: 0,
+ maxTimestamp: 9999999999999,
+ },
+ ],
+ },
+ ]);
+ equal(result, "disabled", "CRLite filter download should not have run");
+});
+
+add_task(async function test_crlite_no_filters() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([]);
+ equal(
+ result,
+ "unavailable",
+ "CRLite filter download should have run, but nothing was available"
+ );
+});
+
+add_task(async function test_crlite_only_incremental_filters() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ {
+ timestamp: "2019-01-01T06:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ {
+ timestamp: "2019-01-01T18:00:00Z",
+ type: "diff",
+ id: "0002",
+ parent: "0001",
+ },
+ {
+ timestamp: "2019-01-01T12:00:00Z",
+ type: "diff",
+ id: "0003",
+ parent: "0002",
+ },
+ ]);
+ equal(
+ result,
+ "unavailable",
+ "CRLite filter download should have run, but no full filters were available"
+ );
+});
+
+add_task(async function test_crlite_incremental_filters_with_wrong_parent() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+ {
+ timestamp: "2019-01-01T06:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ {
+ timestamp: "2019-01-01T12:00:00Z",
+ type: "diff",
+ id: "0003",
+ parent: "0002",
+ },
+ {
+ timestamp: "2019-01-01T18:00:00Z",
+ type: "diff",
+ id: "0004",
+ parent: "0003",
+ },
+ ]);
+ let [status, filters] = result.split(";");
+ equal(status, "finished", "CRLite filter download should have run");
+ let filtersSplit = filters.split(",");
+ deepEqual(
+ filtersSplit,
+ ["2019-01-01T00:00:00Z-full", "2019-01-01T06:00:00Z-diff"],
+ "Should have downloaded the expected CRLite filters"
+ );
+});
+
+add_task(async function test_crlite_incremental_filter_too_early() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ { timestamp: "2019-01-02T00:00:00Z", type: "full", id: "0000" },
+ {
+ timestamp: "2019-01-01T00:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ ]);
+ equal(
+ result,
+ "finished;2019-01-02T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+});
+
+add_task(async function test_crlite_filters_basic() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+ ]);
+ equal(
+ result,
+ "finished;2019-01-01T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+});
+
+add_task(async function test_crlite_filters_not_cached() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+ let filters = [
+ { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+ ];
+ let result = await syncAndDownload(filters);
+ equal(
+ result,
+ "finished;2019-01-01T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+
+ let records = await CRLiteFiltersClient.client.db.list();
+
+ // `syncAndDownload` should not cache the attachment, so this download should
+ // get the attachment from the source.
+ let attachment = await CRLiteFiltersClient.client.attachments.download(
+ records[0]
+ );
+ equal(attachment._source, "remote_match");
+ await CRLiteFiltersClient.client.attachments.deleteDownloaded(records[0]);
+});
+
+add_task(async function test_crlite_filters_full_and_incremental() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ // These are deliberately listed out of order.
+ {
+ timestamp: "2019-01-01T06:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+ {
+ timestamp: "2019-01-01T18:00:00Z",
+ type: "diff",
+ id: "0003",
+ parent: "0002",
+ },
+ {
+ timestamp: "2019-01-01T12:00:00Z",
+ type: "diff",
+ id: "0002",
+ parent: "0001",
+ },
+ ]);
+ let [status, filters] = result.split(";");
+ equal(status, "finished", "CRLite filter download should have run");
+ let filtersSplit = filters.split(",");
+ deepEqual(
+ filtersSplit,
+ [
+ "2019-01-01T00:00:00Z-full",
+ "2019-01-01T06:00:00Z-diff",
+ "2019-01-01T12:00:00Z-diff",
+ "2019-01-01T18:00:00Z-diff",
+ ],
+ "Should have downloaded the expected CRLite filters"
+ );
+});
+
+add_task(async function test_crlite_filters_multiple_days() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ // These are deliberately listed out of order.
+ {
+ timestamp: "2019-01-02T06:00:00Z",
+ type: "diff",
+ id: "0011",
+ parent: "0010",
+ },
+ {
+ timestamp: "2019-01-03T12:00:00Z",
+ type: "diff",
+ id: "0022",
+ parent: "0021",
+ },
+ {
+ timestamp: "2019-01-02T12:00:00Z",
+ type: "diff",
+ id: "0012",
+ parent: "0011",
+ },
+ {
+ timestamp: "2019-01-03T18:00:00Z",
+ type: "diff",
+ id: "0023",
+ parent: "0022",
+ },
+ {
+ timestamp: "2019-01-02T18:00:00Z",
+ type: "diff",
+ id: "0013",
+ parent: "0012",
+ },
+ { timestamp: "2019-01-02T00:00:00Z", type: "full", id: "0010" },
+ { timestamp: "2019-01-03T00:00:00Z", type: "full", id: "0020" },
+ {
+ timestamp: "2019-01-01T06:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ {
+ timestamp: "2019-01-01T18:00:00Z",
+ type: "diff",
+ id: "0003",
+ parent: "0002",
+ },
+ {
+ timestamp: "2019-01-01T12:00:00Z",
+ type: "diff",
+ id: "0002",
+ parent: "0001",
+ },
+ { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+ {
+ timestamp: "2019-01-03T06:00:00Z",
+ type: "diff",
+ id: "0021",
+ parent: "0020",
+ },
+ ]);
+ let [status, filters] = result.split(";");
+ equal(status, "finished", "CRLite filter download should have run");
+ let filtersSplit = filters.split(",");
+ deepEqual(
+ filtersSplit,
+ [
+ "2019-01-03T00:00:00Z-full",
+ "2019-01-03T06:00:00Z-diff",
+ "2019-01-03T12:00:00Z-diff",
+ "2019-01-03T18:00:00Z-diff",
+ ],
+ "Should have downloaded the expected CRLite filters"
+ );
+});
+
+add_task(async function test_crlite_confirm_revocations_mode() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeConfirmRevocationsValue
+ );
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ addCertFromFile(certdb, "test_crlite_filters/issuer.pem", ",,");
+ addCertFromFile(certdb, "test_crlite_filters/no-sct-issuer.pem", ",,");
+
+ let result = await syncAndDownload([
+ {
+ timestamp: "2020-10-17T00:00:00Z",
+ type: "full",
+ id: "0000",
+ coverage: [
+ {
+ logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+ minTimestamp: 0,
+ maxTimestamp: 9999999999999,
+ },
+ {
+ logID: "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=",
+ minTimestamp: 0,
+ maxTimestamp: 9999999999999,
+ },
+ ],
+ enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID],
+ },
+ ]);
+ equal(
+ result,
+ "finished;2020-10-17T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+
+ // The CRLite result should be enforced for this certificate and
+ // OCSP should not be consulted.
+ let validCert = constructCertFromFile("test_crlite_filters/valid.pem");
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ undefined,
+ "vpn.worldofspeed.org",
+ 0
+ );
+
+ // OCSP should be consulted for this certificate, but OCSP is disabled by
+ // Ci.nsIX509CertDB.FLAG_LOCAL_ONLY so this will be treated as a soft-failure
+ // and the CRLite result will be used.
+ let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ undefined,
+ "us-datarecovery.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+
+ // Reload the filter w/o coverage and enrollment metadata.
+ result = await syncAndDownload([
+ {
+ timestamp: "2020-10-17T00:00:00Z",
+ type: "full",
+ id: "0000",
+ coverage: [],
+ enrolledIssuers: [],
+ },
+ ]);
+ equal(
+ result,
+ "finished;2020-10-17T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+
+ // OCSP will be consulted for the revoked certificate, but a soft-failure
+ // should now result in a Success return.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ undefined,
+ "us-datarecovery.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+});
+
+add_task(async function test_crlite_filters_and_check_revocation() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeEnforcePrefValue
+ );
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ addCertFromFile(certdb, "test_crlite_filters/issuer.pem", ",,");
+ addCertFromFile(certdb, "test_crlite_filters/no-sct-issuer.pem", ",,");
+
+ let result = await syncAndDownload([
+ {
+ timestamp: "2020-10-17T00:00:00Z",
+ type: "full",
+ id: "0000",
+ coverage: [
+ {
+ logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+ minTimestamp: 0,
+ maxTimestamp: 9999999999999,
+ },
+ {
+ logID: "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=",
+ minTimestamp: 0,
+ maxTimestamp: 9999999999999,
+ },
+ ],
+ enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID],
+ },
+ ]);
+ equal(
+ result,
+ "finished;2020-10-17T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+
+ let validCert = constructCertFromFile("test_crlite_filters/valid.pem");
+ // NB: by not specifying Ci.nsIX509CertDB.FLAG_LOCAL_ONLY, this tests that
+ // the implementation does not fall back to OCSP fetching, because if it
+ // did, the implementation would attempt to connect to a server outside the
+ // test infrastructure, which would result in a crash in the test
+ // environment, which would be treated as a test failure.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "vpn.worldofspeed.org",
+ 0
+ );
+
+ let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "us-datarecovery.com",
+ 0
+ );
+
+ // Before any stashes are downloaded, this should verify successfully.
+ let revokedInStashCert = constructCertFromFile(
+ "test_crlite_filters/revoked-in-stash.pem"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStashCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "stokedmoto.com",
+ 0
+ );
+
+ result = await syncAndDownload(
+ [
+ {
+ timestamp: "2020-10-17T03:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ ],
+ false
+ );
+ equal(
+ result,
+ "finished;2020-10-17T03:00:00Z-diff",
+ "Should have downloaded the expected CRLite filters"
+ );
+
+ // After downloading the first stash, this should be revoked.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStashCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "stokedmoto.com",
+ 0
+ );
+
+ // Before downloading the second stash, this should not be revoked.
+ let revokedInStash2Cert = constructCertFromFile(
+ "test_crlite_filters/revoked-in-stash-2.pem"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStash2Cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "icsreps.com",
+ 0
+ );
+
+ result = await syncAndDownload(
+ [
+ {
+ timestamp: "2020-10-17T06:00:00Z",
+ type: "diff",
+ id: "0002",
+ parent: "0001",
+ },
+ ],
+ false
+ );
+ equal(
+ result,
+ "finished;2020-10-17T06:00:00Z-diff",
+ "Should have downloaded the expected CRLite filters"
+ );
+
+ // After downloading the second stash, this should be revoked.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStash2Cert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "icsreps.com",
+ 0
+ );
+
+ // The other certificates should still get the same results as they did before.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "vpn.worldofspeed.org",
+ 0
+ );
+
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "us-datarecovery.com",
+ 0
+ );
+
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStashCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "stokedmoto.com",
+ 0
+ );
+
+ // This certificate has no embedded SCTs, so it is not guaranteed to be in
+ // CT, so CRLite can't be guaranteed to give the correct answer, so it is
+ // not consulted, and the implementation falls back to OCSP. Since the real
+ // OCSP responder can't be reached, this results in a
+ // SEC_ERROR_OCSP_SERVER_ERROR.
+ let noSCTCert = constructCertFromFile("test_crlite_filters/no-sct.pem");
+ // NB: this will cause an OCSP request to be sent to localhost:80, but
+ // since an OCSP responder shouldn't be running on that port, this should
+ // fail safely.
+ Services.prefs.setCharPref("network.dns.localDomains", "ocsp.digicert.com");
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ await checkCertErrorGenericAtTime(
+ certdb,
+ noSCTCert,
+ SEC_ERROR_OCSP_SERVER_ERROR,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "mail233.messagelabs.com",
+ 0
+ );
+ Services.prefs.clearUserPref("network.dns.localDomains");
+ Services.prefs.clearUserPref("security.OCSP.require");
+ Services.prefs.clearUserPref("security.OCSP.enabled");
+
+ // The revoked certificate example has one SCT from the log with ID "9ly...="
+ // at time 1598140096613 and another from the log with ID "XNx...=" at time
+ // 1598140096917. The filter we construct here fails to cover it by one
+ // millisecond in each case. The implementation will fall back to OCSP
+ // fetching. Since this would result in a crash and test failure, the
+ // Ci.nsIX509CertDB.FLAG_LOCAL_ONLY is used.
+ result = await syncAndDownload([
+ {
+ timestamp: "2020-10-17T00:00:00Z",
+ type: "full",
+ id: "0000",
+ coverage: [
+ {
+ logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+ minTimestamp: 0,
+ maxTimestamp: 1598140096612,
+ },
+ {
+ logID: "XNxDkv7mq0VEsV6a1FbmEDf71fpH3KFzlLJe5vbHDso=",
+ minTimestamp: 1598140096917,
+ maxTimestamp: 9999999999999,
+ },
+ ],
+ enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID],
+ },
+ ]);
+ equal(
+ result,
+ "finished;2020-10-17T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "us-datarecovery.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+});
+
+add_task(async function test_crlite_filters_avoid_reprocessing_filters() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ {
+ timestamp: "2019-01-01T00:00:00Z",
+ type: "full",
+ id: "0000",
+ coverage: [
+ {
+ logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+ minTimestamp: 0,
+ maxTimestamp: 9999999999999,
+ },
+ ],
+ enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID],
+ },
+ {
+ timestamp: "2019-01-01T06:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ {
+ timestamp: "2019-01-01T12:00:00Z",
+ type: "diff",
+ id: "0002",
+ parent: "0001",
+ },
+ {
+ timestamp: "2019-01-01T18:00:00Z",
+ type: "diff",
+ id: "0003",
+ parent: "0002",
+ },
+ ]);
+ let [status, filters] = result.split(";");
+ equal(status, "finished", "CRLite filter download should have run");
+ let filtersSplit = filters.split(",");
+ deepEqual(
+ filtersSplit,
+ [
+ "2019-01-01T00:00:00Z-full",
+ "2019-01-01T06:00:00Z-diff",
+ "2019-01-01T12:00:00Z-diff",
+ "2019-01-01T18:00:00Z-diff",
+ ],
+ "Should have downloaded the expected CRLite filters"
+ );
+ // This simulates another poll without clearing the database first. The
+ // filter and stashes should not be re-downloaded.
+ result = await syncAndDownload([], false);
+ equal(result, "finished;");
+
+ // If a new stash is added, only it should be downloaded.
+ result = await syncAndDownload(
+ [
+ {
+ timestamp: "2019-01-02T00:00:00Z",
+ type: "diff",
+ id: "0004",
+ parent: "0003",
+ },
+ ],
+ false
+ );
+ equal(result, "finished;2019-01-02T00:00:00Z-diff");
+});
+
+let server;
+
+function run_test() {
+ server = new HttpServer();
+ server.start(-1);
+ registerCleanupFunction(() => server.stop(() => {}));
+
+ server.registerDirectory(
+ "/cdn/security-state-workspace/cert-revocations/",
+ do_get_file(".")
+ );
+
+ server.registerPathHandler("/v1/", (request, response) => {
+ response.write(
+ JSON.stringify({
+ capabilities: {
+ attachments: {
+ base_url: `http://localhost:${server.identity.primaryPort}/cdn/`,
+ },
+ },
+ })
+ );
+ response.setHeader("Content-Type", "application/json; charset=UTF-8");
+ response.setStatusLine(null, 200, "OK");
+ });
+
+ Services.prefs.setCharPref(
+ "services.settings.server",
+ `http://localhost:${server.identity.primaryPort}/v1`
+ );
+
+ // Set intermediate preloading to download 0 intermediates at a time.
+ Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 0);
+
+ Services.prefs.setCharPref("browser.policies.loglevel", "debug");
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/20201017-0-filter b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-0-filter
new file mode 100644
index 0000000000..151cac41a9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-0-filter
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/20201017-1-filter.stash b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-1-filter.stash
new file mode 100644
index 0000000000..d43193a78c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-1-filter.stash
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/20201201-3-filter.stash b/security/manager/ssl/tests/unit/test_crlite_filters/20201201-3-filter.stash
new file mode 100644
index 0000000000..52c9ee8d51
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/20201201-3-filter.stash
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/issuer.pem b/security/manager/ssl/tests/unit/test_crlite_filters/issuer.pem
new file mode 100644
index 0000000000..ead19e3c14
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/issuer.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
+EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
+ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
+MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
+EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
+CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
+EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
+BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
+K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
+cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
+pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
+eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
+AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
+HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
+9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
+b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
+b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
+CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
+MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
+91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
+RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
+DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
+GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
+LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/no-sct-issuer.pem b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct-issuer.pem
new file mode 100644
index 0000000000..70b86dfd71
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct-issuer.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
+U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
+nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
+KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f
+/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX
+kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0
+/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C
+AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
+aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6
+Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1
+oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
+QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
+d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh
+xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
+CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
+5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
+8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
+2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
+c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
+j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/no-sct.pem b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct.pem
new file mode 100644
index 0000000000..a690a0ad0d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFpDCCBIygAwIBAgIQDVHBpbd6yyk2LgPoPr9QyjANBgkqhkiG9w0BAQsFADBN
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
+aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTkxMTE4MDAwMDAwWhcN
+MjExMTE4MTIwMDAwWjCBlDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
+aWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxHTAbBgNVBAoTFFN5bWFudGVjIENv
+cnBvcmF0aW9uMRcwFQYDVQQLEw5TeW1hbnRlYy5jbG91ZDEgMB4GA1UEAxMXbWFp
+bDIzMy5tZXNzYWdlbGFicy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCyM1Fy9hAlahRqqeEnPKDWgUmsxofivWEWKNeSMEKcnXX3TCQOGbLQTthN
+xfNU7IWY8ViTPwQ8JBWWDxNhd6dTYLNnytKrNRG8qDQ3rFMKJY4p0dZImMp55X3W
+1xcKMxSOkPv0YUCGp7qlAHq6+N3YY1ILw6MRdJ75Njh4Kw8qe5F3rHLwD+AyYQmx
+3WsMCRp5NZtWUcU5Vbc9ca/osrh9xBF7U3ZYR6GoPXQlizrNjXv7/BaKWWO5ChbD
+iRI4Nj8d3HhWUHsJoGvYDof5Iudgtbubz3c5cwp6+VNNMas7izpvbixqW8zXdUug
+8v5v47IkRNYnlma/zvv2IDC1dVlxAgMBAAGjggI2MIICMjAfBgNVHSMEGDAWgBQP
+gGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQUZnBdWwGQjkPX/+A2ZEYdUdnw
+lN8wfQYDVR0RBHYwdIIbY2x1c3RlcjguZXUubWVzc2FnZWxhYnMuY29tgh5jbHVz
+dGVyOG91dC5ldS5tZXNzYWdlbGFicy5jb22CHGNsdXN0ZXI4YS5ldS5tZXNzYWdl
+bGFicy5jb22CF21haWwyMzMubWVzc2FnZWxhYnMuY29tMA4GA1UdDwEB/wQEAwIF
+oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYDVR0fBGQwYjAvoC2g
+K4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwL6At
+oCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLXNoYTItZzYuY3JsMEwG
+A1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3
+LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMHwGCCsGAQUFBwEBBHAwbjAkBggr
+BgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEYGCCsGAQUFBzAChjpo
+dHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRTSEEyU2VjdXJlU2Vy
+dmVyQ0EuY3J0MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAK7vS/qDcGKb
+QYu26+jGtBemopT3+2YJjtALeR62eNhF9LoHu+mnmNLvPI0M0NMhz56Ss/6sUHOz
+hJgB98SLAQ5ElSWXrnZThLIjsiH5X5MYTD0Y8MqzoJSi2Lf2Muy/UpyrD3wB14E1
+kUYhvUnaWDDPIN81DCFzEosBmnsRqr5zlcZSKs0e1LVQ8cNkt8svVkiwFgeOIhwo
+QF22GJAZPtRceSGlbRTFBYKh+u3KN8eNS/X+C935y+F4J/grufDCzRSGtRRseTcd
+1QW49+QME/rx1mBb7id4iXNKxvGuJTivBlxaHWBQLh/RGk39DSdHfjAhYvt2gmxh
+C3gxXMNrymE=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/notcovered.pem b/security/manager/ssl/tests/unit/test_crlite_filters/notcovered.pem
new file mode 100644
index 0000000000..bac70a76bc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/notcovered.pem
@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----
+MIIGpzCCBY+gAwIBAgIIfLPIa/Mc/f4wDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
+GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
+LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
+cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjIwMTA2MDA1MTI5WhcN
+MjMwMjA0MTUxNjQwWjAeMRwwGgYDVQQDExNwZWVrYWJvb3Bob25pY3MuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuCKkB+36Yd/mBwwlq/F+B2R/
+ibNdUncADG1+xCB21TB6H0UWR1Aj92ZsIKXwXIyhj02VT58y0Oh4eycsMtEi/lLq
+KXhpWjRAMZaxjdyIrSJxpQVXC3v8Taej6PG2RewGMA3uXj+oWfl7t25JnEes1l2n
+JOnDXs5w4K0aDD1+r7wqCgZA7evmmdK3WJMWD/GSeF2hYcXFgb5dM2TiSRBGkv/9
+jMAvOSuJO8/kxKHLtLfM4I3O0gugB5Uyxtn5a6+P4vOphozsYgHqnSapCV8eAEN2
+SWRhFpfwsbt6/Dw/k38F2A5axSF0n+IQ49ejtWjs+f/GNTloieTsDbcpKkDSEwID
+AQABo4IDUDCCA0wwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
+KwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6
+Ly9jcmwuZ29kYWRkeS5jb20vZ2RpZzJzMS0zNzEwLmNybDBdBgNVHSAEVjBUMEgG
+C2CGSAGG/W0BBxcBMDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMu
+Z29kYWRkeS5jb20vcmVwb3NpdG9yeS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGow
+aDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUF
+BzAChjRodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
+Z2RpZzIuY3J0MB8GA1UdIwQYMBaAFEDCvSeOzDSDMKIz1/tss/C0LIDOMDcGA1Ud
+EQQwMC6CE3BlZWthYm9vcGhvbmljcy5jb22CF3d3dy5wZWVrYWJvb3Bob25pY3Mu
+Y29tMB0GA1UdDgQWBBRElZlefxDT9BFjvpeq7zP6TlVv+TCCAYEGCisGAQQB1nkC
+BAIEggFxBIIBbQFrAHcA6D7Q2j71BjUy51covIlryQPTy9ERa+zraeF3fW0GvW4A
+AAF+LN6rOQAABAMASDBGAiEAssjNEfjNFhpQmiFRCFZSr1zZk7ISWHqPIzoghyZ+
+UbgCIQDB6iKxtMkpx1I9P9uL40M93xynsb/3DVl1OX8pSO1n9gB3ADXPGRu/sWxX
+vw+tTG1Cy7u2JyAmUeo/4SrvqAPDO9ZMAAABfizerPwAAAQDAEgwRgIhANUhPyqm
+inLVPy1zUqikc64dwi0P/nvCoNtC1gO2cDHgAiEAjv1Gw04htq5OyTP3XYQTHsZW
+h35omGu+WCS68t8LnIEAdwB6MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpXo1Lr
+UgAAAX4s3q2BAAAEAwBIMEYCIQDqxot9iMPghZbHZSegX98g1o5dvSsG1azMv290
+Cp+sBgIhALiMl5lj1A3nWkHTQKF9bF3ops5/ZxxJYE7XwBxlkZYYMA0GCSqGSIb3
+DQEBCwUAA4IBAQAOfIC7VLhn3oBYQKTzX4CN+249JN7l5tbSMqC2zjKRjOWOF3p/
+yNb2gk/v6EW0xN024E2yo8K4XF+QJMfzlwpsed1yuziYHIpjeiad7JGUs/57jdCo
+EUQrvwkuIeR5CZrGcXKG8nlVM5SaNhmId8XixnJz7XfEWiCxszlRkXIZ4Uhpwz2D
+XhQ8RE1DhwX3x6oO5y9Eu6o6+bz2Y14E0lL4hCng09UmrOFEUzVcO4bK8qsSp9oe
+1NNPlMQ3SD6RlGBy+2O5Iy8Kj4BRv2US2stuDeZWSvxp6N2RwLGBnDTyT08VAFD5
+SkulqE2/r6AHWNMe649z1clhq14i1+kQjEq5
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash-2.pem b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash-2.pem
new file mode 100644
index 0000000000..9550453493
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash-2.pem
@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIGNTCCBR2gAwIBAgIIFn0oGKdatdgwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
+GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
+LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
+cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjAwOTI3MTE0MzI0WhcN
+MjExMDI5MTE0MzI0WjA5MSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0
+ZWQxFDASBgNVBAMTC2ljc3JlcHMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAydMKPhCqRWjy5h1aPUNdRb80kt0hP/g55ytjlSF04PG+1CbIcId1
+GJg1qkbTR1vqZyvaI8wjv3zdfvsvYbka9OQFJiOasJfeqmiA+sDd9AvFiD2EF5zN
+D9uKHi+sF8Ut4JMl7jqaRAu/gbjBvY/9ammkz4sUiTlp1x4rteda3tuX9O7yMO7U
+ldnyfabHgGmmm8KU3nvRAjNbHCq3J/V/zw8YeolXU5OpOeZMhI8KAGKpxk8tRiIb
+LkdSdCTWoKgXO60extYcGTxIT8c8zfY6OoN0VaQY8HA1VyBZQIw2RTWivmI8le0J
+ypXYxNcUtInS0ivO4ymiNnCjYR9pgQ6+tQIDAQABo4ICwzCCAr8wDAYDVR0TAQH/
+BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQD
+AgWgMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2Rp
+ZzJzMS0yMzM0LmNybDBdBgNVHSAEVjBUMEgGC2CGSAGG/W0BBxcBMDkwNwYIKwYB
+BQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9y
+eS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0cDov
+L29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUFBzAChjRodHRwOi8vY2VydGlmaWNh
+dGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2RpZzIuY3J0MB8GA1UdIwQYMBaA
+FEDCvSeOzDSDMKIz1/tss/C0LIDOMCcGA1UdEQQgMB6CC2ljc3JlcHMuY29tgg93
+d3cuaWNzcmVwcy5jb20wHQYDVR0OBBYEFEgqFQnM5zH3cKFGtFanJxxD9zdPMIIB
+BAYKKwYBBAHWeQIEAgSB9QSB8gDwAHUA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98M
+LyALzE7xZOMAAAF0z1/40gAABAMARjBEAiADSOnqg/I15y+dJDSWta8NzBwE6Xti
+UzyBKMT2OYHCYwIgb1aFpZxlkhx6XCCuniBLTcr5JbhigoM/lAfUmvvUqrIAdwBc
+3EOS/uarRUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAXTPX/oBAAAEAwBIMEYC
+IQD6WvavTba+Lydf6uhaaxcRmhuuPeddzSmC8t4+tBLGGgIhANJPxhRl1pGYm6WX
+ay9jPCM2SqtBraOJYncaV6k37zGYMA0GCSqGSIb3DQEBCwUAA4IBAQA0IknIoU51
+FCBqpksgo7zR9OJj5MoQmlsQbzSFppdRKgyHhk8rW6IrBi3yrtWjo3HxcwihZlJQ
+2AbinRTNnHvBpiiiXXxR5u9yVly+9l3KfF/uHIGMnIqsahaKXNOy5h98uq4o4N0+
+YCGu9wSeDwtaCzdT+V447Fq63nmW629pjwin8FYCz2S8RdztranPZuOgwYqBNlWu
+u3Mi9DWIV2hP6eFwMZh7BWgbvnhWiI37TE74YQ+3cEVaLxLHJH9jkBjsel+ZwVIo
+9xeE6kGsh5+D0uHS5NWf9zu+fvW0iTgsB8J4VX5OihAa1v4FS4IaF3snkaMa0PCd
+MJMOgY5VkZiw
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash.pem b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash.pem
new file mode 100644
index 0000000000..1073159662
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash.pem
@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIGPTCCBSWgAwIBAgIJAJeW47AXop8NMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
+VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
+MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
+cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
+dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTIwMDgyMjIzMDI0NVoX
+DTIxMDkyMTIxMTYxMVowPDEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
+dGVkMRcwFQYDVQQDEw5zdG9rZWRtb3RvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBANLX8D4Cin6x2bmoSdgnuw9O+tGcD1x1S++3110NJVXUlpSc
+3uSUwqpU4rMOkJlRnuaBtHXYUFG8NMMnbTJYY9JuuhAlnHzVqoRWmcTNRp72fpDA
+XoD3U20spJeGQZXuQnGfe/k9EouvXt5du029YqItkFbjdbub4FP5MbIz1CWeelEn
+fEwpe/peLVYEfKSyYf325tFI9wZhuIM/zTe9DE6lauznM8hg1ioiBujxzeWWSstZ
+K2uJKaI8nlWkSr6vwPqJEBvvoShcWHFEmG8SWqPBy1tsNsLNjJkaHfD7gvG/J1Rc
+G21D0XO2IA0rEo6lo8MNEkWoHZA/oHO1eHrCjNkCAwEAAaOCAscwggLDMAwGA1Ud
+EwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB
+/wQEAwIFoDA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmdvZGFkZHkuY29t
+L2dkaWcyczEtMjIzNy5jcmwwXQYDVR0gBFYwVDBIBgtghkgBhv1tAQcXATA5MDcG
+CCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9z
+aXRvcnkvMAgGBmeBDAECATB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzBABggrBgEFBQcwAoY0aHR0cDovL2NlcnRp
+ZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5L2dkaWcyLmNydDAfBgNVHSME
+GDAWgBRAwr0njsw0gzCiM9f7bLPwtCyAzjAtBgNVHREEJjAkgg5zdG9rZWRtb3Rv
+LmNvbYISd3d3LnN0b2tlZG1vdG8uY29tMB0GA1UdDgQWBBTP8YI0WwVBgvg5GABQ
+fUksbk6evjCCAQIGCisGAQQB1nkCBAIEgfMEgfAA7gB1APZclC/RdzAiFFQYCDCU
+Vo7jTRMZM7/fDC8gC8xO8WTjAAABdBhpJtAAAAQDAEYwRAIgcrebTXyuMk/ciVyg
+LMbbd6qbkyB3yRAY1QnBs5sGK1ICIGw6EpH/NMXcOfYdkuSmhSYgUx0AIDdT9QWH
+rRIT50D3AHUAXNxDkv7mq0VEsV6a1FbmEDf71fpH3KFzlLJe5vbHDsoAAAF0GGko
+AwAABAMARjBEAiBtzQQHVVML3yZhZRsLLhJkYcc11nXeU/S/rouOZCCZQQIgVYKY
+jgjCU5HQyY6R5PZQTsCQGWiaOm1VguAIgPbvKzYwDQYJKoZIhvcNAQELBQADggEB
+AH6jCZU9+5TMaR5XThGL/z8EYQ1uFVN0hlXXB+gP3IDQLmyxkqrk9cOSf1D6fLRT
+5T4tGzPLvmReBLfrzQEkuqkXpUieortbpi116V82K+zBDT5s9Dol6+MxhwIZyZ7K
+DkHSbcFyiV9hkr2bf8JZzjvpCOfw9kYZTcYv8M8kheIOQsONdfe/rqNQnMRy56UZ
+OGZmxqDT2RwbewHEMAEb5ZsZ55/UHq08vZSVSA8qIqX/BU+7frwwt4vmv4WQ7AoJ
+YNml0TdV4R27NlnvhbAclucuqEMBcBg8gNylvKD3Mid7O4c5gCX5Wuml6rLpOr05
+vpJJqSf0uy73EtNcyTqfwUQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/revoked.pem b/security/manager/ssl/tests/unit/test_crlite_filters/revoked.pem
new file mode 100644
index 0000000000..ece7360def
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/revoked.pem
@@ -0,0 +1,42 @@
+-----BEGIN CERTIFICATE-----
+MIIHTjCCBjagAwIBAgIILTXKZQP7G6MwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
+GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
+LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
+cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjAwODIyMjM0ODE1WhcN
+MjEwMTE0MjEwMzAxWjBDMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0
+ZWQxHjAcBgNVBAMMFSoudXMtZGF0YXJlY292ZXJ5LmNvbTCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKzuSr8LaH2Aw/G1aKN4URo0RwaFv4+7MzM0RVTB
+189BdE8rgNRfxskoAVfte+iftO7P5qjg+1Jx8SCE1ZCNT2TGtcYwlsjyNLnbP3xV
+Cq514bODlwimOKLhpUFH1/ofO4/enbU8E4hlxS4DPtOGbsjouTiRHAOLsi7D+WT3
+3pZelFa5Hgmed5dL/CCJTiwbF10lbTXNwLgI7efUqiwvHRwf/CXEW9IvKJ9HG2We
+tT9ouQGOHfz4fyGOMN268dHqP89K+auCcf9b3BzzWOsknhmDisl+06WaIJe/W7Dn
++eG07nAuJLhE6nH9KLYiU2X5CHnLPvBTOPDdm/hzH84hnHkX2pSbst4d1aNtU4uP
+hyQcE5aMfnV7Yr1ZQUlLreCKzwIAb6BKqF/gHMASXUX7Fw5OFUHxV1xcPbcHQLs6
+D3XAoLBzopTR4YjxIDqhS3pkxHu5u9OEzFfaeP5zYnrj69Bke3lrdbrKV8aXIxHn
+xh9xJV4zAaPoHe8ze03zvdBXfu69DU+TTQkRfzJSZx/sXV6BHe15WGSHZxe0i61z
+wA1Oi7QgySMKIKSs6dsPOqppmePc3seMJy7y0FSxF1Kq6a1tR+W3j2WT9nY1c4Wb
+4LWc+0gDK3nvibJbFqCfnPznq/Q+q0V6m9BqBNjvqyyWXbgzCVn7qcT4apiP47IV
++MiBAgMBAAGjggLSMIICzjAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUF
+BwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwOAYDVR0fBDEwLzAtoCugKYYn
+aHR0cDovL2NybC5nb2RhZGR5LmNvbS9nZGlnMnMxLTIyMzcuY3JsMF0GA1UdIARW
+MFQwSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmlj
+YXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzAIBgZngQwBAgEwdgYIKwYBBQUH
+AQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYI
+KwYBBQUHMAKGNGh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3Np
+dG9yeS9nZGlnMi5jcnQwHwYDVR0jBBgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4w
+NQYDVR0RBC4wLIIVKi51cy1kYXRhcmVjb3ZlcnkuY29tghN1cy1kYXRhcmVjb3Zl
+cnkuY29tMB0GA1UdDgQWBBTooRcQfblnnD7pJFCZfGGcf4kD4jCCAQUGCisGAQQB
+1nkCBAIEgfYEgfMA8QB3APZclC/RdzAiFFQYCDCUVo7jTRMZM7/fDC8gC8xO8WTj
+AAABdBiSoGUAAAQDAEgwRgIhAI4Cd+FhKsWdUZkBugaburD9dzdlVHSxKq6oYNyI
+vmIIAiEAwlmkvAiPb9nwDirqe7MZud5nu/lmq/Ip7M1xSKuraykAdgBc3EOS/uar
+RUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAXQYkqGUAAAEAwBHMEUCIQCpYqq+
+Uc881tR+ikvsR97FRl6jBfxG50Sum+cdHEQkYQIgZJbGaeNoDS9+LAKI88NNRiCK
+vtQZkwWigDYr+2dWguYwDQYJKoZIhvcNAQELBQADggEBAD+sj44+86AvdVUrAN9h
+cU6kt4I6K1TM0KBmKg3rG8JEY7+Ec4Rztls3uviLR0ajH5tkQPwD7vRBVrLVDtQS
+Ndt2StR38AXiBRWwewy/sPMz11YzOPLyHaTl4pJVfyzHJ+rPdWuFZLtpTras/MIK
+IFnnbInlh5XtRhDCv6UEkAmGu5BeftA+9XxTuZlbwQlO5U1yg9Hqor9zANMqX9Ad
+3omIZrPtBkTdVOwHRU8SoaS6XxQ9jxcmWRgNTVAhU1/J7Bgvg3CPSpcHyV78sXkS
+D9bb1f4jdadaMKuJc0mTHBAxZenr3IFV8upf2FRTJnrCiS0jX8kKobN/+04Gbev6
+Tr0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/valid.pem b/security/manager/ssl/tests/unit/test_crlite_filters/valid.pem
new file mode 100644
index 0000000000..6769ba3d37
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/valid.pem
@@ -0,0 +1,39 @@
+-----BEGIN CERTIFICATE-----
+MIIGyTCCBbGgAwIBAgIJANpPOSv9i86oMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
+VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
+MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
+cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
+dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE4MTAxNTE5NTQxNFoX
+DTIwMTAyNDE4MzczOFowQjEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
+dGVkMR0wGwYDVQQDExR2cG4ud29ybGRvZnNwZWVkLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAKb1cjhtYv6yiyZa1feabWaSBOCmN0JuqXIMkX3r
+4g+5heKAwPFlPFbZ3vZ3DQXiliV7jb5nhlx0O6nYG+MoGFmj6hEHDptCASAfdd3j
+4tCxg0FlilXgrgMkJCg+SjW0npZ86jMkfc0WzufUyMjxv2pUUicPNXyWbaQr+PCq
+zs6AsOkmuQ8RUUAqZ+Q0EJfQnjuhql7NCdByNui9S2LmrPcV6TAHHeTwKX733edv
+zsNzaLNgE6TLGXSSRvsW/eZ/uNScPHLybE4wdxxCDwSYCPwaQq34csc3a8SUTWfS
+4UkdbOn7j5sZPx7Jj0uUlm20ZDsj2FUi/0SXNvz5flFQbVsCAwEAAaOCA00wggNJ
+MAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4G
+A1UdDwEB/wQEAwIFoDA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3JsLmdvZGFk
+ZHkuY29tL2dkaWcyczEtODc4LmNybDBdBgNVHSAEVjBUMEgGC2CGSAGG/W0BBxcB
+MDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20v
+cmVwb3NpdG9yeS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcw
+AYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUFBzAChjRodHRwOi8v
+Y2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2RpZzIuY3J0MB8G
+A1UdIwQYMBaAFEDCvSeOzDSDMKIz1/tss/C0LIDOMDkGA1UdEQQyMDCCFHZwbi53
+b3JsZG9mc3BlZWQub3Jnghh3d3cudnBuLndvcmxkb2ZzcGVlZC5vcmcwHQYDVR0O
+BBYEFGjmOgodY5yPX19UPVcACFpVExz1MIIBfQYKKwYBBAHWeQIEAgSCAW0EggFp
+AWcAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWZ5SxEeAAAE
+AwBHMEUCIEL5OLHwBpIALbEnLFQntFlGBe8Oko6U/arr15jU4sLDAiEA6uy8DEnh
+PFLOxXDC3ZaeOlK2+cdx76IAr6M6As74ETEAdgDuS723dc5guuFCaR+r4Z5mow9+
+X7By2IMAxHuJeqj9ywAAAWZ5SxMzAAAEAwBHMEUCIFWIeePa6jdf6y9o/YYxoqWr
+Je3j8W94e4f5bixaGPiyAiEA7aJRZI+aWCE/zz5DpvcyRgkIoSKS3+dKS2irf/mp
+qx0AdQBep3P531bA57U2SH3QSeAyepGaDIShEhKEGHWWgXFFWAAAAWZ5SxPjAAAE
+AwBGMEQCIEkYw6g/cIZBdOUh+ETwl2XX2S0Bv8iGGiaOKOoXqVK6AiAh3eqABfMc
+9b/wLJZo186YgbzmbZB0N3y5TUJKK1oMYDANBgkqhkiG9w0BAQsFAAOCAQEAPEwx
+d597oqiP9/TN8RDrZqhn4uLZ9K5mXOD93RorUN8T8O1kV0B4UcXM1CkU2zxv4a9S
+tG3diHjmfJgcrhpa4i19sZD7+QpTU8j0e82JlsB3MpbtuaiBwqb979c5qNPixQlJ
+kDs4DWf8kV+4B9/DWWLDKvs+FtL8ST8n+LfwstZqi2EyK+1ZyM0p9hkUAzrT/M2h
+Ou1DYELbCt2HaKMHMPSlrkESG7Q9v9Ba23EXElG+oFXxgnPwk4n84rYG8lI8pPyA
+clunJNqc2cISUTDMdgGctCFdSVGyEq+8VVG5Y6Od5LMwtOLKcv+VPi17+iGfxNt/
++dAMbzGIlDuJELwn0g==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting.js b/security/manager/ssl/tests/unit/test_crlite_preexisting.js
new file mode 100644
index 0000000000..c788a11b54
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_preexisting.js
@@ -0,0 +1,208 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that starting a profile with a preexisting CRLite filter and stash
+// works correctly.
+
+"use strict";
+
+add_task(async function test_preexisting_crlite_data() {
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeEnforcePrefValue
+ );
+
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ // These need to be available to be able to find them during path building
+ // for certificate verification.
+ let issuerCert = constructCertFromFile("test_crlite_filters/issuer.pem");
+ ok(issuerCert, "issuer certificate should decode successfully");
+ let noSCTCertIssuer = constructCertFromFile(
+ "test_crlite_filters/no-sct-issuer.pem"
+ );
+ ok(
+ noSCTCertIssuer,
+ "issuer certificate for certificate without SCTs should decode successfully"
+ );
+
+ let validCert = constructCertFromFile("test_crlite_filters/valid.pem");
+ let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+
+ // We didn't load a data.bin file, so the filter is not considered fresh and
+ // we should get a "no filter" result. We later test that CRLite considers
+ // this cert to be revoked. So success here shows that CRLite is not
+ // consulted when the filter is stale.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "us-datarecovery.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+
+ // Add an empty stash to ensure the filter is considered to be fresh.
+ await new Promise(resolve => {
+ certStorage.addCRLiteStash(new Uint8Array([]), (rv, _) => {
+ Assert.equal(rv, Cr.NS_OK, "marked filter as fresh");
+ resolve();
+ });
+ });
+
+ // NB: by not specifying Ci.nsIX509CertDB.FLAG_LOCAL_ONLY, this tests that
+ // the implementation does not fall back to OCSP fetching, because if it
+ // did, the implementation would attempt to connect to a server outside the
+ // test infrastructure, which would result in a crash in the test
+ // environment, which would be treated as a test failure.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "vpn.worldofspeed.org",
+ 0
+ );
+
+ // NB: by not specifying Ci.nsIX509CertDB.FLAG_LOCAL_ONLY, this tests that
+ // the implementation does not fall back to OCSP fetching, because if it
+ // did, the implementation would attempt to connect to a server outside the
+ // test infrastructure, which would result in a crash in the test
+ // environment, which would be treated as a test failure.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "vpn.worldofspeed.org",
+ 0
+ );
+
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "us-datarecovery.com",
+ 0
+ );
+
+ let revokedInStashCert = constructCertFromFile(
+ "test_crlite_filters/revoked-in-stash.pem"
+ );
+ // The stash may not have loaded yet, so await a task that ensures the stash
+ // loading task has completed.
+ await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL,
+ (rv, _) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve();
+ }
+ );
+ });
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStashCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "stokedmoto.com",
+ 0
+ );
+
+ let revokedInStash2Cert = constructCertFromFile(
+ "test_crlite_filters/revoked-in-stash-2.pem"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStash2Cert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "icsreps.com",
+ 0
+ );
+
+ // This certificate has no embedded SCTs, so it is not guaranteed to be in
+ // CT, so CRLite can't be guaranteed to give the correct answer, so it is
+ // not consulted, and the implementation falls back to OCSP. Since the real
+ // OCSP responder can't be reached, this results in a
+ // SEC_ERROR_OCSP_SERVER_ERROR.
+ let noSCTCert = constructCertFromFile("test_crlite_filters/no-sct.pem");
+ // NB: this will cause an OCSP request to be sent to localhost:80, but
+ // since an OCSP responder shouldn't be running on that port, this should
+ // fail safely.
+ Services.prefs.setCharPref("network.dns.localDomains", "ocsp.digicert.com");
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ await checkCertErrorGenericAtTime(
+ certdb,
+ noSCTCert,
+ SEC_ERROR_OCSP_SERVER_ERROR,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "mail233.messagelabs.com",
+ 0
+ );
+ Services.prefs.clearUserPref("network.dns.localDomains");
+ Services.prefs.clearUserPref("security.OCSP.require");
+ Services.prefs.clearUserPref("security.OCSP.enabled");
+
+ let notCoveredCert = constructCertFromFile(
+ "test_crlite_filters/notcovered.pem"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ notCoveredCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2022-01-07T00:00:00Z").getTime() / 1000,
+ false,
+ "peekaboophonics.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+});
+
+function run_test() {
+ let securityStateDirectory = do_get_profile();
+ securityStateDirectory.append("security_state");
+ // For simplicity, re-use the filter from test_crlite_filters.js.
+ let crilteFile = do_get_file("test_crlite_filters/20201017-0-filter");
+ crilteFile.copyTo(securityStateDirectory, "crlite.filter");
+ // This stash file and the following cert storage file were obtained by
+ // running just the task `test_crlite_filters_and_check_revocation` in
+ // test_crlite_filters.js, causing it to hang (by adding something like
+ // `add_test(() => {});`), and then copying the files from the temporary
+ // profile directory.
+ let stashFile = do_get_file("test_crlite_preexisting/crlite.stash");
+ stashFile.copyTo(securityStateDirectory, "crlite.stash");
+ let coverageFile = do_get_file("test_crlite_preexisting/crlite.coverage");
+ coverageFile.copyTo(securityStateDirectory, "crlite.coverage");
+ let enrollmentFile = do_get_file("test_crlite_preexisting/crlite.enrollment");
+ enrollmentFile.copyTo(securityStateDirectory, "crlite.enrollment");
+ let certStorageFile = do_get_file(
+ "test_crlite_preexisting/crlite.enrollment"
+ );
+ certStorageFile.copyTo(securityStateDirectory, "crlite.enrollment");
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.coverage b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.coverage
new file mode 100644
index 0000000000..2bd13319e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.coverage
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.enrollment b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.enrollment
new file mode 100644
index 0000000000..7f34283ded
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.enrollment
@@ -0,0 +1 @@
+3)û«Õ¤:Óf£õv¬œ 0ИëðëyæQ±ýý'ŽêŸïÕájfå¨é›à@(,v–~;ÕPÏ \ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.stash b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.stash
new file mode 100644
index 0000000000..25bd87d8eb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.stash
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_stash_corrupted.js b/security/manager/ssl/tests/unit/test_crlite_stash_corrupted.js
new file mode 100644
index 0000000000..707e2f400b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_stash_corrupted.js
@@ -0,0 +1,91 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted stash file.
+
+"use strict";
+
+add_task(async function test_crlite_stash_corrupted() {
+ let securityStateDirectory = do_get_profile();
+ securityStateDirectory.append("security_state");
+
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeEnforcePrefValue
+ );
+
+ let coverage = do_get_file("test_crlite_preexisting/crlite.coverage");
+ coverage.copyTo(securityStateDirectory, "crlite.coverage");
+
+ let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+ enrollment.copyTo(securityStateDirectory, "crlite.enrollment");
+
+ let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+ filter.copyTo(securityStateDirectory, "crlite.filter");
+
+ let stash = do_get_file("test_crlite_corrupted/bad.stash");
+ stash.copyTo(securityStateDirectory, "crlite.stash");
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+
+ // Add an empty stash to ensure the filter is considered to be fresh.
+ await new Promise(resolve => {
+ certStorage.addCRLiteStash(new Uint8Array([]), (rv, _) => {
+ Assert.equal(rv, Cr.NS_OK, "marked filter as fresh");
+ resolve();
+ });
+ });
+
+ // Await a task that ensures the stash loading task has completed.
+ await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL,
+ (rv, _) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve();
+ }
+ );
+ });
+
+ // This certificate is revoked according to `test_crlite_filters/20201017-0-filter`.
+ // Its issuer is enrolled according to `test_crlite_preexisting/crlite.enrollment`,
+ // and it is covered according to `test_crlite_preexisting/crlite.coverage`.
+ let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+
+ // The issuer's certificate needs to be available for path building.
+ let issuerCert = constructCertFromFile("test_crlite_filters/issuer.pem");
+ ok(issuerCert, "issuer certificate should decode successfully");
+
+ // Loading the stash should not have caused any problems, and `revokedCert`
+ // should be marked as revoked.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ undefined,
+ "us-datarecovery.com",
+ 0
+ );
+
+ let hasFilter = await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_FULL,
+ (rv, result) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve(result);
+ }
+ );
+ });
+ Assert.equal(hasFilter, true, "CRLite should have a filter");
+});
diff --git a/security/manager/ssl/tests/unit/test_ct.js b/security/manager/ssl/tests/unit/test_ct.js
new file mode 100644
index 0000000000..1f436eb44d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct.js
@@ -0,0 +1,72 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+function expectCT(value) {
+ return securityInfo => {
+ Assert.equal(
+ securityInfo.certificateTransparencyStatus,
+ value,
+ "actual and expected CT status should match"
+ );
+ };
+}
+
+registerCleanupFunction(() => {
+ Services.prefs.clearUserPref("security.pki.certificate_transparency.mode");
+ let cert = constructCertFromFile("test_ct/ct-valid.example.com.pem");
+ setCertTrust(cert, ",,");
+});
+
+function run_test() {
+ Services.prefs.setIntPref("security.pki.certificate_transparency.mode", 1);
+ add_tls_server_setup("BadCertAndPinningServer", "test_ct");
+ // These certificates have a validity period of 800 days, which is a little
+ // over 2 years and 2 months. This gets rounded down to 2 years (since it's
+ // less than 2 years and 3 months). Our policy requires N + 1 embedded SCTs,
+ // where N is 2 in this case. So, a policy-compliant certificate would have at
+ // least 3 SCTs.
+ add_connection_test(
+ "ct-valid.example.com",
+ PRErrorCodeSuccess,
+ null,
+ expectCT(
+ Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT
+ )
+ );
+ // This certificate has only 2 embedded SCTs, and so is not policy-compliant.
+ add_connection_test(
+ "ct-insufficient-scts.example.com",
+ PRErrorCodeSuccess,
+ null,
+ expectCT(
+ Ci.nsITransportSecurityInfo
+ .CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS
+ )
+ );
+
+ // Test that if an end-entity is marked as a trust anchor, CT verification
+ // returns a "not enough SCTs" result.
+ add_test(() => {
+ let cert = constructCertFromFile("test_ct/ct-valid.example.com.pem");
+ setCertTrust(cert, "CTu,,");
+ clearSessionCache();
+ run_next_test();
+ });
+ add_connection_test(
+ "ct-valid.example.com",
+ PRErrorCodeSuccess,
+ null,
+ expectCT(
+ Ci.nsITransportSecurityInfo
+ .CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS
+ )
+ );
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem
new file mode 100644
index 0000000000..dc5ba854a8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEsjCCA5qgAwIBAgIUO1A7IKB0sCUgXosbjKr2+i1ynO0wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjArMSkwJwYDVQQDDCBjdC1pbnN1ZmZpY2llbnQtc2N0cy5leGFt
+cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaOCAeEwggHdMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20w
+ggG/BgorBgEEAdZ5AgQCBIIBrwSCAasBqQB2ACq4MEQzuRTe0vMeQgfyUcF6N6CS
+aFLZCAIG+F5XORYqAAABUfp73AAAAAQDAEcwRQIgXHVRnxMRUM1dit4go7wGMJH/
+snN1XzFk7P3LQoAKcOYCIQCukSzwRcH5LaZUGjQQswNOAf0giSm/7LC6Awq+EMMD
+jAEvADEI9rbdchgH8BaVhE2FAla2cZNgg9u9OTSgUFJQGiiSAAABUfp73AAAAAQB
+AQBfrqR5eXq3/2XT6FUWtKVv8DHpP6VnLw8rARRr3GJM8nd4SMk/ds+1nWLFT+Uu
+CNm2wcVImCmumIi9zWoaWbh5xWpO2SN4KX85vZVhhsyPH27iR9M9PZ/OEblBJdIz
+W/QFLBKRmFe06GyLq0LuW5aQun+tjGx//dm0LB4Sug1NixnEUYUhCt4uGdcEyohj
+Hk95Gv89hAtiz2O6GS2fMzoe78IoN2d7XaCXNWTz4JkMCwTUwkxbpn76f/kGyD1K
++usjemQdVBOhZ8KE46+wZiI3BgqugHrmWY2xpr6oZxYbKzrVC3+BuKMI4sDDsX64
+pR88XkOqvluKcfxtTnVjhKmyMA0GCSqGSIb3DQEBCwUAA4IBAQAjm3TIr026oz6N
+DZyj2+9PqoOYsngraVhZlogvwWK/GIkcNUGupczij7JdoCA5b4szCcaYqSC/gTMl
+kp9YmrUzYjbI8OU7KIwPazx/3QZzZDmmUUvTlM5cfDhDPJX0MmwypzM+klmRJKh4
+2hyE6TiKmoARMLDSrHxLaU43Ph8Q9PDricAdUk+r87Xq/z2785l32XJUeXFFbM1A
+ZrD059jjQX+oWucVxdql9+SM/ZnHC5gnZS+UOIYY9USu1FhSyX8OqwlrLzl0GeI1
+GLrgvHPBLYhbl6NtdVHxXrAy6ueL89wPZevBkAZ6G5GXDhtbrdLQuXIvluWyRfRu
+PjrboP8a
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem.certspec b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem.certspec
new file mode 100644
index 0000000000..c40f26d5d8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:ct-insufficient-scts.example.com
+extension:subjectAlternativeName:*.example.com
+extension:embeddedSCTList:secp256r1:20160101,alternate:20160101
diff --git a/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem
new file mode 100644
index 0000000000..539a558f4a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF1zCCBL+gAwIBAgIUVcPTyId6kLmdmBE+lvZPcEuHWWowDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAfMR0wGwYDVQQDDBRjdC12YWxpZC5leGFtcGxlLmNvbTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaOCAxIwggMOMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wggLwBgorBgEEAdZ5
+AgQCBIIC4ASCAtwC2gEvAFQiJZjzPTZIBULa7ODmuU3hXA7ujFkUykjXXjxIToA/
+AAABUfp73AAAAAQBAQApU8txbrW74luVlVcqhBmSPgDDrO1DJwJD5Nh0AFi+IHUp
+1HGttD5v4631GMKg6YQurbxBjIyf2XoIEcz0ItvcH6JAn5DQ+hnNVN38CFy2LKvQ
+fZ5+YMmbQQICUZvNaknC5QDD04CmfcJBNtE6f2NOsw2ssUOEy37fnHIQNqb68YWG
+HMJDHdhhN/PdPA55ew79w1Q8l5+ShU0sewGQkXMsWiNVPJwf/YZ9ZwglcVZMTU7S
+w00EntzeShcDb8XVsCNvuw/7R10cW9XEnFxC+/aIZp/MnbagJctiKpuEioPpkJtz
+UHa2G8j98u21W4ZRYpzUjuhtZMXg4WrAt2kMQtKEAHYAKrgwRDO5FN7S8x5CB/JR
+wXo3oJJoUtkIAgb4Xlc5FioAAAFR+nvcAAAABAMARzBFAiBcdVGfExFQzV2K3iCj
+vAYwkf+yc3VfMWTs/ctCgApw5gIhAKuTtYDsjlbPaI0qWB+4k+jdEMRWTLeoLyGe
+0OFrQx5lAS8AMQj2tt1yGAfwFpWETYUCVrZxk2CD2705NKBQUlAaKJIAAAFR+nvc
+AAAABAEBAEBwuP6rrIG0L8/cMl/TNSQBumJtza2IzHNGQ8Y1nrhzYebNwrcrm+gB
+ur+EalPi7JucxOehxiiRvWNVhQ5gk1TG78GWnrWQMHCAiISGGNRru5MyIlu+VqY4
+dae1sKb9jiuQ1zm1PnZnpIfUxr2Q4oKVwkCMPl0m+ddbAaNBbuhfqdd8vCY9GeAf
+tfRq3Zm7Zrwj3nqQduAMErRbZ3ief6vUGmJR4JY6pHfhf9xE65LpsPbWo2DSI5br
+2jTojixZ6B6ECtHTvZWohypMbbb2tMEdVPCRRwuWar0mhfQ9w/EaDkd3smVfuxJp
+hfFTN2pvqKHAMkQMj7Q1wOWZC1Y/cREwDQYJKoZIhvcNAQELBQADggEBAGeXrpKU
+mMhXj+8NlmQFd5GoqUHEWIz6Ryz4esAznDDphASxRSnzzYzzRoti3M6Dk3QvHvUG
+d/cU2pmhZBonKBeGbAkXIHkv1jGQfzr0/KrTPALl61RUFZ9xxp4UXGH8fJUtMIko
+sg4YMvsMsgobX6PozctO+teNWG4fsOfSRJACFbqGzOEJh/lVA0VWDbABHOBoNRw4
+m254+oECn39t4WAenTAbqueF3fKN18WvWNYiY2OIYyfolipg9/YnZwhGXOlPVIzQ
+xpcKKBaRYWgmHRZlm5r34ywxYrG2MqkvK9D6eBB5EVGJQg2ClvgnO+GRbFjNG602
+sSp/9KiOM6Z4HiQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem.certspec b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem.certspec
new file mode 100644
index 0000000000..0ecf46d89c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:ct-valid.example.com
+extension:subjectAlternativeName:*.example.com
+extension:embeddedSCTList:default:20160101,secp256r1:20160101,alternate:20160101
diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.key b/security/manager/ssl/tests/unit/test_ct/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/default-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_ct/default-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/default-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.pem b/security/manager/ssl/tests/unit/test_ct/default-ee.pem
new file mode 100644
index 0000000000..5dc7cf4ef8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/default-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDiTCCAnGgAwIBAgIUOYwND1zpte36abEsvdvudfnxjHgwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow
+gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp
+bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu
+ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs
+ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBr5H7lb24bMQYGDFY5qeMDNcti
+AI4rI7Nu0aMvZtDcxqHkIg/a7nr7WeQc3gCg8mUJ6xvreXxRswrudZzjjsGiTbym
+qjEz7HYrbvdWh5bLtdL7aoP1KmFD722guwdXVYQ7tx65oHroH+UCU28VT/+WzsHc
+5OjBqZvR928aWEXwIen9lhdk/5Rq2IrFqCTuUrNR5aiP6gJZoy4nIh3IFIxqWzsm
+lOjqvzSQIuo+gLN7oduafrwetpp8ywSrDVTtp9yckIHuW8css+OZLfqbFPMSFRJo
+Qee+FhxaGgDoRGk8oVGYyTJYUPIReZa5dtNPKs1JQvdqhIeUwA3GnJBTFCan
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ct/default-ee.pem.certspec
new file mode 100644
index 0000000000..554339ff52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/default-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test End-entity
+extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/test_ct/test-ca.pem b/security/manager/ssl/tests/unit/test_ct/test-ca.pem
new file mode 100644
index 0000000000..67e7ca56e8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUP5NBbozOXrtwcuQwu3pzUXbOl7owDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEABBSMkSBFq/bK
+LpntIx6QJdqPtmnjdjwTpCbQyKKfQjjrazCfru5SheZq7ACtQ0uWFokUOQhB+Xvv
+sqy9HqJhK4UN0zfNPjtkHOSbNefWXOseEzA6XxuaCzQXWOp1WNNPnfdtYZizy6hT
+fKuKjhniKLmIQD61KNl7Ev1hWUhWC7R8U+IFztXusYYFUUmqqaZ/v7lNfY1sHu4k
+zHQFp+xqeaXvkoRpTXhoSdwDQ7ldquwqMM0NIQXlhtcmg7IYwZBGlJgzoejN4k2H
+2WycvxPW70I10NeAAhtie1+K4JHwr6/SLLwCCnJDoRMMpMhM9/853Ye/4PTDGhuK
+fqhEoHH9Ig==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ct/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_ct/test-ca.pem.certspec
new file mode 100644
index 0000000000..5d2435d7bb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/test-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test CA
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_db_format_pref_new.js b/security/manager/ssl/tests/unit/test_db_format_pref_new.js
new file mode 100644
index 0000000000..9921948927
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_db_format_pref_new.js
@@ -0,0 +1,30 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Tests that when PSM initializes, we create the sqlite-backed certificate and
+// key databases.
+
+function run_test() {
+ let profileDir = do_get_profile();
+ let certificateDBFile = profileDir.clone();
+ let certificateDBName = "cert9.db";
+ certificateDBFile.append(certificateDBName);
+ ok(
+ !certificateDBFile.exists(),
+ `${certificateDBName} should not exist beforehand`
+ );
+ let keyDBFile = profileDir.clone();
+ let keyDBName = "key4.db";
+ keyDBFile.append(keyDBName);
+ ok(!keyDBFile.exists(), `${keyDBName} should not exist beforehand`);
+ // This should start PSM.
+ Cc["@mozilla.org/psm;1"].getService(Ci.nsISupports);
+ ok(
+ certificateDBFile.exists(),
+ `${certificateDBName} should exist in the profile`
+ );
+ ok(keyDBFile.exists(), `${keyDBName} should exist in the profile`);
+}
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials.js b/security/manager/ssl/tests/unit/test_delegated_credentials.js
new file mode 100644
index 0000000000..a1623ddcb2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials.js
@@ -0,0 +1,91 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Tests handling of certificates marked as permitting delegated credentials
+
+function shouldBeDelegatedCredential(aTransportSecurityInfo) {
+ Assert.ok(
+ aTransportSecurityInfo.isDelegatedCredential,
+ "This host should have used a delegated credential"
+ );
+}
+
+function shouldNotBeDelegatedCredential(aTransportSecurityInfo) {
+ Assert.ok(
+ !aTransportSecurityInfo.isDelegatedCredential,
+ "This host should not have used a delegated credential"
+ );
+}
+
+do_get_profile();
+
+add_tls_server_setup(
+ "DelegatedCredentialsServer",
+ "test_delegated_credentials"
+);
+
+// Test:
+// Server certificate supports DC
+// Server DC support enabled
+// Client DC support disabled
+// Result: Successful connection without DC
+add_test(function() {
+ clearSessionCache();
+ Services.prefs.setBoolPref(
+ "security.tls.enable_delegated_credentials",
+ false
+ );
+ run_next_test();
+});
+add_connection_test(
+ "delegated-enabled.example.com",
+ PRErrorCodeSuccess,
+ null,
+ shouldNotBeDelegatedCredential
+);
+
+// Test:
+// Server certificate does not support DC
+// Server DC support enabled
+// Client DC support enabled
+// Result: SSL_ERROR_DC_INVALID_KEY_USAGE from client when
+// checking DC against EE cert, no DC in aTransportSecurityInfo.
+add_test(function() {
+ clearSessionCache();
+ Services.prefs.setBoolPref("security.tls.enable_delegated_credentials", true);
+ run_next_test();
+});
+add_connection_test(
+ "standard-enabled.example.com",
+ SSL_ERROR_DC_INVALID_KEY_USAGE,
+ null,
+ // We'll never |mHaveCipherSuiteAndProtocol|,
+ // and therefore can't check IsDelegatedCredential
+ null
+);
+
+// Test:
+// Server certificate supports DC
+// Server DC support disabled
+// Client DC support enabled
+// Result: Successful connection without DC
+add_connection_test(
+ "delegated-disabled.example.com",
+ PRErrorCodeSuccess,
+ null,
+ shouldNotBeDelegatedCredential
+);
+
+// Test:
+// Server certificate supports DC
+// Server DC support enabled
+// Client DC support enabled
+// Result: Successful connection with DC
+add_connection_test(
+ "delegated-enabled.example.com",
+ PRErrorCodeSuccess,
+ null,
+ shouldBeDelegatedCredential
+);
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key
new file mode 100644
index 0000000000..a926a54efb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM
+1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48
+9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA
+-----END EC PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key.keyspec
new file mode 100644
index 0000000000..03c3ce198f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key.keyspec
@@ -0,0 +1 @@
+secp256r1
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem
new file mode 100644
index 0000000000..4ee85cb1eb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICSDCCATCgAwIBAgIUN26/sySuiNB+ynuprhHIoxsuFXQwDQYJKoZIhvcNAQEL
+BQAwLDEqMCgGA1UEAwwhZGVsZWdhdGVkLWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRl
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMBUxEzARBgNVBAMM
+CmRlZmF1bHQtZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARPv7u7YeD4+bGm
+ClmshwTi7AULQj489y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQej
+BOqgSqbAo0AwPjATBgNVHSUEDDAKBggrBgEFBQcDATAnBgNVHREEIDAeghxzdGFu
+ZGFyZC1lbmFibGVkLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBIxTo+
+s5Tg/YrX0tLgg0rKcrZumJdN64j10IW1JwKCgYqoP/XhXK5AEISudekcedjrQOtb
+Kalacxn9Pecmw+EiDvhXklxQfZKSHBtsecLtmQnr2RaDdbxQx+ebAmAtn4y9MwjO
+rWVqdW80viHcsn+1S/+uDF8tNPuBTTInLh7yYRwBZ1O44sT/w/5DXujmjefK5LoK
+VORWpnHZ9JA1jVEj4MHlhHXky6og2SG+10WnouvmOGKJsV7JfWrUe/ogMnW1nkEZ
+dcOBIqjHQWLCWKd27ZQASmTZThVDHoN+QnXe/dEYwBaCcUmoafM+uis9A2zcMdJw
+o6scbgbJMwgS/e/d
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem.certspec
new file mode 100644
index 0000000000..5ebe9b5ba7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:delegated-credential-intermediate
+subjectKey:secp256r1
+subject:default-ee
+extension:extKeyUsage:serverAuth
+extension:subjectAlternativeName:standard-enabled.example.com
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem
new file mode 100644
index 0000000000..8da0838e6f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICiTCCAXGgAwIBAgIUXdQo1CMJjWFQKxkJ45F9RpbesCQwDQYJKoZIhvcNAQEL
+BQAwLDEqMCgGA1UEAwwhZGVsZWdhdGVkLWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRl
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMBcxFTATBgNVBAMM
+DGRlbGVnYXRlZC1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5
+saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGTkNeZG3st
+B6ME6qBKpsCjfzB9MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDBI
+BgNVHREEQTA/gh1kZWxlZ2F0ZWQtZW5hYmxlZC5leGFtcGxlLmNvbYIeZGVsZWdh
+dGVkLWRpc2FibGVkLmV4YW1wbGUuY29tMA8GCSsGAQQBgtpLLAQCBQAwDQYJKoZI
+hvcNAQELBQADggEBABih6ICVs7RsbhTEhAJQ16rrD36fF0fCe+1XqUy52nUaQuAj
+a2JWbkqp24Ib76dU40B40L7Pd4ksmYnazKS4aFZ8HrTRKfPzmKR743Jex6rcFiRM
+0JnqLw75p5LbZcOfW4+Nu1AzhgUiPp1u0PJnfCbVTlcCkyS3Fb+SH7knCftF6BJt
+zS+ZQFRzorbVjjUAkUeN2B7qeesYJVLqFpGfhsTSge9+F8JIAqE9Fso7+a+sHuhp
+5ItAKczQkFcXwyCdTCBnNo4yy7NvQ66tNj6+v0ifHnINg3wqd2gOAJ9xMY7mGE7F
+uXi/dBWquWVHsg481ybTW20Ovk4HWJz33Ylxc6E=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem.certspec
new file mode 100644
index 0000000000..e90fa3b646
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem.certspec
@@ -0,0 +1,7 @@
+issuer:delegated-credential-intermediate
+subject:delegated-ee
+subjectKey:secp256r1
+extension:extKeyUsage:serverAuth
+extension:keyUsage:digitalSignature,keyEncipherment
+extension:subjectAlternativeName:delegated-enabled.example.com,delegated-disabled.example.com
+extension:delegationUsage:
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key
new file mode 100644
index 0000000000..1c1af40bda
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDADXHobENn6/oN7ZK2S
+8i9c7QeJGGU4ZptcbYcs7D2SYSKzk3crV2Av8xNl7+E5MkahZANiAAShaHJDNitc
+exiJ83kVRhWhxz+0je6GPgIpFdtgjiUt5LcTLajOmOgxU05qnAwLCcjWOa3oMgbl
+uoE0c6EfozDgXajJbkOD/ieHPalxA74oiM/wAvBa9xof3cyDdKpuqc4=
+-----END EC PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec
new file mode 100644
index 0000000000..11f041d996
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec
@@ -0,0 +1 @@
+secp384r1
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem
new file mode 100644
index 0000000000..8090606694
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAdugAwIBAgIUV5QPCtt30cr0OHQqp5FKh9iORPUwDQYJKoZIhvcNAQEL
+BQAwIjEgMB4GA1UEAwwXZGVsZWdhdGVkLWNyZWRlbnRpYWwtY2EwIhgPMjAyMTEx
+MjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowIjEgMB4GA1UEAwwXZGVsZWdhdGVk
+LWNyZWRlbnRpYWwtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
+iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
+4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
+8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
+Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
+77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
+I/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQD
+AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQB7snna6hblvBPTwNKeReVfshWDEeeW4cFM
+zDZIxdQ+Xh9dWSZHN8fT0r4ZH621vnfipRqlfKTNp2/472WfVLGWRJSBX/bSqfVG
+EH2SQVixHOAHnmgi2zfE6XY0O5CT1IoHLNOEoGkpPXXgpw6ya/XPWHNw/I+Poj9F
+sEnot00uDdn3yO/mzMyHaOnWoKoycLIPHxsRQb/twRYFs5rypEzXvRd2IWj6E0Kj
+TDAusnuYrzZOyTG+pqvq7V9Xr5igwD29f48KQVYRu+wuXaxH8KXw8nB3N7+rhMOW
+x9nnItSoPDkZI2fxWedhDF6YLoDPkISZpw8/4vs4kVkBAgjnKxZ5
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem.certspec
new file mode 100644
index 0000000000..91227f5da0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:delegated-credential-ca
+subject:delegated-credential-ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem
new file mode 100644
index 0000000000..dbeca6352f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/TCCAeWgAwIBAgIUJRD5PaFbjcWhPAHq+mbNZw66NKowDQYJKoZIhvcNAQEL
+BQAwIjEgMB4GA1UEAwwXZGVsZWdhdGVkLWNyZWRlbnRpYWwtY2EwIhgPMjAyMTEx
+MjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowLDEqMCgGA1UEAwwhZGVsZWdhdGVk
+LWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/
+MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAeRvreFXifukKi5uoS290
+3UcsmVcGiPGrFFBvOi279MqzZFawGwsAFD9hCrQbx6Ym3PvMdKjcwAb/sVGui7b8
+NYKXt7U5hSvncWQOFShK0eWUYZp7yVUt+ZPd0NPpmP5QGbnBoR4YVAuubb/lLycZ
+r3tt41pYBKhOBov4AX2Rab16yW619pClss4Qqd7pIAimSXYxRFh0p8FRh8c9a2tK
+Cc8qA0tc8lQfem1Z1gWHhUMiFBTS0HRwRr6s4JqYVJcu1zMzU6QxEDzTClA3BVHB
+tiSwVSDRg2blzlIbaAD4OQwip9aTzQQw0Sc7wV//UOjuR5DmcX5d6Qd18qE5NQHR
+aA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem.certspec
new file mode 100644
index 0000000000..64cc4e5693
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:delegated-credential-ca
+subject:delegated-credential-intermediate
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_der.js b/security/manager/ssl/tests/unit/test_der.js
new file mode 100644
index 0000000000..258f161aa1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_der.js
@@ -0,0 +1,355 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+// Tests DER.jsm functionality.
+
+// Until DER.jsm is actually used in production code, this is where we have to
+// import it from.
+var { DER } = ChromeUtils.import("resource://gre/modules/psm/DER.jsm");
+
+function run_simple_tests() {
+ throws(
+ () => new DER.DERDecoder("this is not an array"),
+ /invalid input/,
+ "should throw given non-array input"
+ );
+
+ let testReadByte = new DER.DERDecoder([0x0a, 0x0b]);
+ equal(testReadByte.readByte(), 0x0a, "should read 0x0a");
+ equal(testReadByte.readByte(), 0x0b, "should read 0x0b");
+ throws(
+ () => testReadByte.readByte(),
+ /data truncated/,
+ "reading more data than is available should fail"
+ );
+
+ let testReadBytes = new DER.DERDecoder([0x0c, 0x0d, 0x0e]);
+ deepEqual(
+ testReadBytes.readBytes(3),
+ [0x0c, 0x0d, 0x0e],
+ "should read correct sequence of bytes"
+ );
+
+ let testReadNegativeBytes = new DER.DERDecoder([0xff, 0xaf]);
+ throws(
+ () => testReadNegativeBytes.readBytes(-4),
+ /invalid length/,
+ "reading a negative number of bytes should fail"
+ );
+
+ let testReadZeroBytes = new DER.DERDecoder([]);
+ equal(
+ testReadZeroBytes.readBytes(0).length,
+ 0,
+ "reading zero bytes should result in a zero-length array"
+ );
+
+ let testReadTooManyBytes = new DER.DERDecoder([0xab, 0xcd, 0xef]);
+ throws(
+ () => testReadTooManyBytes.readBytes(4),
+ /data truncated/,
+ "reading too many bytes should fail"
+ );
+
+ let testSEQUENCE = new DER.DERDecoder([0x30, 0x01, 0x01]);
+ let content = testSEQUENCE.readTagAndGetContents(DER.SEQUENCE);
+ equal(content.length, 1, "content should have length 1");
+ equal(content[0], 1, "value of content should be [1]");
+ ok(testSEQUENCE.atEnd(), "testSEQUENCE should be at the end of its input");
+ testSEQUENCE.assertAtEnd();
+
+ // The length purports to be 4 bytes, but there are only 2 available.
+ let truncatedSEQUENCE = new DER.DERDecoder([0x30, 0x04, 0x00, 0x00]);
+ throws(
+ () => truncatedSEQUENCE.readTagAndGetContents(DER.SEQUENCE),
+ /data truncated/,
+ "should get 'data truncated' error"
+ );
+
+ // With 2 bytes of content, there is 1 remaining after reading the content.
+ let extraDataSEQUENCE = new DER.DERDecoder([0x30, 0x02, 0xab, 0xcd, 0xef]);
+ content = extraDataSEQUENCE.readTagAndGetContents(DER.SEQUENCE);
+ equal(content.length, 2, "content should have length 2");
+ deepEqual(content, [0xab, 0xcd], "value of content should be [0xab, 0xcd]");
+ ok(
+ !extraDataSEQUENCE.atEnd(),
+ "extraDataSEQUENCE should not be at the end of its input"
+ );
+ throws(
+ () => extraDataSEQUENCE.assertAtEnd(),
+ /extra data/,
+ "should get 'extra data' error"
+ );
+
+ // The length of 0x81 0x01 is invalid because it could be encoded as just
+ // 0x01, which is shorter.
+ let invalidLengthSEQUENCE1 = new DER.DERDecoder([0x30, 0x81, 0x01, 0x00]);
+ throws(
+ () => invalidLengthSEQUENCE1.readTagAndGetContents(DER.SEQUENCE),
+ /invalid length/,
+ "should get 'invalid length' error"
+ );
+
+ // Similarly, 0x82 0x00 0x01 could be encoded as just 0x01, which is shorter.
+ let invalidLengthSEQUENCE2 = new DER.DERDecoder([
+ 0x30,
+ 0x82,
+ 0x00,
+ 0x01,
+ 0x00,
+ ]);
+ throws(
+ () => invalidLengthSEQUENCE2.readTagAndGetContents(DER.SEQUENCE),
+ /invalid length/,
+ "should get 'invalid length' error"
+ );
+
+ // Lengths requiring 4 bytes to encode are not supported.
+ let unsupportedLengthSEQUENCE = new DER.DERDecoder([
+ 0x30,
+ 0x83,
+ 0x01,
+ 0x01,
+ 0x01,
+ ]);
+ throws(
+ () => unsupportedLengthSEQUENCE.readTagAndGetContents(DER.SEQUENCE),
+ /unsupported length/,
+ "should get 'unsupported length' error"
+ );
+
+ // Indefinite lengths are not supported (and aren't DER anyway).
+ let unsupportedASN1SEQUENCE = new DER.DERDecoder([
+ 0x30,
+ 0x80,
+ 0x01,
+ 0x00,
+ 0x00,
+ ]);
+ throws(
+ () => unsupportedASN1SEQUENCE.readTagAndGetContents(DER.SEQUENCE),
+ /unsupported asn.1/,
+ "should get 'unsupported asn.1' error"
+ );
+
+ let unexpectedTag = new DER.DERDecoder([0x31, 0x01, 0x00]);
+ throws(
+ () => unexpectedTag.readTagAndGetContents(DER.SEQUENCE),
+ /unexpected tag/,
+ "should get 'unexpected tag' error"
+ );
+
+ let readTLVTestcase = new DER.DERDecoder([0x02, 0x03, 0x45, 0x67, 0x89]);
+ let bytes = readTLVTestcase.readTLV();
+ deepEqual(
+ bytes,
+ [0x02, 0x03, 0x45, 0x67, 0x89],
+ "bytes read with readTLV should be equal to expected value"
+ );
+
+ let peekTagTestcase = new DER.DERDecoder([0x30, 0x01, 0x00]);
+ ok(
+ peekTagTestcase.peekTag(DER.SEQUENCE),
+ "peekTag should return true for peeking with a SEQUENCE at a SEQUENCE"
+ );
+ ok(
+ !peekTagTestcase.peekTag(DER.SET),
+ "peekTag should return false for peeking with a SET at a SEQUENCE"
+ );
+ peekTagTestcase.readTLV();
+ ok(
+ !peekTagTestcase.peekTag(DER.SEQUENCE),
+ "peekTag should return false for peeking at a DER with no more data"
+ );
+
+ let tlvChoiceTestcase = new DER.DERDecoder([0x31, 0x02, 0xaa, 0xbb]);
+ let tlvChoiceContents = tlvChoiceTestcase.readTLVChoice([DER.NULL, DER.SET]);
+ deepEqual(
+ tlvChoiceContents,
+ [0x31, 0x02, 0xaa, 0xbb],
+ "readTLVChoice should return expected bytes"
+ );
+
+ let tlvChoiceNoMatchTestcase = new DER.DERDecoder([0x30, 0x01, 0xff]);
+ throws(
+ () => tlvChoiceNoMatchTestcase.readTLVChoice([DER.NULL, DER.SET]),
+ /unexpected tag/,
+ "readTLVChoice should throw if no matching tag is found"
+ );
+}
+
+function run_bit_string_tests() {
+ let bitstringDER = new DER.DERDecoder([0x03, 0x04, 0x03, 0x01, 0x02, 0xf8]);
+ let bitstring = bitstringDER.readBIT_STRING();
+ equal(bitstring.unusedBits, 3, "BIT STRING should have 3 unused bits");
+ deepEqual(
+ bitstring.contents,
+ [0x01, 0x02, 0xf8],
+ "BIT STRING should have expected contents"
+ );
+
+ let bitstringTooManyUnusedBits = new DER.DERDecoder([0x03, 0x02, 0x08, 0x00]);
+ throws(
+ () => bitstringTooManyUnusedBits.readBIT_STRING(),
+ /invalid BIT STRING encoding/,
+ "BIT STRING with too many unused bits should throw"
+ );
+
+ // A BIT STRING must have the unused bits byte, and so its length must be at
+ // least one.
+ let bitstringMissingUnusedBits = new DER.DERDecoder([0x03, 0x00]);
+ throws(
+ () => bitstringMissingUnusedBits.readBIT_STRING(),
+ /invalid BIT STRING encoding/,
+ "BIT STRING with missing unused bits (and no contents) should throw"
+ );
+
+ // The minimal BIT STRING is 03 01 00 (zero bits of padding and zero bytes of
+ // content).
+ let minimalBitstringDER = new DER.DERDecoder([0x03, 0x01, 0x00]);
+ let minimalBitstring = minimalBitstringDER.readBIT_STRING();
+ equal(
+ minimalBitstring.unusedBits,
+ 0,
+ "minimal BIT STRING should have 0 unused bits"
+ );
+ equal(
+ minimalBitstring.contents.length,
+ 0,
+ "minimal BIT STRING should have empty contents"
+ );
+
+ // However, a BIT STRING with zero bytes of content can't have any padding,
+ // because that makes no sense.
+ let noContentsPaddedBitstringDER = new DER.DERDecoder([0x03, 0x01, 0x03]);
+ throws(
+ () => noContentsPaddedBitstringDER.readBIT_STRING(),
+ /invalid BIT STRING encoding/,
+ "BIT STRING with no contents with non-zero padding should throw"
+ );
+}
+
+function run_compound_tests() {
+ let derBytes = [
+ 0x30,
+ 0x1a, // SEQUENCE
+ 0x02,
+ 0x02,
+ 0x77,
+ 0xff, // INTEGER
+ 0x06,
+ 0x03,
+ 0x2b,
+ 0x01,
+ 0x01, // OBJECT IDENTIFIER
+ 0x30,
+ 0x07, // SEQUENCE
+ 0x05,
+ 0x00, // NULL
+ 0x02,
+ 0x03,
+ 0x45,
+ 0x46,
+ 0x47, // INTEGER
+ 0x30,
+ 0x06, // SEQUENCE
+ 0x02,
+ 0x02,
+ 0x00,
+ 0xff, // INTEGER
+ 0x05,
+ 0x00,
+ ]; // NULL
+ let der = new DER.DERDecoder(derBytes);
+ let contents = new DER.DERDecoder(der.readTagAndGetContents(DER.SEQUENCE));
+ let firstINTEGER = contents.readTagAndGetContents(DER.INTEGER);
+ deepEqual(
+ firstINTEGER,
+ [0x77, 0xff],
+ "first INTEGER should have expected value"
+ );
+ let oid = contents.readTagAndGetContents(DER.OBJECT_IDENTIFIER);
+ deepEqual(
+ oid,
+ [0x2b, 0x01, 0x01],
+ "OBJECT IDENTIFIER should have expected value"
+ );
+
+ let firstNested = new DER.DERDecoder(
+ contents.readTagAndGetContents(DER.SEQUENCE)
+ );
+ let firstNestedNULL = firstNested.readTagAndGetContents(DER.NULL);
+ equal(
+ firstNestedNULL.length,
+ 0,
+ "first nested NULL should have expected value (empty array)"
+ );
+ let firstNestedINTEGER = firstNested.readTagAndGetContents(DER.INTEGER);
+ deepEqual(
+ firstNestedINTEGER,
+ [0x45, 0x46, 0x47],
+ "first nested INTEGER should have expected value"
+ );
+ firstNested.assertAtEnd();
+
+ let secondNested = new DER.DERDecoder(
+ contents.readTagAndGetContents(DER.SEQUENCE)
+ );
+ let secondNestedINTEGER = secondNested.readTagAndGetContents(DER.INTEGER);
+ deepEqual(
+ secondNestedINTEGER,
+ [0x00, 0xff],
+ "second nested INTEGER should have expected value"
+ );
+ let secondNestedNULL = secondNested.readTagAndGetContents(DER.NULL);
+ equal(
+ secondNestedNULL.length,
+ 0,
+ "second nested NULL should have expected value (empty array)"
+ );
+ secondNested.assertAtEnd();
+
+ contents.assertAtEnd();
+ der.assertAtEnd();
+
+ let invalidDERBytes = [
+ 0x30,
+ 0x06, // SEQUENCE
+ 0x30,
+ 0x02, // SEQUENCE
+ 0x02,
+ 0x01, // INTEGER (missing data)
+ 0x05,
+ 0x00, // NULL
+ 0x00,
+ 0x00,
+ ]; // (extra data)
+ let invalidDER = new DER.DERDecoder(invalidDERBytes);
+ let invalidContents = new DER.DERDecoder(
+ invalidDER.readTagAndGetContents(DER.SEQUENCE)
+ );
+ let invalidContentsContents = new DER.DERDecoder(
+ invalidContents.readTagAndGetContents(DER.SEQUENCE)
+ );
+ throws(
+ () => invalidContentsContents.readTagAndGetContents(DER.INTEGER),
+ /data truncated/,
+ "should throw due to missing data"
+ );
+ let nestedNULL = invalidContents.readTagAndGetContents(DER.NULL);
+ equal(nestedNULL.length, 0, "nested NULL should have expected value");
+ invalidContents.assertAtEnd();
+ throws(
+ () => invalidDER.assertAtEnd(),
+ /extra data/,
+ "should throw due to extra data"
+ );
+}
+
+function run_test() {
+ run_simple_tests();
+ run_bit_string_tests();
+ run_compound_tests();
+}
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello.js b/security/manager/ssl/tests/unit/test_encrypted_client_hello.js
new file mode 100644
index 0000000000..945a9ea83f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello.js
@@ -0,0 +1,101 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Tests handling of Encrypted Client Hello. These ECHConfigs
+// can be regenerated by running EncryptedClientHelloServer
+// and dumping the output of SSL_EncodeEchConfig. They do not
+// expire. An update here is only needed if the host or ECH
+// ciphersuite configuration changes, or if the keypair in
+// EncryptedClientHelloServer.cpp is modified.
+
+// Public name: ech-public.example.com
+const ECH_CONFIG_FIXED =
+ "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAEAA2QWZWNoLXB1YmxpYy5leGFtcGxlLmNvbQAA";
+
+// Public name: ech-public.example.com, Unsupported AEAD to prompt retry_configs from a trusted host.
+const ECH_CONFIG_TRUSTED_RETRY =
+ "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAMAA2QWZWNoLXB1YmxpYy5leGFtcGxlLmNvbQAA";
+
+// Public name: selfsigned.example.com. Unsupported AEAD to prompt retry_configs from an untrusted host.
+const ECH_CONFIG_UNTRUSTED_RETRY =
+ "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAMAA2QWc2VsZnNpZ25lZC5leGFtcGxlLmNvbQAA";
+
+function shouldBeAcceptedEch(aTransportSecurityInfo) {
+ Assert.ok(
+ aTransportSecurityInfo.isAcceptedEch,
+ "This host should have accepted ECH"
+ );
+ Assert.ok(
+ !aTransportSecurityInfo.usedPrivateDNS,
+ "This connection does not use DoH"
+ );
+}
+
+function shouldBeRejectedEch(aTransportSecurityInfo) {
+ Assert.ok(
+ !aTransportSecurityInfo.isAcceptedEch,
+ "This host should have rejected ECH"
+ );
+ Assert.ok(
+ !aTransportSecurityInfo.usedPrivateDNS,
+ "This connection does not use DoH"
+ );
+}
+
+do_get_profile();
+
+add_tls_server_setup(
+ "EncryptedClientHelloServer",
+ "test_encrypted_client_hello"
+);
+
+// Connect directly without ECH first
+add_connection_test(
+ "ech-public.example.com",
+ PRErrorCodeSuccess,
+ null,
+ shouldBeRejectedEch
+);
+
+// Connect with ECH
+add_connection_test(
+ "ech-private.example.com",
+ PRErrorCodeSuccess,
+ null,
+ shouldBeAcceptedEch,
+ null,
+ null,
+ ECH_CONFIG_FIXED
+);
+
+// Trigger retry_configs by setting an ECHConfig with a different.
+// AEAD than the server supports.
+add_connection_test(
+ "ech-private.example.com",
+ SSL_ERROR_ECH_RETRY_WITH_ECH,
+ null,
+ null,
+ null,
+ null,
+ ECH_CONFIG_TRUSTED_RETRY
+);
+
+// Trigger retry_configs, but from a host that is untrusted
+// (due to a self-signed certificate for the public name).
+// Retry_configs must not be used or reported as available.
+add_connection_test(
+ "ech-private.example.com",
+ MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT,
+ null,
+ null,
+ null,
+ null,
+ ECH_CONFIG_UNTRUSTED_RETRY
+);
+
+// A client-only (retry_without_ech) test is located in
+// test_encrypted_client_hello_client_only.js We can't easily restart
+// a different server (one without ECHConfigs) here, so put that
+// test in a different file that launches a non-ECH server.
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem
new file mode 100644
index 0000000000..60960b4daa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAcigAwIBAgIUWxEI7DW20X+b24MUvyO3J1pngeQwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZWNoLWNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBgxFjAUBgNVBAMMDWVjaC1wdWJsaWMtZWUwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjJTAjMCEG
+A1UdEQQaMBiCFmVjaC1wdWJsaWMuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQAD
+ggEBALBk11enYtAuUPy77WPmNv4fN/NigB4wuygvdTJqVQTUDrRLXhX7ThFL68pd
+b7jTdBsCS3QGucU3W05miyyHwGfiN3PqTvzY6xATR6i4+cKPyW2OM8U7gIZmH3du
+et/rIJ8eAio98S4wvqAmd7oMKeQ4zJ3iRomEHIXH80c8VLOaSugarZuZG11hKCWT
+qbSiVYvCkLBuKzNMlLN3QEaK1mSWngwZ7u6AvbzvoDV3+JX1UThFjI97j/41Kpgy
+Ip0PbKONjUOjb+Rd1Fo6FLBAtJ/tfKrJZqCm7HxJiY9PuPJWyL6PBxIAymFcAyRU
+deD8cDEq9EaQmfYM3rPeUortM8g=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem.certspec
new file mode 100644
index 0000000000..d5c332ceec
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ech-ca
+subject:ech-public-ee
+extension:subjectAlternativeName:ech-public.example.com
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key.keyspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem
new file mode 100644
index 0000000000..f136a811e8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4jCCAcqgAwIBAgIUN7V9tjNwYafgE24tOZNXBSQn96QwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZWNoLWNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBkxFzAVBgNVBAMMDmVjaC1wcml2YXRlLWVlMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1
+aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we
+adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS
+pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W
+YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR
+CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyYwJDAi
+BgNVHREEGzAZghdlY2gtcHJpdmF0ZS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsF
+AAOCAQEATfrz7BkT8pNISv2h71JHVkuPNDpjgSG+M0Z0IzXhTON0CpE/6Jk8nRwS
+LjfW9n9nJL7PATF4RT45tQ83+jmfFykhrmPctl2Tiq1HfTKdMdpW2i8lZVOovKZN
+3c98eNWZ5cqicG4XZEQbq1Nu+VsL7R5UCVvhIgLPWAdiEJu1D7VagCzZHguoUBDT
+C428L9nx0z80l4XNOeqYGtJtN2YqRSErkeMPAN1Q7MxVyp0Lsz8lwHQx8D73jYKK
+AN1kjtC18jBr5BYL1HCHvE/sL7ZLlaBRS+PQnF2HW0qkCOb3POlZ1UCjTa09Qy4f
+pxbYP6sTh1c6VShYzlE04jXC3K8KKw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem.certspec
new file mode 100644
index 0000000000..c152462f0d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ech-ca
+subject:ech-private-ee
+extension:subjectAlternativeName:ech-private.example.com
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem
new file mode 100644
index 0000000000..eb6a2c1096
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAzCCAeugAwIBAgIUKXdVQO3RzfhQiRP9uZIuxnydYxAwDQYJKoZIhvcNAQEL
+BQAwJjEkMCIGA1UEAwwbU2VsZi1zaWduZWQgVGVzdCBFbmQtZW50aXR5MCIYDzIw
+MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCYxJDAiBgNVBAMMG1NlbGYt
+c2lnbmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x
+nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM
+wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF
+4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20
+yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx
+j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMlMCMwIQYDVR0RBBowGIIWc2Vs
+ZnNpZ25lZC5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAXAU/SRgl952l
+O2B26d2oytCFyWJkotYhd7cHLTWcdGdfwgJ6YD2JaW9Bos0NVFbj+Z9PJJh2xNCy
+xULqNCVnRu11dFlGad6FDvY1psli8By00Kvz74kbNseISNuuzCTsZU2Uw5BXS9W9
+ia4S1dskQyuBae5M8ma6BeUyyHHfmu9TiqtzrlrAqIsXDucMs6WhgfOVimgAIQDl
+fA5qju7cmOJ8lzSV+CTrmoAMv2Q80G3rw0CPPIWqKrcTjkf+R5p3CSYUQ5Qq38Qx
+m0hK0fdlZ4MPsSKxQN7k/DeINotW2IaLX/AGL5z6dEFsBMp50iJCMEebkFmuFQ50
+oOILqRNvCA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem.certspec
new file mode 100644
index 0000000000..438a08eba2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Self-signed Test End-entity
+subject:Self-signed Test End-entity
+extension:subjectAlternativeName:selfsigned.example.com
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem
new file mode 100644
index 0000000000..80c87da490
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUG1Lw/SgeLtklG97Ln5uybxccJyMwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZWNoLWNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBExDzANBgNVBAMMBmVjaC1jYTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAAMcKWJnU+OkvNVY
+g3glJ1ZgNURoWjhFnyqX8EmxFYH8mRdEdb8ZBTGeBYUDc3diHdZcmunGJ3FCVO5v
+zOI4UOCfADvIzY0hwtj+adtaavgRBRXeTZp8MyTSiN2a1T/3XgsnzKLYqAK7GIEq
+NwdRcsgu/mFG6p0ktOBvfBgbyD3rlupZhuWoedUQ6fR04BKFgdp4zg411qCG8HBQ
+lSa2t0e+dT5pZ1QTtyzIjtkAQu+GWJqc2Sqr5I4BnHOzRiXPc2lhVl0yGPjROHaD
+qK/jsbIkFxvi++59F9ptkOJTPJk1rAJ69Grx5/V7s1NxtXocCEm6gtDSi0zJ3V0f
+J0Qs50Y=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem.certspec
new file mode 100644
index 0000000000..1735a15075
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ech-ca
+subject:ech-ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello_client_only.js b/security/manager/ssl/tests/unit/test_encrypted_client_hello_client_only.js
new file mode 100644
index 0000000000..b01c5d6c90
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello_client_only.js
@@ -0,0 +1,32 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Public Name = delegated-enabled.example.com
+const ECH_CONFIG_FIXED =
+ "AFD+DQBMTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAEAA2QdZGVsZWdhdGVkLWVuYWJsZWQuZXhhbXBsZS5jb20AAA==";
+do_get_profile();
+
+// An arbitrary, non-ECH server.
+add_tls_server_setup(
+ "DelegatedCredentialsServer",
+ "test_delegated_credentials"
+);
+
+add_test(function() {
+ clearSessionCache();
+ run_next_test();
+});
+
+// Connect, sending ECH. The server is not configured for it,
+// but *is* authoritative for the public name.
+add_connection_test(
+ "delegated-disabled.example.com",
+ SSL_ERROR_ECH_RETRY_WITHOUT_ECH,
+ null,
+ null,
+ null,
+ null,
+ ECH_CONFIG_FIXED
+);
diff --git a/security/manager/ssl/tests/unit/test_enterprise_roots.js b/security/manager/ssl/tests/unit/test_enterprise_roots.js
new file mode 100644
index 0000000000..6abd7161ae
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_enterprise_roots.js
@@ -0,0 +1,82 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests enterprise root certificate support. When configured to do so, the
+// platform will attempt to find and import enterprise root certificates. This
+// feature is specific to Windows.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+const { TestUtils } = ChromeUtils.importESModule(
+ "resource://testing-common/TestUtils.sys.mjs"
+);
+
+async function check_no_enterprise_roots_imported(
+ nssComponent,
+ certDB,
+ dbKey = undefined
+) {
+ let enterpriseRoots = nssComponent.getEnterpriseRoots();
+ notEqual(enterpriseRoots, null, "enterprise roots list should not be null");
+ equal(
+ enterpriseRoots.length,
+ 0,
+ "should not have imported any enterprise roots"
+ );
+ if (dbKey) {
+ let cert = certDB.findCertByDBKey(dbKey);
+ // If the garbage-collector hasn't run, there may be reachable copies of
+ // imported enterprise root certificates. If so, they shouldn't be trusted
+ // to issue TLS server auth certificates.
+ if (cert) {
+ await asyncTestCertificateUsages(certDB, cert, []);
+ }
+ }
+}
+
+async function check_some_enterprise_roots_imported(nssComponent, certDB) {
+ let enterpriseRoots = nssComponent.getEnterpriseRoots();
+ notEqual(enterpriseRoots, null, "enterprise roots list should not be null");
+ notEqual(
+ enterpriseRoots.length,
+ 0,
+ "should have imported some enterprise roots"
+ );
+ let foundNonBuiltIn = false;
+ let savedDBKey = null;
+ for (let certDer of enterpriseRoots) {
+ let cert = certDB.constructX509(certDer);
+ notEqual(cert, null, "should be able to decode cert from DER");
+ if (!cert.isBuiltInRoot && !savedDBKey) {
+ foundNonBuiltIn = true;
+ savedDBKey = cert.dbKey;
+ info("saving dbKey from " + cert.commonName);
+ await asyncTestCertificateUsages(certDB, cert, [certificateUsageSSLCA]);
+ break;
+ }
+ }
+ ok(foundNonBuiltIn, "should have found non-built-in root");
+ return savedDBKey;
+}
+
+add_task(async function run_test() {
+ let nssComponent = Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent);
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ nssComponent.getEnterpriseRoots(); // blocks until roots are loaded
+ Services.prefs.setBoolPref("security.enterprise_roots.enabled", false);
+ await check_no_enterprise_roots_imported(nssComponent, certDB);
+ Services.prefs.setBoolPref("security.enterprise_roots.enabled", true);
+ await TestUtils.topicObserved("psm:enterprise-certs-imported");
+ let savedDBKey = await check_some_enterprise_roots_imported(
+ nssComponent,
+ certDB
+ );
+ Services.prefs.setBoolPref("security.enterprise_roots.enabled", false);
+ await check_no_enterprise_roots_imported(nssComponent, certDB, savedDBKey);
+});
diff --git a/security/manager/ssl/tests/unit/test_ev_certs.js b/security/manager/ssl/tests/unit/test_ev_certs.js
new file mode 100644
index 0000000000..f163623919
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@@ -0,0 +1,310 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that end-entity certificates that should successfully verify as EV
+// (Extended Validation) do so and that end-entity certificates that should not
+// successfully verify as EV do not. Also tests related situations (e.g. that
+// failure to fetch an OCSP response results in no EV treatment).
+//
+// A quick note about the certificates in these tests: generally, an EV
+// certificate chain will have an end-entity with a specific policy OID followed
+// by an intermediate with the anyPolicy OID chaining to a root with no policy
+// OID (since it's a trust anchor, it can be omitted). In these tests, the
+// specific policy OID is 1.3.6.1.4.1.13769.666.666.666.1.500.9.1 and is
+// referred to as the test OID. In order to reflect what will commonly be
+// encountered, the end-entity of any given test path will have the test OID
+// unless otherwise specified in the name of the test path. Similarly, the
+// intermediate will have the anyPolicy OID, again unless otherwise specified.
+// For example, for the path where the end-entity does not have an OCSP URI
+// (referred to as "no-ocsp-ee-path-{ee,int}", the end-entity has the test OID
+// whereas the intermediate has the anyPolicy OID.
+// For another example, for the test OID path ("test-oid-path-{ee,int}"), both
+// the end-entity and the intermediate have the test OID.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+registerCleanupFunction(() => {
+ Services.prefs.clearUserPref("network.dns.localDomains");
+ Services.prefs.clearUserPref("security.OCSP.enabled");
+});
+
+Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+Services.prefs.setIntPref("security.OCSP.enabled", 1);
+const evroot = addCertFromFile(certdb, "test_ev_certs/evroot.pem", "CTu,,");
+addCertFromFile(certdb, "test_ev_certs/non-evroot-ca.pem", "CTu,,");
+
+const SERVER_PORT = 8888;
+
+function failingOCSPResponder() {
+ return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
+}
+
+class EVCertVerificationResult {
+ constructor(
+ testcase,
+ expectedPRErrorCode,
+ expectedEV,
+ resolve,
+ ocspResponder
+ ) {
+ this.testcase = testcase;
+ this.expectedPRErrorCode = expectedPRErrorCode;
+ this.expectedEV = expectedEV;
+ this.resolve = resolve;
+ this.ocspResponder = ocspResponder;
+ }
+
+ verifyCertFinished(prErrorCode, verifiedChain, hasEVPolicy) {
+ equal(
+ prErrorCode,
+ this.expectedPRErrorCode,
+ `${this.testcase} should have expected error code`
+ );
+ equal(
+ hasEVPolicy,
+ this.expectedEV,
+ `${this.testcase} should result in expected EV status`
+ );
+ this.ocspResponder.stop(this.resolve);
+ }
+}
+
+function asyncTestEV(
+ cert,
+ expectedPRErrorCode,
+ expectedEV,
+ expectedOCSPRequestPaths,
+ ocspResponseTypes = undefined
+) {
+ let now = Date.now() / 1000;
+ return new Promise((resolve, reject) => {
+ let ocspResponder = expectedOCSPRequestPaths.length
+ ? startOCSPResponder(
+ SERVER_PORT,
+ "www.example.com",
+ "test_ev_certs",
+ expectedOCSPRequestPaths,
+ expectedOCSPRequestPaths.slice(),
+ null,
+ ocspResponseTypes
+ )
+ : failingOCSPResponder();
+ let result = new EVCertVerificationResult(
+ cert.subjectName,
+ expectedPRErrorCode,
+ expectedEV,
+ resolve,
+ ocspResponder
+ );
+ certdb.asyncVerifyCertAtTime(
+ cert,
+ certificateUsageSSLServer,
+ 0,
+ "ev-test.example.com",
+ now,
+ result
+ );
+ });
+}
+
+function ensureVerifiesAsEV(testcase) {
+ let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+ addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+ let expectedOCSPRequestPaths = [`${testcase}-ee`];
+ return asyncTestEV(
+ cert,
+ PRErrorCodeSuccess,
+ gEVExpected,
+ expectedOCSPRequestPaths
+ );
+}
+
+function ensureVerifiesAsEVWithNoOCSPRequests(testcase) {
+ let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+ addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+ return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected, []);
+}
+
+function ensureVerifiesAsDV(testcase, expectedOCSPRequestPaths = undefined) {
+ let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+ addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+ return asyncTestEV(
+ cert,
+ PRErrorCodeSuccess,
+ false,
+ expectedOCSPRequestPaths ? expectedOCSPRequestPaths : [`${testcase}-ee`]
+ );
+}
+
+function ensureVerificationFails(testcase, expectedPRErrorCode) {
+ let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+ addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+ return asyncTestEV(cert, expectedPRErrorCode, false, []);
+}
+
+function verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, expectSuccess) {
+ let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+ addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+ let now = Date.now() / 1000;
+ let expectedErrorCode = SEC_ERROR_POLICY_VALIDATION_FAILED;
+ if (expectSuccess && gEVExpected) {
+ expectedErrorCode = PRErrorCodeSuccess;
+ }
+ return new Promise((resolve, reject) => {
+ let ocspResponder = failingOCSPResponder();
+ let result = new EVCertVerificationResult(
+ cert.subjectName,
+ expectedErrorCode,
+ expectSuccess && gEVExpected,
+ resolve,
+ ocspResponder
+ );
+ let flags =
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY | Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
+ certdb.asyncVerifyCertAtTime(
+ cert,
+ certificateUsageSSLServer,
+ flags,
+ "ev-test.example.com",
+ now,
+ result
+ );
+ });
+}
+
+function ensureNoOCSPMeansNoEV(testcase) {
+ return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, false);
+}
+
+function ensureVerifiesAsEVWithFLAG_LOCAL_ONLY(testcase) {
+ return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, true);
+}
+
+function verifyWithOCSPResponseType(testcase, response, expectEV) {
+ let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+ addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+ let expectedOCSPRequestPaths = [`${testcase}-ee`];
+ let ocspResponseTypes = [response];
+ return asyncTestEV(
+ cert,
+ PRErrorCodeSuccess,
+ gEVExpected && expectEV,
+ expectedOCSPRequestPaths,
+ ocspResponseTypes
+ );
+}
+
+function ensureVerifiesAsDVWithOldEndEntityOCSPResponse(testcase) {
+ return verifyWithOCSPResponseType(testcase, "longvalidityalmostold", false);
+}
+
+function ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse(testcase) {
+ return verifyWithOCSPResponseType(testcase, "ancientstillvalid", false);
+}
+
+// These should all verify as EV.
+add_task(async function plainExpectSuccessEVTests() {
+ await ensureVerifiesAsEV("anyPolicy-int-path");
+ await ensureVerifiesAsEV("test-oid-path");
+ await ensureVerifiesAsEV("cabforum-oid-path");
+ await ensureVerifiesAsEV("cabforum-and-test-oid-ee-path");
+ await ensureVerifiesAsEV("test-and-cabforum-oid-ee-path");
+ await ensureVerifiesAsEV("reverse-order-oids-path");
+ // In this case, the end-entity has both the CA/B Forum OID and the test OID
+ // (in that order). The intermediate has the CA/B Forum OID. Since the
+ // implementation tries all EV policies it encounters, this successfully
+ // verifies as EV.
+ await ensureVerifiesAsEV("cabforum-and-test-oid-ee-cabforum-oid-int-path");
+ // In this case, the end-entity has both the test OID and the CA/B Forum OID
+ // (in that order). The intermediate has only the CA/B Forum OID. Since the
+ // implementation tries all EV policies it encounters, this successfully
+ // verifies as EV.
+ await ensureVerifiesAsEV("test-and-cabforum-oid-ee-cabforum-oid-int-path");
+});
+
+// These fail for various reasons to verify as EV, but fallback to DV should
+// succeed.
+add_task(async function expectDVFallbackTests() {
+ await ensureVerifiesAsDV("anyPolicy-ee-path");
+ await ensureVerifiesAsDV("non-ev-root-path");
+ await ensureVerifiesAsDV("no-ocsp-ee-path", []);
+ await ensureVerifiesAsEV("no-ocsp-int-path");
+ // In this case, the end-entity has the test OID and the intermediate has the
+ // CA/B Forum OID. Since the CA/B Forum OID is not treated the same as the
+ // anyPolicy OID, this will not verify as EV.
+ await ensureVerifiesAsDV("test-oid-ee-cabforum-oid-int-path");
+});
+
+// Test that removing the trust bits from an EV root causes verifications
+// relying on that root to fail (and then test that adding back the trust bits
+// causes the verifications to succeed again).
+add_task(async function evRootTrustTests() {
+ clearOCSPCache();
+ info("untrusting evroot");
+ certdb.setCertTrust(
+ evroot,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.UNTRUSTED
+ );
+ await ensureVerificationFails("test-oid-path", SEC_ERROR_UNKNOWN_ISSUER);
+ info("re-trusting evroot");
+ certdb.setCertTrust(
+ evroot,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_SSL
+ );
+ await ensureVerifiesAsEV("test-oid-path");
+});
+
+// Test that if FLAG_LOCAL_ONLY and FLAG_MUST_BE_EV are specified, that no OCSP
+// requests are made (this also means that nothing will verify as EV).
+add_task(async function localOnlyMustBeEVTests() {
+ clearOCSPCache();
+ await ensureNoOCSPMeansNoEV("anyPolicy-ee-path");
+ await ensureNoOCSPMeansNoEV("anyPolicy-int-path");
+ await ensureNoOCSPMeansNoEV("non-ev-root-path");
+ await ensureNoOCSPMeansNoEV("no-ocsp-ee-path");
+ await ensureNoOCSPMeansNoEV("no-ocsp-int-path");
+ await ensureNoOCSPMeansNoEV("test-oid-path");
+});
+
+// Prime the OCSP cache and then ensure that we can validate certificates as EV
+// without hitting the network. There's two cases here: one where we simply
+// validate like normal and then check that the network was never accessed and
+// another where we use flags to mandate that the network not be used.
+add_task(async function ocspCachingTests() {
+ clearOCSPCache();
+
+ await ensureVerifiesAsEV("anyPolicy-int-path");
+ await ensureVerifiesAsEV("test-oid-path");
+
+ await ensureVerifiesAsEVWithNoOCSPRequests("anyPolicy-int-path");
+ await ensureVerifiesAsEVWithNoOCSPRequests("test-oid-path");
+
+ await ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("anyPolicy-int-path");
+ await ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("test-oid-path");
+});
+
+// Old-but-still-valid OCSP responses are accepted for intermediates but not
+// end-entity certificates (because of OCSP soft-fail this results in DV
+// fallback).
+add_task(async function oldOCSPResponseTests() {
+ clearOCSPCache();
+
+ clearOCSPCache();
+ await ensureVerifiesAsDVWithOldEndEntityOCSPResponse("anyPolicy-int-path");
+ await ensureVerifiesAsDVWithOldEndEntityOCSPResponse("test-oid-path");
+
+ clearOCSPCache();
+ await ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse(
+ "anyPolicy-int-path"
+ );
+ await ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse("test-oid-path");
+});
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem
new file mode 100644
index 0000000000..bb67341220
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVzCCAj+gAwIBAgIUHb9CrEDo8VwITKCJOkRAeW4iftkwDQYJKoZIhvcNAQEL
+BQAwIDEeMBwGA1UEAwwVYW55UG9saWN5LWVlLXBhdGgtaW50MCIYDzIwMjExMTI3
+MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMB8xHTAbBgNVBAMMFGFueVBvbGljeS1l
+ZS1wYXRoLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABo4GFMIGCME0GCCsGAQUFBwEBBEEwPzA9BggrBgEFBQcw
+AYYxaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2FueVBvbGljeS1lZS1wYXRo
+LWVlLzARBgNVHSAECjAIMAYGBFUdIAAwHgYDVR0RBBcwFYITZXYtdGVzdC5leGFt
+cGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAt3y+8E3yCuL0S85twhU87JxsyNCL
+Am+QQGqyTpH81RsL64uxvSVyswKvyA4LpJBN/w13xsIOue/55AK9CwGhyw9jSPcn
+/OGRXzcqiBjeSkkCHOPXzPV5e/xWuWI9fR0XBBy/UgBsoXQzrrq5lCHR76yr2eyF
+2RA5lh1qqk2fgsqq3cCqsFEiOUbWjsHjlra8yvArfqexLVowlyg5olisnORbi7eJ
+/jm7w+X9eEP17yRDFnb5joeXh+UeCaxdhVp7c71oY/5lBdnesmkwr6b9CNVg9vLk
+LHrp3IyQF5Wj1usyDu/BYr0lu+VRAEusNnqDiz7LZfhnUMZJJwvqC+Tcrg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec
new file mode 100644
index 0000000000..a9175c32ed
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:anyPolicy-ee-path-int
+subject:anyPolicy-ee-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-ee/
+extension:certificatePolicies:any
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem
new file mode 100644
index 0000000000..860453152c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRDCCAiygAwIBAgIUHUngL0WtaSVKsjGfK6Ktnv/n3acwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMCAxHjAcBgNVBAMMFWFueVBvbGljeS1lZS1wYXRoLWludDCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaOBgDB+MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGME4GCCsGAQUFBwEBBEIw
+QDA+BggrBgEFBQcwAYYyaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2FueVBv
+bGljeS1lZS1wYXRoLWludC8wEQYDVR0gBAowCDAGBgRVHSAAMA0GCSqGSIb3DQEB
+CwUAA4IBAQCSEsmhHQQkMTDD+JU3kEWCt7v0RujqGvkBuUUM5VObzheZFKTQVYZ1
+1fui+s+AlogSfCWOOHNLGMrF2HQd1imzVqSDaoeeGMqKsiJ/MR9MWKjxZE+omL4J
+HsJ59n0+9U4k28/dujgno3BK65mbfKlAqBEBYFBmGmZO5Fb6U+dtDZi9mOiN2JzM
+Y/l8uax0i1XmKR6TESu9f3ue5D5WFkd2uL9oexGnvpEpV/wEB1f8wViU3W1AFC52
+CYHGiwV/54PZ3cg7zH86i2Gionq4CMApP1QRvOBTheJpkM5ul3BPiGg8mDkjb5lB
+dlPnrj4exf+eoqsrVFxdTX0EL7gQSRqr
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec
new file mode 100644
index 0000000000..c49f6c4bcc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:anyPolicy-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-int/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem
new file mode 100644
index 0000000000..c088a135a1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIUBcyX7McNHTUw58i902kjb15KZlswDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWYW55UG9saWN5LWludC1wYXRoLWludDAiGA8yMDIxMTEy
+NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAgMR4wHAYDVQQDDBVhbnlQb2xpY3kt
+aW50LXBhdGgtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjgZQwgZEwTgYIKwYBBQUHAQEEQjBAMD4GCCsGAQUF
+BzABhjJodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvYW55UG9saWN5LWludC1w
+YXRoLWVlLzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREE
+FzAVghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAxk4+S
+laaEinRp3bXkqJ3rQTdaZwX9uegjAfOfaDLMFnGiD63aGNg9mqvsdt9rgbGmuFYX
+nsoeSzzWhV/Uk1VA/9El7x5eRHOMs3r5VnnW395eIYdAlGmDW81ANm4NIdiAfKZj
+fr2LOkjhPbhrV9i3YtY9lDFIiZheS6V2RgeHLoHc1cj0EB46PH1HC8fP+rg4tOhd
+vq5tL1p6dkHWnhduJ+oKrBuHehmnJfrXV53pz9VoOIj3F6F2F/c/EriyAPc/KOO9
+ocyNrJMoD0aFBF9ijK6uERhga/vM4dXIPUGzECQxceUuTUkn/2wEECNV2ETVmNTZ
+cRcP3J32vzU1jaVQ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec
new file mode 100644
index 0000000000..1c643c2f95
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:anyPolicy-int-path-int
+subject:anyPolicy-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem
new file mode 100644
index 0000000000..779f2dfa85
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRjCCAi6gAwIBAgIUHyEVo6adgErPC5OEcIkP33KrTjgwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMCExHzAdBgNVBAMMFmFueVBvbGljeS1pbnQtcGF0aC1pbnQwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT
+2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV
+JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8N
+jf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCA
+BiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVh
+He4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMB
+AAGjgYEwfzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBPBggrBgEFBQcBAQRD
+MEEwPwYIKwYBBQUHMAGGM2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9hbnlQ
+b2xpY3ktaW50LXBhdGgtaW50LzARBgNVHSAECjAIMAYGBFUdIAAwDQYJKoZIhvcN
+AQELBQADggEBAINthPjozG2qV5mlu5XJKM+LofF58fyxH7KCNIyDErghGz3DQyR/
+5GcPpKwzfl/gnXvXvF6yWOimQOOmU4u1oDtKv0lodL0EVEAqZQmZ0pDF2wBKPquH
+H7Eaji8uDhSuhnJZpwmyaCpOiMCda3qq5YgxwjyQTZ63lLXqQpEnSqgExfUISueH
+7j68bvPm8Q/SLVhOVLQdNf7mDVacFZE0OmtyjlSUN2ZFBZaN8o7FTnfocNmPlyD8
+EGmdkbdggXmESN5jGnBxo9fqLnqYCJEA8uN0Xckfz3ovKlt6PfbgnEeUzJRT71pN
+fqXYugdt7ppcn3sJbEOKInkw6h8to/pNlCU=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec
new file mode 100644
index 0000000000..5f5adacc7f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:anyPolicy-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-int/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem
new file mode 100644
index 0000000000..0c83086180
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIUfU399SRJMbYE6q+pNnq6hlSOzt4wDQYJKoZIhvcNAQEL
+BQAwPTE7MDkGA1UEAwwyY2FiZm9ydW0tYW5kLXRlc3Qtb2lkLWVlLWNhYmZvcnVt
+LW9pZC1pbnQtcGF0aC1pbnQwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowPDE6MDgGA1UEAwwxY2FiZm9ydW0tYW5kLXRlc3Qtb2lkLWVlLWNhYmZv
+cnVtLW9pZC1pbnQtcGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab
+bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts
+Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI
+H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8
+rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX
+Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaOBuTCBtjBqBggrBgEFBQcBAQReMFww
+WgYIKwYBBQUHMAGGTmh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9jYWJmb3J1
+bS1hbmQtdGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRoLWVlLzAoBgNV
+HSAEITAfMAcGBWeBDAEBMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAV
+ghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQB0CMZ2fLLZ
+1qUT8t9DlOq9kMses1ASgX74/g5cl8W96x31QnxgEtRAMQKZrvucke8+us2LRh1d
+Oi5XAYry+g0kNOwfpXiWo+y23WoA+WHX2hYcH26fgzoyz3ULuMMyoM9DMlrwJvHv
+/+v1eMiAw71JfK987KWcbP1uESaTHZ04+5aN57efGVr3ADZiicaj6fUIsDIfMKJ3
+INVgVdMWpX01zFNTsSPNImxMZ7Gtqs1lP0gv30QXwGLTPCG1gARWSYF/fCFwbpon
+P7wBCAr/ADvUJl0UjcdCpU+YmwYxOW0QPGNVwRwgEAdLCnnnztq3y3bOzmGL/lQ4
+eD9G3c6ZD14D
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec
new file mode 100644
index 0000000000..c72237e453
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:cabforum-and-test-oid-ee-cabforum-oid-int-path-int
+subject:cabforum-and-test-oid-ee-cabforum-oid-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee/
+extension:certificatePolicies:2.23.140.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem
new file mode 100644
index 0000000000..6a2a55cd98
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgDCCAmigAwIBAgIUDTr/XHbekA2O0a9J+hMLRhyOr3EwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMD0xOzA5BgNVBAMMMmNhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1j
+YWJmb3J1bS1vaWQtaW50LXBhdGgtaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GfMIGcMAwGA1UdEwQFMAMB
+Af8wCwYDVR0PBAQDAgEGMGsGCCsGAQUFBwEBBF8wXTBbBggrBgEFBQcwAYZPaHR0
+cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2NhYmZvcnVtLWFuZC10ZXN0LW9pZC1l
+ZS1jYWJmb3J1bS1vaWQtaW50LXBhdGgtaW50LzASBgNVHSAECzAJMAcGBWeBDAEB
+MA0GCSqGSIb3DQEBCwUAA4IBAQCBt+AdgkYRRMubo29YkYXETC2UKiIHcyk/PuMU
+yFtR0xqsj7oe5lUf7XYHUNbJPuoF7hflSIKXx5un5zwZ5Vw3SE0qYcy6kM2PS4dK
+w6SMFkrZxCMf9GHFMubDk01T/p7BmpFKGVVAKgsUZmQSn+s/K+9+v4reDJ7yBfiu
+l+KjNGsa5In6l2kO799Q/QAPfBLxl0ZOYIONF4+IjJAwt6AXuilkPgPUcRkyZ3ka
+p+4GUc962Ylc4rGPxSKxcs93AkFl+8aYy5lW9kkFRQKSDM3W6WRPoal8411BsXEg
+LBcS5MoY024Y4gRn5H2WVUcqYbZ+SQtQ3sqnFbgtvVH0t89E
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec
new file mode 100644
index 0000000000..92ebdb37fd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:cabforum-and-test-oid-ee-cabforum-oid-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-cabforum-oid-int-path-int/
+extension:certificatePolicies:2.23.140.1.1
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem
new file mode 100644
index 0000000000..c6f64b2001
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkjCCAnqgAwIBAgIUJwEFxlIecfbIub/Yy2vC/isMYB0wDQYJKoZIhvcNAQEL
+BQAwLDEqMCgGA1UEAwwhY2FiZm9ydW0tYW5kLXRlc3Qtb2lkLWVlLXBhdGgtaW50
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCsxKTAnBgNVBAMM
+IGNhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1wYXRoLWVlMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GoMIGlMFkG
+CCsGAQUFBwEBBE0wSzBJBggrBgEFBQcwAYY9aHR0cDovL3d3dy5leGFtcGxlLmNv
+bTo4ODg4L2NhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1wYXRoLWVlLzAoBgNVHSAE
+ITAfMAcGBWeBDAEBMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNl
+di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBQdToSfEhnomqt
+UFfMjK3tieFSRqQ60lF28IFX40/Yu48k8AQY8UN/frh7r4tVk59aQK44QDj9CwUo
+E5DIwPwqOozGrrNYfSVaqqsyepepYp410EuT5OTjHIJ71Wus3EPf8w7oPABApidH
+GjOdoMj8dUufmnsCOlXYt32g/x70OpAn1PRw7Sc7YfIQwOuGRuTIuCS2T/JKkU2Y
+s+DNT98tuBlTnpByHen7QpdPdWCmMX+30e7B2bC/1IRetDOaUuT0zLMFBtL1sx2p
+W/U9p4mU3z9IkDflqSuxBuuMudY7n1+ZPw9uJF2z1PqZN4qOGXiebiGfigWlU4Ac
+uDd/MtOD
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec
new file mode 100644
index 0000000000..36f80e017b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:cabforum-and-test-oid-ee-path-int
+subject:cabforum-and-test-oid-ee-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-path-ee/
+extension:certificatePolicies:2.23.140.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem
new file mode 100644
index 0000000000..8f92651d3a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDXTCCAkWgAwIBAgIUQS8yxTmnGrb3xLk+pZAOVYuZoR0wDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMCwxKjAoBgNVBAMMIWNhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1w
+YXRoLWludDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaOBjTCBijAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBa
+BggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAGGPmh0dHA6Ly93d3cuZXhhbXBsZS5j
+b206ODg4OC9jYWJmb3J1bS1hbmQtdGVzdC1vaWQtZWUtcGF0aC1pbnQvMBEGA1Ud
+IAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQsFAAOCAQEAZmY7h/FLsNdMGtjTauA7
+LY6oaWD8kZAEsn9tq59CsAQG/M/nJFrjeFQUtzaSz2vmg8u1xqinelrAoy02Ujup
+Nm+/WULLoOjyb99QmkY3VaK7FkjNdbvt5AfgriRXWnbZpC+vXDHXMWViAQx0+Wm+
+9C1ssqbIClbQMhwsVldyRjVMRFMO5F/hvgGkLsUWaztEaVnMRG4eM/c9bl5HsdVM
+VfSIIb7D92TmQyfPbum2ws2CDmsYL2OKgosy3eylZjwprrE4yq8ZTsRaovvB7FwG
+UGV+L6FjuUVN7nR3EnQTDoXin3a0C5enc6fIfcmM5MLy+bHxpG5nHrQH9yvSwqqI
+zw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec
new file mode 100644
index 0000000000..79ae7ae801
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:cabforum-and-test-oid-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-path-int/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem
new file mode 100644
index 0000000000..fe4447dc7a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWDCCAkCgAwIBAgIUWy0RlFqNWWWgn+O3e6YCiRHdLFkwDQYJKoZIhvcNAQEL
+BQAwIDEeMBwGA1UEAwwVY2FiZm9ydW0tb2lkLXBhdGgtaW50MCIYDzIwMjExMTI3
+MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMB8xHTAbBgNVBAMMFGNhYmZvcnVtLW9p
+ZC1wYXRoLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABo4GGMIGDME0GCCsGAQUFBwEBBEEwPzA9BggrBgEFBQcw
+AYYxaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2NhYmZvcnVtLW9pZC1wYXRo
+LWVlLzASBgNVHSAECzAJMAcGBWeBDAEBMB4GA1UdEQQXMBWCE2V2LXRlc3QuZXhh
+bXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBAH+evAgGQBC6njxTFd0BuozC3Skz
+UGKec1dIMmiYFj7mgzuKp9eTAeOK1WdOvevygxoWRHkHAmquWEY9mvt4dSWIqhsz
+RJ2b5cKnhtkFdfnQf+depCRZbdO4A7fLNYL9HCRnnN1PQKpaFF7fFEZ1rSzSShGX
+nsz4KbEvGQVxCe2HmflqJQARp4gJUGZ+psAIspmwAqA4dViNZSgg79E1neG/g+EG
+Ocq03fAbwb2Ko2eLzI0GF31L2iI1p0keEHzbwsxCjJQ5pRQdra5c7vEQHgQq5eSL
+9RQrtE1J9erO0Jy9MUCDoZ4+WCnl4VZXVlYLt0oUh1YCOKD3J5dm7sRJ93A=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec
new file mode 100644
index 0000000000..86fd9aca39
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:cabforum-oid-path-int
+subject:cabforum-oid-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-oid-path-ee/
+extension:certificatePolicies:2.23.140.1.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem
new file mode 100644
index 0000000000..f4bbc67785
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRTCCAi2gAwIBAgIUJ3QtUr7ndrb3mL/xD7keEx/Qj1owDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMCAxHjAcBgNVBAMMFWNhYmZvcnVtLW9pZC1wYXRoLWludDCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaOBgTB/MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGME4GCCsGAQUFBwEBBEIw
+QDA+BggrBgEFBQcwAYYyaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2NhYmZv
+cnVtLW9pZC1wYXRoLWludC8wEgYDVR0gBAswCTAHBgVngQwBATANBgkqhkiG9w0B
+AQsFAAOCAQEAGkKvsFxMmr30hx3Z4gJ8ZKLeQ2yomqPxSgjZxir4sumwkjEguFYE
+ZcaLijKzoTdOHs1G6VnjOxVYUsAXBNT2gC2h3e5TO/toub2lyst6csDB3nj1y4Ee
+2JYctZAyYHg4UJZU+zAvsTpTamEjn4LMievWD5foeoPFAAB5PNTSgvibAe6oi0Mo
+MTb0dwrmWkfIDyH7xjQKNlLCgi0U+KF0TtWX7boZ2QDmMl3b5DLA2/idf1Y21ix3
+EmAXKz4Ni93vL3Oy+Wnj1R5KjEQw4U3RURZ/OnmQOhg2UJloUbDjKAHdtp6lQC0W
+hL8oOBBAkCgkphWeDqOkjgRY+oyVMkgMSQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec
new file mode 100644
index 0000000000..343307164b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:cabforum-oid-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-oid-path-int/
+extension:certificatePolicies:2.23.140.1.1
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.key b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key
new file mode 100644
index 0000000000..1d88a930d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh
++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU
+dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H
+cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y
+1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t
+oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ
+5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB
+0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+
++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE
+vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9
+HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE
+MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V
+vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV
+7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH
+lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V
+jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv
+nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui
+p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ
+zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v
+4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA
+hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C
+pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV
+bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3
+mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j
+LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf
+UVFRDKpassHG6z7+kpXRbowlyRY=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec
new file mode 100644
index 0000000000..1a3d76a550
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec
@@ -0,0 +1 @@
+ev
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem
new file mode 100644
index 0000000000..13c3031905
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx
+MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/
+EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN
+RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s
+33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd
+Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX
++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+
+5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo
+UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf
+cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY
+Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH
+z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH
+HmbOwao=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec
new file mode 100644
index 0000000000..3121f3486e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:evroot
+subjectKey:ev
+issuerKey:ev
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem
new file mode 100644
index 0000000000..af5ffef782
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEDCCAfigAwIBAgIUV4EyKmZfq4MEI8NLfzjTZovpx3owDQYJKoZIhvcNAQEL
+BQAwHjEcMBoGA1UEAwwTbm8tb2NzcC1lZS1wYXRoLWludDAiGA8yMDIxMTEyNzAw
+MDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAdMRswGQYDVQQDDBJuby1vY3NwLWVlLXBh
+dGgtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAGjQzBBMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqFGgGDdAkB
+MB4GA1UdEQQXMBWCE2V2LXRlc3QuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQAD
+ggEBACqYubzmmeSUHH2ONuYa1B13hyuMCgDvyQKOxI1m/NewbtEZ80UDWmQMolFP
+m2l8lbmlSuNWi25RQxONcXSspCQgIwRzfi4OBql81nZkjyGWWprLUTBrCfyYE3gi
+P2acboz9ObJoXDzYl63MnyAiD/VQifM/iYuiiel/tJRCV5I72a2wQKlZniulgyWQ
+HuWQk9v7lKUX+msgEo9ZW8ndb/hgq+QnEzB3kPmkWgEmLJdK2k05UIjYNBRbgntj
+qGSUgCtdga8gfEeaD/00DweQ8MFwhQkXol2kQVY3j0rddi5T0BI9Fu8BuPaPXU4w
+nr0GvC4bu/ATRI5EuKOJRt4WSv4=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec
new file mode 100644
index 0000000000..ece1cf816f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:no-ocsp-ee-path-int
+subject:no-ocsp-ee-path-ee
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem
new file mode 100644
index 0000000000..09cfda1739
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPzCCAiegAwIBAgIUcXOmLIKcwe+H0AekAT8yEbaqdJUwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMB4xHDAaBgNVBAMME25vLW9jc3AtZWUtcGF0aC1pbnQwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
+fjB8MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMEwGCCsGAQUFBwEBBEAwPjA8
+BggrBgEFBQcwAYYwaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L25vLW9jc3At
+ZWUtcGF0aC1pbnQvMBEGA1UdIAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQsFAAOC
+AQEAS/QkZA0m4gZRyp7eyeXeHaR0toxH9RaypHw5FkG/vHQ4EIjO6eXRcC/bPuCX
+N4cMfYmkCpU3Dy5uSZLetYYmu05X+rCwXQu6TZO3D4medEiVslbD3cQH7LmxCLxT
+wBf2foLLFAJ+wFmVmzZk26+G71vbJ5RvzL5djHPZhm6XFQcg8D2oHMfp5mIWEkCk
+VtB3/AIhxh8CIuhs1+lCsOc7XoOAZ04EVPP9kkc8o9K0rPaTzupmfHRTVuWyAQrC
+MPSYnQITQAQAN9Qg/BGgIW1qudgFJpMmjb6AS+7Ts9f7225z+SzLBkNMQggApW14
+ZIUonu/c9e/2+3baPEiVfzcfzA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec
new file mode 100644
index 0000000000..5eb952a9a7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:no-ocsp-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-ee-path-int/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem
new file mode 100644
index 0000000000..fd01063ac3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAkqgAwIBAgIUGwe4TG7p4Bv83RKwPf6KcStdBLAwDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUbm8tb2NzcC1pbnQtcGF0aC1pbnQwIhgPMjAyMTExMjcw
+MDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowHjEcMBoGA1UEAwwTbm8tb2NzcC1pbnQt
+cGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaOBkjCBjzBMBggrBgEFBQcBAQRAMD4wPAYIKwYBBQUHMAGG
+MGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9uby1vY3NwLWludC1wYXRoLWVl
+LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNl
+di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCr21rqLU8BEBZN
+oYZ/Mltq+7EXM7NKhRSBvwozcwVvBHgXO90bxogeLsXCyhW8b/zH908M1ne/0Ir2
+MuKUZy82wzLr9VSmN/3tAR4CsIftCR3gbPRgITkkvU/3sZkvZVJLaZkL9cQ7WVdL
+0fwNQR7FQx8/S20/KNa/Ud63l0QnIR2uys6KpS93iT4W2DOiC2vrHS1xja0OAw9+
+BBfnLp99KRVOXi9LHXcWyLWJU7/zW7rbJX1S/mONZbQtq8qwpzb/q0mUSxBX1p4U
+l6SY/m7Pl5Ef4RgwsMdu0zRmmmb6kQmboE/qBX75IgIZjOK5FnrJCZcR6EyV60uu
+jMeIG7hs
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec
new file mode 100644
index 0000000000..623057e9e9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:no-ocsp-int-path-int
+subject:no-ocsp-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-int-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem
new file mode 100644
index 0000000000..ff07be395f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8jCCAdqgAwIBAgIUTZjDIERCE7WIkgtKaDPqLLkqk9IwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMB8xHTAbBgNVBAMMFG5vLW9jc3AtaW50LXBhdGgtaW50MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+ozAwLjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjARBgNVHSAECjAIMAYGBFUd
+IAAwDQYJKoZIhvcNAQELBQADggEBAAKFwKsNxeiFmmVyq3YsF2tS11eJJ0/n/KzC
+G4t39HZWfWw8u2osQpHn1O2+L0YhRBNpYX85GgVKSPYzjsptfTmIcAyAWdlJsK5r
+Np9LHrsx65A7cFkKxD6V7FbG1YwL+VbD7qkEZBy3SqFe6m7hQ3om0LgWpaNu756x
+TJeZdqNoSwvtbPdH/GYId1dTj8KdTDncer6eBfefcq0yCoNA1zphgdBMRVBPjXj8
+MFJEd+PTkyDzuTvBG5nB0ChZQ+ca3z8w38rI0KZTeWKH8mW3IU4dSj4q+8ZGymv6
+O1BYsVGr7Z4M//zJ70x9c5+jgDyam7LtxRpsd61R2/sVfqzJVTg=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec
new file mode 100644
index 0000000000..548241de3a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec
@@ -0,0 +1,6 @@
+issuer:evroot
+subject:no-ocsp-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem
new file mode 100644
index 0000000000..150eb3dfa1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAkqgAwIBAgIUVY/VRh2hxRcuAlpF5eXruz6Rbi4wDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUbm9uLWV2LXJvb3QtcGF0aC1pbnQwIhgPMjAyMTExMjcw
+MDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowHjEcMBoGA1UEAwwTbm9uLWV2LXJvb3Qt
+cGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaOBkjCBjzBMBggrBgEFBQcBAQRAMD4wPAYIKwYBBQUHMAGG
+MGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9ub24tZXYtcm9vdC1wYXRoLWVl
+LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNl
+di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBXgdfedO5sSJJE
+n1BMPeTQIZvhXADPJuQfw589m0J3KZIyQrZvpKJpnx70FcfnTx2ef1QFGrRPT0be
+ikVjzahGsKl2YZxJTHsfsYIBtXb3gxJhWMOWjp/o61yJoMOxuv3+sD1FeK15F73R
+LIwZ8FJw+kPVQr6nHKg/KxZ2x6z9AUzxr0vrbEXbClopnIoXVYT2YsnBLASlPKjk
+iHxuR4AR31ue9T38Y2p8eTKAyxssqE5DUYeRlS6RxHQKf3zNPIDlYoU6K+CpXp/R
+aGjUAsUGyFqEXSrqoiYrMthUmkESpgY8pj8gaFwwElIgrhL+TEJDLYVQtRcZf+9/
+NF21J9M2
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec
new file mode 100644
index 0000000000..9895732b15
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:non-ev-root-path-int
+subject:non-ev-root-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem
new file mode 100644
index 0000000000..fabab40b3d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSDCCAjCgAwIBAgIUL2l0QIXF1lhAxtAsa96UcJ2xVv0wDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNbm9uLWV2cm9vdC1jYTAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAfMR0wGwYDVQQDDBRub24tZXYtcm9vdC1wYXRoLWlu
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG
+NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn
+RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu
+p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ
+Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p
+47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1
+7Y0CAwEAAaN/MH0wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwTQYIKwYBBQUH
+AQEEQTA/MD0GCCsGAQUFBzABhjFodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgv
+bm9uLWV2LXJvb3QtcGF0aC1pbnQvMBEGA1UdIAQKMAgwBgYEVR0gADANBgkqhkiG
+9w0BAQsFAAOCAQEAVcD0UEY9IIAhyuk9cnSrU9rf28agFR7Gs3YOQUqqGePrNf1w
+ZwiFB3cHGaroBlFYsV9PHRM/o6kGKXiw+c5uo0vTQMAb8+/YcXUYL2eYBZMCIUDx
+Z9yzPUZenK9WBaZCcWFBcoZsWSMb/CV0AasRpM8VMxQ+i0IejzF/Jk1FrfT1+jSO
+H0EoUETMNx8ULbiUh3OWvTbTG5emiBIKA5YdhCQXwaqsB3tqwAz/fu8aYjf3zP3C
+h8PjV5pe+hMk0vkkAekzdiJQJYodPEn0VZz4wiQn9KOtFFGO0PJ9JDxBQLCDLFza
+07HSkmRfF7+Z3Nf9zEiYkuZZiRXWhE637X+rpw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec
new file mode 100644
index 0000000000..5ce035ae1e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec
@@ -0,0 +1,6 @@
+issuer:non-evroot-ca
+subject:non-ev-root-path-int
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-int/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem
new file mode 100644
index 0000000000..345485e228
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIUBfqrswEJGDjE9nm6ejtjD0kklVwwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNbm9uLWV2cm9vdC1jYTAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAYMRYwFAYDVQQDDA1ub24tZXZyb290LWNhMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC
+AQEAgp5QqEQH2DbmS5o6AFElwUJqETVSj82Mh4x8MmMWX5kx/f2oRMYGd3fuqirQ
+fgZFyp6z1O0Ei+sosKj6B5tsZKcEEIKBiOGJeFPv0XAVeny0GSN/UsCNpJdPI8bA
+WzuwDFCL62a7Rh7rbViNyzEWw8PUwsNjziRUx6TcgbvFahkW25vJJr4mmOiE26zw
+5kqI4AAqVHpzy89p11dsKld30Y122TdLuXVwvuE2Al1w3tW9HK8oeoQPueHpMQcz
+i1SUAZdSSQ0MyOVWVWz6uGEWU+7iSYCQrwLR9eIfpOku8Pb6C6olsYYm0D6vG/a7
+1O2Tm7VL2prtY5lv503AKF7QHA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem.certspec
new file mode 100644
index 0000000000..7b61447a80
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:non-evroot-ca
+subject:non-evroot-ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem
new file mode 100644
index 0000000000..9c18903539
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgDCCAmigAwIBAgIUY65iIQOPqad0zzesK3FOt5aVmeIwDQYJKoZIhvcNAQEL
+BQAwJjEkMCIGA1UEAwwbcmV2ZXJzZS1vcmRlci1vaWRzLXBhdGgtaW50MCIYDzIw
+MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCUxIzAhBgNVBAMMGnJldmVy
+c2Utb3JkZXItb2lkcy1wYXRoLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GiMIGfMFMGCCsGAQUFBwEBBEcw
+RTBDBggrBgEFBQcwAYY3aHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L3JldmVy
+c2Utb3JkZXItb2lkcy1wYXRoLWVlLzAoBgNVHSAEITAfMAcGBWeBDAEBMBQGEisG
+AQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNldi10ZXN0LmV4YW1wbGUuY29t
+MA0GCSqGSIb3DQEBCwUAA4IBAQC1RiorsYhREaYYkyTYNifb2XLtf5R2diikyO9E
+P+ZObrMhOtiQuGymn/HmhX37bv+lcginsTP+7UhUyAtRrWYFZ/+KFiwogA0X0gVD
+w6XbfCeExMc1PhyaCMTafIxbNjg0E4oaZZMZ8uM8ekxCXJoNVe7hms7AIjofQZkI
+0UTcr35l/8QPwKHdMWarQNNGk/hLfrlKEl+aYCySi1VXmJDFfkw2Ttd75pEaDjCP
+Lmx+8EUKqgLvwWJZ23b9+NbjYBwoS5E25qmd4v+nTykL0J6qYoIIiw3SzppsBE48
+Upeg19FmitAsp19J43mVB9/qvwvrreKs3Sjh2eDp64xmmbDm
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec
new file mode 100644
index 0000000000..31e3e69e53
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:reverse-order-oids-path-int
+subject:reverse-order-oids-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/reverse-order-oids-path-ee/
+extension:certificatePolicies:2.23.140.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem
new file mode 100644
index 0000000000..7b1255309b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIUMWXAuy7fu9hNxa2wdzYNdAbnEfIwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMCYxJDAiBgNVBAMMG3JldmVyc2Utb3JkZXItb2lkcy1wYXRoLWlu
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG
+NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn
+RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu
+p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ
+Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p
+47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1
+7Y0CAwEAAaOBnjCBmzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBUBggrBgEF
+BQcBAQRIMEYwRAYIKwYBBQUHMAGGOGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4
+OC9yZXZlcnNlLW9yZGVyLW9pZHMtcGF0aC1pbnQvMCgGA1UdIAQhMB8wFAYSKwYB
+BAHrSYUahRqFGgGDdAkBMAcGBWeBDAEBMA0GCSqGSIb3DQEBCwUAA4IBAQAAgTzv
+rOKCCIsum1ejoJeKdCLVhOoYdkLwMvQPx9GrDrkOK0xBT/hS7CPgKoeni0GTFk8A
+VIKO9p90STMWeAAvkvVoPbMMCjgirXf6H6BXnWBzROu5KQMEmCnozrGj7KlaNcFj
+r8IjxvhKsAHzbIBnPorH2/ksXmai+34XOTDdSzXIDQvfPu8wZHU49xgwFArNfsh+
+m7cwPdqnk3zeBlQ5aMWZyRJG86LeTO2fTvMsyHxlL/p5SYb1JPWyK03qUwKpfKvX
+rRqNqmUapWvsVBdAU60yLPipNO/mw6I10HJ1v3ZU7fdYeoOV/gDl7RPquPnV73Ff
+tt+m1SpB9l5StlS9
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec
new file mode 100644
index 0000000000..a2b523073e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:reverse-order-oids-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/reverse-order-oids-path-int/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,2.23.140.1.1
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem
new file mode 100644
index 0000000000..5439295f29
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIUFUZzpOeJ6SMwLH4GMYnNKJQ6J5YwDQYJKoZIhvcNAQEL
+BQAwPTE7MDkGA1UEAwwydGVzdC1hbmQtY2FiZm9ydW0tb2lkLWVlLWNhYmZvcnVt
+LW9pZC1pbnQtcGF0aC1pbnQwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowPDE6MDgGA1UEAwwxdGVzdC1hbmQtY2FiZm9ydW0tb2lkLWVlLWNhYmZv
+cnVtLW9pZC1pbnQtcGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab
+bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts
+Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI
+H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8
+rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX
+Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaOBuTCBtjBqBggrBgEFBQcBAQReMFww
+WgYIKwYBBQUHMAGGTmh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC90ZXN0LWFu
+ZC1jYWJmb3J1bS1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRoLWVlLzAoBgNV
+HSAEITAfMBQGEisGAQQB60mFGoUahRoBg3QJATAHBgVngQwBATAeBgNVHREEFzAV
+ghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQB2gvv3BrZ0
+3wqNT7VwXUzgtvQ9gRC2l9PpKFGAPjZlN0QlOKh7q2A/efTeVr9IIEOJrvjMdepB
+0qFRuGMw8Zw+veIEv4Gy5YfHYkeNPnYXm/NkvXiWECmCkOUyxZzrqqlEWdzjkcvI
+bUVyspWmS5RjcNCJY+kFOclPRM8xqZbuyZs5gC3Qabo71cYLDW/7QobcOvmMN+P6
+1tBd5GPH4QJnJiJrSWmAotB44vdWM1guAftJhl0zf0wgr0Rxq/eUNBCm7Lc4Qv4R
+neh/1uUBXjeh8py7HCTUK5nJb8eAcg/gD6d4+HYEOik8BpLB/gDqCLyGzuy409VO
+qyX4hAhGVP8e
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec
new file mode 100644
index 0000000000..edac2fc1ad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:test-and-cabforum-oid-ee-cabforum-oid-int-path-int
+subject:test-and-cabforum-oid-ee-cabforum-oid-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,2.23.140.1.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem
new file mode 100644
index 0000000000..7fb0c8a643
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgDCCAmigAwIBAgIUI59mCZyqqA1n9QHKquSu1nhheGUwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMD0xOzA5BgNVBAMMMnRlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1j
+YWJmb3J1bS1vaWQtaW50LXBhdGgtaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GfMIGcMAwGA1UdEwQFMAMB
+Af8wCwYDVR0PBAQDAgEGMGsGCCsGAQUFBwEBBF8wXTBbBggrBgEFBQcwAYZPaHR0
+cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L3Rlc3QtYW5kLWNhYmZvcnVtLW9pZC1l
+ZS1jYWJmb3J1bS1vaWQtaW50LXBhdGgtaW50LzASBgNVHSAECzAJMAcGBWeBDAEB
+MA0GCSqGSIb3DQEBCwUAA4IBAQAzuiRK8DbNihTSeXbgCz8rEAVK864Fyl+nyPoo
+eMvIp/Xwb2lKakji3IRX2xqJuQR6sdckn8RyzVvvMzZHGXto+DbMnNPh0ACmNE2x
+8rg+OBnNun8da0oP6gIlnl2q2eRP6XbQtQ7w2DSbbHJ7QvNyi77EjgMVOU2ZiE0M
+yeWHvL+OqwqgB6ZsLRWjQeKu/iTKHh5EGG9yPQl+2TYOlTGAlBjpKDyptwA17CW3
++tnXODlgGDBo3hLyFNStKG2JxtpJTwDn4k7IVJ6pJjFmpCNMXpcc9McI6xl6bBy8
+nXKJaRSM4wlJs8sPe4BMnCaSsUayoLEvzwnEu7vW71cOjmzA
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec
new file mode 100644
index 0000000000..68dfd00573
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:test-and-cabforum-oid-ee-cabforum-oid-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-cabforum-oid-int-path-int/
+extension:certificatePolicies:2.23.140.1.1
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem
new file mode 100644
index 0000000000..087d1f05e4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkjCCAnqgAwIBAgIUYT7HpFGQFkg/E790SoVkCNUtYn8wDQYJKoZIhvcNAQEL
+BQAwLDEqMCgGA1UEAwwhdGVzdC1hbmQtY2FiZm9ydW0tb2lkLWVlLXBhdGgtaW50
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCsxKTAnBgNVBAMM
+IHRlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1wYXRoLWVlMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GoMIGlMFkG
+CCsGAQUFBwEBBE0wSzBJBggrBgEFBQcwAYY9aHR0cDovL3d3dy5leGFtcGxlLmNv
+bTo4ODg4L3Rlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1wYXRoLWVlLzAoBgNVHSAE
+ITAfMBQGEisGAQQB60mFGoUahRoBg3QJATAHBgVngQwBATAeBgNVHREEFzAVghNl
+di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBDRKyEcWf9alVl
+a/qcpHwuJ1+5WGxFv88ZPo6CTav77YrxUdOxTt8abQh2AMMZcJ/Nucerm7eiESPK
+2KO/fgayLkDqsJ0BBz+lpz6WmWk4puvQYNW5C3+FLvpgCI79kksva3h2WcOwRPrN
+YmiITKnZsgzFxrU6EkRjgO/OQBlU/azBS3kHhWYPEmnDGtr3rjr51wBAXUwMFxcM
+fxmopVMe/rERRoStxGvXAFNLfCBGFrcLSiMPB//BN/3Nk24iHrTvjzofF70oeOV3
+kcbYlCvpTF+bg9SzLvpOHqwxCiC9IrOA4D3jQmFv8Udo9QCaGC56IJTua+rhoWqm
+e9viX7js
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec
new file mode 100644
index 0000000000..affbd87458
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:test-and-cabforum-oid-ee-path-int
+subject:test-and-cabforum-oid-ee-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,2.23.140.1.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem
new file mode 100644
index 0000000000..cc2f45d3ce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDXTCCAkWgAwIBAgIUb2D4HeEORbizbOLDdYEKZeydFOcwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMCwxKjAoBgNVBAMMIXRlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1w
+YXRoLWludDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaOBjTCBijAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBa
+BggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAGGPmh0dHA6Ly93d3cuZXhhbXBsZS5j
+b206ODg4OC90ZXN0LWFuZC1jYWJmb3J1bS1vaWQtZWUtcGF0aC1pbnQvMBEGA1Ud
+IAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQsFAAOCAQEAnxGTQXg6kASA3iTx6F//
+1NJjcf+xLthZA4Nr6Hr36gmgMwIPi1TQd40omtwIs+BcTXRUJsXkvW/NfRB2GIV2
+Zz1+2ViUMp95O98fVnIC1rJOvVha2t6Ct6jUGx9pznghH/5WR8yaK3GUCYjKO9Cn
+t67wF8ff6/GTXxenyCHp8iAffUJOhiXinDEYZ7DF0ylzYCrFr9hUlNicNMCIOLLe
+jeb+aD55bn8lvwgnErNIweOG+DKn3yWjjfnvVLn/PATg1xGRLe86MZgA5VzYU61q
+rEx0y6dlaxpfISarNfuicLrznf67bNXCpU17tyeITzxBCIfokDdeW1VxwWVVlS5K
+Aw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec
new file mode 100644
index 0000000000..11630b4b4f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:test-and-cabforum-oid-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-path-int/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem
new file mode 100644
index 0000000000..a49017dd4a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDlTCCAn2gAwIBAgIUBz5FscfzmfpyDXtVsfMuu/CYTkcwDQYJKoZIhvcNAQEL
+BQAwMDEuMCwGA1UEAwwldGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRo
+LWludDAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAvMS0wKwYD
+VQQDDCR0ZXN0LW9pZC1lZS1jYWJmb3J1bS1vaWQtaW50LXBhdGgtZWUwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
+gaMwgaAwXQYIKwYBBQUHAQEEUTBPME0GCCsGAQUFBzABhkFodHRwOi8vd3d3LmV4
+YW1wbGUuY29tOjg4ODgvdGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRo
+LWVlLzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAV
+ghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAH14OR4H62
+ENgeo7uXk6xgY01XulxL2jT4a/RY2Dsja43yjevGACMSO3X07y0MbjmPUtCS8vyo
+x9zr8deVnh+4fllU1Q7IZFDraje0qnOueNOtFeYYM6GRt/6fMMikE5VrcOtUkjo8
+b4IRru3eWt56JdUr/sytkDEUGSZiP2ipNXDNhvHKO6KEDuJETwPmOMSS0QkxnisV
+o1s9/tkrQV5ZNoZ3lgrK8hPIV4oHuJJnFyMtkcvLiRoN+uGVVVZL3jwTE17PlG2N
+/pVVC4vZmZPNCIZyzXjfqifzg2vWPTAFdBqy0L+3nUDrGvXswrnKVpi8MbCzFJM9
+ZoOHfu2/Ncex
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec
new file mode 100644
index 0000000000..bd0f955ada
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:test-oid-ee-cabforum-oid-int-path-int
+subject:test-oid-ee-cabforum-oid-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-ee-cabforum-oid-int-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem
new file mode 100644
index 0000000000..70c6974db9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZjCCAk6gAwIBAgIUMcttbpnyWBC8D4SQ5L52xqdAchgwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMDAxLjAsBgNVBAMMJXRlc3Qtb2lkLWVlLWNhYmZvcnVtLW9pZC1p
+bnQtcGF0aC1pbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjgZIwgY8wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMC
+AQYwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzABhkJodHRwOi8vd3d3LmV4YW1w
+bGUuY29tOjg4ODgvdGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRoLWlu
+dC8wEgYDVR0gBAswCTAHBgVngQwBATANBgkqhkiG9w0BAQsFAAOCAQEAkWY3TNtZ
+uIZDgcBslHPsaNJ9CLy88Uv6WK4+0r07WeTK4m716cHARRzaWfG/saYZErCD3wPy
+PXsDvzHH5TB7NYcDO9wGFvHyqr8nM6Y0g675LJZO/MIv/F+6cXnidGFpGQYAyN27
+oYlsg5UxHVf85unSWdYOekEk3Vb3j7yOyDyJlfPUjekCrFb2IXwGCXV8vwySnH08
+sOozuXxRL+IMOqhgXwSygP+uKIOpDTCm+ab9LCQ9rXrS/nSeP5dqsCTwSh08YUYW
+R/7drxxbAIP4hkdfypW+qNSFhVUagRqyNPOlyclnXiT/ECPbvZTJO2aVUnq/2wgf
+AACvPx4gGI/gPQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec
new file mode 100644
index 0000000000..37d4d133a1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:test-oid-ee-cabforum-oid-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-ee-cabforum-oid-int-path-int/
+extension:certificatePolicies:2.23.140.1.1
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem
new file mode 100644
index 0000000000..b28d658f34
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWTCCAkGgAwIBAgIUP0QPDJYHS8iqIxQh16sMCzUo2J4wDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRdGVzdC1vaWQtcGF0aC1pbnQwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowGzEZMBcGA1UEAwwQdGVzdC1vaWQtcGF0aC1l
+ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG
+NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn
+RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu
+p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ
+Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p
+47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1
+7Y0CAwEAAaOBjzCBjDBJBggrBgEFBQcBAQQ9MDswOQYIKwYBBQUHMAGGLWh0dHA6
+Ly93d3cuZXhhbXBsZS5jb206ODg4OC90ZXN0LW9pZC1wYXRoLWVlLzAfBgNVHSAE
+GDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNldi10ZXN0LmV4
+YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAulta+AvmR58Lr0CzIcRHSFkx6
+OAXxS7qxSy2DhfMucxyjIGFiL5GTFZ+PjZjpm7kBavXAq3s42/6gYaoUsTWy+exE
+G2wSV22L2iU0zTPJExtcOciLaWpX90yqUZN9ThB0WCosLGg9GiLfZLjlmX+IL0bC
+bGmOMmxpk9wCEdQbQGkSkkucZaPONST/n3W4g0eYzlCiC5bY45HnEbYPVxGKDd1P
+xTcJqEsbxffNflSAMyY4c5+KEY9DFpdXeKJvfAddoT61bBbrUHvi6g4xo+fBDfgP
+Zz9VeBvUMILYrbpFyFBmQL2rd8pCFnUcC7M6+HrSHdrXwAZWKiNmATFexWS4
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec
new file mode 100644
index 0000000000..a9d62c65e9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:test-oid-path-int
+subject:test-oid-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem
new file mode 100644
index 0000000000..ad2bd1d509
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIUQ9qTdUCkE4CVzUr1Rvfr0N+HsVkwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBwxGjAYBgNVBAMMEXRlc3Qtb2lkLXBhdGgtaW50MIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK
+tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N
+Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr
+sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs
+l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl
+nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GL
+MIGIMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMEoGCCsGAQUFBwEBBD4wPDA6
+BggrBgEFBQcwAYYuaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L3Rlc3Qtb2lk
+LXBhdGgtaW50LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATANBgkq
+hkiG9w0BAQsFAAOCAQEAGmKNKoN7WoJUTqRBPdDm/acbFxtmXXSwl9SdxQ8+yW9w
+ukE9nqMii5V7viy+nimZ96ggcvbGsjZmyL9yMbG7nDyDbMI8z7p+5IaHY4pjPmu/
+JhWaMLneZDIQNADn8JOtBpwkGPRlKzDPBwjMBerfDXBxoj384iZZNsBCB0BLQgdx
+oQL+yrHXCq882e1KFkl+j0JJhvqiNHE3A6WPPcz/iaHm8kKRfjYNIWWapXLlEyv1
+06QQew0gPEmUUZu3nK76gvmxGqJOg4MV9ahCOW4R5ScHCyBH7QNZzlRRwmobfmH/
+gVfq9IkiIV2PXiic+YiXUlERvXElRzLamt/zWaHk6w==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec
new file mode 100644
index 0000000000..53534eb526
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:test-oid-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-int/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key
new file mode 100644
index 0000000000..a926a54efb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM
+1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48
+9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA
+-----END EC PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec
new file mode 100644
index 0000000000..03c3ce198f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec
@@ -0,0 +1 @@
+secp256r1
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem
new file mode 100644
index 0000000000..a5c0e04b0a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICMjCCARqgAwIBAgIUQQv+1NaQ2YW3zROTKhMXi0+z4+kwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaZmF1bHR5LXNlcnZlci1pbnRlcm1lZGlhdGUwIhgPMjAy
+MTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowFTETMBEGA1UEAwwKZGVmYXVs
+dC1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5saYKWayHBOLs
+BQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGTkNeZG3stB6ME6qBKpsCj
+MTAvMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5j
+b20wDQYJKoZIhvcNAQELBQADggEBAIa1n0PRvEO1vobr+MUhrdC2pkjrf3BkPofv
+UMX0GArZsYtkZTnB073ZuzRMaR1RNnEbCerDC8ibxVQzPqc3+HjCGhxUH8Mv6QMl
+K/F9FixiEHSiWOocGpSqNIbUtLFTVJOf7GC7GvT5a3rvAzMwtujetHKw+3QzgpZT
+Ja77qqxE1VJDdjnaXGgUc1hUfiNGPy1bh4/Eed/nLIbeDYDP9TfvvkhNTc3mb/vG
+LIxhaAXuQmxm3vHJl7ewXSzL+3g8Slr+LycODwv07SCz5ZYkY42ahqDlELKlkcwM
+O867QbO8leAZV2B/6ugEZJV02Sho1fNJkE/zYr/yBpZkTHqB3Uc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec
new file mode 100644
index 0000000000..5d471da110
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:faulty-server-intermediate
+subjectKey:secp256r1
+subject:default-ee
+extension:extKeyUsage:serverAuth
+extension:subjectAlternativeName:*.example.com
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem
new file mode 100644
index 0000000000..c896de631d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICFjCB/6ADAgECAhQJA7Qytg0FIuJ3Y9mQfFhL/MXBgzANBgkqhkiG9w0BAQsF
+ADAlMSMwIQYDVQQDDBpmYXVsdHktc2VydmVyLWludGVybWVkaWF0ZTAiGA8yMDIx
+MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAUMRIwEAYDVQQDDAluby1zYW4t
+ZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARPv7u7YeD4+bGmClmshwTi7AUL
+Qj489y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbAoxcw
+FTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEACQkHi4sl
+CReY+YWeZ7YCkzCt0UYHAlrd4F86n4GEJzXrjdrorzV3R4o1tNQtbDBJVIH3OzuM
+9xH2L7brtnVFP/INP4imkOFwvJiibt24hYssKTVS7vOh6VoIKF2QqLPh2mEO3u5g
+0w7D1xIIqMFATeZ/ovTEJzAhM4rt4cp0sMYJ8Zx8etuK5xDdMxkVuWp+HHNcEaSd
+674tpLwD2Peeoa/n90Dp8q3fxgbZ85jLetXz2Hi0WQE/nTKF3Cr1Fk+ECgCGbEL+
+DS2jbVYuR/P6EdBssZYtaCfW/Lajt9z+5+njqBGqCgfBeBN9m543xdUbvwdxFIGh
+fezZ/D6tdaeSEQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec
new file mode 100644
index 0000000000..68eb6b0202
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:faulty-server-intermediate
+subjectKey:secp256r1
+subject:no-san-ee
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key
new file mode 100644
index 0000000000..a926a54efb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM
+1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48
+9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA
+-----END EC PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec
new file mode 100644
index 0000000000..03c3ce198f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec
@@ -0,0 +1 @@
+secp256r1
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem
new file mode 100644
index 0000000000..3d0ae14911
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIUGSmSb2HbEr51bpQzj+bUUISSggowDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQZmF1bHR5LXNlcnZlci1jYTAiGA8yMDIxMTEyNzAwMDAw
+MFoYDzIwMjQwMjA1MDAwMDAwWjAbMRkwFwYDVQQDDBBmYXVsdHktc2VydmVyLWNh
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B
+AQsFAAOCAQEARaxPN9ImyTHcTq2l4hCl3vybWKsY+RLOT0cap3xqst1htZbkoejV
+sy9OrA6jMe7k6N7IquopV/3ZuZTbebQZwCP+82HDs48yL20ACrUU3rlQJoOPtTJf
+7yUskA0ztDYkRtuV3KMWoscxoVFGoMIXwzjskUxy/Rp6+vKTuf0gvF+zd4iQzZ11
+oZarse5nF5pSxiFxQscep44bAh9Wnt8cMkUqoXgOc0hJE2MV/Kn1bLptNDVRyVmk
+2e6403EsBzmAjfy7yLLx/mpz2Fl+XgztP52AwK2V0TcWxaHg29cRIc16si0wNqF4
+2xxhvYyAUMArnzvKgRHXHqZbuyyaHV762A==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec
new file mode 100644
index 0000000000..bcbf751bb2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:faulty-server-ca
+subject:faulty-server-ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem
new file mode 100644
index 0000000000..9964b1ed68
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIUFXP/lk1Ozpz/foBDAI+E6dPYOJkwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQZmF1bHR5LXNlcnZlci1jYTAiGA8yMDIxMTEyNzAwMDAw
+MFoYDzIwMjQwMjA1MDAwMDAwWjAlMSMwIQYDVQQDDBpmYXVsdHktc2VydmVyLWlu
+dGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYw
+DQYJKoZIhvcNAQELBQADggEBAKKRqr0ubyrDGcUcswUGJGZXcvCZryaa3vbv/ccm
+G26nli+ANlthqjwnInKP1sdTjbk/BnhsOXrs05ygSdFuW/dOZqkeJKlPXbeFGF8i
+wnJb0gYdceBoTqyJ7H83AIVYJbuP5JMR78CE/iFOUv+43OaRQAMQdppcMiyq49oU
+hXMxsVuXOFelUD0XZSP/oAlrEXxeyAVkBJS2iPAN+B3Mxe9CVmkuibCZ47dsMHYr
+LEtzbdKVaO8pg+FHEMiv95Wtx2fBDX+6mhPHbXo21pn8jAVV0uHR3u+CwGvGcMrL
+Y94oWHnU2ojPicyhuy6NOH3v3RxACFW0jQV0sH/VK7bh8Ts=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec
new file mode 100644
index 0000000000..5be535c81d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:faulty-server-ca
+subject:faulty-server-intermediate
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js
new file mode 100644
index 0000000000..fd0738eda9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js
@@ -0,0 +1,119 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+ * vim: sw=2 ts=2 sts=2
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+// Ensures that HSTS (HTTP Strict Transport Security) information is cleared
+// when using "Forget About This Site".
+
+const { ForgetAboutSite } = ChromeUtils.import(
+ "resource://gre/modules/ForgetAboutSite.jsm"
+);
+
+do_get_profile(); // must be done before instantiating nsIX509CertDB
+
+registerCleanupFunction(() => {
+ Services.prefs.clearUserPref("security.cert_pinning.enforcement_level");
+});
+
+const GOOD_MAX_AGE_SECONDS = 69403;
+const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`;
+
+const sss = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+);
+const uri = Services.io.newURI("https://a.pinning.example.com");
+
+// Test the normal case of processing HSTS headers for a.pinning.example.com,
+// using "Forget About Site" on a.pinning2.example.com, and then checking
+// that the platform doesn't consider a.pinning.example.com to be HSTS any
+// longer.
+add_task(async function() {
+ sss.processHeader(uri, GOOD_MAX_AGE);
+
+ Assert.ok(sss.isSecureURI(uri), "a.pinning.example.com should be HSTS");
+
+ await ForgetAboutSite.removeDataFromDomain("a.pinning.example.com");
+
+ Assert.ok(
+ !sss.isSecureURI(uri),
+ "a.pinning.example.com should not be HSTS now"
+ );
+});
+
+// Test the case of processing HSTS headers for a.pinning.example.com, using
+// "Forget About Site" on example.com, and then checking that the platform
+// doesn't consider the subdomain to be HSTS any longer. Also test that
+// unrelated sites don't also get removed.
+add_task(async function() {
+ sss.processHeader(uri, GOOD_MAX_AGE);
+
+ Assert.ok(
+ sss.isSecureURI(uri),
+ "a.pinning.example.com should be HSTS (subdomain case)"
+ );
+
+ // Add an unrelated site to HSTS.
+ let unrelatedURI = Services.io.newURI("https://example.org");
+ sss.processHeader(unrelatedURI, GOOD_MAX_AGE);
+ Assert.ok(sss.isSecureURI(unrelatedURI), "example.org should be HSTS");
+
+ await ForgetAboutSite.removeDataFromDomain("example.com");
+
+ Assert.ok(
+ !sss.isSecureURI(uri),
+ "a.pinning.example.com should not be HSTS now (subdomain case)"
+ );
+
+ Assert.ok(sss.isSecureURI(unrelatedURI), "example.org should still be HSTS");
+});
+
+// Test the case of processing HSTS headers for a.pinning.example.com with
+// various originAttributes, using "Forget About Site" on example.com, and
+// then checking that the platform doesn't consider the subdomain to be HSTS
+// for any originAttributes any longer. Also test that unrelated sites don't
+// also get removed.
+add_task(async function() {
+ let originAttributesList = [
+ {},
+ { userContextId: 1 },
+ { firstPartyDomain: "foo.com" },
+ { userContextId: 1, firstPartyDomain: "foo.com" },
+ ];
+
+ let unrelatedURI = Services.io.newURI("https://example.org");
+
+ for (let originAttributes of originAttributesList) {
+ sss.processHeader(uri, GOOD_MAX_AGE, originAttributes);
+
+ Assert.ok(
+ sss.isSecureURI(uri, originAttributes),
+ "a.pinning.example.com should be HSTS (originAttributes case)"
+ );
+
+ // Add an unrelated site to HSTS.
+ sss.processHeader(unrelatedURI, GOOD_MAX_AGE, originAttributes);
+ Assert.ok(
+ sss.isSecureURI(unrelatedURI, originAttributes),
+ "example.org should be HSTS (originAttributes case)"
+ );
+ }
+
+ await ForgetAboutSite.removeDataFromDomain("example.com");
+
+ for (let originAttributes of originAttributesList) {
+ Assert.ok(
+ !sss.isSecureURI(uri, originAttributes),
+ "a.pinning.example.com should not be HSTS now " +
+ "(originAttributes case)"
+ );
+
+ Assert.ok(
+ sss.isSecureURI(unrelatedURI, originAttributes),
+ "example.org should still be HSTS (originAttributes case)"
+ );
+ }
+});
diff --git a/security/manager/ssl/tests/unit/test_hash_algorithms.js b/security/manager/ssl/tests/unit/test_hash_algorithms.js
new file mode 100644
index 0000000000..3a42017bea
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_hash_algorithms.js
@@ -0,0 +1,158 @@
+"use strict";
+
+// This file tests various aspects of the nsICryptoHash implementation for all
+// of the supported algorithms.
+
+const messages = ["The quick brown fox jumps over the lazy dog", ""];
+const ALGORITHMS = [
+ {
+ initString: "md5",
+ initConstant: Ci.nsICryptoHash.MD5,
+ hexHashes: [
+ "9e107d9d372bb6826bd81d3542a419d6",
+ "d41d8cd98f00b204e9800998ecf8427e",
+ ],
+ b64Hashes: ["nhB9nTcrtoJr2B01QqQZ1g==", "1B2M2Y8AsgTpgAmY7PhCfg=="],
+ },
+ {
+ initString: "sha1",
+ initConstant: Ci.nsICryptoHash.SHA1,
+ hexHashes: [
+ "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
+ "da39a3ee5e6b4b0d3255bfef95601890afd80709",
+ ],
+ b64Hashes: ["L9ThxnotKPzthJ7hu3bnORuT6xI=", "2jmj7l5rSw0yVb/vlWAYkK/YBwk="],
+ },
+ {
+ initString: "sha256",
+ initConstant: Ci.nsICryptoHash.SHA256,
+ hexHashes: [
+ "d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592",
+ "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+ ],
+ b64Hashes: [
+ "16j7swfXgJRpypq8sAguT41WUeRtPNt2LQLQvzfJ5ZI=",
+ "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=",
+ ],
+ },
+ {
+ initString: "sha384",
+ initConstant: Ci.nsICryptoHash.SHA384,
+ hexHashes: [
+ "ca737f1014a48f4c0b6dd43cb177b0afd9e5169367544c494011e3317dbf9a509cb1e5dc1e85a941bbee3d7f2afbc9b1",
+ "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
+ ],
+ b64Hashes: [
+ "ynN/EBSkj0wLbdQ8sXewr9nlFpNnVExJQBHjMX2/mlCcseXcHoWpQbvuPX8q+8mx",
+ "OLBgp1GsljhM2TJ+sbHjaiH9txEUvgdDTAzHv2P24donTt6/529l+9Ua0vFImLlb",
+ ],
+ },
+ {
+ initString: "sha512",
+ initConstant: Ci.nsICryptoHash.SHA512,
+ hexHashes: [
+ "07e547d9586f6a73f73fbac0435ed76951218fb7d0c8d788a309d785436bbb642e93a252a954f23912547d1e8a3b5ed6e1bfd7097821233fa0538f3db854fee6",
+ "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
+ ],
+ b64Hashes: [
+ "B+VH2VhvanP3P7rAQ17XaVEhj7fQyNeIownXhUNru2Quk6JSqVTyORJUfR6KO17W4b/XCXghIz+gU489uFT+5g==",
+ "z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==",
+ ],
+ },
+];
+
+function doHash(algo, value, cmp) {
+ let hash = Cc["@mozilla.org/security/hash;1"].createInstance(
+ Ci.nsICryptoHash
+ );
+ hash.initWithString(algo);
+
+ let converter = Cc[
+ "@mozilla.org/intl/scriptableunicodeconverter"
+ ].createInstance(Ci.nsIScriptableUnicodeConverter);
+ converter.charset = "utf8";
+ value = converter.convertToByteArray(value);
+ hash.update(value, value.length);
+ equal(
+ hexify(hash.finish(false)),
+ cmp,
+ `Actual and expected hash for ${algo} should match`
+ );
+
+ hash.initWithString(algo);
+ hash.update(value, value.length);
+ equal(
+ hexify(hash.finish(false)),
+ cmp,
+ `Actual and expected hash for ${algo} should match after re-init`
+ );
+}
+
+function doHashStream(algo, value, cmp) {
+ // TODO(Bug 459835): Make updateFromStream() accept zero length streams.
+ if (!value.length) {
+ return;
+ }
+
+ let hash = Cc["@mozilla.org/security/hash;1"].createInstance(
+ Ci.nsICryptoHash
+ );
+ hash.initWithString(algo);
+
+ let converter = Cc[
+ "@mozilla.org/intl/scriptableunicodeconverter"
+ ].createInstance(Ci.nsIScriptableUnicodeConverter);
+ converter.charset = "utf8";
+ let stream = converter.convertToInputStream(value);
+ hash.updateFromStream(stream, stream.available());
+ equal(
+ hexify(hash.finish(false)),
+ cmp,
+ `Actual and expected hash for ${algo} should match updating from stream`
+ );
+}
+
+function testInitConstantAndBase64(
+ initConstant,
+ algoName,
+ message,
+ expectedOutput
+) {
+ let converter = Cc[
+ "@mozilla.org/intl/scriptableunicodeconverter"
+ ].createInstance(Ci.nsIScriptableUnicodeConverter);
+ converter.charset = "utf8";
+ let value = converter.convertToByteArray(message);
+
+ let hash = Cc["@mozilla.org/security/hash;1"].createInstance(
+ Ci.nsICryptoHash
+ );
+ hash.init(initConstant);
+ hash.update(value, value.length);
+ equal(
+ hash.finish(true),
+ expectedOutput,
+ `Actual and expected base64 hash for ${algoName} should match`
+ );
+}
+
+function run_test() {
+ for (let algo of ALGORITHMS) {
+ algo.hexHashes.forEach((hash, i) => {
+ doHash(algo.initString, messages[i], hash);
+ doHashStream(algo.initString, messages[i], hash);
+ });
+ algo.b64Hashes.forEach((hash, i) => {
+ testInitConstantAndBase64(
+ algo.initConstant,
+ algo.initString,
+ messages[i],
+ hash
+ );
+ });
+ }
+
+ // Our buffer size for working with streams is 4096 bytes. This tests we
+ // handle larger inputs.
+ doHashStream("md5", " ".repeat(4100), "59f337d82f9ef5c9571bec4d78d66641");
+}
diff --git a/security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js b/security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js
new file mode 100644
index 0000000000..f2b7016c05
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js
@@ -0,0 +1,5 @@
+"use strict";
+
+function run_test() {
+ run_test_in_child("test_hash_algorithms.js");
+}
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
new file mode 100644
index 0000000000..5bb4b1cecb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
@@ -0,0 +1,138 @@
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function load_cert(name, trust) {
+ let filename = "test_intermediate_basic_usage_constraints/" + name + ".pem";
+ addCertFromFile(certdb, filename, trust);
+}
+
+function test_cert_for_usages(certChainNicks, expected_usages) {
+ let certs = [];
+ for (let i in certChainNicks) {
+ let certNick = certChainNicks[i];
+ let certPEM = readFile(
+ do_get_file(
+ "test_intermediate_basic_usage_constraints/" + certNick + ".pem"
+ ),
+ false
+ );
+ certs.push(certdb.constructX509FromBase64(pemToBase64(certPEM)));
+ }
+
+ let cert = certs[0];
+ return asyncTestCertificateUsages(certdb, cert, expected_usages);
+}
+
+add_task(async function() {
+ let ee_usages = [
+ certificateUsageSSLClient,
+ certificateUsageSSLServer,
+ certificateUsageEmailSigner,
+ certificateUsageEmailRecipient,
+ ];
+ let ca_usages = [certificateUsageSSLCA];
+ let eku_usages = [certificateUsageSSLClient, certificateUsageSSLServer];
+
+ // Load the ca into mem
+ let ca_name = "ca";
+ load_cert(ca_name, "CTu,CTu,CTu");
+ await test_cert_for_usages([ca_name], ca_usages);
+
+ // A certificate with no basicConstraints extension is considered an EE.
+ await test_cert_for_usages(["int-no-extensions"], ee_usages);
+
+ // int-no-extensions is an EE (see previous case), so no certs can chain to
+ // it.
+ await test_cert_for_usages(["ee-int-no-extensions", "int-no-extensions"], []);
+
+ // a certificate with basicConstraints.cA==false is considered an EE.
+ await test_cert_for_usages(["int-not-a-ca"], ee_usages);
+
+ // int-not-a-ca is an EE (see previous case), so no certs can chain to it.
+ await test_cert_for_usages(["ee-int-not-a-ca", "int-not-a-ca"], []);
+
+ // a certificate with basicConstraints.cA==false but with the keyCertSign
+ // key usage may not act as a CA (it can act like an end-entity).
+ await test_cert_for_usages(["int-cA-FALSE-asserts-keyCertSign"], ee_usages);
+ await test_cert_for_usages(
+ ["ee-int-cA-FALSE-asserts-keyCertSign", "int-cA-FALSE-asserts-keyCertSign"],
+ []
+ );
+
+ // int-limited-depth has cA==true and a path length constraint of zero.
+ await test_cert_for_usages(["int-limited-depth"], ca_usages);
+
+ // path length constraints do not affect the ability of a non-CA cert to
+ // chain to to the CA cert.
+ await test_cert_for_usages(
+ ["ee-int-limited-depth", "int-limited-depth"],
+ ee_usages
+ );
+
+ // ca
+ // int-limited-depth (cA==true, pathLenConstraint==0)
+ // int-limited-depth-invalid (cA==true)
+ //
+ await test_cert_for_usages(
+ ["int-limited-depth-invalid", "int-limited-depth"],
+ []
+ );
+ await test_cert_for_usages(
+ [
+ "ee-int-limited-depth-invalid",
+ "int-limited-depth-invalid",
+ "int-limited-depth",
+ ],
+ []
+ );
+
+ // int-valid-ku-no-eku has keyCertSign
+ await test_cert_for_usages(["int-valid-ku-no-eku"], ca_usages);
+ await test_cert_for_usages(
+ ["ee-int-valid-ku-no-eku", "int-valid-ku-no-eku"],
+ ee_usages
+ );
+
+ // int-bad-ku-no-eku has basicConstraints.cA==true and has a KU extension
+ // but the KU extension is missing keyCertSign. Note that mozilla::pkix
+ // doesn't validate certificates with basicConstraints.Ca==true for non-CA
+ // uses.
+ await test_cert_for_usages(["int-bad-ku-no-eku"], []);
+ await test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], []);
+
+ // int-no-ku-no-eku has basicConstraints.cA==true and no KU extension.
+ // We treat a missing KU as "any key usage is OK".
+ await test_cert_for_usages(["int-no-ku-no-eku"], ca_usages);
+ await test_cert_for_usages(
+ ["ee-int-no-ku-no-eku", "int-no-ku-no-eku"],
+ ee_usages
+ );
+
+ // int-valid-ku-server-eku has basicConstraints.cA==true, keyCertSign in KU,
+ // and EKU=={id-kp-serverAuth,id-kp-clientAuth}.
+ await test_cert_for_usages(["int-valid-ku-server-eku"], ca_usages);
+ await test_cert_for_usages(
+ ["ee-int-valid-ku-server-eku", "int-valid-ku-server-eku"],
+ eku_usages
+ );
+
+ // int-bad-ku-server-eku has basicConstraints.cA==true, a KU without
+ // keyCertSign, and EKU=={id-kp-serverAuth,id-kp-clientAuth}.
+ await test_cert_for_usages(["int-bad-ku-server-eku"], []);
+ await test_cert_for_usages(
+ ["ee-int-bad-ku-server-eku", "int-bad-ku-server-eku"],
+ []
+ );
+
+ // int-bad-ku-server-eku has basicConstraints.cA==true, no KU, and
+ // EKU=={id-kp-serverAuth,id-kp-clientAuth}.
+ await test_cert_for_usages(["int-no-ku-server-eku"], ca_usages);
+ await test_cert_for_usages(
+ ["ee-int-no-ku-server-eku", "int-no-ku-server-eku"],
+ eku_usages
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem
new file mode 100644
index 0000000000..69c16a8d42
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICvDCCAaSgAwIBAgIUSyYNcZmBB3Fq//SFPcSyXEpJ6tIwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggEBAFsWYvf5u1J578KdSOtot0N4h6jCRbE41le2inKzuBY4
+bKzTckFPNscz3NXjGydHHuMA0WI1BnskiXw59dotlAsaWttq2V02EP8fPMSC0Sbx
+J+Uap+b9xONUzTTja2yBWVEI4pN47xiCAEyVWu88/XWm+Ig+HyTjfhT3a32FviiO
+4MuXaN73kJvLjzTUqk0KOtzbuhPLF6kRvycIuLEDel7f21cIbp7ezQRBaDcT+nVv
++WdlXsm8aA7GqnKNY1wBGL8FwsIcIOOeAVb4HgCG4FXp4eKODoexywRu3LP9yN1u
+XAy3x+0wUWp85H3CQuTD7p76ZR1Ui4soSHDs0DdRpkc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem.certspec
new file mode 100644
index 0000000000..eb7c4b4bee
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem
new file mode 100644
index 0000000000..b92dc8fc03
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAc+gAwIBAgIUX2dsScLlfW4gR9BgNZCZQUmGMVgwDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRaW50LWJhZC1rdS1uby1la3UwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowHzEdMBsGA1UEAwwUZWUtaW50LWJhZC1rdS1u
+by1la3UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3
+DQEBCwUAA4IBAQAwovJGGbmC872VetJzSnRzUuGG5tPdn6OrnalmanwsZipR5yzd
+tNe+V3olt3kh9CS4M0aU8dB1Usu3VX35yNXMFAl1pa0wtgOWm4wU3iUu5e6XYoak
+X1PM6FysCbiJoaRejhKJdt525zVomVZ/4v+Ww/OxfGfvqXOgfnhEkdVBDNsO02qx
+RoDWllKKz+fjQbHfwN65VFMG4qFSeCBAo58+pTWapJgNT6rprIsmfqAX89lnpAyY
+NhgWCSczyLtHL2voIeabbOWCpL4WjKp4yj2hztrlRuvWTnOzbZaiydckXnorkfmD
+AVxdSYCZJT5zf+kDUFj7rSS1SfgGLEXa6uHW
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem.certspec
new file mode 100644
index 0000000000..390adf2344
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-bad-ku-no-eku
+subject:ee-int-bad-ku-no-eku
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem
new file mode 100644
index 0000000000..6602f1d911
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIUaWcqNQwNMI1aFqgOG5mw0z0Ph8kwDQYJKoZIhvcNAQEL
+BQAwIDEeMBwGA1UEAwwVaW50LWJhZC1rdS1zZXJ2ZXItZWt1MCIYDzIwMjExMTI3
+MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCMxITAfBgNVBAMMGGVlLWludC1iYWQt
+a3Utc2VydmVyLWVrdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI
+UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi
+r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x
+fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD
+7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv
+uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj
++nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCA/gw
+DQYJKoZIhvcNAQELBQADggEBAFK/ct1l9T0Hs5cOB/yhXWKbEwp74UCZvwKzgpuc
+VslyzB3GPHl8a8aOvastiSgBEzsWzOuGlKprqWsGozG4jG2KHLZWHWG535vjISIO
+wrHyOv20wjgTmMca0osxiQxWumQG7HupZZou8xlbm9XDrFVFriWtvXD88sxhvy6r
+DwtFFzTVXqE0W0LC2KVxFMI6oWIsviYClsAovQLBdMUwjcKpyJj0KFGf0158ncMv
+bkdZgO4uvn+BdUTlbnhyJXs74iSgau7D7t8zCT92CcLojI4+Q70rVt6fw3ZqW/wo
+6s6x+LfPkvkiOBifmhUJGxNOnYlIgxos9Jl1Gi+8nRyxgaw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem.certspec
new file mode 100644
index 0000000000..32bb6c2485
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-bad-ku-server-eku
+subject:ee-int-bad-ku-server-eku
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem
new file mode 100644
index 0000000000..611c93cc97
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBTCCAe2gAwIBAgIUCQnY3uTX2s9L1e03jirXWhQ8u0QwDQYJKoZIhvcNAQEL
+BQAwKzEpMCcGA1UEAwwgaW50LWNBLUZBTFNFLWFzc2VydHMta2V5Q2VydFNpZ24w
+IhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowLjEsMCoGA1UEAwwj
+ZWUtaW50LWNBLUZBTFNFLWFzc2VydHMta2V5Q2VydFNpZ24wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGjAYMAkG
+A1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3DQEBCwUAA4IBAQCASFIVTN69
+PWqwJI0aACKMn9re9uVfSjXEljM9rxFCCYtW1lcTm3tqMq/Hn4BEa4hIBFGDADOc
+DNAhvzIaLOWjxWPcKdxWSUsbg5QJ9M60yqUpbIMw6Y4igQkIUMZG8gOEqnvL2jW1
+dJnjpuBFNXKfW5Ww/WurNXSrz/M+z+6jSn3LCB3pzOpBrAIXYqul+4J0S6mJvXdZ
+hP41/f2s/2r3pl91M/ZlE2uJtEPiGXlXxc5biHl9NxahBi8ZtO+dQ9fQX34Kj3y+
+SjAl594g+9zBpLyeoMJIu4h8cUSKbfCGEwrhlkWL5r0i2NCvdOjh/rVhAhuYoUKe
+D/AGM1NDr5tC
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..9e0fb65fd6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-cA-FALSE-asserts-keyCertSign
+subject:ee-int-cA-FALSE-asserts-keyCertSign
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem
new file mode 100644
index 0000000000..0313f22fa3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9zCCAd+gAwIBAgIUJTkDPPQhp5SptWJuRzUcxOQpGrwwDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZaW50LWxpbWl0ZWQtZGVwdGgtaW52YWxpZDAiGA8yMDIx
+MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAnMSUwIwYDVQQDDBxlZS1pbnQt
+bGltaXRlZC1kZXB0aC1pbnZhbGlkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxowGDAJBgNVHRMEAjAAMAsGA1Ud
+DwQEAwID+DANBgkqhkiG9w0BAQsFAAOCAQEAo54m8X4ZIwPI62dxL0v5YlxaR32S
+8EEnFzpp9ZDKIDxBAjKdY8YLkbhXF/7VTAbqdQJIWZYsFjHVRKvzjgYQzei+oi9K
+fc8HIwFKTaKd+MDcoLzMXm8J4ykRuz482C3jE5SnjwkaGnWWyMH7DLvqd0A+iUzI
+FQhmwQmtiG1O5poN+qCJQmfXInPOs2ne0vKKM679tAMnWFD0qG+nL2+YRba/TJ5T
+unSmCpRbQU/t8obecB38wa67tSC7u9YZ8ot6vWO7BlVe4NWU7eP71JFFCyl891fY
+hD971ulMb9AKsujEhCIqjlcq9Eq64w6ZPFyVhy1P/Mp8dpJg+krXY1yUXg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem.certspec
new file mode 100644
index 0000000000..f00b4d1591
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-limited-depth-invalid
+subject:ee-int-limited-depth-invalid
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem
new file mode 100644
index 0000000000..7b206b3253
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAc+gAwIBAgIUTfEUPuNAjYMBNO7pTXwAW4m2QywwDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRaW50LWxpbWl0ZWQtZGVwdGgwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowHzEdMBsGA1UEAwwUZWUtaW50LWxpbWl0ZWQt
+ZGVwdGgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3
+DQEBCwUAA4IBAQBGRRnLNAucxyYbATTURGI3VH4aOQS5QfZI6X2Alga7U4odlAsN
+l2wZzETWkgLh5PomEW85l4QGw7nt9AGqu+bVS1e7V4DTLdrNFPpMdjcxfBi36tUl
+pZbvzW09pFO9klTUovL3i1i4KtY59wohPHsC1Px46sr1U1kMZbYxcGQnGtE3cerl
+Pbfx1XuLInk1shMU/XnFn5gwtZLkPdRWcHJAjdPpH4DEyMxyiU7Xkq7j/5PmZp3R
+eWFEh8B6Ww77kR9PgFXw9i3evQSwG3HKWiLvkpcfffHc73FQJC8Thhx7DrQqFyGp
+RzG07oNPjprOIwm6GTWNcQ6bDvOksajKhONU
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem.certspec
new file mode 100644
index 0000000000..df85342d98
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-limited-depth
+subject:ee-int-limited-depth
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem
new file mode 100644
index 0000000000..ee57cb363b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAc+gAwIBAgIUO9f0kr95LgU+xDs1PzAfLOKqnBMwDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRaW50LW5vLWV4dGVuc2lvbnMwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowHzEdMBsGA1UEAwwUZWUtaW50LW5vLWV4dGVu
+c2lvbnMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3
+DQEBCwUAA4IBAQBBAowOTcEZ1VVW0v7xgIo1hga8cgsgRZHVfvh5n9AuEQ0D+l7e
+tZ/oJFNOloyXu1hfTMCNbSE16trQWAE6b6g+3VsvJvwjYdWFJP6t5JgB3M6IvK+W
+nETRBUw5rkcLASwJfNKWZoYvbblgm9q5AbqxcWUQD35vOunNSr+5qp8RwLzFP/Sl
+8SkRS/vwNZALOZ0y6+OLuvw09m+rtrn+PRfxNLnOA0os7M8AlbEJXZoUkmlf2BlP
+AhkHu3v2ujS11eirT7bQCMU2hB0qHr8W8e/PdsBvnjppv/F4/FPdcbH463q4DFV1
+rzUvWbWHFIt4AqdMZFibyQcSVwddPf5dcZzK
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem.certspec
new file mode 100644
index 0000000000..c5279046d8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-no-extensions
+subject:ee-int-no-extensions
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem
new file mode 100644
index 0000000000..e356ecf72e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIUX5IwL/hJqOZ0Iyh2OWGyGSoA0kcwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQaW50LW5vLWt1LW5vLWVrdTAiGA8yMDIxMTEyNzAwMDAw
+MFoYDzIwMjQwMjA1MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1pbnQtbm8ta3Utbm8t
+ZWt1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62
+iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql
+WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq
+Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+
+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i
+b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY
+CjXtjQIDAQABoxowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwID+DANBgkqhkiG9w0B
+AQsFAAOCAQEAONTwF02LG0ZbucYtE7aGaaOP7nG6jZPiT8VPI19y77GVEFNwt+zW
+FtDq/80SIJj1mIzJ4E9oTNUi2v5VxG5m9Slc2VAf2iZfGHdNUBO4gfYKm9waYjqd
+cd7vYA7hEm+K+rMdhgc4TVf4c+I1tK8JtifycRMTZSYSaBeNb7SruB7ZAb+1QhvI
+e8fMYSrZSKpHbE85CfOMHXF/sKJeojouBCdPpYzQRrQ9rbGyQTDZoEqBqdcbuAZo
+m7gCtobppcjq3bBgxrdnPeTU0DMnhS/t5WLzEG28mTcwndIK9OVkZOrxgNTN5Jg8
+qTIRfVlgTurQm6S8BL+c/ncONJObKPwevQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem.certspec
new file mode 100644
index 0000000000..92ee3cc6d6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-no-ku-no-eku
+subject:ee-int-no-ku-no-eku
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem
new file mode 100644
index 0000000000..e5a5e0bea8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7TCCAdWgAwIBAgIUX22fNLvnip6KC7WCdXKFxQXZqUYwDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUaW50LW5vLWt1LXNlcnZlci1la3UwIhgPMjAyMTExMjcw
+MDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowIjEgMB4GA1UEAwwXZWUtaW50LW5vLWt1
+LXNlcnZlci1la3UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0G
+CSqGSIb3DQEBCwUAA4IBAQBVZ/G/hh1al04zc3kxvCf9GF2KPR98ugcRGqqonXZP
+ix5eHf6w8AgEbucuFqQ7Gd8DbrEeKkL5v7RoQxQuJvL/455BYdFSBN8nx94tRWyy
+8taFHiSrjqt/7wF4kGoTlXuoEWvsowAsI65CgvRe8C/kPa3AYfS5ZsoQDbX39pJo
+adrz5HeSaM7pPrVtxjjd4+0gxH1lwtDJqpPTqR8lpmcVLYxrUFWVmZjRL1nJ30e+
+U5M3vXWORDRPa9Vk6bzJXqwgr6hqXwr76w9ZO5H5RpLL1RNP/DGTt3Jp1yo035BJ
+KPJzAUi7eu6vb/9FCJ69ltUIBdxFYaSYFyF6ZrmmkHm3
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem.certspec
new file mode 100644
index 0000000000..c148896710
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-no-ku-server-eku
+subject:ee-int-no-ku-server-eku
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem
new file mode 100644
index 0000000000..ddb6b4810f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3TCCAcWgAwIBAgIUNx7IjEtdkB/tsL/CqgWRGxCMkSswDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMaW50LW5vdC1hLWNhMCIYDzIwMjExMTI3MDAwMDAwWhgP
+MjAyNDAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD2VlLWludC1ub3QtYS1jYTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCA/gwDQYJKoZIhvcNAQELBQADggEB
+ACLu/f0o3T4sd35U49UKAJiKzzaJMLJJa/OUnxrja5p441nI7SAcr+uLKnQokaj6
+FATB/INGwYpGMg+WPrKp0FAFNFHFrsmcE6ADHdZ5nie2NRPCDSNG98X3uQeAK+La
+90DqyYZoDj6C43KpML/oNxH4MBGS2bLL/zGVjoZBs20Fw8HlbjCmCBfa57gAmUC3
+588bjavhoOEqOIQQ5UXwgLQN03yhz/KAnTpB7/ctv9nzv3RdG5Eh7M8zr+VRoqkh
+M8zMqJDY+lLQ/uNyq7GKfzxnpcEpYdH4mTcnDEKZfeocyl6WSk0dR94Iwpu8iXur
+jRzyrsJEB+h+OipLAuSGHTg=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem.certspec
new file mode 100644
index 0000000000..a95b0dc260
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-not-a-ca
+subject:ee-int-not-a-ca
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem
new file mode 100644
index 0000000000..907671c3e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6zCCAdOgAwIBAgIUVanRJenZNEF+cjecPKqHsbneTa0wDQYJKoZIhvcNAQEL
+BQAwHjEcMBoGA1UEAwwTaW50LXZhbGlkLWt1LW5vLWVrdTAiGA8yMDIxMTEyNzAw
+MDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAhMR8wHQYDVQQDDBZlZS1pbnQtdmFsaWQt
+a3Utbm8tZWt1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABoxowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwID+DANBgkq
+hkiG9w0BAQsFAAOCAQEAI1rwnetC4tEnvUYabxo0oNmtHi57Blddig3bLWKjTZB5
+jyWidVZqlhcQsKs1Vy2V/SkgFrERsCr3MejyY9FIS1ugqFp/bdq1I6W3BuRYjYKR
+/EkuUMQXVZr+rijX0JDegh0Yo8gf+RTFzI80/NzBnO2OTCSE++lAvRf6DsjFKU4W
+kLSP5tF4ZBdnuBJt+mlrk6SSDVppG2eMCPjJB2Lejkrvx6jJpIWHSzcWhsDC3jNU
+YxtdZtUxyZlO82/EVJnFrinZSiPrA3X6MqinXX2Glyu1BEG05YUgEbDfUpczNgH1
+HWPojXE3OtirTtvFmCtQ0z0H/iDS2vWqGFI9WSez4w==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem.certspec
new file mode 100644
index 0000000000..89a66b9f97
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-valid-ku-no-eku
+subject:ee-int-valid-ku-no-eku
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem
new file mode 100644
index 0000000000..ef07acc2d0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAdugAwIBAgIUOSSwDry8R9Mp7YyOQ8GFPgOKxW4wDQYJKoZIhvcNAQEL
+BQAwIjEgMB4GA1UEAwwXaW50LXZhbGlkLWt1LXNlcnZlci1la3UwIhgPMjAyMTEx
+MjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowJTEjMCEGA1UEAwwaZWUtaW50LXZh
+bGlkLWt1LXNlcnZlci1la3UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a
+hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t
+FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o
+N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d
+JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4
+s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgP4MA0GCSqGSIb3DQEBCwUAA4IBAQC5mUBhwkAJq11r0NRLh32+A+p26fJz1lBT
+Fdct7k75tTY0dE7qTUC4XOWj2Ry63cE/LnNFeNRWrZV3sqmxLPbHLHVZZ3P7a31S
+HAch7qxgtysmDYSMcirMa2SwmL8DEN138HXB2PH0T2B4OYmgYX0p0H4/bOPIjPRt
+HNsDWzz3hg57jf4sR2UC4jV53w5uXmByaJLWVXlzsBsnZcVLnSp+4zmp68aUNsTx
+mNMYTseMNYbtmNhNQlWwsvhBUvIog8zLdF6wYApdHjlyrV0NUVgEv8eDU+Xo73mt
+5sPh9vRb26+B/CdyANACF5nMdse04Incym1yLFqHro0kcRnsnWF0
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem.certspec
new file mode 100644
index 0000000000..43e83a336e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-valid-ku-server-eku
+subject:ee-int-valid-ku-server-eku
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem
new file mode 100644
index 0000000000..d7cd3b7eb0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC2DCCAcCgAwIBAgIUBdrcACRCSGk1ypWIXk360U1xp6UwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowHDEaMBgGA1UEAwwRaW50LWJhZC1rdS1uby1la3UwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwG
+A1UdEwQFMAMBAf8wCwYDVR0PBAQDAgH6MA0GCSqGSIb3DQEBCwUAA4IBAQCEXus9
+J5tHBLGUt55OM7ms2OxUerMkz8DdgsDO/fzQi++6h4rIxktmYU/wL5XAtQKurf14
+boo+h9Kspx6GBHvhGAsTrFFAjtoDbi5jpXG4+8RagnJfe5gTL4Fipd9Rqxhrw5xu
+lBltX0iCw6JkXBIb5r9EOyztJ9U8D5tQfbC/oqiNqMcJBaXlNayffh8d8jeLm79J
+iEPIzRUMz25YGfPSBNHs5IyyNjCWGTtFDEXfDq82WAJMu4SYPiylgjQ4SQNaIKWX
+sfrPjS7IZsTv0quMTzvNiCVz3JUR5I/IbgzMlLOGaZ3vVSYSI2w+NoWbUffXn+m1
+bZYy1Mh1ehAukwkQ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem.certspec
new file mode 100644
index 0000000000..f6525449b4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-bad-ku-no-eku
+extension:basicConstraints:cA,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem
new file mode 100644
index 0000000000..6710e14319
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+zCCAeOgAwIBAgIUT+4cv6NAFN70fnPV/T4jEnMVDLYwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowIDEeMBwGA1UEAwwVaW50LWJhZC1rdS1zZXJ2ZXItZWt1MIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK
+tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N
+Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr
+sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs
+l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl
+nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozww
+OjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB+jAdBgNVHSUEFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAB5ipw/UJs2yK/v6oQHpMkoD
+Q7uoZkgNnOO5Sr5tZoc9OxKSkMluYVOFWFGDTfM24ENSqAT73OmaRbKITV1nR59g
+W3oc/6bHPD4smjOQTK6ShVNBz3l4vSOvW2i/reui/v/vrKf9nZmwaV2JBJVkJBtu
+IJ2VOPSlkA+22X4YaLi74VjgLNlkROjEB28GV0Xsd42h3zFfAmDtWAI1xNUMMKQS
+wRm139Zy8d1UiZ6LchdUC0Ekktolen8eYRvaSlpOigJFBLjiaphJcfATKomyfvc3
+IpktKPHjS8d1MlQEumH8Wn15wfG2QzA5Eri8IXGX25dm9+OTNBLpdzCgn/0wT5k=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem.certspec
new file mode 100644
index 0000000000..2d324508d4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-bad-ku-server-eku
+extension:basicConstraints:cA,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:serverAuth,clientAuth
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem
new file mode 100644
index 0000000000..7b677573a7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5DCCAcygAwIBAgIUHUteHerAK5l63j3cnwe85sn7MHIwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowKzEpMCcGA1UEAwwgaW50LWNBLUZBTFNFLWFzc2VydHMta2V5Q2VydFNp
+Z24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI
+BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa
+p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB
+7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C
+kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv
+aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK
+Ne2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgH+MA0GCSqGSIb3DQEB
+CwUAA4IBAQAp6oogLBAKI9JqnYGFFMTLRZ/v08fWlx8WXyrEMse10gpPluVYw9+Z
+U0LpbLbiiUwrsF1Tt7OMNVRsjCQAnWfXKKvG+ekkUslrLHz0heWlHG0QU9VUqI6q
+oumlE84qeEOrNFjyOscBnw/mqyAsCKyhNPNQIcqfotpDJnnZoPe8BTvn91vckaz6
+YtysMgQO58kNJN/ACFjjbg2cvSxB4qXkP1nDTZbtRVvVi7iqKLxKaJJI/orAvX4s
+wjkW8XzD9oJBy8xV4Za28xHf/Y5flIT7uIn+0idyqCmQ9YMF29ymj7oTZPnVHVXx
++qr0nbnmjj0mLGAfOgsAdUojRpWJchjX
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..39785d8a48
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-cA-FALSE-asserts-keyCertSign
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem
new file mode 100644
index 0000000000..f6c42b54ff
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4jCCAcqgAwIBAgIUf4VnRPe9twPlf+DNyCIgMod7xZ0wDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRaW50LWxpbWl0ZWQtZGVwdGgwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowJDEiMCAGA1UEAwwZaW50LWxpbWl0ZWQtZGVw
+dGgtaW52YWxpZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF
+AAOCAQEAtE9Ejr5Lh+bKpA8ymVLC5uefOx2qgjNPNCICA2ohGuubKIWjiwYa9gpf
+a02v15qTnnlgnldbOiKaoL8jK2GofpAaOWGtnQrjvMtjLz2OoSBaXTXybrOJhdlN
+Vzk5dXsiIWmDGzsmM5H7i/TYm1MfbQK9n+ZBJ6wLq61WoMAKECQCoR+YJaWXyx3z
+AUXRyN/IRWMIE6kCihZpU4/Cr8k+iLHDZ4ZTGUXmyJTzFSHkVLlgiHVeVfAmHPYy
+3Vqjda16ObX7+xA4avruSKnwdpn8+1faHsPFDZri0x7uytM0UNTRIH5tyPWq5pee
+odI/mhuYAlXOlJ0FEsfdSKA4z5A2lg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem.certspec
new file mode 100644
index 0000000000..9fdb2a248a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-limited-depth
+subject:int-limited-depth-invalid
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem
new file mode 100644
index 0000000000..db6ac489a4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAgIUE/WlBd0Of+fhvk5dxXZtLiWD4bYwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowHDEaMBgGA1UEAwwRaW50LWxpbWl0ZWQtZGVwdGgwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEzARMA8G
+A1UdEwQIMAYBAf8CAQAwDQYJKoZIhvcNAQELBQADggEBADwCYAuFWn/72BC3mor7
+YWcirS4nWpVyGfixmVv6E53EBfXn02Ed9yxuEPIN68cXgIlIfKyUk9gEuiTZZEuI
+oFLOnC5vc1UnWGReX7CpzLMGP6FyYvsnP0AXpQ4BjQ42vkuQh8rgSAUAnmDZf0at
+eJEyu/uqJFheWpLJqwYAfyMSyxf3nEz3itLbbTm+apj7wFyddWDoxoHJi6UX2CuJ
+bevVoBHUiKaqRN8tsE0Ffaz1CvAJcSDn2XhAXGPCo0rT5GES///umEa32fvxNhOZ
+Ia2JyjIfzGG9n57mraimiyGep0CiigwEX393G/Im2q2h86mvIedRPCl6zSi9f3td
+FYE=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem.certspec
new file mode 100644
index 0000000000..64f54b0441
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:int-limited-depth
+extension:basicConstraints:cA,0
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem
new file mode 100644
index 0000000000..b283219ac2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuTCCAaGgAwIBAgIUcaLqCVjHQF9LBa2AxD4jgbGxJrgwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowHDEaMBgGA1UEAwwRaW50LW5vLWV4dGVuc2lvbnMwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZI
+hvcNAQELBQADggEBAKO52Cuun7/lbVm57hiFGhkFAITYz3tnIPfI5LHk0iax1K+x
+w/X3AoElGtU+/7wgUYzecNmLAs5MsHfxuzdjJ1NccZL/+X7Pfqqzgc0qhK/2l3ou
+NOutsawlnqEw0HWL2th71IcCZvD7SxeL635BzHvJckbpvmMLv6IU/4YgHwmvRTOA
+wYrzmBabL7kexVIss28bPX3Lg1uNWmqan+ZxBMXrN97eUUMm/rVetJlTJi1yPtie
+htsx4T8nVzeXyc8krQJ3r7xYAnCbEIH4Gr1DQ74HMy1wEqGxYOK9qso7Tm0mfwbs
+VRuE0QPnaqe19GC95YXYXen95ISOISnkV/iMp/o=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem.certspec
new file mode 100644
index 0000000000..c99626bd5a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca
+subject:int-no-extensions
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem
new file mode 100644
index 0000000000..8045f66c50
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyjCCAbKgAwIBAgIUXVploRsp/hZMzGClfcQ4dRVNaOwwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowGzEZMBcGA1UEAwwQaW50LW5vLWt1LW5vLWVrdTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMQMA4wDAYD
+VR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAhzPm8mP8EoZmB2TLj1oRwtwg
+aah2AD+zb+2Y/whKrs5y5YNriOajAt7zxXPIxlNe2T++ZRUiwPlmJZyDhKaTxjfE
+rWXgtm4fru3Pc972k8UxYkZdqOj5tnsFHJ7C/O9kwvkPUTvIcIJxVvtTLIypAaLs
+DRq/CTvtGZ2XUUqSsvzrMcl1npaq2JjhAOURBo4QftJlTcAfm5tNZc4Mu9B9QnZA
+7PyK4Ewv8CB66ZT6nRCnz7Bz2dhODqaVi7a92Gww1yCZTuTr7LkQY12V0bqyEBTc
+3uAgInlxZ3sCTCI2NlFrqWalF+v3bdZIYIzooSAYOVHcN7zVYXIUbte2Z3MHYQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem.certspec
new file mode 100644
index 0000000000..306a218db9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:int-no-ku-no-eku
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem
new file mode 100644
index 0000000000..dc4271d321
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7TCCAdWgAwIBAgIUVdlklAPEUQebV/LWoHRUcE1itMAwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowHzEdMBsGA1UEAwwUaW50LW5vLWt1LXNlcnZlci1la3UwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjLzAt
+MAwGA1UdEwQFMAMBAf8wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0G
+CSqGSIb3DQEBCwUAA4IBAQBo59TtYXo38fhbrYRtxnjeZeWUe6DFTlEf4zNHUFXz
+dsHmslSp938LiAR0fTRB0PbWWquZz70vGbhRC8hl5lJgf+/R6yGAjLxBpcRlQu2t
+MRvQjS7YDVGYafD5Mt7mUqkzw/Hb1fWAgOfUfSulv9c7gu7WUpSiuFlaHE8lOPR2
+aedPEcq1kza2Fc8xY3OidpJHtZq2jInQSnunu2hOkCRPXIvMvvbTio576QcfTPv4
+b/FNY7IqTC+DEh1VCkb5P9XFtHNGvZ2uYDuL3w1ekZFBL7Aq8hB+6UEb7WCIO6A/
+7vW9Ts+On4nZI11JCk3vRtn9dZYmJoJrJtHSzFaEkyVZ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem.certspec
new file mode 100644
index 0000000000..1482b627c7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-no-ku-server-eku
+extension:basicConstraints:cA,
+extension:extKeyUsage:serverAuth,clientAuth
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem
new file mode 100644
index 0000000000..e6efeaa28a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwzCCAaugAwIBAgIUWa2mJPi/2cEfrq8RFVw70uO0JJ4wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFzEVMBMGA1UEAwwMaW50LW5vdC1hLWNhMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNVHRME
+AjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBuRuMaGSuSHD9Vuvm4Ln4QkXaqWtiUSfvO
+d4LHv8NzZ8QTVaWZH5Q91yC/0EV82TmGP+YqCJ9e/ILqYCnNdUHfZ1+z1Jd/pwkL
+Ir0uLdCePRee9CPBHPuz6hzHsgyQavYWsrAujBgetYC5De1tFPTl0YgFKtrhxLM6
+H6425T9eFvhZ+B5Jz9/iUB0NjbgpaG0qq32tUUZP/aJkosWqmweq1h9HcDXEamxs
+y4azUVMtW2t6Hbtmn8lAFHz6iCzrbjVqXY/ZqHtrtnGFvcM044/VqjgU9jMlookh
+cSyWqk62xQcpMSuZy955OTEpMnlXXkW4tjUxztAahlJhZP+tal5y
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem.certspec
new file mode 100644
index 0000000000..3161680b1c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:int-not-a-ca
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem
new file mode 100644
index 0000000000..fdfcbd8ccb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC2jCCAcKgAwIBAgIUBQhZeXfh8VRjz67JI9aGUjCi9/swDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowHjEcMBoGA1UEAwwTaW50LXZhbGlkLWt1LW5vLWVrdTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs
+9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8
+HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak
+kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet
+lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r
+kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBsw
+DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQELBQADggEBAEUa
+bjiSJtmAjz24jMQzwT9FDIKfYpuPjyff4TGhHh1+mKz4AtELFZE3IfS+TXaTwWHq
+Rmi5SmFusKP8MK85CRKkX47SB3kdvXe4JVXp2QmQ0LwCyLP50sdpzn+gs32lHJHm
+BXqe/fAfqvyAzjBwmkT6uPW6DFKcbrilBeQfX/D2B8LZ/8b74sWiGeBakocUzfNa
+El3nyhWuAsw5nNImZYWW4/pOJecT23WTda3EJ1+J9CEDlW/F6VBdk+9Eckis33rW
+BzoAc+gPS5eisilZsnDxEIVdpWif4IAON6Fh2bhHlrsMKR+gLqJ5g8NQrWkFO/0D
+veptxxVD08aLSmFiIBk=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem.certspec
new file mode 100644
index 0000000000..d7f9b0387a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-valid-ku-no-eku
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem
new file mode 100644
index 0000000000..db3a11431e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/TCCAeWgAwIBAgIUM0xZKEt3/nPLSqS+U75xn0zoKhwwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowIjEgMB4GA1UEAwwXaW50LXZhbGlkLWt1LXNlcnZlci1la3UwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
+PDA6MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgIEMB0GA1UdJQQWMBQGCCsGAQUF
+BwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAMLbdKU+1y7AV2h9hiMZw
+vCxzBNcPr11o83mCP4eBrO9NQ+TZ/IDLWqWmfog80CA+VrKoEApsVce+1T/PZQ/S
+nNYxawlBDkHD2lcKn929H2G53xhD+U6j69ZesfPiE83sR48fuzOUdpEDpQdR8yol
+9UAVckFK00/6RQwF2YiyyHZDj37ft4mxkV2Y2l0oowgIRm1C5ZUU7BQUxTGbg6K8
+3Is575EyHAfMmeSMDTjWUDn0vT4saa77oG9tbwIhoauku2gwiX+ZIX0hvmaLyzed
+R12GeOm2qgDKi99S4CTibgo4puF+AgiQYmeNwtHha+5XmGKCf6k8IIF5FQy9QNmj
+sg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem.certspec
new file mode 100644
index 0000000000..84314bfa40
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-valid-ku-server-eku
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign
+extension:extKeyUsage:serverAuth,clientAuth
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads.js b/security/manager/ssl/tests/unit/test_intermediate_preloads.js
new file mode 100644
index 0000000000..6d4cf205e4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads.js
@@ -0,0 +1,528 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+const { RemoteSecuritySettings } = ChromeUtils.import(
+ "resource://gre/modules/psm/RemoteSecuritySettings.jsm"
+);
+const { TestUtils } = ChromeUtils.importESModule(
+ "resource://testing-common/TestUtils.sys.mjs"
+);
+const { IntermediatePreloadsClient } = RemoteSecuritySettings.init();
+
+let server;
+
+const INTERMEDIATES_DL_PER_POLL_PREF =
+ "security.remote_settings.intermediates.downloads_per_poll";
+const INTERMEDIATES_ENABLED_PREF =
+ "security.remote_settings.intermediates.enabled";
+
+function getHashCommon(aStr, useBase64) {
+ let hasher = Cc["@mozilla.org/security/hash;1"].createInstance(
+ Ci.nsICryptoHash
+ );
+ hasher.init(Ci.nsICryptoHash.SHA256);
+ let stringStream = Cc["@mozilla.org/io/string-input-stream;1"].createInstance(
+ Ci.nsIStringInputStream
+ );
+ stringStream.data = aStr;
+ hasher.updateFromStream(stringStream, -1);
+
+ return hasher.finish(useBase64);
+}
+
+// Get a hexified SHA-256 hash of the given string.
+function getHash(aStr) {
+ return hexify(getHashCommon(aStr, false));
+}
+
+function getSubjectBytes(certDERString) {
+ let bytes = stringToArray(certDERString);
+ let cert = new X509.Certificate();
+ cert.parse(bytes);
+ return arrayToString(cert.tbsCertificate.subject._der._bytes);
+}
+
+function getSPKIBytes(certDERString) {
+ let bytes = stringToArray(certDERString);
+ let cert = new X509.Certificate();
+ cert.parse(bytes);
+ return arrayToString(cert.tbsCertificate.subjectPublicKeyInfo._der._bytes);
+}
+
+/**
+ * Simulate a Remote Settings synchronization by filling up the
+ * local data with fake records.
+ *
+ * @param {*} filenames List of pem files for which we will create
+ * records.
+ * @param {*} options Options for records to generate.
+ */
+async function syncAndDownload(filenames, options = {}) {
+ const {
+ hashFunc = getHash,
+ lengthFunc = arr => arr.length,
+ clear = true,
+ } = options;
+
+ const localDB = await IntermediatePreloadsClient.client.db;
+ if (clear) {
+ await localDB.clear();
+ }
+
+ let count = 1;
+ for (const filename of filenames) {
+ const file = do_get_file(`test_intermediate_preloads/${filename}`);
+ const certBytes = readFile(file);
+ const certDERBytes = atob(pemToBase64(certBytes));
+
+ const record = {
+ details: {
+ who: "",
+ why: "",
+ name: "",
+ created: "",
+ },
+ derHash: getHashCommon(certDERBytes, true),
+ subject: "",
+ subjectDN: btoa(getSubjectBytes(certDERBytes)),
+ attachment: {
+ hash: hashFunc(certBytes),
+ size: lengthFunc(certBytes),
+ filename: `intermediate certificate #${count}.pem`,
+ location: `security-state-workspace/intermediates/${filename}`,
+ mimetype: "application/x-pem-file",
+ },
+ whitelist: false,
+ pubKeyHash: getHashCommon(getSPKIBytes(certDERBytes), true),
+ crlite_enrolled: true,
+ };
+
+ await localDB.create(record);
+ count++;
+ }
+ // This promise will wait for the end of downloading.
+ const updatedPromise = TestUtils.topicObserved(
+ "remote-security-settings:intermediates-updated"
+ );
+ // Simulate polling for changes, trigger the download of attachments.
+ Services.obs.notifyObservers(null, "remote-settings:changes-poll-end");
+ const results = await updatedPromise;
+ return results[1]; // topicObserved gives back a 2-array
+}
+
+/**
+ * Return the list of records whose attachment was downloaded.
+ */
+async function locallyDownloaded() {
+ return IntermediatePreloadsClient.client.get({
+ filters: { cert_import_complete: true },
+ syncIfEmpty: false,
+ });
+}
+
+add_task(async function test_preload_empty() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ // load the first root and end entity, ignore the initial intermediate
+ addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,");
+
+ let ee_cert = constructCertFromFile(
+ "test_intermediate_preloads/default-ee.pem"
+ );
+ notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+ equal(
+ await syncAndDownload([]),
+ "success",
+ "Preloading update should have run"
+ );
+
+ equal(
+ (await locallyDownloaded()).length,
+ 0,
+ "There should have been no downloads"
+ );
+
+ // check that ee cert 1 is unknown
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer
+ );
+});
+
+add_task(async function test_preload_disabled() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, false);
+
+ equal(
+ await syncAndDownload(["int.pem"]),
+ "disabled",
+ "Preloading update should not have run"
+ );
+
+ equal(
+ (await locallyDownloaded()).length,
+ 0,
+ "There should have been no downloads"
+ );
+});
+
+add_task(async function test_preload_invalid_hash() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+ const invalidHash =
+ "6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d";
+
+ const result = await syncAndDownload(["int.pem"], {
+ hashFunc: () => invalidHash,
+ });
+ equal(result, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 0,
+ "There should be no local entry"
+ );
+
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ // load the first root and end entity, ignore the initial intermediate
+ addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,");
+
+ let ee_cert = constructCertFromFile(
+ "test_intermediate_preloads/default-ee.pem"
+ );
+ notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+ // We should still have a missing intermediate.
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer
+ );
+});
+
+add_task(async function test_preload_invalid_length() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+
+ const result = await syncAndDownload(["int.pem"], {
+ lengthFunc: () => 42,
+ });
+ equal(result, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 0,
+ "There should be no local entry"
+ );
+
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ // load the first root and end entity, ignore the initial intermediate
+ addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,");
+
+ let ee_cert = constructCertFromFile(
+ "test_intermediate_preloads/default-ee.pem"
+ );
+ notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+ // We should still have a missing intermediate.
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer
+ );
+});
+
+add_task(async function test_preload_basic() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+ Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100);
+
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ // load the first root and end entity, ignore the initial intermediate
+ addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,");
+
+ let ee_cert = constructCertFromFile(
+ "test_intermediate_preloads/default-ee.pem"
+ );
+ notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+ // load the second end entity, ignore both intermediate and root
+ let ee_cert_2 = constructCertFromFile("test_intermediate_preloads/ee2.pem");
+ notEqual(ee_cert_2, null, "EE cert 2 should have successfully loaded");
+
+ // check that the missing intermediate causes an unknown issuer error, as
+ // expected, in both cases
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer
+ );
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert_2,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer
+ );
+
+ let intermediateBytes = readFile(
+ do_get_file("test_intermediate_preloads/int.pem")
+ );
+ let intermediateDERBytes = atob(pemToBase64(intermediateBytes));
+ let intermediateCert = new X509.Certificate();
+ intermediateCert.parse(stringToArray(intermediateDERBytes));
+
+ const result = await syncAndDownload(["int.pem", "int2.pem"]);
+ equal(result, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 2,
+ "There should have been 2 downloads"
+ );
+
+ // check that ee cert 1 verifies now the update has happened and there is
+ // an intermediate
+
+ // First verify by connecting to a server that uses that end-entity
+ // certificate but doesn't send the intermediate.
+ await asyncStartTLSTestServer(
+ "BadCertAndPinningServer",
+ "test_intermediate_preloads"
+ );
+ // This ensures the test server doesn't include the intermediate in the
+ // handshake.
+ let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ certDir.append("test_intermediate_preloads");
+ Assert.ok(certDir.exists(), "test_intermediate_preloads should exist");
+ let args = ["-D", "-n", "int"];
+ // If the certdb is cached from a previous run, the intermediate will have
+ // already been deleted, so this may "fail".
+ run_certutil_on_directory(certDir.path, args, false);
+ let certsCachedPromise = TestUtils.topicObserved(
+ "psm:intermediate-certs-cached"
+ );
+ await asyncConnectTo("ee.example.com", PRErrorCodeSuccess);
+ let subjectAndData = await certsCachedPromise;
+ Assert.equal(subjectAndData.length, 2, "expecting [subject, data]");
+ // Since the intermediate is preloaded, we don't save it to the profile's
+ // certdb.
+ Assert.equal(subjectAndData[1], "0", `expecting "0" certs imported`);
+
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+
+ let localDB = await IntermediatePreloadsClient.client.db;
+ let data = await localDB.list();
+ ok(!!data.length, "should have some entries");
+ // simulate a sync (syncAndDownload doesn't actually... sync.)
+ await IntermediatePreloadsClient.client.emit("sync", {
+ data: {
+ current: data,
+ created: data,
+ deleted: [],
+ updated: [],
+ },
+ });
+
+ // check that ee cert 2 does not verify - since we don't know the issuer of
+ // this certificate
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert_2,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer
+ );
+});
+
+add_task(async function test_preload_200() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+ Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100);
+
+ const files = [];
+ for (let i = 0; i < 200; i++) {
+ files.push(["int.pem", "int2.pem"][i % 2]);
+ }
+
+ let result = await syncAndDownload(files);
+ equal(result, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 100,
+ "There should have been only 100 downloaded"
+ );
+
+ // Re-run
+ result = await syncAndDownload([], { clear: false });
+ equal(result, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 200,
+ "There should have been 200 downloaded"
+ );
+});
+
+add_task(async function test_delete() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+ Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100);
+
+ let syncResult = await syncAndDownload(["int.pem", "int2.pem"]);
+ equal(syncResult, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 2,
+ "There should have been 2 downloads"
+ );
+
+ let localDB = await IntermediatePreloadsClient.client.db;
+ let data = await localDB.list();
+ ok(!!data.length, "should have some entries");
+ let subject = data[0].subjectDN;
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+ let resultsBefore = certStorage.findCertsBySubject(
+ stringToArray(atob(subject))
+ );
+ equal(
+ resultsBefore.length,
+ 1,
+ "should find the intermediate in cert storage before"
+ );
+ // simulate a sync where we deleted the entry
+ await IntermediatePreloadsClient.client.emit("sync", {
+ data: {
+ current: [],
+ created: [],
+ deleted: [data[0]],
+ updated: [],
+ },
+ });
+ let resultsAfter = certStorage.findCertsBySubject(
+ stringToArray(atob(subject))
+ );
+ equal(
+ resultsAfter.length,
+ 0,
+ "shouldn't find intermediate in cert storage now"
+ );
+});
+
+function findCertByCommonName(certDB, commonName) {
+ for (let cert of certDB.getCerts()) {
+ if (cert.commonName == commonName) {
+ return cert;
+ }
+ }
+ return null;
+}
+
+add_task(async function test_healer() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+ Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100);
+
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ // Add an intermediate as if it had previously been cached.
+ addCertFromFile(certDB, "test_intermediate_preloads/int.pem", ",,");
+ // Add an intermediate with non-default trust settings as if it had been added by the user.
+ addCertFromFile(certDB, "test_intermediate_preloads/int2.pem", "CTu,,");
+
+ let syncResult = await syncAndDownload(["int.pem", "int2.pem"]);
+ equal(syncResult, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 2,
+ "There should have been 2 downloads"
+ );
+
+ let healerRanPromise = TestUtils.topicObserved(
+ "psm:intermediate-preloading-healer-ran"
+ );
+ Services.prefs.setIntPref(
+ "security.intermediate_preloading_healer.timer_interval_ms",
+ 500
+ );
+ Services.prefs.setBoolPref(
+ "security.intermediate_preloading_healer.enabled",
+ true
+ );
+ await healerRanPromise;
+ Services.prefs.setBoolPref(
+ "security.intermediate_preloading_healer.enabled",
+ false
+ );
+
+ let intermediate = findCertByCommonName(
+ certDB,
+ "intermediate-preloading-intermediate"
+ );
+ equal(intermediate, null, "should not find intermediate in NSS");
+ let intermediate2 = findCertByCommonName(
+ certDB,
+ "intermediate-preloading-intermediate2"
+ );
+ notEqual(intermediate2, null, "should find second intermediate in NSS");
+});
+
+function run_test() {
+ server = new HttpServer();
+ server.start(-1);
+ registerCleanupFunction(() => server.stop(() => {}));
+
+ server.registerDirectory(
+ "/cdn/security-state-workspace/intermediates/",
+ do_get_file("test_intermediate_preloads")
+ );
+
+ server.registerPathHandler("/v1/", (request, response) => {
+ response.write(
+ JSON.stringify({
+ capabilities: {
+ attachments: {
+ base_url: `http://localhost:${server.identity.primaryPort}/cdn/`,
+ },
+ },
+ })
+ );
+ response.setHeader("Content-Type", "application/json; charset=UTF-8");
+ response.setStatusLine(null, 200, "OK");
+ });
+
+ Services.prefs.setCharPref(
+ "services.settings.server",
+ `http://localhost:${server.identity.primaryPort}/v1`
+ );
+
+ Services.prefs.setCharPref("browser.policies.loglevel", "debug");
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem
new file mode 100644
index 0000000000..680b068f34
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+TCCAeGgAwIBAgIUN/Y56TvJcL2liqk2Feh/QfKrlLwwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctY2EwIhgPMjAx
+MDAxMDEwMDAwMDBaGA8yMDUwMDEwMTAwMDAwMFowJTEjMCEGA1UEAwwaaW50ZXJt
+ZWRpYXRlLXByZWxvYWRpbmctY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
+VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBSPwr2BfSHT3saxwx6YGEautZx
+w/sdM9AJAubFLqDd3MYHtzCZcQXaeDGbAzvo8m/PKA4Yt+UYbKyDnRR8sLA4f/iu
+z1zHeenlzBWpRVHu/++ZSk/ESwn0zLprIsOcXjaYkbfrqcEGNWvLJzpT4T36Gr9t
+DvxHnpsaMsJviZS3WHzTSoioWkcRyF78bYa51ZJWYJHFKZQppqhJ+jcoJhiomRlc
+WwhI8NAU3dOOFJuEg/z+vQpcEQi0rRW9J6X/15BUZRQlF5Hs2wilGa8ViNX2+B5I
+kjbmNrdT5hcnGEfR7JpHFuihFdxQc4CFY87u1chI8yaHLhhriUP6Jq0+J5ur
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem.certspec
new file mode 100644
index 0000000000..4ccabc25b3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:intermediate-preloading-ca
+subject:intermediate-preloading-ca
+validity:20100101-20500101
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem
new file mode 100644
index 0000000000..4a69166215
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDDCCAfSgAwIBAgIUcx7CbjSZKlPaTqjk1pXt0w+fswUwDQYJKoZIhvcNAQEL
+BQAwLzEtMCsGA1UEAwwkaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctaW50ZXJtZWRp
+YXRlMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMBkxFzAVBgNV
+BAMMDmVlLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu
+Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO
+7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf
+qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt
+HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx
+uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozIwMDATBgNVHSUEDDAKBggrBgEFBQcD
+ATAZBgNVHREEEjAQgg5lZS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
+gNr8S/J6CJLQu56YUxksBCLxvcrJw82G9X7rdZ0sXZ4CCHTQjQZbnuc+rJTuGPJX
+36f0m3EPkNa1UepfTtZWe364ATju/F2TUg0XWEm634NI4F8Hy7jXBsYaTVN6yBoK
+cvRSdvko3BbcKXMQfq5zbdRvs1VtSC9cPPyrZYdQxpMar4+JhN1sPx7C3g0hn84C
+VnVpgZlrh+CnSwUiq7I3Q44el2j453GEbKCbXDMxooSq+gD3rMTPsOCsk4GmeH3R
+ILMtaJ/zFd6C7lSkGQPSLNarTqcIudXACWWbzEqZ8uS4GoyaEIYiUf00YMquS4Cu
+xTG8+QNSp9tIoUw48chxjw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem.certspec
new file mode 100644
index 0000000000..e9decb76dc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:intermediate-preloading-intermediate
+subject:ee.example.com
+extension:extKeyUsage:serverAuth
+extension:subjectAlternativeName:ee.example.com
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem
new file mode 100644
index 0000000000..a1394d56db
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAc+gAwIBAgIUI6lFTWQgzUkUf/0bE/nqjn1SLNYwDQYJKoZIhvcNAQEL
+BQAwMDEuMCwGA1UEAwwlaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctaW50ZXJtZWRp
+YXRlMjAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAOMQwwCgYD
+VQQDDANlZTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W
+1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtq
+ZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx
+0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthV
+t2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo
+4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx
+1QOs2hgKNe2NAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3
+DQEBCwUAA4IBAQBDTPaqjguUw5J5Jh7p0NdZK6A2XxBRxUcrQqvT3FsnO5sauXHU
+2y7BJNDilPs+A8edIPLezio6aCijg2uZpIKc0Le0L/AeyWYoObiuQ+Lcs9NkhQMm
+3Jqnjw8lbKLO4ojOHEgJqW7VWDCyTCsLDFkZBSC0cAxr79mRdrvPF89Q27xHrBo2
+UgwKuffODwmgNJCznpvkYvvrZQ2WxO8JZk9eAy/mSn6vlyD41nqI8CYQhGKwdxLT
+Xwip+uag1KQup6dgD3cNSRTBDeBL2z9m9HziPNlOTY9SyFxt32YxO1DOaSHy7kCi
+o82rGqU5p8VbGlS2RvzQvMEhptxt+GKLC/6c
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem.certspec
new file mode 100644
index 0000000000..089ac63831
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem.certspec
@@ -0,0 +1,3 @@
+issuer:intermediate-preloading-intermediate2
+subject:ee2
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem
new file mode 100644
index 0000000000..480a18002a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAzCCAeugAwIBAgIUIRWUrRSEgMYUudCmgeB863e4mK4wDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctY2EwIhgPMjAy
+MTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowLzEtMCsGA1UEAwwkaW50ZXJt
+ZWRpYXRlLXByZWxvYWRpbmctaW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAuEbrWJmimyJJ
+XQr4efjCRdNUaZ9b/7MihnpISIPvVQFrQ1XmDEG+9zy1IDaNNZ14s8NCEl0S12mI
+vWxKtU91UAJttFH8idip6s2kC9Mfxw8wTbgsGcUnJhszS6emJ8TnEPMaovFwet2m
+bjwjzvPoFohsupHz+FXMxHgaErzxIh08y6DzU+N9DctKcZkNGg5TTwfzYrcJo3MV
+Xx1uxLHTRMdQHfve2g53kKzAJIThls7NdHoD8DcK54lns05tO7CD2vdtNXMc1M8q
+DnofGLcaGBtPbB8RbwCSQme7G5ICvbxNDC3i6/LAjvKSAsUL2gCExFjaN7UK/qN+
+PklUW8438Q==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem.certspec
new file mode 100644
index 0000000000..5863b3131f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:intermediate-preloading-ca
+subject:intermediate-preloading-intermediate
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem
new file mode 100644
index 0000000000..2e2791ac00
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBTCCAe2gAwIBAgIUEyGPTx1+eoN9OVa+vKQz//tVlfYwDQYJKoZIhvcNAQEL
+BQAwJjEkMCIGA1UEAwwbaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctY2EyMCIYDzIw
+MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMDAxLjAsBgNVBAMMJWludGVy
+bWVkaWF0ZS1wcmVsb2FkaW5nLWludGVybWVkaWF0ZTIwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk
+e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg
+KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI
+YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi
+lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL
+HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1Ud
+EwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAeX4/JsyHg
+0g8S+om/H4zuEgGntF1nqpcAFejMJfl7DJe8ukzTzlQF/IcDQEtv264xjMWaVssn
+kV/va8vVkYIJqc/FIrkuxrFLNFGNOrV6KL14sR0+TlJ/FEOyig+Yt5+RPC2HZZBS
+4n5VUxxK/U52dM6jonbFOcqZXpPAJDYcfg2MThkg/oupcXW7v00EUOL6QEdAMlzY
+wZk5PEIgQckDVr4hwygdmpmAYfD98ru0gqNp5KYdR5uqskQlfHjrIuUNEUpehPGX
+KF9Fqo8Gu1G0dmI4poOxGarKum8nd+b/Cjo1rgQYTBwWMhFzS4zVK4CfgzgUCjNb
+ykTwaGJf7EwV
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem.certspec
new file mode 100644
index 0000000000..27e9a008df
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem.certspec
@@ -0,0 +1,4 @@
+issuer:intermediate-preloading-ca2
+subject:intermediate-preloading-intermediate2
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_keysize.js b/security/manager/ssl/tests/unit/test_keysize.js
new file mode 100644
index 0000000000..b9a1412819
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize.js
@@ -0,0 +1,204 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Checks that RSA certs with key sizes below 1024 bits are rejected.
+// Checks that ECC certs using curves other than the NIST P-256, P-384 or P-521
+// curves are rejected.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+/**
+ * Tests a cert chain.
+ *
+ * @param {string} rootKeyType
+ * The key type of the root certificate, or the name of an elliptic
+ * curve, as output by the 'openssl ecparam -list_curves' command.
+ * @param {number} rootKeySize
+ * @param {string} intKeyType
+ * @param {number} intKeySize
+ * @param {string} eeKeyType
+ * @param {number} eeKeySize
+ * @param {PRErrorCode} eeExpectedError
+ * @returns {Promise} a promise that will resolve when the verification has
+ * completed
+ */
+function checkChain(
+ rootKeyType,
+ rootKeySize,
+ intKeyType,
+ intKeySize,
+ eeKeyType,
+ eeKeySize,
+ eeExpectedError
+) {
+ let rootName = "root_" + rootKeyType + "_" + rootKeySize;
+ let intName = "int_" + intKeyType + "_" + intKeySize;
+ let eeName = "ee_" + eeKeyType + "_" + eeKeySize;
+
+ let intFullName = intName + "-" + rootName;
+ let eeFullName = eeName + "-" + intName + "-" + rootName;
+
+ addCertFromFile(certdb, `test_keysize/${rootName}.pem`, "CTu,CTu,CTu");
+ addCertFromFile(certdb, `test_keysize/${intFullName}.pem`, ",,");
+ let eeCert = constructCertFromFile(`test_keysize/${eeFullName}.pem`);
+
+ info("cert o=" + eeCert.organization);
+ info("cert issuer o=" + eeCert.issuerOrganization);
+ return checkCertErrorGeneric(
+ certdb,
+ eeCert,
+ eeExpectedError,
+ certificateUsageSSLServer
+ );
+}
+
+/**
+ * Tests various RSA chains.
+ *
+ * @param {number} inadequateKeySize
+ * @param {number} adequateKeySize
+ */
+async function checkRSAChains(inadequateKeySize, adequateKeySize) {
+ // Chain with certs that have adequate sizes for DV
+ await checkChain(
+ "rsa",
+ adequateKeySize,
+ "rsa",
+ adequateKeySize,
+ "rsa",
+ adequateKeySize,
+ PRErrorCodeSuccess
+ );
+
+ // Chain with a root cert that has an inadequate size for DV
+ await checkChain(
+ "rsa",
+ inadequateKeySize,
+ "rsa",
+ adequateKeySize,
+ "rsa",
+ adequateKeySize,
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
+ );
+
+ // Chain with an intermediate cert that has an inadequate size for DV
+ await checkChain(
+ "rsa",
+ adequateKeySize,
+ "rsa",
+ inadequateKeySize,
+ "rsa",
+ adequateKeySize,
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
+ );
+
+ // Chain with an end entity cert that has an inadequate size for DV
+ await checkChain(
+ "rsa",
+ adequateKeySize,
+ "rsa",
+ adequateKeySize,
+ "rsa",
+ inadequateKeySize,
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
+ );
+}
+
+async function checkECCChains() {
+ await checkChain(
+ "secp256r1",
+ 256,
+ "secp384r1",
+ 384,
+ "secp521r1",
+ 521,
+ PRErrorCodeSuccess
+ );
+ await checkChain(
+ "secp256r1",
+ 256,
+ "secp224r1",
+ 224,
+ "secp256r1",
+ 256,
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
+ );
+ await checkChain(
+ "secp256r1",
+ 256,
+ "secp256r1",
+ 256,
+ "secp224r1",
+ 224,
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
+ );
+ await checkChain(
+ "secp224r1",
+ 224,
+ "secp256r1",
+ 256,
+ "secp256r1",
+ 256,
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
+ );
+ await checkChain(
+ "secp256r1",
+ 256,
+ "secp256r1",
+ 256,
+ "secp256k1",
+ 256,
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
+ );
+ await checkChain(
+ "secp256k1",
+ 256,
+ "secp256r1",
+ 256,
+ "secp256r1",
+ 256,
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
+ );
+}
+
+async function checkCombinationChains() {
+ await checkChain(
+ "rsa",
+ 2048,
+ "secp256r1",
+ 256,
+ "secp384r1",
+ 384,
+ PRErrorCodeSuccess
+ );
+ await checkChain(
+ "rsa",
+ 2048,
+ "secp256r1",
+ 256,
+ "secp224r1",
+ 224,
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
+ );
+ await checkChain(
+ "secp256r1",
+ 256,
+ "rsa",
+ 1016,
+ "secp256r1",
+ 256,
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
+ );
+}
+
+add_task(async function() {
+ await checkRSAChains(1016, 1024);
+ await checkECCChains();
+ await checkCombinationChains();
+});
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem
new file mode 100644
index 0000000000..1514e2afe0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB4DCCAUmgAwIBAgIUVwxpwbAz8P34bpOsh6+QbP2ojSAwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwIhgPMjAy
+MTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowMTEvMC0GA1UEAwwmZWVfcnNh
+XzEwMTYtaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwgZ4wDQYJKoZIhvcNAQEB
+BQADgYwAMIGIAoGAANKbsS+4T93NKbOlGctmxDuNj4vlRbp5OEzmY+0D33WZFgDr
+kgeQ0lMM7OVE25mnHwWJaj7SBxZVNKqZBX5HxH47yBrab6HhLjcmi1BGpVJo+drX
+zLSF2BouGdUNTwtoVKyvbXvmnZoIMTbhWvqPU8HIyE/GB3J53Q5V1zaaW90CAwEA
+ATANBgkqhkiG9w0BAQsFAAOBgQAJBfYK3k9MPwwgr5XUjo2GDsMyWL/rrF6qud/Q
+vRhdgfPZYWXZ70dHdZEH3iEOub4z049/Jpvz4CkW+mxV1JTwzJn/t/t/UNWlhovX
+rrRAUTid2ePG2AnceiuGRNj6DLMyIriMURnVj1imscyamATg2t6bIHEzsvmUheaA
+3fDiMw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem.certspec
new file mode 100644
index 0000000000..7b86ef7861
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int_rsa_1024-root_rsa_1024
+subject:ee_rsa_1016-int_rsa_1024-root_rsa_1024
+issuerKey:rsa1024
+subjectKey:rsa1016
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem
new file mode 100644
index 0000000000..42daa0757b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB4DCCAUqgAwIBAgIUfx3llLPabDFECt89htHl5RT/8dgwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDE2LXJvb3RfcnNhXzEwMjQwIhgPMjAy
+MTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowMTEvMC0GA1UEAwwmZWVfcnNh
+XzEwMjQtaW50X3JzYV8xMDE2LXJvb3RfcnNhXzEwMjQwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBANOpdEAQHrqMXflQPm+TXrUv/rPr6dDcXKzib5c8qUy8DZwx
+1mwMATvOnILQ1IAyjfBftrzXmQpTEt2uYVKtbuYcjBvdhmPGi9NiJKmIKueOifVW
+39vm9R2mESy/wnyKSTNrQa/bdTIbUrJKc0TRNI5kY1GlUcdXHM2guP419hp1AgMB
+AAEwDQYJKoZIhvcNAQELBQADgYAAu75m62DkOU7ZXkCVpF1Qu6IZ3Kxpw+JCKDmm
+jDyrtW7VyVadDnpcXeXsfoWgpWICGNgS/nYHPW/Sb8VmIdSkYZz0WZ4LrnJR+ReM
+WYnShnhMnfVDZ+2ei5gFrNMlGy9VESyZpHMtK069v4y2Krj28CAQ5PLtK56MrlcW
+KuGqsQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem.certspec
new file mode 100644
index 0000000000..326d665dcc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int_rsa_1016-root_rsa_1024
+subject:ee_rsa_1024-int_rsa_1016-root_rsa_1024
+issuerKey:rsa1016
+subjectKey:rsa1024
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem
new file mode 100644
index 0000000000..5e3c2b7616
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICRjCCAa+gAwIBAgIUbSYmFjBHNggSogoGtlUuasRUNUMwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMTYwIhgPMjAy
+MTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowEjEQMA4GA1UEAwwHcnNhMTAy
+NDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG
+NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn
+RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu
+p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ
+Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p
+47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1
+7Y0CAwEAATANBgkqhkiG9w0BAQsFAAOBgQBPmmqHLLrGqankJL7agjYMNnN4zUnH
+i03p3WOQHfI58xRjBev0xoLBIf7pD/N4+RyB2zGyhfUBN7DAcFxwr3n4If4Z1bo3
+KLjDe4vQx/cxU1iUod7VDB/FoDrKGG9otpUakgBURLmi/2sdfg5VyedmzfINJYso
+Fx7U2rKFpkBTzA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem.certspec
new file mode 100644
index 0000000000..c44a089ed6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int_rsa_1024-root_rsa_1016
+subject:ee_rsa_1024-int_rsa_1024-root_rsa_1016
+issuerKey:rsa1024
+subject:rsa1024
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem
new file mode 100644
index 0000000000..2f05523a61
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB4TCCAUqgAwIBAgIUf88bfQzu3egYcqR2nozsNhooSEEwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwIhgPMjAy
+MTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowMTEvMC0GA1UEAwwmZWVfcnNh
+XzEwMjQtaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBANOpdEAQHrqMXflQPm+TXrUv/rPr6dDcXKzib5c8qUy8DZwx
+1mwMATvOnILQ1IAyjfBftrzXmQpTEt2uYVKtbuYcjBvdhmPGi9NiJKmIKueOifVW
+39vm9R2mESy/wnyKSTNrQa/bdTIbUrJKc0TRNI5kY1GlUcdXHM2guP419hp1AgMB
+AAEwDQYJKoZIhvcNAQELBQADgYEAl0O2IIX5cI8wtLbjxrwrIxPq04WSzUHA0/MM
+UKTvB544MDje/rjg88UKuQ/JbPWYCrK/8kKpriQKFSwx9y8aL32j2jD6u/QkPdE2
+ow/P2ycHJlgdrROCrWiByfaXullQRR2e7dxWgHXINcIeokdDeOlh6rORQWySaSdm
+kYpjObw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem.certspec
new file mode 100644
index 0000000000..a6ee408ec9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int_rsa_1024-root_rsa_1024
+subject:ee_rsa_1024-int_rsa_1024-root_rsa_1024
+issuerKey:rsa1024
+subjectKey:rsa1024
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem
new file mode 100644
index 0000000000..f3a5ab79b4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBXDCCAQOgAwIBAgIUXYvHjg0MUxqF2X6hrh/dJbT805AwCgYIKoZIzj0EAwIw
+KjEoMCYGA1UEAwwfaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9yc2FfMjA0ODAiGA8y
+MDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjA7MTkwNwYDVQQDDDBlZV9z
+ZWNwMjI0cjFfMjI0LWludF9zZWNwMjU2cjFfMjU2LXJvb3RfcnNhXzIwNDgwTTAQ
+BgcqhkjOPQIBBgUrgQQAIQM5AARmjXLMpv1qGzVXtTZhBNhECOy2N/COjIa7/4LM
+6I8AZtevY8Mpi6N3NIoSArA7N/1rH/QVqjEeMAoGCCqGSM49BAMCA0cAMEQCIFx1
+UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDmAiB0nTf5BbTdtJmD7a1JRbHC
+tQ5dVzRgseqLk/nFu2/0cg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem.certspec
new file mode 100644
index 0000000000..87d2f67339
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp256r1_256-root_rsa_2048
+subject:ee_secp224r1_224-int_secp256r1_256-root_rsa_2048
+issuerKey:secp256r1
+subjectKey:secp224r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem
new file mode 100644
index 0000000000..c0894db548
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBZzCCAQ2gAwIBAgIUb5c9bUbBr5F+ODFobDbjzKYl6ZwwCgYIKoZIzj0EAwIw
+LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2cjFfMjU2
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEAxPjA8BgNVBAMM
+NWVlX3NlY3AyMjRyMV8yMjQtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2
+cjFfMjU2ME0wEAYHKoZIzj0CAQYFK4EEACEDOQAEZo1yzKb9ahs1V7U2YQTYRAjs
+tjfwjoyGu/+CzOiPAGbXr2PDKYujdzSKEgKwOzf9ax/0FaoxHjAKBggqhkjOPQQD
+AgNIADBFAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctCgApw5gIhALwxNSek
+yl4Ve2/JszqMa7k+C2Q4tuZChCZYvNqQp99f
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..1aadce0765
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp256r1_256-root_secp256r1_256
+subject:ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:secp224r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem
new file mode 100644
index 0000000000..4ca0497642
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbzCCARagAwIBAgIUa1MOcQgjz0GXbvb/nNSJWQo7Y9MwCgYIKoZIzj0EAwIw
+LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2cjFfMjU2
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEAxPjA8BgNVBAMM
+NWVlX3NlY3AyNTZrMV8yNTYtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2
+cjFfMjU2MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAENe58conY/veoav5dpm2Lwuu2
+qFQ/0v6tCJ9FznrND6ZDgqlQDEHa13D/1LURv0tJLrEjiADDLE92xzo/MpTnxTAK
+BggqhkjOPQQDAgNHADBEAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctCgApw
+5gIgdRmR9h7EWLJiw/HOA4VI/+aCQTQ74ywcJc6m1v8bxcc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..ba999e8f14
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp256r1_256-root_secp256r1_256
+subject:ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:secp256k1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem
new file mode 100644
index 0000000000..f9b3563ce6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBqDCCARKgAwIBAgIUQXmjIgDMGJMlxFe7ZCL7DCwTTOwwDQYJKoZIhvcNAQEL
+BQAwKjEoMCYGA1UEAwwfaW50X3JzYV8xMDE2LXJvb3Rfc2VjcDI1NnIxXzI1NjAi
+GA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjA7MTkwNwYDVQQDDDBl
+ZV9zZWNwMjU2cjFfMjU2LWludF9yc2FfMTAxNi1yb290X3NlY3AyNTZyMV8yNTYw
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARPv7u7YeD4+bGmClmshwTi7AULQj48
+9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbAMA0GCSqG
+SIb3DQEBCwUAA4GAAHF+Lr1T0H2jrjkcXLUsXkVPjNZjy1NRRr6WJyjhF6FKnetP
+SAMZx1oTY9Sql2mgfWJqJA7vx7t8074hsyjbPt4SHozNdoRw8UhDTIhYZf+pH5pf
+u7D/l0d3zwTm2rHy4PBBJRnJYPES9Gdh5XnQWX08zsPU50Y6NGQm/WS2b1Q=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..1e2e0a3759
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int_rsa_1016-root_secp256r1_256
+subject:ee_secp256r1_256-int_rsa_1016-root_secp256r1_256
+issuerKey:rsa1016
+subjectKey:secp256r1
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem
new file mode 100644
index 0000000000..4403f731cc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBazCCARmgAwIBAgIUJ2KRkxVMwamWLnZIQF6ghanSUzIwCgYIKoZIzj0EAwIw
+LzEtMCsGA1UEAwwkaW50X3NlY3AyMjRyMV8yMjQtcm9vdF9zZWNwMjU2cjFfMjU2
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEAxPjA8BgNVBAMM
+NWVlX3NlY3AyNTZyMV8yNTYtaW50X3NlY3AyMjRyMV8yMjQtcm9vdF9zZWNwMjU2
+cjFfMjU2MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+PmxpgpZrIcE
+4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0HowTqoEqm
+wDAKBggqhkjOPQQDAgNAADA9Ah0Amjxv8EbbcPJV9S/WmFIc1y28BSBjT5W2S7JS
+VAIcT8yypPbHzh/icArRyNdIkahxBc/+5tX8YsY/OA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..bd7bc770c7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp224r1_224-root_secp256r1_256
+subject:ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256
+issuerKey:secp224r1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem
new file mode 100644
index 0000000000..6ee2ed1f2f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBcjCCARmgAwIBAgIUDQfZ3zvs9qJa/PtD+Zsr5myOCYYwCgYIKoZIzj0EAwIw
+LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjI0cjFfMjI0
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEAxPjA8BgNVBAMM
+NWVlX3NlY3AyNTZyMV8yNTYtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjI0
+cjFfMjI0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+PmxpgpZrIcE
+4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0HowTqoEqm
+wDAKBggqhkjOPQQDAgNHADBEAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctC
+gApw5gIgJDWD1/nBx/6dIMlHHa07N2IDyTwYFzltWBXmgrigTjQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem.certspec
new file mode 100644
index 0000000000..fe7b7f7482
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp256r1_256-root_secp224r1_224
+subject:ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224
+issuerKey:secp256r1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem
new file mode 100644
index 0000000000..e273ce5525
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBczCCARmgAwIBAgIUATe62fX5Ze+WwA3r3INkBmZ2No0wCgYIKoZIzj0EAwIw
+LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2azFfMjU2
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEAxPjA8BgNVBAMM
+NWVlX3NlY3AyNTZyMV8yNTYtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2
+azFfMjU2MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+PmxpgpZrIcE
+4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0HowTqoEqm
+wDAKBggqhkjOPQQDAgNIADBFAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctC
+gApw5gIhAKOvAfyNhAtngfvVMxAw2Ql34vGZccVGQDS59AWW93RV
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem.certspec
new file mode 100644
index 0000000000..aefffd9810
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp256r1_256-root_secp256k1_256
+subject:ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256
+issuerKey:secp256r1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem
new file mode 100644
index 0000000000..0e44de8e33
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBhTCCASygAwIBAgIUWfAaaiXGBAuskGffwQ+qApfqSwowCgYIKoZIzj0EAwIw
+KjEoMCYGA1UEAwwfaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9yc2FfMjA0ODAiGA8y
+MDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjA7MTkwNwYDVQQDDDBlZV9z
+ZWNwMzg0cjFfMzg0LWludF9zZWNwMjU2cjFfMjU2LXJvb3RfcnNhXzIwNDgwdjAQ
+BgcqhkjOPQIBBgUrgQQAIgNiAAShaHJDNitcexiJ83kVRhWhxz+0je6GPgIpFdtg
+jiUt5LcTLajOmOgxU05qnAwLCcjWOa3oMgbluoE0c6EfozDgXajJbkOD/ieHPalx
+A74oiM/wAvBa9xof3cyDdKpuqc4wCgYIKoZIzj0EAwIDRwAwRAIgXHVRnxMRUM1d
+it4go7wGMJH/snN1XzFk7P3LQoAKcOYCIDpgUEiNKL+ntNWMucP0wHDNTDIxEg4v
+Bjem251RNI7f
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem.certspec
new file mode 100644
index 0000000000..615818d08b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp256r1_256-root_rsa_2048
+subject:ee_secp384r1_384-int_secp256r1_256-root_rsa_2048
+issuerKey:secp256r1
+subjectKey:secp384r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem
new file mode 100644
index 0000000000..6d7ec9003f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAVygAwIBAgIUOd3+Ig6xQ1VYRGT/6xjAv5tiQnEwCgYIKoZIzj0EAwIw
+LzEtMCsGA1UEAwwkaW50X3NlY3AzODRyMV8zODQtcm9vdF9zZWNwMjU2cjFfMjU2
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEAxPjA8BgNVBAMM
+NWVlX3NlY3A1MjFyMV81MjEtaW50X3NlY3AzODRyMV8zODQtcm9vdF9zZWNwMjU2
+cjFfMjU2MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBTNycrMR5QQlrycxmdS7C
+f1l3NPpmxit5L4jFGdbTfw0W6hxIOhgnoBC5Eo46CAcMoz719Xg1t8G6JR9sw1Id
+xCsBBlNFGYG0RdND7tN4KjXWz/D/SE9aiD0gnxuQQrcmcDVosvMm4YuDO92KoHND
+krzRlQHhDWmKefU+EeCiK90qrZAwCgYIKoZIzj0EAwIDaQAwZgIxAO0GJz6haDpU
+tNgaQ3SESJY85j6+gRcD7Nc9cvCiVAZZ1OxFRuhW515lVbeTqfcA8wIxAOzP94f9
+No4Fk3LsupP5uGkSyi5QDAQ0o8uGQV9AzwOZ+qWIbTU5dtSscvjhskLAXQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..b2ae9d0c8f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp384r1_384-root_secp256r1_256
+subject:ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256
+issuerKey:secp384r1
+subjectKey:secp521r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem
new file mode 100644
index 0000000000..b8374730a6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5jCCAU+gAwIBAgIUEUvOHnMPiL7M+vsW3nuLxaEea2kwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAyNDAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAlMSMwIQYDVQQDDBppbnRfcnNhXzEwMTYtcm9vdF9y
+c2FfMTAyNDCBnjANBgkqhkiG9w0BAQEFAAOBjAAwgYgCgYAA0puxL7hP3c0ps6UZ
+y2bEO42Pi+VFunk4TOZj7QPfdZkWAOuSB5DSUwzs5UTbmacfBYlqPtIHFlU0qpkF
+fkfEfjvIGtpvoeEuNyaLUEalUmj52tfMtIXYGi4Z1Q1PC2hUrK9te+admggxNuFa
++o9TwcjIT8YHcnndDlXXNppb3QIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1Ud
+DwQEAwIBBjANBgkqhkiG9w0BAQsFAAOBgQCoCuy8BladR/PAVrgOOf4Ph9dFe2MV
+Yq6EKOWVU/PuYqZRssLh2CQX3v0vhfDzurD/zgj4+UEzJmm5B3knMFcBedPwW+0k
+5KGSdI5Q+gROdkwNx5bGqfnWd+RApjnI8Ykf/HhfO7yFJNzxxr4NANGvt3+M+0rh
+WlaGiJ8uWV02gg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem.certspec
new file mode 100644
index 0000000000..c6e77116b7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem.certspec
@@ -0,0 +1,6 @@
+issuer:root_rsa_1024
+subject:int_rsa_1016-root_rsa_1024
+issuerKey:rsa1024
+subjectKey:rsa1016
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem
new file mode 100644
index 0000000000..7358d4358b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBsDCCAVagAwIBAgIUW50MunLFoD4GAqoirchzeiePUZcwCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMCoxKDAmBgNVBAMMH2ludF9yc2FfMTAxNi1yb290
+X3NlY3AyNTZyMV8yNTYwgZ4wDQYJKoZIhvcNAQEBBQADgYwAMIGIAoGAANKbsS+4
+T93NKbOlGctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJaj7S
+BxZVNKqZBX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyvbXvm
+nZoIMTbhWvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAaMdMBswDAYDVR0TBAUwAwEB
+/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDSAAwRQIgXHVRnxMRUM1dit4go7wG
+MJH/snN1XzFk7P3LQoAKcOYCIQD5W4T/b85G2u0prFnlPiVMZ0Wjw0rvAFjBUcDV
+Y8l0kQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..27728ca374
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256r1_256
+subject:int_rsa_1016-root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:rsa1016
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem
new file mode 100644
index 0000000000..7228823bd3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5jCCAVCgAwIBAgIUY2vK8QUP90UMoUqSZytNypfMOnwwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAxNjAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAlMSMwIQYDVQQDDBppbnRfcnNhXzEwMjQtcm9vdF9y
+c2FfMTAxNjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA06l0QBAeuoxd+VA+
+b5NetS/+s+vp0NxcrOJvlzypTLwNnDHWbAwBO86cgtDUgDKN8F+2vNeZClMS3a5h
+Uq1u5hyMG92GY8aL02IkqYgq546J9Vbf2+b1HaYRLL/CfIpJM2tBr9t1MhtSskpz
+RNE0jmRjUaVRx1cczaC4/jX2GnUCAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNV
+HQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYAAINNXc+CjW72JwEYkt+uf23lsrKPb
+FujBh35bnHAJJ1UurBdOrr6D1tujWdF+jiixRUeBxfhvn6o6k5UQmNvq8cs7YoJs
+ZQNb6+VK849E09vhtE6/xo2GQI8Muyh/8+D9ujGlgWRWQsJmKuUTca02yLfD+Lcx
+MHypk9mRS3CDPw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem.certspec
new file mode 100644
index 0000000000..fafb393bf9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem.certspec
@@ -0,0 +1,6 @@
+issuer:root_rsa_1016
+subject:int_rsa_1024-root_rsa_1016
+issuerKey:rsa1016
+subjectKey:rsa1024
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem
new file mode 100644
index 0000000000..a0dc860b28
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5zCCAVCgAwIBAgIUQQZXnXSEQFy9H8+KvR29mhZL8CkwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAyNDAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAlMSMwIQYDVQQDDBppbnRfcnNhXzEwMjQtcm9vdF9y
+c2FfMTAyNDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA06l0QBAeuoxd+VA+
+b5NetS/+s+vp0NxcrOJvlzypTLwNnDHWbAwBO86cgtDUgDKN8F+2vNeZClMS3a5h
+Uq1u5hyMG92GY8aL02IkqYgq546J9Vbf2+b1HaYRLL/CfIpJM2tBr9t1MhtSskpz
+RNE0jmRjUaVRx1cczaC4/jX2GnUCAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNV
+HQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAqL9M3IKj2oB7xmb5/kj/ljVzawt0
+rlcBTewr4diSiuuJtzR4FGhe7+Sdd8bt9iyOXfdTANOs4hwwuykMtLmNNQ6FT209
+XDzv9NP95kBu/Jc+cF12gYulgbBkFkx9D4zd7W5TTVjyr75Xs+wISSOFGNssNwBn
+jOwDWk2JGPCL+sw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem.certspec
new file mode 100644
index 0000000000..66891f9793
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem.certspec
@@ -0,0 +1,6 @@
+issuer:root_rsa_1024
+subject:int_rsa_1024-root_rsa_1024
+issuerKey:rsa1024
+subjectKey:rsa1024
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem
new file mode 100644
index 0000000000..2f7ca90151
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBYjCCAQmgAwIBAgIUa0XXUQa7LlU9/NCMU/UvW1p5/r8wCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjI0cjFfMjI0
+LXJvb3Rfc2VjcDI1NnIxXzI1NjBNMBAGByqGSM49AgEGBSuBBAAhAzkABGaNcsym
+/WobNVe1NmEE2EQI7LY38I6Mhrv/gszojwBm169jwymLo3c0ihICsDs3/Wsf9BWq
+MR6jHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMCA0cA
+MEQCIFx1UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDmAiB6OW49o/Plw34E
+llpmo3clMwUoC5zINELSPN3uKMElUw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..89d77d3b89
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256r1_256
+subject:int_secp224r1_224-root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:secp224r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem
new file mode 100644
index 0000000000..91bba98392
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICJjCCAQ6gAwIBAgIULfRIJwqhrTgphLCOMhBD3HMzZoIwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMjA0ODAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAqMSgwJgYDVQQDDB9pbnRfc2VjcDI1NnIxXzI1Ni1y
+b290X3JzYV8yMDQ4MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+Pmx
+pgpZrIcE4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0H
+owTqoEqmwKMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcN
+AQELBQADggEBALnX/gmXf0oTbESNYaBQ3w0fo/GMNfXFQJJicnstxFt510GGQnM6
+k+mCmtWB3e3w5LMClRz1irAVWEhp+xqaH9a0T7LkmziVv3Iz3YzqDOUkMVFIrWWr
+jPX3O/HUV52UF/YNE3pbDD0w72Zbe6BFS0NzXgdBDZiBM9/GAE9Bepsg5pKGcjea
+PpHcWIbxOJvzLAKrQdjHjoaYWTukL21kspsBw7dIaYgMo69f/JhY8suakh4Y45g9
+uD2S6A4lw2E+ITOi0V+EQU//OUFgynIt7kfB8kVyKTflHw2UpVCwu1XICGvPxDZU
+7OKLAp/2Y18qqGbmVGEf9nZ4zojcCdtAsAU=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem.certspec
new file mode 100644
index 0000000000..44a65ef5a7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem.certspec
@@ -0,0 +1,5 @@
+issuer:root_rsa_2048
+subject:int_secp256r1_256-root_rsa_2048
+subjectKey:secp256r1
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem
new file mode 100644
index 0000000000..14178a22d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBZzCCARWgAwIBAgIUS9UDyDRw6jcSIVOE3Jd/25HnZKUwCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjI0cjFfMjI0MCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjU2cjFfMjU2
+LXJvb3Rfc2VjcDIyNHIxXzIyNDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/
+u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGT
+kNeZG3stB6ME6qBKpsCjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG
+CCqGSM49BAMCA0AAMD0CHQCaPG/wRttw8lX1L9aYUhzXLbwFIGNPlbZLslJUAhwR
+QjtGEs8T4jEfvTzExNDStQ07IOzgazIlFtfw
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem.certspec
new file mode 100644
index 0000000000..66ebc1b93e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp224r1_224
+subject:int_secp256r1_256-root_secp224r1_224
+issuerKey:secp224r1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem
new file mode 100644
index 0000000000..d8ee88f643
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbjCCARWgAwIBAgIUbfWsobapssVY8KJM2yCX2ixKnPswCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2azFfMjU2MCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjU2cjFfMjU2
+LXJvb3Rfc2VjcDI1NmsxXzI1NjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/
+u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGT
+kNeZG3stB6ME6qBKpsCjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG
+CCqGSM49BAMCA0cAMEQCIFuwodUwyOUnIR4KN5ZCSrU7y4iz4/1EWRdHm5kWKi8d
+AiAPwQROIzfXlMFBuhspsRKzB5bfRlK3JAQUSCN5CsmfEw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem.certspec
new file mode 100644
index 0000000000..c7e190ab0b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256k1_256
+subject:int_secp256r1_256-root_secp256k1_256
+issuerKey:secp256k1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem
new file mode 100644
index 0000000000..6eca3f2b9b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbjCCARWgAwIBAgIUa0D2PJJTJo9PXI+vG9zQ1xsBn/owCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjU2cjFfMjU2
+LXJvb3Rfc2VjcDI1NnIxXzI1NjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/
+u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGT
+kNeZG3stB6ME6qBKpsCjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG
+CCqGSM49BAMCA0cAMEQCIFx1UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDm
+AiA4ISAfKF73X9PGnyvy/moXFGmSVwofC5A9v2X5+huJHQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..6854d21876
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256r1_256
+subject:int_secp256r1_256-root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem
new file mode 100644
index 0000000000..a30df8f600
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBizCCATKgAwIBAgIUE3rMvYbUkYGloXh1cHBH2bCZyBcwCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMzg0cjFfMzg0
+LXJvb3Rfc2VjcDI1NnIxXzI1NjB2MBAGByqGSM49AgEGBSuBBAAiA2IABKFockM2
+K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMtqM6Y6DFTTmqcDAsJyNY5regy
+BuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC8Fr3Gh/dzIN0qm6pzqMdMBsw
+DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDRwAwRAIgXHVR
+nxMRUM1dit4go7wGMJH/snN1XzFk7P3LQoAKcOYCIEwCzXhoYODip/jtMmkCe36I
+IIHXI7fafiAbVaadub6I
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..de8e851981
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256r1_256
+subject:int_secp384r1_384-root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:secp384r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem
new file mode 100644
index 0000000000..4d1522bb8b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAUKgAwIBAgIUfXnvTK9B9FK+1IelCwSO1Mf5UTwwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAxNjAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAYMRYwFAYDVQQDDA1yb290X3JzYV8xMDE2MIGeMA0G
+CSqGSIb3DQEBAQUAA4GMADCBiAKBgADSm7EvuE/dzSmzpRnLZsQ7jY+L5UW6eThM
+5mPtA991mRYA65IHkNJTDOzlRNuZpx8FiWo+0gcWVTSqmQV+R8R+O8ga2m+h4S43
+JotQRqVSaPna18y0hdgaLhnVDU8LaFSsr2175p2aCDE24Vr6j1PByMhPxgdyed0O
+Vdc2mlvdAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG
+SIb3DQEBCwUAA4GAAD8C2t9CPWsOkjh/CLrrCa+4TXvZ08h8W/8IhqdQAfCv7dti
+9bEvHqR9zQOFDeahFe7z5PkQcy4muoEYycBEod7MmacIDz8Mp3tZ3z2dHlaGxYIN
+zAhQa8PShkltJw9+whOhPyLFVd4sExO6GSJU616wDCO0XSsk82Akrp3b22E=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem.certspec
new file mode 100644
index 0000000000..b0b5ba8e5e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem.certspec
@@ -0,0 +1,6 @@
+issuer:root_rsa_1016
+subject:root_rsa_1016
+issuerKey:rsa1016
+subjectKey:rsa1016
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem
new file mode 100644
index 0000000000..de4451ce56
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2jCCAUOgAwIBAgIUMVucrt/selpf3q8amlrvDqneZmEwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAyNDAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAYMRYwFAYDVQQDDA1yb290X3JzYV8xMDI0MIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTqXRAEB66jF35UD5vk161L/6z6+nQ3Fys
+4m+XPKlMvA2cMdZsDAE7zpyC0NSAMo3wX7a815kKUxLdrmFSrW7mHIwb3YZjxovT
+YiSpiCrnjon1Vt/b5vUdphEsv8J8ikkza0Gv23UyG1KySnNE0TSOZGNRpVHHVxzN
+oLj+NfYadQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq
+hkiG9w0BAQsFAAOBgQAmXbjjKelajwlEDMtahrBCsERFd6+ROiGkWPd2f7DrcbM0
+4XTeBJMOk0JUHRNelafp7s+B/Na/gA6tF7DwbBff6CroFMA08AtT6CaGGshyym4e
+v1gLXMZRAw7Ql0vHwp5+62umXMYQZRsxc7+evlm4BQKsIkVG20R9P39/f2DErg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem.certspec
new file mode 100644
index 0000000000..09cd420f70
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem.certspec
@@ -0,0 +1,6 @@
+issuer:root_rsa_1024
+subject:root_rsa_1024
+issuerKey:rsa1024
+subjectKey:rsa1024
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem
new file mode 100644
index 0000000000..76c11d0c5d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIUHc/POtVpyiofkS90PJVYOJh6zpcwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMjA0ODAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAYMRYwFAYDVQQDDA1yb290X3JzYV8yMDQ4MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC
+AQEAk5wQl5Buy92gRlkSDZ2zDu4l4vELd6YC+ObqOe6ixuUf4Y7rGMWiHtbyrhh1
+4IXAD8ZAhZQhdrhl6YX9QsLwIMSowkzhnDLgO7vBJrIw1PsQlyonMFk+A09sbFvk
+iLo6gAo+8Vb83DrkJWp9uoIqSIhJTTRFz4MbWh82oNqpQZeARFZ6TzsJK2cekmL5
+sdIkC5Sh7nnDPQvH4pc+k+AwjAJIyj3ysDelxpvzVoVVhHJCdzVVaN25Kd3pAByL
+nUhQ/r7z2tdg6I/7CijIuRVD8sPKAhrTT8Xo+fIcrqqXnuHEIgNcRpLaR3zgpVRV
+G4p5aG3iXXviN44uwz7abs+l1A==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem.certspec
new file mode 100644
index 0000000000..cebc2f8e6a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem.certspec
@@ -0,0 +1,4 @@
+issuer:root_rsa_2048
+subject:root_rsa_2048
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem
new file mode 100644
index 0000000000..6475f8ef91
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem
@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE-----
+MIIBSDCB96ADAgECAhQHiZOs85zvfLeFMhsh68xncNi5wzAKBggqhkjOPQQDAjAd
+MRswGQYDVQQDDBJyb290X3NlY3AyMjRyMV8yMjQwIhgPMjAyMTExMjcwMDAwMDBa
+GA8yMDI0MDIwNTAwMDAwMFowHTEbMBkGA1UEAwwScm9vdF9zZWNwMjI0cjFfMjI0
+ME0wEAYHKoZIzj0CAQYFK4EEACEDOQAEZo1yzKb9ahs1V7U2YQTYRAjstjfwjoyG
+u/+CzOiPAGbXr2PDKYujdzSKEgKwOzf9ax/0FaoxHqMdMBswDAYDVR0TBAUwAwEB
+/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDQAAwPQIdAJo8b/BG23DyVfUv1phS
+HNctvAUgY0+VtkuyUlQCHHjzlIZKE3ktC+mtNDdM57lQZsqdPCUo2IehzBo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem.certspec
new file mode 100644
index 0000000000..31370f6f73
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp224r1_224
+subject:root_secp224r1_224
+issuerKey:secp224r1
+subjectKey:secp224r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem
new file mode 100644
index 0000000000..a062c78eb2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBWjCCAQCgAwIBAgIUfUU3FkeasPqniKMpSraSUECrlnowCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2azFfMjU2MCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMB0xGzAZBgNVBAMMEnJvb3Rfc2VjcDI1NmsxXzI1
+NjBWMBAGByqGSM49AgEGBSuBBAAKA0IABDXufHKJ2P73qGr+XaZti8LrtqhUP9L+
+rQifRc56zQ+mQ4KpUAxB2tdw/9S1Eb9LSS6xI4gAwyxPdsc6PzKU58WjHTAbMAwG
+A1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMCA0gAMEUCIFuwodUw
+yOUnIR4KN5ZCSrU7y4iz4/1EWRdHm5kWKi8dAiEA75wpo6AToMf20m7rvmTKnlK8
+FGo2xq0TYVCCcCEfkcM=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem.certspec
new file mode 100644
index 0000000000..c78aa61bba
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256k1_256
+subject:root_secp256k1_256
+issuerKey:secp256k1
+subjectKey:secp256k1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem
new file mode 100644
index 0000000000..f0fa1a3298
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBXDCCAQOgAwIBAgIUB5NlTHpszJgjDr4BNFqeBut30O8wCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMB0xGzAZBgNVBAMMEnJvb3Rfc2VjcDI1NnIxXzI1
+NjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5saYKWayHBOLsBQtC
+Pjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGTkNeZG3stB6ME6qBKpsCjHTAb
+MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMCA0cAMEQCIFx1
+UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDmAiAwSXG3ZAwdTkc4IYrNr7A3
+PwsFyeNA6J5MEWhUHVzgTw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..4447fc4b47
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256r1_256
+subject:root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev.js b/security/manager/ssl/tests/unit/test_keysize_ev.js
new file mode 100644
index 0000000000..30d02f7adb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev.js
@@ -0,0 +1,169 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Checks that RSA certs with key sizes below 2048 bits when verifying for EV
+// are rejected.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const SERVER_PORT = 8888;
+
+function getOCSPResponder(expectedCertNames) {
+ let expectedPaths = expectedCertNames.slice();
+ return startOCSPResponder(
+ SERVER_PORT,
+ "www.example.com",
+ "test_keysize_ev/",
+ expectedCertNames,
+ expectedPaths
+ );
+}
+
+function loadCert(certName, trustString) {
+ let certFilename = "test_keysize_ev/" + certName + ".pem";
+ addCertFromFile(certDB, certFilename, trustString);
+ return constructCertFromFile(certFilename);
+}
+
+/**
+ * Asynchronously runs a single EV key size test.
+ *
+ * @param {Array} expectedNamesForOCSP
+ * An array of nicknames of the certs to be responded to.
+ * @param {string} rootCertFileName
+ * The file name of the root cert. Can begin with ".." to reference
+ * certs in folders other than "test_keysize_ev/".
+ * @param {Array} intCertFileNames
+ * An array of file names of any intermediate certificates.
+ * @param {string} endEntityCertFileName
+ * The file name of the end entity cert.
+ * @param {boolean} expectedResult
+ * Whether the chain is expected to validate as EV.
+ */
+async function keySizeTestForEV(
+ expectedNamesForOCSP,
+ rootCertFileName,
+ intCertFileNames,
+ endEntityCertFileName,
+ expectedResult
+) {
+ clearOCSPCache();
+ let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
+
+ loadCert(rootCertFileName, "CTu,CTu,CTu");
+ for (let intCertFileName of intCertFileNames) {
+ loadCert(intCertFileName, ",,");
+ }
+ await checkEVStatus(
+ certDB,
+ constructCertFromFile(`test_keysize_ev/${endEntityCertFileName}.pem`),
+ certificateUsageSSLServer,
+ expectedResult
+ );
+
+ await stopOCSPResponder(ocspResponder);
+}
+
+/**
+ * For debug builds which have the test EV roots compiled in, checks RSA chains
+ * which contain certs with key sizes adequate for EV are validated as such,
+ * while chains that contain any cert with an inadequate key size fail EV and
+ * validate as DV.
+ * For opt builds which don't have the test EV roots compiled in, checks that
+ * none of the chains validate as EV.
+ *
+ * Note: This function assumes that the key size requirements for EV are greater
+ * than the requirements for DV.
+ *
+ * @param {number} inadequateKeySize
+ * The inadequate key size of the generated certs.
+ * @param {number} adequateKeySize
+ * The adequate key size of the generated certs.
+ */
+async function checkRSAChains(inadequateKeySize, adequateKeySize) {
+ // Reuse the existing test RSA EV root
+ let rootOKCertFileName = "../test_ev_certs/evroot";
+ let rootOKName = "evroot";
+ let rootNotOKName = "ev_root_rsa_" + inadequateKeySize;
+ let intOKName = "ev_int_rsa_" + adequateKeySize;
+ let intNotOKName = "ev_int_rsa_" + inadequateKeySize;
+ let eeOKName = "ev_ee_rsa_" + adequateKeySize;
+ let eeNotOKName = "ev_ee_rsa_" + inadequateKeySize;
+
+ // Chain with certs that have adequate sizes for EV and DV
+ // In opt builds, this chain is only validated for DV. Hence, an OCSP fetch
+ // will for example not be done for the "ev_int_rsa_2048-evroot" intermediate
+ // in such a build.
+ let intFullName = intOKName + "-" + rootOKName;
+ let eeFullName = eeOKName + "-" + intOKName + "-" + rootOKName;
+ let expectedNamesForOCSP = [eeFullName];
+ await keySizeTestForEV(
+ expectedNamesForOCSP,
+ rootOKCertFileName,
+ [intFullName],
+ eeFullName,
+ gEVExpected
+ );
+
+ // Chain with a root cert that has an inadequate size for EV, but
+ // adequate size for DV
+ intFullName = intOKName + "-" + rootNotOKName;
+ eeFullName = eeOKName + "-" + intOKName + "-" + rootNotOKName;
+ expectedNamesForOCSP = [eeFullName];
+ await keySizeTestForEV(
+ expectedNamesForOCSP,
+ rootNotOKName,
+ [intFullName],
+ eeFullName,
+ false
+ );
+
+ // Chain with an intermediate cert that has an inadequate size for EV, but
+ // adequate size for DV
+ intFullName = intNotOKName + "-" + rootOKName;
+ eeFullName = eeOKName + "-" + intNotOKName + "-" + rootOKName;
+ expectedNamesForOCSP = [eeFullName];
+ await keySizeTestForEV(
+ expectedNamesForOCSP,
+ rootOKCertFileName,
+ [intFullName],
+ eeFullName,
+ false
+ );
+
+ // Chain with an end entity cert that has an inadequate size for EV, but
+ // adequate size for DV
+ intFullName = intOKName + "-" + rootOKName;
+ eeFullName = eeNotOKName + "-" + intOKName + "-" + rootOKName;
+ expectedNamesForOCSP = [eeFullName];
+ await keySizeTestForEV(
+ expectedNamesForOCSP,
+ rootOKCertFileName,
+ [intFullName],
+ eeFullName,
+ false
+ );
+}
+
+add_task(async function() {
+ Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+ let smallKeyEVRoot = constructCertFromFile(
+ "test_keysize_ev/ev_root_rsa_2040.pem"
+ );
+ equal(
+ smallKeyEVRoot.sha256Fingerprint,
+ "40:AB:5D:A5:89:15:A9:4B:82:87:B8:A6:9A:84:B1:DB:" +
+ "7A:9D:DB:B8:4E:E1:23:E3:C6:64:E7:50:DC:35:8C:68",
+ "test sanity check: the small-key EV root must have the same " +
+ "fingerprint as the corresponding entry in ExtendedValidation.cpp"
+ );
+
+ await checkRSAChains(2040, 2048);
+});
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem
new file mode 100644
index 0000000000..394cb6caea
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZzCCAk+gAwIBAgIUVZYfMEsZbV/AnYHYi9fRg/e/buYwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWZXZfaW50X3JzYV8yMDQ4LWV2cm9vdDAiGA8yMDIxMTEy
+NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAwMS4wLAYDVQQDDCVldl9lZV9yc2Ff
+MjA0MC1ldl9pbnRfcnNhXzIwNDgtZXZyb290MIIBITANBgkqhkiG9w0BAQEFAAOC
+AQ4AMIIBCQKCAQAAusBlL9+8AFWIL/uurO7Ij6LQg8KX3V1AZk3T2Q9S+aoCvYpQ
++6FuD9mRh470dfmzUNn44+sqvXF84yewl4hTHxPfjj5OO51ha7ikHlMG7tJHIWMW
+EFEYASdqTrZvBzMbXLyLyucBao+bPU8qxFU8Ykz1JjvLNI6IQN5mEocJYKeSGRsT
+j7IX92XOx7/46U8Ws5QZv3UExZp+T3m9bRc+nHvz2dKk5zzBgLBZCnPVhPt/ybVP
+pURgflP8aFx6Vf1EqB1BQravUepvps6lKWWi6MXYTzygJNb7ubAFuWUc5dny7PQO
+1ASYGp/8AmNuMRsJXGMyoMh9w5JxtVUUgXdLAgMBAAGjgYQwgYEwXgYIKwYBBQUH
+AQEEUjBQME4GCCsGAQUFBzABhkJodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgv
+ZXZfZWVfcnNhXzIwNDAtZXZfaW50X3JzYV8yMDQ4LWV2cm9vdC8wHwYDVR0gBBgw
+FjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQELBQADggEBADEl0bWl
+HI7w8k4AN2yIxDMFCzd4AJBqtqanL5JVkPFl4VCzmmK2okwdGq5TZYvbDRaQK4nQ
+FECjTuxDGY95BVd4brca/JKvaCk8HBXFbh4iv9OZJbr6gm+N2LiV78P8V8nz1RVw
+WfGB9T5TZAhsMBF8nMum9p3bPj5IJXA2IpQswtfAx19so9D7i+vt++F8g2M8MjHC
+FIwH5961OYBUvd1c+CAjE8ekZ/ajQnrEuayPVGacBwWmqJ8Lz6viyXIfPdRIWlvn
+0+rJB20eBXnoSW3k2kp0QwzTxuD/5RwRiTgGphGta0wHtaVCwrkdkWTH1u7R/OxW
+I+X16RQo8Ayto3o=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem.certspec
new file mode 100644
index 0000000000..e64c651bc7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ev_int_rsa_2048-evroot
+subject:ev_ee_rsa_2040-ev_int_rsa_2048-evroot
+subjectKey:rsa2040
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2040-ev_int_rsa_2048-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem
new file mode 100644
index 0000000000..c7b6b0ddab
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZzCCAlCgAwIBAgIUZfXrSpbPemyhfINT4zz1d30Ek2wwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWZXZfaW50X3JzYV8yMDQwLWV2cm9vdDAiGA8yMDIxMTEy
+NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAwMS4wLAYDVQQDDCVldl9lZV9yc2Ff
+MjA0OC1ldl9pbnRfcnNhXzIwNDAtZXZyb290MIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo
+4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD
+SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX
+kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx
+owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/
+Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GEMIGBMF4GCCsGAQUF
+BwEBBFIwUDBOBggrBgEFBQcwAYZCaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4
+L2V2X2VlX3JzYV8yMDQ4LWV2X2ludF9yc2FfMjA0MC1ldnJvb3QvMB8GA1UdIAQY
+MBYwFAYSKwYBBAHrSYUahRqFGgGDdAkBMA0GCSqGSIb3DQEBCwUAA4IBAAA0bpkI
+YZXUPMUehztpOIlqHZyliVXpt5P2KpBG/3lSwkomGszQZT4+mvZqGS7Hy/gIJNnF
+vE0Obol+2LT8WOsJuqlOZz2Q04ckggp+HsgwBZYTAvgSSPVbiXwsAVq9aMHcw9l1
+usGJC8Y3rEsQYdGx01/SBP/jAfq882yOSX/MmE0DElDDygLkpynttd60XBwUNiuM
+RdvE9HmQ1g8teQjXoZiOctgSmYeNGcjx0Tabr96ONhf1ol7tf0lVECweWl32G0PL
+Z9PnXtatiH4wcItb3S4P3jlCjEcaK6iq0PntcarxICyraOkWXvD+cAecptFSEhRh
+TGE7OM/RblZ1waQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem.certspec
new file mode 100644
index 0000000000..0b7bfd4269
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ev_int_rsa_2040-evroot
+subject:ev_ee_rsa_2048-ev_int_rsa_2040-evroot
+issuerKey:rsa2040
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2048-ev_int_rsa_2040-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem
new file mode 100644
index 0000000000..6743c1859a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhjCCAm6gAwIBAgIUSwd9p0zHyco2QXDr8tpsJc2ljTwwDQYJKoZIhvcNAQEL
+BQAwKzEpMCcGA1UEAwwgZXZfaW50X3JzYV8yMDQ4LWV2X3Jvb3RfcnNhXzIwNDAw
+IhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowOjE4MDYGA1UEAwwv
+ZXZfZWVfcnNhXzIwNDgtZXZfaW50X3JzYV8yMDQ4LWV2X3Jvb3RfcnNhXzIwNDAw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
+PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
+9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
+4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
+exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
+ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
+AgMBAAGjgY4wgYswaAYIKwYBBQUHAQEEXDBaMFgGCCsGAQUFBzABhkxodHRwOi8v
+d3d3LmV4YW1wbGUuY29tOjg4ODgvZXZfZWVfcnNhXzIwNDgtZXZfaW50X3JzYV8y
+MDQ4LWV2X3Jvb3RfcnNhXzIwNDAvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqF
+GgGDdAkBMA0GCSqGSIb3DQEBCwUAA4IBAQBuSOtnkDe3ob+sBv9AIEUi4Rysxb3N
+Xhg3sAR6RFNP0kZnuROdWloSSfA9+H6f7l1w/LFTVFZhdQG2PqmJJ7vVzZYbgKXQ
+bWFri8W5Moj75f+Q3hpOczTqgBZfKl07gQp15/BfaUxsvmiw0IZBZHpaggYGerC3
+stamAyLWYI4hvQacoVz/2wRLa/NMs2qWElZ8+AjR10cCevvC15HD/U48s5NdLhGZ
+63x9dz7DCWQcrxz+eIS+S1qEeU7N4DTMYR5QRxPWM7s37hAZGASZlDmiL5fs3DRv
+IbynUqPgLPELvM+BvZN6edALZxGC2ngcqxVVmg/j8nl5Xcjqvq0cO1VH
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec
new file mode 100644
index 0000000000..a36acf887d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ev_int_rsa_2048-ev_root_rsa_2040
+subject:ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem
new file mode 100644
index 0000000000..753a39f0e7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIUWW7gg8Czo9BnB6ui50M3Xu6ivEcwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWZXZfaW50X3JzYV8yMDQ4LWV2cm9vdDAiGA8yMDIxMTEy
+NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAwMS4wLAYDVQQDDCVldl9lZV9yc2Ff
+MjA0OC1ldl9pbnRfcnNhXzIwNDgtZXZyb290MIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo
+4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD
+SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX
+kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx
+owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/
+Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GEMIGBMF4GCCsGAQUF
+BwEBBFIwUDBOBggrBgEFBQcwAYZCaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4
+L2V2X2VlX3JzYV8yMDQ4LWV2X2ludF9yc2FfMjA0OC1ldnJvb3QvMB8GA1UdIAQY
+MBYwFAYSKwYBBAHrSYUahRqFGgGDdAkBMA0GCSqGSIb3DQEBCwUAA4IBAQAZ6F/Z
+4Alyl3Mc7/QcrKEbu1BWIWt4e5wvWqAw3evX36OsFrkAD+26FHLgkjyMVxeX6g95
+LAbbQN2K48mIHGLdK8fAnLmNJpBJpetAEfIpcQzKf4BuNsCAB+TVRfAt0yeDDagQ
+va7jy8kzC+UG/OX2KW0SG5Zn6OwJTAIq6LLnGeyeMGqleBVW8HUsQBB4waPFfejJ
+AuPPiIuHh+6lOcSpjLel/xcEnnmMJFjO8zoOW32HuR02iUsrkZqPvIeRm6sVjQEs
+HWd0d+mAtzUWN4YkFqDdBJ71iK0ZZDlx4wPdjhshdDFLg/g0PW6sUEeUak6e3WQ4
+oNA9ie/2y779fkX6
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem.certspec
new file mode 100644
index 0000000000..0b34be6db8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ev_int_rsa_2048-evroot
+subject:ev_ee_rsa_2048-ev_int_rsa_2048-evroot
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2048-ev_int_rsa_2048-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem
new file mode 100644
index 0000000000..cf632da080
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVDCCAjygAwIBAgIUAcFzVqJIY35fm8QGImTLo+kRhoowDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMCExHzAdBgNVBAMMFmV2X2ludF9yc2FfMjA0MC1ldnJvb3QwggEh
+MA0GCSqGSIb3DQEBAQUAA4IBDgAwggEJAoIBAAC6wGUv37wAVYgv+66s7siPotCD
+wpfdXUBmTdPZD1L5qgK9ilD7oW4P2ZGHjvR1+bNQ2fjj6yq9cXzjJ7CXiFMfE9+O
+Pk47nWFruKQeUwbu0kchYxYQURgBJ2pOtm8HMxtcvIvK5wFqj5s9TyrEVTxiTPUm
+O8s0johA3mYShwlgp5IZGxOPshf3Zc7Hv/jpTxazlBm/dQTFmn5Peb1tFz6ce/PZ
+0qTnPMGAsFkKc9WE+3/JtU+lRGB+U/xoXHpV/USoHUFCtq9R6m+mzqUpZaLoxdhP
+PKAk1vu5sAW5ZRzl2fLs9A7UBJgan/wCY24xGwlcYzKgyH3DknG1VRSBd0sCAwEA
+AaOBkDCBjTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBPBggrBgEFBQcBAQRD
+MEEwPwYIKwYBBQUHMAGGM2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9ldl9p
+bnRfcnNhXzIwNDAtZXZyb290LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoB
+g3QJATANBgkqhkiG9w0BAQsFAAOCAQEAXXKAxLkrQ+U2XlsV87bacCpbpSpRsdps
+EGFUEZ1h1Pmlcea7I4tgLhavwnP48zSa3J15dCacXlupHlKspILYbWvkSM3P+64s
+MAo2Nt0av/eQsXZrasMNhLPPkvWXtA7MUB57eQm+2pKyy0hmNaZC2cOWsJw+FqXB
+9Nw2tPpo/rSXr5jkqEMKSUrA/B8dDNjl1QNe0nbr6pS2Ux3Eayuc57xg8envOkn+
+nTm6Wf9oJeE/+0D7Y4whiRJWDv/ANYW5b982sn4BA48jtxYDP1M8UZ/ZzWfMG7tE
+xtYL6EBZbZ9KOmPkPEzzKwM2IdFRexTAzVrid3VHbBYOQOfQBDP4pg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem.certspec
new file mode 100644
index 0000000000..80be711742
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem.certspec
@@ -0,0 +1,8 @@
+issuer:evroot
+subject:ev_int_rsa_2040-evroot
+issuerKey:ev
+subjectKey:rsa2040
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/ev_int_rsa_2040-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key
new file mode 100644
index 0000000000..63b267865f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEtwIBADANBgkqhkiG9w0BAQEFAASCBKEwggSdAgEAAoIBAAC6wGUv37wAVYgv
++66s7siPotCDwpfdXUBmTdPZD1L5qgK9ilD7oW4P2ZGHjvR1+bNQ2fjj6yq9cXzj
+J7CXiFMfE9+OPk47nWFruKQeUwbu0kchYxYQURgBJ2pOtm8HMxtcvIvK5wFqj5s9
+TyrEVTxiTPUmO8s0johA3mYShwlgp5IZGxOPshf3Zc7Hv/jpTxazlBm/dQTFmn5P
+eb1tFz6ce/PZ0qTnPMGAsFkKc9WE+3/JtU+lRGB+U/xoXHpV/USoHUFCtq9R6m+m
+zqUpZaLoxdhPPKAk1vu5sAW5ZRzl2fLs9A7UBJgan/wCY24xGwlcYzKgyH3DknG1
+VRSBd0sCAwEAAQKB/2A9smffl1VcvthrjfNVA0ryjx638+eCnSObzCc6fHppoQvo
+8h8bbEsCxrrjcxwxWLW7/0YF9Xq3t7Kgy6LsAFottbHqbgrO6lvHRdzS0OnWuA1+
+sOorwIEnvONfpQxCzEEYcbpZHiO6ajhISjPv8TR/kH7ppakqIxG7C0NVEAIPeOO7
+AAmdtNEYKSgJZQX8uoTzyhI4/R66XuofORu7zFQksWgGP8F+HKbhkSzLpE+dApIw
+ih/tuAYSUps59Z0KP4GAtbogETIZf5OlgV3tk43459k8mxV2ZYjzObtZEAr9pJSn
+5FLX3UyaGc4uw6M6GLIPC02t4XK+4Z8m8Ny+QQKBgA7Dhpy5LUBsrd96MZqylEi8
+UFoFkTcHhzNh/FuYakmftl7rgVp+N2h9GfEoCHKJ2buIGOe8ylAsSQCtmuzhF5vh
+L/PkZ9YG/IIOqPB6yev/4iNuOBaEEgKIIj5C2+aN/ZcqhaZEflFpXyNNp5EcZ8mr
+lTHzPfO5lDLU7ojJpO+7AoGADKY5NFSehf6sjg9WBDA/0YSf6Ir0t/fhITKDu8ei
+wqUJ+Sc8Qoxo3j25PmFF8bQAvW1KJiYU6QQ602LU66SmuZU5nIk0o5mRIZnoQdjo
+2/8EifaeZjeWcwspgFMLMctwaVohYl6irczAnZMFFvqHIhGpHiLdif2et9qFdLci
+NbECgYANfTp14X9l+KZYpIXECVwQpPZpeeK3O8qc+O8hJT4frKxtR5H1g5LOhlb4
+jxJAzJDCllPjEAxtejjtRLFjsznl87bjiRISbGmzzv8uUZJCbZZJtv/KGrt10rou
+1tmiaqODxZc9ViFv8u25DM+Id0Kg8YOskslM8YdldkXHdy2a1wKBgAP1UBlMEX8k
+vqKFsgkFgDL0KYX/Vazr6IsW35o3UntOYdyRpo28mmRRNFKM5fJIvaKJPJbLe+ee
+5zmWx8Ild/bC95BAbzRyrbOyEbfpRJTzLFxvzAl4g5/kckwxsGMYokiVZ7T8oDN6
+yxuEEieqpfbHSACiMGkp8CzgOLrZQ99BAoGACAp9v6jCWEgUxxZkxW62LOTK8Wr+
+iNRJkVnWdHdKOj7N3xJWwC/JFSXFJ2kkItCrqU5cQe4S3HG7Zvhnn6F+CW8oCAhR
+ugRusxiFwUFOiYWt5ZnZB68XRT0cyuosDQZEP4Nnpr4VSxJeOQ7g2Q90bwiAHdP1
+Nn9Z+6LlpnwF83U=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key.keyspec
new file mode 100644
index 0000000000..f488e73a94
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key.keyspec
@@ -0,0 +1 @@
+rsa2040
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem
new file mode 100644
index 0000000000..3460534a0b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDcjCCAlugAwIBAgIUZSpbli3rGt5J38O5lKUHT1lCyUEwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQZXZfcm9vdF9yc2FfMjA0MDAiGA8yMDIxMTEyNzAwMDAw
+MFoYDzIwMjQwMjA1MDAwMDAwWjArMSkwJwYDVQQDDCBldl9pbnRfcnNhXzIwNDgt
+ZXZfcm9vdF9yc2FfMjA0MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG
+8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V
+gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3
+04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l
+0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz
+/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaOBmjCBlzAMBgNVHRMEBTADAQH/MAsGA1Ud
+DwQEAwIBBjBZBggrBgEFBQcBAQRNMEswSQYIKwYBBQUHMAGGPWh0dHA6Ly93d3cu
+ZXhhbXBsZS5jb206ODg4OC9ldl9pbnRfcnNhXzIwNDgtZXZfcm9vdF9yc2FfMjA0
+MC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQEL
+BQADggEAABBuxXUR0hyJquyO21vDSVBAfJxZzfanX2HTra0RQuHKsMJT+stYBaW5
+dyxwmRtOnWgn4FOYqVppLZe1jSws6zUoWgSBiAxKJiX3RvQ4aR5bSIm9DueBDR8u
+d/vwQOWR1+qqZb7FRvFkXkzFyBP9C5cT/INjmFiRzidMIWIPuoS3kSzIIcyLr4Gj
+CPb/TDGTL3pc5xdSIiQ3i43f1u17yeurjzbN8yzjIX3CuoeaOrBUWsBxnNgFhmVm
+KY8AP4GHKg0/If0cY1O+cVJ33meKLLxoV9sH98tAbBUs/jQ7mAH+lGQRBUtp5WxJ
+hIPwSS31RIFglSm9FVEraLU+dl+mzA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec
new file mode 100644
index 0000000000..5bc5674b2c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec
@@ -0,0 +1,7 @@
+issuer:ev_root_rsa_2040
+subject:ev_int_rsa_2048-ev_root_rsa_2040
+issuerKey:evRSA2040
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/ev_int_rsa_2048-ev_root_rsa_2040/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem
new file mode 100644
index 0000000000..982eb60fd4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVTCCAj2gAwIBAgIUaQnDkiefXQWH/NTUbBlfx7LtXIMwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMCExHzAdBgNVBAMMFmV2X2ludF9yc2FfMjA0OC1ldnJvb3QwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT
+2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV
+JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8N
+jf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCA
+BiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVh
+He4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMB
+AAGjgZAwgY0wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwTwYIKwYBBQUHAQEE
+QzBBMD8GCCsGAQUFBzABhjNodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvZXZf
+aW50X3JzYV8yMDQ4LWV2cm9vdC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUa
+AYN0CQEwDQYJKoZIhvcNAQELBQADggEBAFr4zW09JSWiZyP/xLgjaSwybNjNy844
++RveDtS0i9k3MgNI4pmG82CqfaMDdQYUSdiIDFLLZMbKYNU9pBG0WUr2AlPAMsU4
+Pt1I4/IT6xAQvB9reuKeHdM7r99W1r5IYmRFf4YHcGTeNOTBExaQCsnAwk1nWj4+
++dNQidDkzcvb2CMcp5DvILtYyFam9irx1K2u/pzH4naBeXjvuCk2gE+nK9nBZUuD
+Ot0Lg/hHNK/ultREiFoBXkEyuLHbUxfNug6SfUvppXy2tCR+bA98QkwM25LflG4J
+/Bej2fWYhDcO1keGO9A9STb6S/4T64AVbqDZNILRwFENWKoarvcE3YA=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem.certspec
new file mode 100644
index 0000000000..a0cb6250dc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:ev_int_rsa_2048-evroot
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/ev_int_rsa_2048-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key
new file mode 100644
index 0000000000..bcd996ab23
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEuQIBADANBgkqhkiG9w0BAQEFAASCBKMwggSfAgEAAoIBAADKcCDcIV9XkU00
+P65KAVERaXr5l6Xs6RhmSZ/CPxuIoRjL0wsQ2Rx7mg1O6JcvyuVsr1fyX8EnWipN
+vLmCQowy71h78jh0EDMKD/sWuAKb14OWnvZ19t44wY9nGTy2wHL4sj0LM3QRJiel
+e5AFV3HZ5iYD9TeI1/Y6+nJPXRCAlt8x+J8msetffENXmA4Aj81V2CfdJiOVyi9S
+ageJfMQMWTs4cW68DKpZZxnG8prJtzp6lEdIo6o+CenrTUYeoAJ+VAkmYUcoudJD
+l1z5oFQb79JedrUflREQsOdkT8fjhEF5G20iJzhMuABOIzQjcrHPXMPnPjG3u++h
+YOaGLrsCAwEAAQKCAQAAstt0vOkjYqv3KVWmOK6HILowM7t/lxyvORiNdULqocGr
+tdIFseIRH0eRwIkRouFB6M/XBUcC0jEAtWQsBuGjGxGK/R+aLzlsztQlxQHZFDXK
+hlZ2bO0rk7u4Zp/Om6zXJ9Hayz2vq8MpPjU4nu+OoLWOGusaIOamH5/NRT91Z/4x
+0SO2FqJv703x1sn3SQER0Cju/R2XIEWxokInPdemfr8RHbJ0GlqTx7IonMSiNvWp
+mm7HqCBv2uHB0EvbsZgNSimMWhfa5BhkdKX3g12IK87ySu9O1vFJ+U2WyffXjmR/
+x3ipAX/yCNO0oXaLGCFiECzasDL6u6s41SAKMkZJAoGADzhE0NTU1qIazXam/DcL
+hVDh1+xaYjQXLnkPACmuZR9tXFkzCrGYArnXogfeeh+3eON3T9vcQRdQYz2NGz/g
+dQBv/P0dEOdjx6kifS1fDC2t4cnmWcNQoVnTa7mG8SY21PmUKyiLwP4h2oeZR3Fz
+FEJJyi44nmxcJap4yMrX1N8CgYANTQvt0ZYvB6Hq1rI6TtZ66vEnDwUqbSm6B0lF
+xjYaXE+PB7+FngZ67T9ObjI+8qqKas00CwvcfP5P0ynjyX+HDH93NXksaqnQ9+dU
+KijtbwGw5VorjZwkplxtoxTJVIT1x8OVSoG7AWsH7RfumwYDlpW8oFmnn43CQj0y
+jVJlpQKBgAnymi/wW+ipbWFLoxsIk1QgqGxrxCuZpmkuoNpXY/AeWWlZt93Oc++c
+Lk9uW0BxCIdQDUS6DDzTEyy6J0dfOcLfdVLi0SOiSXpPlwZAKHaaSKNiRlf3K/U5
+89DeI0/szTvooKqQxr9umwvtQwcKJNBh/z7RdRo+8v9/a5C529X7AoGAAaZZ4XDK
+wSCgO+HPj53xyqNTsDWTvXR25YU72HTChziGAcbDQc6dHShKXu8aOmadMrgWpers
+2LeET+BwZLm8oMKzGNVAJ3s/fxUQ04a7NuA7BHceXSKeiIk+E7dTv7lFGLtjjiQE
+vW5qmTwWaNk/wLgv8IqvNDR9P+g5cQjIfKUCgYAEAlfA1KIcC5hDKXxlZS22YwT7
+Jjdz1yi2q/oG03rAymLGKAI+CeN9wKkB5M4SJBgOJYKjqktqGnuY4r1wB3rsFKyK
+tmp1XHHg/BAkcfm7wbRqlaoLZF8sOOdkUCiWGeo/XormEDe//PgknyKqTnbioBkJ
+8/6ykM6T7fV7EOvnlg==
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key.keyspec
new file mode 100644
index 0000000000..a85e16858b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key.keyspec
@@ -0,0 +1 @@
+evRSA2040
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem
new file mode 100644
index 0000000000..fe3abd78a8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4zCCAcygAwIBAgIUJ7nCMgtzNcSPG7jAh3CWzlTGHQgwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQZXZfcm9vdF9yc2FfMjA0MDAiGA8yMDE1MDEwMTAwMDAw
+MFoYDzIwMzUwMTAxMDAwMDAwWjAbMRkwFwYDVQQDDBBldl9yb290X3JzYV8yMDQw
+MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQAAynAg3CFfV5FNND+uSgFR
+EWl6+Zel7OkYZkmfwj8biKEYy9MLENkce5oNTuiXL8rlbK9X8l/BJ1oqTby5gkKM
+Mu9Ye/I4dBAzCg/7FrgCm9eDlp72dfbeOMGPZxk8tsBy+LI9CzN0ESYnpXuQBVdx
+2eYmA/U3iNf2OvpyT10QgJbfMfifJrHrX3xDV5gOAI/NVdgn3SYjlcovUmoHiXzE
+DFk7OHFuvAyqWWcZxvKaybc6epRHSKOqPgnp601GHqACflQJJmFHKLnSQ5dc+aBU
+G+/SXna1H5URELDnZE/H44RBeRttIic4TLgATiM0I3Kxz1zD5z4xt7vvoWDmhi67
+AgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEB
+CwUAA4IBAAA/4/YVyeRLPr05Uw5j0JOCx5WNUv2HxemfvTZgF4QEg4vDt8ba3VDR
+Xj3Z8hiGYG+s2Wz4k+82wCNRTglm3iutCJ/LbwOAZIa8dFyQUa03EssS0BBvVNhx
+uu6+kYMqGteIX5Q94daqZe+0KM9xKbydNCQJKSMD8IV1YHKvotF91MFQHDdnVAZX
+anpqDnw0j4YGknFHA1i++0GZC0aWxhRn6Epfza+bYCVogC5BviY6xYIg2kZE8kII
+msQ6iUrKQ2OV7HmZ03BdpsGADorycyJ/wRGR3xDDg8RYUur80jU/D0eBq8BX1md8
+Rc+IyDmcFcs7hYRUaJAoxuLPvQ+/vy4=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem.certspec
new file mode 100644
index 0000000000..fd1ade8dea
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem.certspec
@@ -0,0 +1,7 @@
+issuer:ev_root_rsa_2040
+subject:ev_root_rsa_2040
+issuerKey:evRSA2040
+subjectKey:evRSA2040
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key
new file mode 100644
index 0000000000..1d88a930d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh
++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU
+dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H
+cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y
+1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t
+oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ
+5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB
+0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+
++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE
+vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9
+HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE
+MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V
+vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV
+7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH
+lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V
+jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv
+nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui
+p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ
+zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v
+4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA
+hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C
+pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV
+bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3
+mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j
+LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf
+UVFRDKpassHG6z7+kpXRbowlyRY=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key.keyspec
new file mode 100644
index 0000000000..1a3d76a550
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key.keyspec
@@ -0,0 +1 @@
+ev
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem
new file mode 100644
index 0000000000..13c3031905
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx
+MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/
+EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN
+RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s
+33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd
+Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX
++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+
+5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo
+UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf
+cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY
+Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH
+z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH
+HmbOwao=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem.certspec
new file mode 100644
index 0000000000..3121f3486e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:evroot
+subjectKey:ev
+issuerKey:ev
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_logoutAndTeardown.js b/security/manager/ssl/tests/unit/test_logoutAndTeardown.js
new file mode 100644
index 0000000000..c3299a47c1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_logoutAndTeardown.js
@@ -0,0 +1,195 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+"use strict";
+
+// This test ensures that in-progress https connections are cancelled when the
+// user logs out of a PKCS#11 token.
+
+// Get a profile directory and ensure PSM initializes NSS.
+do_get_profile();
+Cc["@mozilla.org/psm;1"].getService(Ci.nsISupports);
+
+function getTestServerCertificate() {
+ const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ const certFile = do_get_file("test_certDB_import/encrypted_with_aes.p12");
+ certDB.importPKCS12File(certFile, "password");
+ for (const cert of certDB.getCerts()) {
+ if (cert.commonName == "John Doe") {
+ return cert;
+ }
+ }
+ return null;
+}
+
+class InputStreamCallback {
+ constructor(output) {
+ this.output = output;
+ this.stopped = false;
+ }
+
+ onInputStreamReady(stream) {
+ info("input stream ready");
+ if (this.stopped) {
+ info("input stream callback stopped - bailing");
+ return;
+ }
+ let available = 0;
+ try {
+ available = stream.available();
+ } catch (e) {
+ // onInputStreamReady may fire when the stream has been closed.
+ equal(
+ e.result,
+ Cr.NS_BASE_STREAM_CLOSED,
+ "error should be NS_BASE_STREAM_CLOSED"
+ );
+ }
+ if (available > 0) {
+ let request = NetUtil.readInputStreamToString(stream, available, {
+ charset: "utf8",
+ });
+ ok(
+ request.startsWith("GET / HTTP/1.1\r\n"),
+ "Should get a simple GET / HTTP/1.1 request"
+ );
+ let response =
+ "HTTP/1.1 200 OK\r\n" +
+ "Content-Length: 2\r\n" +
+ "Content-Type: text/plain\r\n" +
+ "\r\nOK";
+ let written = this.output.write(response, response.length);
+ equal(
+ written,
+ response.length,
+ "should have been able to write entire response"
+ );
+ }
+ this.output.close();
+ info("done with input stream ready");
+ }
+
+ stop() {
+ this.stopped = true;
+ this.output.close();
+ }
+}
+
+class TLSServerSecurityObserver {
+ constructor(input, output) {
+ this.input = input;
+ this.output = output;
+ this.callbacks = [];
+ this.stopped = false;
+ }
+
+ onHandshakeDone(socket, status) {
+ info("TLS handshake done");
+ info(`TLS version used: ${status.tlsVersionUsed}`);
+
+ if (this.stopped) {
+ info("handshake done callback stopped - bailing");
+ return;
+ }
+
+ let callback = new InputStreamCallback(this.output);
+ this.callbacks.push(callback);
+ this.input.asyncWait(callback, 0, 0, Services.tm.currentThread);
+
+ // We've set up everything needed for a successful request/response,
+ // but calling logoutAndTeardown should cause the request to be cancelled.
+ Cc["@mozilla.org/security/sdr;1"]
+ .getService(Ci.nsISecretDecoderRing)
+ .logoutAndTeardown();
+ }
+
+ stop() {
+ this.stopped = true;
+ this.input.close();
+ this.output.close();
+ this.callbacks.forEach(callback => {
+ callback.stop();
+ });
+ }
+}
+
+class ServerSocketListener {
+ constructor() {
+ this.securityObservers = [];
+ }
+
+ onSocketAccepted(socket, transport) {
+ info("accepted TLS client connection");
+ let connectionInfo = transport.securityCallbacks.getInterface(
+ Ci.nsITLSServerConnectionInfo
+ );
+ let input = transport.openInputStream(0, 0, 0);
+ let output = transport.openOutputStream(0, 0, 0);
+ let securityObserver = new TLSServerSecurityObserver(input, output);
+ this.securityObservers.push(securityObserver);
+ connectionInfo.setSecurityObserver(securityObserver);
+ }
+
+ // For some reason we get input stream callback events after we've stopped
+ // listening, so this ensures we just drop those events.
+ onStopListening() {
+ info("onStopListening");
+ this.securityObservers.forEach(observer => {
+ observer.stop();
+ });
+ }
+}
+
+function getStartedServer(cert) {
+ let tlsServer = Cc["@mozilla.org/network/tls-server-socket;1"].createInstance(
+ Ci.nsITLSServerSocket
+ );
+ tlsServer.init(-1, true, -1);
+ tlsServer.serverCert = cert;
+ tlsServer.setSessionTickets(false);
+ tlsServer.asyncListen(new ServerSocketListener());
+ return tlsServer;
+}
+
+const hostname = "example.com";
+
+function storeCertOverride(port, cert) {
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.rememberValidityOverride(hostname, port, {}, cert, true);
+}
+
+function startClient(port) {
+ let req = new XMLHttpRequest();
+ req.open("GET", `https://${hostname}:${port}`);
+ return new Promise((resolve, reject) => {
+ req.onload = () => {
+ ok(false, "should not have gotten load event");
+ resolve();
+ };
+ req.onerror = () => {
+ ok(true, "should have gotten an error");
+ resolve();
+ };
+
+ req.send();
+ });
+}
+
+add_task(async function() {
+ Services.prefs.setCharPref("network.dns.localDomains", hostname);
+ let cert = getTestServerCertificate();
+
+ let server = getStartedServer(cert);
+ storeCertOverride(server.port, cert);
+ await startClient(server.port);
+ server.close();
+});
+
+registerCleanupFunction(function() {
+ Services.prefs.clearUserPref("network.dns.localDomains");
+});
diff --git a/security/manager/ssl/tests/unit/test_missing_intermediate.js b/security/manager/ssl/tests/unit/test_missing_intermediate.js
new file mode 100644
index 0000000000..2a723b2a0f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_missing_intermediate.js
@@ -0,0 +1,92 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that if a server does not send a complete certificate chain, we can
+// make use of cached intermediates to build a trust path.
+
+const { TestUtils } = ChromeUtils.importESModule(
+ "resource://testing-common/TestUtils.sys.mjs"
+);
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+registerCleanupFunction(() => {
+ let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ certDir.append("bad_certs");
+ Assert.ok(certDir.exists(), "bad_certs should exist");
+ let args = ["-D", "-n", "manually-added-missing-intermediate"];
+ run_certutil_on_directory(certDir.path, args, false);
+});
+
+function run_test() {
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+ // If we don't know about the intermediate, we'll get an unknown issuer error.
+ add_connection_test(
+ "ee-from-missing-intermediate.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+
+ // Make BadCertAndPinningServer aware of the intermediate.
+ add_test(() => {
+ let args = [
+ "-A",
+ "-n",
+ "manually-added-missing-intermediate",
+ "-i",
+ "test_missing_intermediate/missing-intermediate.pem",
+ "-a",
+ "-t",
+ ",,",
+ ];
+ let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ certDir.append("bad_certs");
+ Assert.ok(certDir.exists(), "bad_certs should exist");
+ run_certutil_on_directory(certDir.path, args);
+ run_next_test();
+ });
+
+ // We have to start observing the topic before there's a chance it gets
+ // emitted.
+ add_test(() => {
+ TestUtils.topicObserved("psm:intermediate-certs-cached").then(
+ subjectAndData => {
+ Assert.equal(subjectAndData.length, 2, "expecting [subject, data]");
+ Assert.equal(subjectAndData[1], "1", `expecting "1" cert imported`);
+ run_next_test();
+ }
+ );
+ run_next_test();
+ });
+ // Connect and cache the intermediate.
+ add_connection_test(
+ "ee-from-missing-intermediate.example.com",
+ PRErrorCodeSuccess
+ );
+
+ // Add a dummy test so that the only way we advance from here is by observing
+ // "psm:intermediate-certs-cached".
+ add_test(() => {});
+
+ // Delete the intermediate on the server again.
+ add_test(() => {
+ clearSessionCache();
+ let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ certDir.append("bad_certs");
+ Assert.ok(certDir.exists(), "bad_certs should exist");
+ let args = ["-D", "-n", "manually-added-missing-intermediate"];
+ run_certutil_on_directory(certDir.path, args);
+ run_next_test();
+ });
+
+ // Since we cached the intermediate in gecko, this should succeed.
+ add_connection_test(
+ "ee-from-missing-intermediate.example.com",
+ PRErrorCodeSuccess
+ );
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem
new file mode 100644
index 0000000000..3ba4cc67d1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAcigAwIBAgIUXVqax21Zg1E4snLU25SGHPmGws8wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAfMR0wGwYDVQQDDBRNaXNzaW5nIEludGVybWVkaWF0ZTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQAD
+ggEBAJU1u07/x6ATZrK4/Cq6cqTbdkoUJRfZERwJBx4mBnQTbQXBhuo2y4qF+J7U
+SA3LKtfAHRJGkH7nBwRIlAxfN87saJcVXMA8n6WRHNjrDzhK7bZtt1sS23tBCtbs
+TxrMCmfrR2tVZApuGa3lwz8gWhzZkZvoENuqqFAM5nMroKjpKVDFRDAn/Ub7lsvQ
+vQqXti0EqMcg7e6rmBQEvwD0L9sagFLyIqtQM2n901vDlLUfnWrddVH3pA0O3KAr
+ft079b4Lh7RPyeocSU++xGtQ+jkx1WjNtNhVSUNjrmxQMhqAgFPONhJOTo3FqeYO
+T/Rt5MdiZpnMuD2C3VF2r9rTURU=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem.certspec b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem.certspec
new file mode 100644
index 0000000000..c21e757449
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Missing Intermediate
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_name_constraints.js b/security/manager/ssl/tests/unit/test_name_constraints.js
new file mode 100644
index 0000000000..e04eb93b0c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints.js
@@ -0,0 +1,71 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// This test tests two specific items:
+// 1. Are name constraints properly enforced across the entire constructed
+// certificate chain? This makes use of a certificate hierarchy like so:
+// - (trusted) root CA with permitted subtree dNSName example.com
+// - intermediate CA with permitted subtree dNSName example.org
+// a. end-entity with dNSNames example.com and example.org
+// (the first entry is allowed by the root but not by the intermediate,
+// and the second entry is allowed by the intermediate but not by the
+// root)
+// b. end-entity with dNSName example.com (not allowed by the intermediate)
+// c. end-entity with dNSName examle.org (not allowed by the root)
+// d. end-entity with dNSName example.test (not allowed by either)
+// All of these cases should fail to verify with the error that the
+// end-entity is not in the name space permitted by the hierarchy.
+//
+// 2. Are externally-imposed name constraints properly enforced? This makes use
+// of a certificate hierarchy rooted by a certificate with the same DN as an
+// existing hierarchy that has externally-imposed name constraints (DCISS).
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function certFromFile(name) {
+ return constructCertFromFile(`test_name_constraints/${name}.pem`);
+}
+
+function loadCertWithTrust(certName, trustString) {
+ addCertFromFile(certdb, `test_name_constraints/${certName}.pem`, trustString);
+}
+
+function checkCertNotInNameSpace(cert) {
+ return checkCertErrorGeneric(
+ certdb,
+ cert,
+ SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
+ certificateUsageSSLServer
+ );
+}
+
+function checkCertInNameSpace(cert) {
+ return checkCertErrorGeneric(
+ certdb,
+ cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+}
+
+add_task(async function() {
+ // Test that name constraints from the entire certificate chain are enforced.
+ loadCertWithTrust("ca-example-com-permitted", "CTu,,");
+ loadCertWithTrust("int-example-org-permitted", ",,");
+ await checkCertNotInNameSpace(certFromFile("ee-example-com-and-org"));
+ await checkCertNotInNameSpace(certFromFile("ee-example-com"));
+ await checkCertNotInNameSpace(certFromFile("ee-example-org"));
+ await checkCertNotInNameSpace(certFromFile("ee-example-test"));
+
+ // Test that externally-imposed name constraints are enforced (DCISS tests).
+ loadCertWithTrust("dciss", "CTu,,");
+ await checkCertInNameSpace(certFromFile("NameConstraints.dcissallowed"));
+ await checkCertNotInNameSpace(certFromFile("NameConstraints.dcissblocked"));
+});
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem
new file mode 100644
index 0000000000..8058f77b23
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVzCCAj+gAwIBAgIUByfcws/1BsAT11Q4PQoblWadQD0wDQYJKoZIhvcNAQEL
+BQAwgYUxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBh
+cmlzMRAwDgYDVQQKEwdQTS9TR0ROMQ4wDAYDVQQLEwVEQ1NTSTEOMAwGA1UEAxMF
+SUdDL0ExIzAhBgkqhkiG9w0BCQEWFGlnY2FAc2dkbi5wbS5nb3V2LmZyMCIYDzIw
+MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEExCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJDQTEMMAoGA1UECgwDRm9vMRcwFQYDVQQDDA5mb28uZXhhbXBsZS5m
+cjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG
+NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn
+RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu
+p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ
+Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p
+47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1
+7Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEADR+2W/J/dKAwAf8I06e89ZBKd0H5
+yxJqgpwCZfhtjT200R0KUy3Idml1TVdvM1J/hLKu5dMtQ6ewGZIEpf9A+TQ/CN8U
+0D1m94HUAIZDMt+I/9FjXff9OrLOBxU1AQtlK9dunE0751bqq2aIvdMYcD3D3sHQ
+jj1gxmsdoxWmoE7vTcwXzkTOX6s9SsylGmqWDuoNl2gioyAU0MFIgTkNRxuUOfSR
+0LtBHsqEmWYXAjLFqRwa09NZ49jRq+n64svv65gdkKeuecvdYEnFQPKhQJHh0UE8
+oq3T7HWiGkaPgQ2FfFwIXGSQD+jJTDV+hzH5wuWbnxW5bl/Tq1olAh0S+w==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec
new file mode 100644
index 0000000000..1a02a0cc1a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec
@@ -0,0 +1,2 @@
+issuer:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
+subject:/C=US/ST=CA/O=Foo/CN=foo.example.fr
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem
new file mode 100644
index 0000000000..4b29717d91
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWDCCAkCgAwIBAgIUeThptwYWQpW7Kmc4xj2lLpzdjfIwDQYJKoZIhvcNAQEL
+BQAwgYUxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBh
+cmlzMRAwDgYDVQQKEwdQTS9TR0ROMQ4wDAYDVQQLEwVEQ1NTSTEOMAwGA1UEAxMF
+SUdDL0ExIzAhBgkqhkiG9w0BCQEWFGlnY2FAc2dkbi5wbS5nb3V2LmZyMCIYDzIw
+MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEIxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJDQTEMMAoGA1UECgwDRm9vMRgwFgYDVQQDDA9mb28uZXhhbXBsZS5j
+b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI
+BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa
+p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB
+7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C
+kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv
+aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK
+Ne2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAHG3W9MHDLoH+PtllciSci7+QaNX
+lSb/+OyqCpx/XkjS2/Bd8+c4Pbn7GdrR/Nf17f/KZ5qgY+uO6NExeh3LrGvTKkig
+Kpt+Uij0iVBd9XTzTnHZdU3EW1Y3539TBT0ABilG1YlKlpJWA+fzUWRo9vHPcETm
+KJRH3eKtyXTHeRPpOSG2afJKzqfkiGSK/zvWe5YjTKLhJGRRnX37SG7GIA7l1kX7
+1UPJs2Wtr05qrUmSBSgP0k+T7pi4+94/TgMjai//E802m7EdfSfRsvUEnh6Lv1Mk
+iY8C6RsPQIhTr4dsp04TazciE42TfsPZ/zpgf5AHF+Xrz1AoFdNABpXAcNk=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec
new file mode 100644
index 0000000000..eabee87e83
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec
@@ -0,0 +1,2 @@
+issuer:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
+subject:/C=US/ST=CA/O=Foo/CN=foo.example.com
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem
new file mode 100644
index 0000000000..f96b43db09
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDETCCAfmgAwIBAgIUI3lD7Re7UzKxqghLVnq19q1yxakwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2EtZXhhbXBsZS1jb20tcGVybWl0dGVkMCIYDzIwMjEx
+MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCMxITAfBgNVBAMMGGNhLWV4YW1w
+bGUtY29tLXBlcm1pdHRlZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG
+8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V
+gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3
+04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l
+0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz
+/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaM5MDcwDAYDVR0TBAUwAwEB/zALBgNVHQ8E
+BAMCAQYwGgYDVR0eBBMwEaAPMA2CC2V4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUA
+A4IBAQCqe0psTB+mMNH5u+5ZNGy27aYGpl4hegtWQtNUYmNWL6xnSJwLB+4tKtHG
+I6HKMNQ9so3l0x28jitBbcnbSSkVV+Q2upVziZX8uNgg2613O//loKhvvSeJqeVw
+vGfPNnIkwcSpTMqDyYuY1tSA2dW3fMeX6kqnP5nupmERt60Xqxd56XZaAC4ZI0vY
+FVIbxCrxuBHDi/hcGCDFUB3gnwE+CNqTnNOh95w1nRLuBJxyrUF3SFrLVdlbSO9Q
+YXD20E7e79ZdGCcIZFIvCG5AKDzd0amEVJ/GGNuqZGa3+ScP5PVd571KcFB0nl7s
+hGWiQsC/9yJg0eZNZ64hlWLofeYf
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec
new file mode 100644
index 0000000000..1cc3c1d81b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca-example-com-permitted
+subject:ca-example-com-permitted
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:nameConstraints:permitted:example.com
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem
new file mode 100644
index 0000000000..632d60fd51
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIULcsHU0vMF8j+8wH20P0dJztPKgEwDQYJKoZIhvcNAQEL
+BQAwgYUxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBh
+cmlzMRAwDgYDVQQKEwdQTS9TR0ROMQ4wDAYDVQQLEwVEQ1NTSTEOMAwGA1UEAxMF
+SUdDL0ExIzAhBgkqhkiG9w0BCQEWFGlnY2FAc2dkbi5wbS5nb3V2LmZyMCIYDzIw
+MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMIGFMQswCQYDVQQGEwJGUjEP
+MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczEQMA4GA1UEChMHUE0vU0dE
+TjEOMAwGA1UECxMFRENTU0kxDjAMBgNVBAMTBUlHQy9BMSMwIQYJKoZIhvcNAQkB
+FhRpZ2NhQHNnZG4ucG0uZ291di5mcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x
+nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM
+wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF
+4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20
+yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx
+j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zAL
+BgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABMUv/zQZiMOGUd8VhQ2Bpct
+bFy+LXpRmPZKuaxAeXWJOOO6YzXKWu5Ozvy1B0+2+OpS7eTWO/4p/sBcqmHuIf45
+jCPDm6RhRDXe+9zGKqv9dt0hXpZwUx7q9nUIlDsyVKrJ2XRd70EAvrpqbJBN2ztF
+dGwvVFXYINyOFVBfMbdUnbqtwUMUoYQ8UgoTAoJTA09nfIv6YXIebX553u/ZOcpk
+wQbyl69r8hc5pYxKdEBqjqfy6rrl7/h6ptTSJDp+z0EBCG592WVClVu3cpaRlnQt
+/gSHxGH+ZTFKqjrf2pP9a34DtepJL1K/LNHv+XpnmUK6hSLkW9aR+MtK5A7lROg=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec
new file mode 100644
index 0000000000..5d53706bc5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
+subject:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem
new file mode 100644
index 0000000000..f49fe5ebcc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/jCCAeagAwIBAgIUa3sb3Kmjzf4Q38n9GGzgAluQs3UwDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIx
+MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAhMR8wHQYDVQQDDBZlZS1leGFt
+cGxlLWNvbS1hbmQtb3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby
+a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC
+D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT
+iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT
+Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+
+SSP6clHEMdUDrNoYCjXtjQIDAQABoycwJTAjBgNVHREEHDAaggtleGFtcGxlLmNv
+bYILZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQELBQADggEBAEp9KUBTRs8erSIiiAj1
+HVtbJyvBipgvWQHG/4G7A3tm6E0ZGZRofhovLspsDCdoaEiHSmLpxAjzAcYNA68v
+OPloyfV8H0p/V0h/PzQKjJYcx4oQ5xt/TVo7oUgDL2ap37rMDYzXevSFJ/hFRJjX
+IWrWoCwweGJrXlyRyF84SmC1oMWDfwOxNpDDOc1qW/+6Rhftx361B3GBe7A9Xb5g
+X6I4xCFYSLnHMMBSfqsfLZkTb+rqpeLy1k0BBpJWZP1Dbgy3BCmWhyzMG1n6IYwr
+Nqg35i2YhCFlr/lNvwy+Jix9EjAmrYVl8rJ0eOHUoFGyphzv331kO4B8MiZo33rY
+Ci4=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec
new file mode 100644
index 0000000000..904ca65955
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-example-org-permitted
+subject:ee-example-com-and-org
+extension:subjectAlternativeName:example.com,example.org
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem
new file mode 100644
index 0000000000..e1872fb869
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6TCCAdGgAwIBAgIUNyYkQhaojroU27Ob3YEOgU/gSIowDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIx
+MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAZMRcwFQYDVQQDDA5lZS1leGFt
+cGxlLWNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaMaMBgwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wDQYJKoZI
+hvcNAQELBQADggEBAEbqCfq2MUMQ9/Y3GYVUCJZOTQd6LFbk7edj/d5B0MLialsm
+xZ9+4/hv98hiL3V3rJPsZNLMgaZjE10Yer+HdwC8do2OsuIO85UA4oWJKKjjLbUO
+Mek36zrzcgrbWqGEthXgnUwvUGKedEgeIoPzhN4UT3Ifkf1u0L308kc+0bnhQlEJ
+V49YCMoyrIX/mzYs5D3zd1IxlWN3WNVfzF+pmQQ6LSfI8OtppCgRuNYDY3Md7Lqc
+x+QITmjJYZJJN2hpRJPMoUagF89M3XUj/6w4oLNBJmF02VrU/4JChEyKqmAqNCi/
+Z0nDqmRwXyO8tnTIzx7XJcb9CDIoaBCzgoP2nCc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec
new file mode 100644
index 0000000000..46630c4a1a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-example-org-permitted
+subject:ee-example-com
+extension:subjectAlternativeName:example.com
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem
new file mode 100644
index 0000000000..9b820e9a3f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6TCCAdGgAwIBAgIUK/q+41F1BJ5V5yLuTubosg8UyzowDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIx
+MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAZMRcwFQYDVQQDDA5lZS1leGFt
+cGxlLW9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaMaMBgwFgYDVR0RBA8wDYILZXhhbXBsZS5vcmcwDQYJKoZI
+hvcNAQELBQADggEBAK38zSQwGdXOtrm9KyhDC2iUXdL+bmQyVPXqxgOsc39oG4kK
+yQ49cmkrdTfrOccrXVK80mJaSlMccQkv7++BlWhxE0yJw4nU5PGfGZ1wbKdYgTXx
+YYrqk7WTEZ28jvf42MXtz+YPceGLFI5jm4CACE4+RFjBUydRmadbIQytp5wz+rDX
+90RAHw6K5niEylXpkaqIUjZj27qQRHX7X/2N9rFj0Z8c7wSrCA4RsG9RPWtDgoE8
+NtgqMrRqDwbIzxWw4RtnirErgk+1aFAleNJ8bS3QBTO/a5PWFwUi5/ZePpI+7+Gf
+flEWX+zxAOdQCLNWRnk8BMjnuBN8rL9cj3s1okw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec
new file mode 100644
index 0000000000..6a24090e51
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-example-org-permitted
+subject:ee-example-org
+extension:subjectAlternativeName:example.org
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem
new file mode 100644
index 0000000000..53cd45391e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6zCCAdOgAwIBAgIULd4A5nOUpfcpueUvavcnGwnza44wDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIx
+MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9lZS1leGFt
+cGxlLXRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W
+1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtq
+ZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx
+0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthV
+t2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo
+4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx
+1QOs2hgKNe2NAgMBAAGjGzAZMBcGA1UdEQQQMA6CDGV4YW1wbGUudGVzdDANBgkq
+hkiG9w0BAQsFAAOCAQEAGclmIUn18xP9ZBL5dIZ6SDS1tYgwbDdczT6Lxe1QWILy
+QxM5cL30hxf/O9dOBqCnv1px72RemKx9H0S5dr1JSaq4q+cuwtIqWlIiBAF3APoj
+HpOct+VsLI+UxyfvTKVSvWXKgXdlvKYQ4FMu1CUI90dmRNP2fQbEMYqkbAoQXz47
+2Qk19gMhmTGah0RXE5cBfMf+3VD508dJejyzA+yA9hw5HUsH3tvSIX9JhP7s+wyu
+cyMUfovHS20ML1VQ+Lzf2YQO0lhxmS3UMSEg2h4MBUcgLaJEeGpDt2WCJKliISk5
+TaJDaiQBTrd6eupMegUQcVn0UrBD4hxrPiAg1ibU3Q==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec
new file mode 100644
index 0000000000..0926ce477a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-example-org-permitted
+subject:ee-example-test
+extension:subjectAlternativeName:example.test
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem
new file mode 100644
index 0000000000..715ee48d57
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEjCCAfqgAwIBAgIUC12ZLFrh+TExo/zOUHTYqBfd0ZMwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2EtZXhhbXBsZS1jb20tcGVybWl0dGVkMCIYDzIwMjEx
+MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCQxIjAgBgNVBAMMGWludC1leGFt
+cGxlLW9yZy1wZXJtaXR0ZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a
+hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t
+FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o
+N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d
+JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4
+s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOTA3MAwGA1UdEwQFMAMBAf8wCwYDVR0P
+BAQDAgEGMBoGA1UdHgQTMBGgDzANggtleGFtcGxlLm9yZzANBgkqhkiG9w0BAQsF
+AAOCAQEAlnz9bttQ1SXr8R9fYrSQPPHXCQ2KfQNm3WWVj/jZwwcLokG3U8o9qpMn
+0LZ8AW9726SK2YzkBEHsCA58Vi+4Sh/m4GGue6RKx02w2H3r+D9U+oB2VvqK71ga
+HoS9FAy+Wy8f9dceZpJbteCpz/e7UTM+6BPXOp5F+VZoCk0jKhzhYEYqONTIL0Xk
+/1IhkUT5jf3WNbAuGXhgUMc4Q6UdXj4GcYM1rx3r3YOb+wX1Zh0rjgkIEyBT5JFH
+yBqBDWG9xhMoftQYkLb1VGIms/HcaEsP6ckz2sev6ZDRrhRQS+SU44X6bpKddqYo
+xRRqtHKbc7bjutoBFGxNzJNRPvzCLg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec
new file mode 100644
index 0000000000..87e2cf8a56
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca-example-com-permitted
+subject:int-example-org-permitted
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:nameConstraints:permitted:example.org
diff --git a/security/manager/ssl/tests/unit/test_nonascii_path.js b/security/manager/ssl/tests/unit/test_nonascii_path.js
new file mode 100644
index 0000000000..3c31640d05
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_nonascii_path.js
@@ -0,0 +1,52 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests to make sure that the certificate DB works with non-ASCII paths.
+
+// Append a single quote and non-ASCII characters to the profile path.
+let profd = Services.env.get("XPCSHELL_TEST_PROFILE_DIR");
+let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile);
+file.initWithPath(profd);
+file.append("'÷1");
+Services.env.set("XPCSHELL_TEST_PROFILE_DIR", file.path);
+
+file = do_get_profile(); // must be called before getting nsIX509CertDB
+Assert.ok(
+ /[^\x20-\x7f]/.test(file.path),
+ "the profile path should contain a non-ASCII character"
+);
+
+// Restore the original value.
+Services.env.set("XPCSHELL_TEST_PROFILE_DIR", profd);
+
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function load_cert(cert_name, trust_string) {
+ let cert_filename = cert_name + ".pem";
+ return addCertFromFile(
+ certdb,
+ "test_cert_trust/" + cert_filename,
+ trust_string
+ );
+}
+
+function run_test() {
+ let certList = ["ca", "int", "ee"];
+ let loadedCerts = [];
+ for (let certName of certList) {
+ loadedCerts.push(load_cert(certName, ",,"));
+ }
+
+ let ca_cert = loadedCerts[0];
+ notEqual(ca_cert, null, "CA cert should have successfully loaded");
+ let int_cert = loadedCerts[1];
+ notEqual(int_cert, null, "Intermediate cert should have successfully loaded");
+ let ee_cert = loadedCerts[2];
+ notEqual(ee_cert, null, "EE cert should have successfully loaded");
+}
diff --git a/security/manager/ssl/tests/unit/test_nsCertType.js b/security/manager/ssl/tests/unit/test_nsCertType.js
new file mode 100644
index 0000000000..8341575473
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_nsCertType.js
@@ -0,0 +1,32 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+//
+// While the Netscape certificate type extension is not a standard and has been
+// discouraged from use for quite some time, it is still encountered. Thus, we
+// handle it slightly differently from other unknown extensions.
+// If it is not marked critical, we ignore it.
+// If it is marked critical:
+// If the basic constraints and extended key usage extensions are also
+// present, we ignore it, because they are standardized and should convey the
+// same information.
+// Otherwise, we reject it with an error indicating an unknown critical
+// extension.
+
+"use strict";
+
+function run_test() {
+ do_get_profile();
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+ add_connection_test("nsCertTypeNotCritical.example.com", PRErrorCodeSuccess);
+ add_connection_test(
+ "nsCertTypeCriticalWithExtKeyUsage.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "nsCertTypeCritical.example.com",
+ SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION
+ );
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_nsIX509CertValidity.js b/security/manager/ssl/tests/unit/test_nsIX509CertValidity.js
new file mode 100644
index 0000000000..8650409df7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_nsIX509CertValidity.js
@@ -0,0 +1,25 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// This file tests the nsIX509CertValidity implementation.
+
+function run_test() {
+ // Date.parse("2013-01-01T00:00:00Z")
+ const NOT_BEFORE_IN_MS = 1356998400000;
+ // Date.parse("2014-01-01T00:00:00Z")
+ const NOT_AFTER_IN_MS = 1388534400000;
+ let cert = constructCertFromFile("bad_certs/expired-ee.pem");
+
+ equal(
+ cert.validity.notBefore,
+ NOT_BEFORE_IN_MS * 1000,
+ "Actual and expected notBefore should be equal"
+ );
+ equal(
+ cert.validity.notAfter,
+ NOT_AFTER_IN_MS * 1000,
+ "Actual and expected notAfter should be equal"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_nsIX509Cert_utf8.js b/security/manager/ssl/tests/unit/test_nsIX509Cert_utf8.js
new file mode 100644
index 0000000000..6305b878b4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_nsIX509Cert_utf8.js
@@ -0,0 +1,96 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Checks that various nsIX509Cert attributes correctly handle UTF-8.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function run_test() {
+ let cert = certDB.constructX509FromBase64(
+ "MIIF3DCCBMSgAwIBAgIEAJiZbzANBgkqhkiG9w0BAQUFADCCAQ0xYTBfBgNVBAMM" +
+ "WEkuQ0EgLSBRdWFsaWZpZWQgcm9vdCBjZXJ0aWZpY2F0ZSAoa3ZhbGlmaWtvdmFu" +
+ "w70gY2VydGlmaWvDoXQgcG9za3l0b3ZhdGVsZSkgLSBQU0VVRE9OWU0xCzAJBgNV" +
+ "BAYTAkNaMS8wLQYDVQQHDCZQb2R2aW5uw70gbWzDvW4gMjE3OC82LCAxOTAgMDAg" +
+ "UHJhaGEgOTEsMCoGA1UECgwjUHJ2bsOtIGNlcnRpZmlrYcSNbsOtIGF1dG9yaXRh" +
+ "IGEucy4xPDA6BgNVBAsMM0FrcmVkaXRvdmFuw70gcG9za3l0b3ZhdGVsIGNlcnRp" +
+ "ZmlrYcSNbsOtY2ggc2x1xb5lYjAeFw0wMjEyMTIxMzMzNDZaFw0wMzEyMTIxMzMz" +
+ "NDZaMIIBFDELMAkGA1UEBhMCQ1oxHzAdBgNVBAMeFgBMAHUAZAEbAGsAIABSAGEB" +
+ "YQBlAGsxGTAXBgNVBAgeEABWAHkAcwBvAQ0AaQBuAGExLzAtBgNVBAceJgBQAGEA" +
+ "YwBvAHYALAAgAE4A4QBkAHIAYQF+AG4A7QAgADcANgA5MSUwIwYJKoZIhvcNAQkB" +
+ "FhZsdWRlay5yYXNla0BjZW50cnVtLmN6MRMwEQYDVQQqHgoATAB1AGQBGwBrMQ0w" +
+ "CwYDVQQrHgQATABSMR8wHQYDVQQpHhYATAB1AGQBGwBrACAAUgBhAWEAZQBrMRMw" +
+ "EQYDVQQEHgoAUgBhAWEAZQBrMRcwFQYDVQQFEw5JQ0EgLSAxMDAwMzc2OTCBnzAN" +
+ "BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxc7dGd0cNlHZ7tUUl5k30bfYlY3lnOD0" +
+ "49JGbTXSt4jNFMRLj6s/777W3kcIdcIwdKxjQULBKgryDvZJ1DAWp2TwzhPDVYj3" +
+ "sU4Niqb7mOUcp/4ckteUxGF6FmXtJR9+XHTuLZ+omF9HOUefheBKnXvZuqrLM16y" +
+ "nbJn4sPwwdcCAwEAAaOCAbswggG3MCUGA1UdEQQeMBygGgYKKwMGAQQB3BkCAaAM" +
+ "DAoxNzYyODk2ODgzMGkGA1UdHwRiMGAwHqAcoBqGGGh0dHA6Ly9xLmljYS5jei9x" +
+ "aWNhLmNybDAeoBygGoYYaHR0cDovL2IuaWNhLmN6L3FpY2EuY3JsMB6gHKAahhho" +
+ "dHRwOi8vci5pY2EuY3ovcWljYS5jcmwwHwYDVR0jBBgwFoAUK1oKfvvlDYUsZTBy" +
+ "vGN701mca/UwHQYDVR0OBBYEFPAs70DB+LS0PnA6niPUfJ5wdQH5MIG4BgNVHSAE" +
+ "gbAwga0wgaoGCysGAQQBs2EBAQQEMIGaMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3" +
+ "LmljYS5jei9xY3AvY3BxcGljYTAyLnBkZjBnBggrBgEFBQcCAjBbGllUZW50byBj" +
+ "ZXJ0aWZpa2F0IGplIHZ5ZGFuIGpha28gS3ZhbGlmaWtvdmFueSBjZXJ0aWZpa2F0" +
+ "IHYgc291bGFkdSBzZSB6YWtvbmVtIDIyNy8yMDAwIFNiLjAYBggrBgEFBQcBAwQM" +
+ "MAowCAYGBACORgEBMA4GA1UdDwEB/wQEAwIE8DANBgkqhkiG9w0BAQUFAAOCAQEA" +
+ "v2V+nnYYMIgabmmgHx49CtlZIHdGS3TuWKXw130xFhbXDnNhEbx3alaskNsvjQQR" +
+ "Lqs1ZwKy58yynse+eJYHqenmHDACpAfVpCF9PXC/mDarVsoQw7NTcUpsAFhSd/zT" +
+ "v9jIf3twECyxx/RVzONVcob7nPePESHiKoG4FbtcuUh0wSHvCmTwRIQqPDCIuHcF" +
+ "StSt3Jr9iXcbXEhe4mSccOZ8N+r7Rv3ncKcevlRl7uFfDKDTyd43SZeRS/7J8KRf" +
+ "hD/h2nawrCFwc5gJW10aLJGFL/mcS7ViAIT9HCVk23j4TuBjsVmnZ0VKxB5edux+" +
+ "LIEqtU428UVHZWU/I5ngLw=="
+ );
+
+ equal(
+ cert.emailAddress,
+ "ludek.rasek@centrum.cz",
+ "Actual and expected emailAddress should match"
+ );
+ equal(
+ cert.subjectName,
+ 'serialNumber=ICA - 10003769,SN=RaÅ¡ek,name=LudÄ›k RaÅ¡ek,initials=LR,givenName=LudÄ›k,E=ludek.rasek@centrum.cz,L="Pacov, Nádražní 769",ST=VysoÄina,CN=LudÄ›k RaÅ¡ek,C=CZ',
+ "Actual and expected subjectName should match"
+ );
+ equal(
+ cert.commonName,
+ "Luděk Rašek",
+ "Actual and expected commonName should match"
+ );
+ equal(cert.organization, "", "Actual and expected organization should match");
+ equal(
+ cert.organizationalUnit,
+ "",
+ "Actual and expected organizationalUnit should match"
+ );
+ equal(
+ cert.displayName,
+ "Luděk Rašek",
+ "Actual and expected displayName should match"
+ );
+ equal(
+ cert.issuerName,
+ 'OU=Akreditovaný poskytovatel certifikaÄních služeb,O=První certifikaÄní autorita a.s.,L="Podvinný mlýn 2178/6, 190 00 Praha 9",C=CZ,CN=I.CA - Qualified root certificate (kvalifikovaný certifikát poskytovatele) - PSEUDONYM',
+ "Actual and expected issuerName should match"
+ );
+ equal(
+ cert.issuerCommonName,
+ "I.CA - Qualified root certificate (kvalifikovaný certifikát poskytovatele) - PSEUDONYM",
+ "Actual and expected issuerCommonName should match"
+ );
+ equal(
+ cert.issuerOrganization,
+ "První certifikaÄní autorita a.s.",
+ "Actual and expected issuerOrganization should match"
+ );
+ equal(
+ cert.issuerOrganizationUnit,
+ "Akreditovaný poskytovatel certifikaÄních služeb",
+ "Actual and expected issuerOrganizationUnit should match"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_caching.js b/security/manager/ssl/tests/unit/test_ocsp_caching.js
new file mode 100644
index 0000000000..8d742e14da
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js
@@ -0,0 +1,479 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Checks various aspects of the OCSP cache, mainly to to ensure we do not fetch
+// responses more than necessary.
+
+var gFetchCount = 0;
+var gGoodOCSPResponse = null;
+var gResponsePattern = [];
+
+function respondWithGoodOCSP(request, response) {
+ info("returning 200 OK");
+ response.setStatusLine(request.httpVersion, 200, "OK");
+ response.setHeader("Content-Type", "application/ocsp-response");
+ response.write(gGoodOCSPResponse);
+}
+
+function respondWithSHA1OCSP(request, response) {
+ info("returning 200 OK with sha-1 delegated response");
+ response.setStatusLine(request.httpVersion, 200, "OK");
+ response.setHeader("Content-Type", "application/ocsp-response");
+
+ let args = [["good-delegated", "default-ee", "delegatedSHA1Signer", 0]];
+ let responses = generateOCSPResponses(args, "ocsp_certs");
+ response.write(responses[0]);
+}
+
+function respondWithError(request, response) {
+ info("returning 500 Internal Server Error");
+ response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+ let body = "Refusing to return a response";
+ response.bodyOutputStream.write(body, body.length);
+}
+
+function generateGoodOCSPResponse(thisUpdateSkew) {
+ let args = [["good", "default-ee", "unused", thisUpdateSkew]];
+ let responses = generateOCSPResponses(args, "ocsp_certs");
+ return responses[0];
+}
+
+function add_ocsp_test(
+ aHost,
+ aExpectedResult,
+ aResponses,
+ aMessage,
+ aOriginAttributes
+) {
+ add_connection_test(
+ aHost,
+ aExpectedResult,
+ function() {
+ clearSessionCache();
+ gFetchCount = 0;
+ gResponsePattern = aResponses;
+ },
+ function() {
+ // check the number of requests matches the size of aResponses
+ equal(gFetchCount, aResponses.length, aMessage);
+ },
+ null,
+ aOriginAttributes
+ );
+}
+
+function run_test() {
+ do_get_profile();
+ Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+ let ocspResponder = new HttpServer();
+ ocspResponder.registerPrefixHandler("/", function(request, response) {
+ info("gFetchCount: " + gFetchCount);
+ let responseFunction = gResponsePattern[gFetchCount];
+ Assert.notEqual(undefined, responseFunction);
+
+ ++gFetchCount;
+ responseFunction(request, response);
+ });
+ ocspResponder.start(8888);
+
+ add_tests();
+
+ add_test(function() {
+ ocspResponder.stop(run_next_test);
+ });
+ run_next_test();
+}
+
+function add_tests() {
+ // Test that verifying a certificate with a "short lifetime" doesn't result
+ // in OCSP fetching. Due to longevity requirements in our testing
+ // infrastructure, the certificate we encounter is valid for a very long
+ // time, so we have to define a "short lifetime" as something very long.
+ add_test(function() {
+ Services.prefs.setIntPref(
+ "security.pki.cert_short_lifetime_in_days",
+ 12000
+ );
+ run_next_test();
+ });
+
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [],
+ "expected zero OCSP requests for a short-lived certificate"
+ );
+
+ add_test(function() {
+ Services.prefs.setIntPref("security.pki.cert_short_lifetime_in_days", 100);
+ run_next_test();
+ });
+
+ // If a "short lifetime" is something more reasonable, ensure that we do OCSP
+ // fetching for this long-lived certificate.
+
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithError],
+ "expected one OCSP request for a long-lived certificate"
+ );
+ add_test(function() {
+ Services.prefs.clearUserPref("security.pki.cert_short_lifetime_in_days");
+ run_next_test();
+ });
+ // ---------------------------------------------------------------------------
+
+ // Reset state
+ add_test(function() {
+ clearOCSPCache();
+ run_next_test();
+ });
+
+ // This test assumes that OCSPStaplingServer uses the same cert for
+ // ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com.
+
+ // Get an Unknown response for the *.example.com cert and put it in the
+ // OCSP cache.
+ add_ocsp_test(
+ "ocsp-stapling-unknown.example.com",
+ SEC_ERROR_OCSP_UNKNOWN_CERT,
+ [],
+ "Stapled Unknown response -> a fetch should not have been attempted"
+ );
+
+ // A failure to retrieve an OCSP response must result in the cached Unknown
+ // response being recognized and honored.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ SEC_ERROR_OCSP_UNKNOWN_CERT,
+ [respondWithError, respondWithError],
+ "No stapled response -> a fetch should have been attempted"
+ );
+
+ // A valid Good response from the OCSP responder must override the cached
+ // Unknown response.
+ //
+ // Note that We need to make sure that the Unknown response and the Good
+ // response have different thisUpdate timestamps; otherwise, the Good
+ // response will be seen as "not newer" and it won't replace the existing
+ // entry.
+ add_test(function() {
+ gGoodOCSPResponse = generateGoodOCSPResponse(1200);
+ run_next_test();
+ });
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithGoodOCSP],
+ "Cached Unknown response, no stapled response -> a fetch" +
+ " should have been attempted"
+ );
+
+ // The Good response retrieved from the previous fetch must have replaced
+ // the Unknown response in the cache, resulting in the catched Good response
+ // being returned and no fetch.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [],
+ "Cached Good response -> a fetch should not have been attempted"
+ );
+
+ // ---------------------------------------------------------------------------
+
+ // Reset state
+ add_test(function() {
+ clearOCSPCache();
+ run_next_test();
+ });
+
+ // A failure to retrieve an OCSP response will result in an error entry being
+ // added to the cache.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithError],
+ "No stapled response -> a fetch should have been attempted"
+ );
+
+ // The error entry will prevent a fetch from happening for a while.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [],
+ "Noted OCSP server failure -> a fetch should not have been attempted"
+ );
+
+ // The error entry must not prevent a stapled OCSP response from being
+ // honored.
+ add_ocsp_test(
+ "ocsp-stapling-revoked.example.com",
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ [],
+ "Stapled Revoked response -> a fetch should not have been attempted"
+ );
+
+ // ---------------------------------------------------------------------------
+
+ // Ensure OCSP responses from signers with SHA1 certificates are OK. This
+ // is included in the OCSP caching tests since there were OCSP cache-related
+ // regressions when sha-1 telemetry probes were added.
+ add_test(function() {
+ clearOCSPCache();
+ // set security.OCSP.require so that checking the OCSP signature fails
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+ run_next_test();
+ });
+
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ [respondWithSHA1OCSP],
+ "OCSP signing cert was issued with sha1 - should fail"
+ );
+
+ add_test(function() {
+ Services.prefs.setBoolPref("security.OCSP.require", false);
+ run_next_test();
+ });
+
+ // ---------------------------------------------------------------------------
+
+ // Reset state
+ add_test(function() {
+ clearOCSPCache();
+ run_next_test();
+ });
+
+ // This test makes sure that OCSP cache are isolated by firstPartyDomain.
+
+ let gObservedCnt = 0;
+ let protocolProxyService = Cc[
+ "@mozilla.org/network/protocol-proxy-service;1"
+ ].getService(Ci.nsIProtocolProxyService);
+
+ // Observe all channels and make sure the firstPartyDomain in their loadInfo's
+ // origin attributes are aFirstPartyDomain.
+ function startObservingChannels(aFirstPartyDomain) {
+ // We use a dummy proxy filter to catch all channels, even those that do not
+ // generate an "http-on-modify-request" notification.
+ let proxyFilter = {
+ applyFilter(aChannel, aProxy, aCallback) {
+ // We have the channel; provide it to the callback.
+ if (aChannel.originalURI.spec == "http://localhost:8888/") {
+ gObservedCnt++;
+ equal(
+ aChannel.loadInfo.originAttributes.firstPartyDomain,
+ aFirstPartyDomain,
+ "firstPartyDomain should match"
+ );
+ }
+ // Pass on aProxy unmodified.
+ aCallback.onProxyFilterResult(aProxy);
+ },
+ };
+ protocolProxyService.registerChannelFilter(proxyFilter, 0);
+ // Return the stop() function:
+ return () => protocolProxyService.unregisterChannelFilter(proxyFilter);
+ }
+
+ let stopObservingChannels;
+ add_test(function() {
+ stopObservingChannels = startObservingChannels("foo.com");
+ run_next_test();
+ });
+
+ // A good OCSP response will be cached.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithGoodOCSP],
+ "No stapled response (firstPartyDomain = foo.com) -> a fetch " +
+ "should have been attempted",
+ { firstPartyDomain: "foo.com" }
+ );
+
+ // The cache will prevent a fetch from happening.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [],
+ "Noted OCSP server failure (firstPartyDomain = foo.com) -> a " +
+ "fetch should not have been attempted",
+ { firstPartyDomain: "foo.com" }
+ );
+
+ add_test(function() {
+ stopObservingChannels();
+ equal(gObservedCnt, 1, "should have observed only 1 OCSP requests");
+ gObservedCnt = 0;
+ run_next_test();
+ });
+
+ add_test(function() {
+ stopObservingChannels = startObservingChannels("bar.com");
+ run_next_test();
+ });
+
+ // But using a different firstPartyDomain should result in a fetch.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithGoodOCSP],
+ "No stapled response (firstPartyDomain = bar.com) -> a fetch " +
+ "should have been attempted",
+ { firstPartyDomain: "bar.com" }
+ );
+
+ add_test(function() {
+ stopObservingChannels();
+ equal(gObservedCnt, 1, "should have observed only 1 OCSP requests");
+ gObservedCnt = 0;
+ run_next_test();
+ });
+
+ // ---------------------------------------------------------------------------
+
+ // Reset state
+ add_test(function() {
+ clearOCSPCache();
+ run_next_test();
+ });
+
+ // Test that the OCSP cache is not isolated by userContextId.
+
+ // A good OCSP response will be cached.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithGoodOCSP],
+ "No stapled response (userContextId = 1) -> a fetch " +
+ "should have been attempted",
+ { userContextId: 1 }
+ );
+
+ // The cache will prevent a fetch from happening.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [],
+ "Noted OCSP server failure (userContextId = 1) -> a " +
+ "fetch should not have been attempted",
+ { userContextId: 1 }
+ );
+
+ // Fetching is prevented even if in a different userContextId.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [],
+ "Noted OCSP server failure (userContextId = 2) -> a " +
+ "fetch should not have been attempted",
+ { userContextId: 2 }
+ );
+
+ // ---------------------------------------------------------------------------
+
+ // Reset state
+ add_test(function() {
+ clearOCSPCache();
+ run_next_test();
+ });
+
+ // This test makes sure that OCSP cache are isolated by partitionKey.
+
+ add_test(function() {
+ Services.prefs.setBoolPref(
+ "privacy.partition.network_state.ocsp_cache",
+ true
+ );
+ run_next_test();
+ });
+
+ // A good OCSP response will be cached.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithGoodOCSP],
+ "No stapled response (partitionKey = (https,foo.com)) -> a fetch " +
+ "should have been attempted",
+ { partitionKey: "(https,foo.com)" }
+ );
+
+ // The cache will prevent a fetch from happening.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [],
+ "Noted OCSP server failure (partitionKey = (https,foo.com)) -> a " +
+ "fetch should not have been attempted",
+ { partitionKey: "(https,foo.com)" }
+ );
+
+ // Using a different partitionKey should result in a fetch.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithGoodOCSP],
+ "Noted OCSP server failure (partitionKey = (https,bar.com)) -> a " +
+ "fetch should have been attempted",
+ { partitionKey: "(https,bar.com)" }
+ );
+
+ // ---------------------------------------------------------------------------
+
+ // Reset state
+ add_test(function() {
+ Services.prefs.clearUserPref("privacy.partition.network_state.ocsp_cache");
+ clearOCSPCache();
+ run_next_test();
+ });
+
+ // This test makes sure that OCSP cache are isolated by partitionKey in
+ // private mode.
+
+ // A good OCSP response will be cached.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithGoodOCSP],
+ "No stapled response (partitionKey = (https,foo.com)) -> a fetch " +
+ "should have been attempted",
+ { partitionKey: "(https,foo.com)", privateBrowsingId: 1 }
+ );
+
+ // The cache will prevent a fetch from happening.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [],
+ "Noted OCSP server failure (partitionKey = (https,foo.com)) -> a " +
+ "fetch should not have been attempted",
+ { partitionKey: "(https,foo.com)", privateBrowsingId: 1 }
+ );
+
+ // Using a different partitionKey should result in a fetch.
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ [respondWithGoodOCSP],
+ "Noted OCSP server failure (partitionKey = (https,bar.com)) -> a " +
+ "fetch should have been attempted",
+ { partitionKey: "(https,bar.com)", privateBrowsingId: 1 }
+ );
+
+ // ---------------------------------------------------------------------------
+
+ // Reset state
+ add_test(function() {
+ clearOCSPCache();
+ run_next_test();
+ });
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js b/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
new file mode 100644
index 0000000000..ee6af780c8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
@@ -0,0 +1,146 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Checks that the security.OCSP.enabled pref correctly controls OCSP fetching
+// behavior.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const SERVER_PORT = 8888;
+
+function certFromFile(filename) {
+ return constructCertFromFile(`test_ev_certs/${filename}.pem`);
+}
+
+function loadCert(certName, trustString) {
+ addCertFromFile(gCertDB, `test_ev_certs/${certName}.pem`, trustString);
+}
+
+function getFailingOCSPResponder() {
+ return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
+}
+
+function getOCSPResponder(expectedCertNames) {
+ return startOCSPResponder(
+ SERVER_PORT,
+ "www.example.com",
+ "test_ev_certs",
+ expectedCertNames,
+ []
+ );
+}
+
+// Tests that in ocspOff mode, OCSP fetches are never done.
+async function testOff() {
+ Services.prefs.setIntPref("security.OCSP.enabled", 0);
+ info("Setting security.OCSP.enabled to 0");
+
+ // EV chains should verify successfully but never get EV status.
+ clearOCSPCache();
+ let ocspResponder = getFailingOCSPResponder();
+ await checkEVStatus(
+ gCertDB,
+ certFromFile("test-oid-path-ee"),
+ certificateUsageSSLServer,
+ false
+ );
+ await stopOCSPResponder(ocspResponder);
+
+ // A DV chain should verify successfully.
+ clearOCSPCache();
+ ocspResponder = getFailingOCSPResponder();
+ await checkCertErrorGeneric(
+ gCertDB,
+ certFromFile("non-ev-root-path-ee"),
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await stopOCSPResponder(ocspResponder);
+}
+
+// Tests that in ocspOn mode, OCSP fetches are done for both EV and DV certs.
+async function testOn() {
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ info("Setting security.OCSP.enabled to 1");
+
+ // If a successful OCSP response is fetched, then an EV chain should verify
+ // successfully and get EV status as well.
+ clearOCSPCache();
+ let ocspResponder = getOCSPResponder(["test-oid-path-ee"]);
+ await checkEVStatus(
+ gCertDB,
+ certFromFile("test-oid-path-ee"),
+ certificateUsageSSLServer,
+ gEVExpected
+ );
+ await stopOCSPResponder(ocspResponder);
+
+ // If a successful OCSP response is fetched, then a DV chain should verify
+ // successfully.
+ clearOCSPCache();
+ ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]);
+ await checkCertErrorGeneric(
+ gCertDB,
+ certFromFile("non-ev-root-path-ee"),
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await stopOCSPResponder(ocspResponder);
+}
+
+// Tests that in ocspEVOnly mode, OCSP fetches are done for EV certs only.
+async function testEVOnly() {
+ Services.prefs.setIntPref("security.OCSP.enabled", 2);
+ info("Setting security.OCSP.enabled to 2");
+
+ // If a successful OCSP response is fetched, then an EV chain should verify
+ // successfully and get EV status as well.
+ clearOCSPCache();
+ let ocspResponder = gEVExpected
+ ? getOCSPResponder(["test-oid-path-ee"])
+ : getFailingOCSPResponder();
+ await checkEVStatus(
+ gCertDB,
+ certFromFile("test-oid-path-ee"),
+ certificateUsageSSLServer,
+ gEVExpected
+ );
+ await stopOCSPResponder(ocspResponder);
+
+ // A DV chain should verify successfully even without doing OCSP fetches.
+ clearOCSPCache();
+ ocspResponder = getFailingOCSPResponder();
+ await checkCertErrorGeneric(
+ gCertDB,
+ certFromFile("non-ev-root-path-ee"),
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await stopOCSPResponder(ocspResponder);
+}
+
+add_task(async function() {
+ registerCleanupFunction(() => {
+ Services.prefs.clearUserPref("network.dns.localDomains");
+ Services.prefs.clearUserPref("security.OCSP.enabled");
+ Services.prefs.clearUserPref("security.OCSP.require");
+ });
+ Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+ // Enable hard fail to ensure chains that should only succeed because they get
+ // a good OCSP response do not succeed due to soft fail leniency.
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+
+ loadCert("evroot", "CTu,,");
+ loadCert("test-oid-path-int", ",,");
+ loadCert("non-evroot-ca", "CTu,,");
+ loadCert("non-ev-root-path-int", ",,");
+
+ await testOff();
+ await testOn();
+ await testEVOnly();
+});
diff --git a/security/manager/ssl/tests/unit/test_ocsp_must_staple.js b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
new file mode 100644
index 0000000000..46f6127c50
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
@@ -0,0 +1,160 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Tests OCSP Must Staple handling by connecting to various domains (as faked by
+// a server running locally) that correspond to combinations of whether the
+// extension is present in intermediate and end-entity certificates.
+
+var gExpectOCSPRequest;
+
+function add_ocsp_test(
+ aHost,
+ aExpectedResult,
+ aStaplingEnabled,
+ aExpectOCSPRequest = false,
+ aWithSecurityInfo = undefined
+) {
+ add_connection_test(
+ aHost,
+ aExpectedResult,
+ function() {
+ gExpectOCSPRequest = aExpectOCSPRequest;
+ clearOCSPCache();
+ clearSessionCache();
+ Services.prefs.setBoolPref(
+ "security.ssl.enable_ocsp_stapling",
+ aStaplingEnabled
+ );
+ },
+ aWithSecurityInfo
+ );
+}
+
+function add_tests() {
+ // Next, a case where it's present in the intermediate, not the ee
+ add_ocsp_test(
+ "ocsp-stapling-plain-ee-with-must-staple-int.example.com",
+ MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
+ true
+ );
+
+ // We disable OCSP stapling in the next two tests so we can perform checks
+ // on TLS Features in the chain without needing to support the TLS
+ // extension values used.
+ // Test an issuer with multiple TLS features in matched in the EE
+ add_ocsp_test(
+ "multi-tls-feature-good.example.com",
+ PRErrorCodeSuccess,
+ false
+ );
+
+ // Finally, an issuer with multiple TLS features not matched by the EE.
+ add_ocsp_test(
+ "multi-tls-feature-bad.example.com",
+ MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
+ false
+ );
+
+ // Now a bunch of operations with only a must-staple ee
+ add_ocsp_test(
+ "ocsp-stapling-must-staple.example.com",
+ PRErrorCodeSuccess,
+ true
+ );
+
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-revoked.example.com",
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ true
+ );
+
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-missing.example.com",
+ MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
+ true,
+ true
+ );
+
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-empty.example.com",
+ SEC_ERROR_OCSP_MALFORMED_RESPONSE,
+ true
+ );
+
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-missing.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+
+ // If the stapled response is expired, we will try to fetch a new one.
+ // If that fails, we should report the original error.
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-expired.example.com",
+ SEC_ERROR_OCSP_OLD_RESPONSE,
+ true,
+ true
+ );
+ // Similarly with a "try server later" response.
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-try-later.example.com",
+ SEC_ERROR_OCSP_TRY_SERVER_LATER,
+ true,
+ true
+ );
+ // And again with an invalid OCSP response signing certificate.
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-invalid-signer.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+
+ // check that disabling must-staple works
+ add_test(function() {
+ clearSessionCache();
+ Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", false);
+ run_next_test();
+ });
+
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-missing.example.com",
+ PRErrorCodeSuccess,
+ true,
+ true
+ );
+}
+
+function run_test() {
+ do_get_profile();
+ Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", true);
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ // This test may sometimes fail on android due to an OCSP request timing out.
+ // That aspect of OCSP requests is not what we're testing here, so we can just
+ // bump the timeout and hopefully avoid these failures.
+ Services.prefs.setIntPref("security.OCSP.timeoutMilliseconds.soft", 5000);
+
+ let fakeOCSPResponder = new HttpServer();
+ fakeOCSPResponder.registerPrefixHandler("/", function(request, response) {
+ response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+ ok(
+ gExpectOCSPRequest,
+ "Should be getting an OCSP request only when expected"
+ );
+ });
+ fakeOCSPResponder.start(8888);
+
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+ add_tests();
+
+ add_test(function() {
+ fakeOCSPResponder.stop(run_next_test);
+ });
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js b/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
new file mode 100644
index 0000000000..855ccb15fb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
@@ -0,0 +1,58 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Test that if an OCSP request is made to a domain that (erroneously)
+// has HSTS status, the request is not upgraded from HTTP to HTTPS.
+
+function run_test() {
+ do_get_profile();
+ // OCSP required means this test will only pass if the request succeeds.
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+
+ // We don't actually make use of stapling in this test. This is just how we
+ // get a TLS connection.
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+ let args = [["good", "default-ee", "unused", 0]];
+ let ocspResponses = generateOCSPResponses(args, "ocsp_certs");
+ let goodOCSPResponse = ocspResponses[0];
+
+ let ocspResponder = new HttpServer();
+ ocspResponder.registerPrefixHandler("/", function(request, response) {
+ response.setStatusLine(request.httpVersion, 200, "OK");
+ response.setHeader("Content-Type", "application/ocsp-response");
+ response.write(goodOCSPResponse);
+ });
+ ocspResponder.start(8888);
+
+ // ocsp-stapling-none.example.com does not staple an OCSP response in the
+ // handshake, so the revocation checking code will attempt to fetch one.
+ // Since the domain of the certificate's OCSP AIA URI is an HSTS host
+ // (as added in the setup of this test, below), a buggy implementation would
+ // upgrade the OCSP request to HTTPS. We specifically prevent this. This
+ // test demonstrates that our implementation is correct in this regard.
+ add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess);
+ add_test(function() {
+ run_next_test();
+ });
+
+ add_test(function() {
+ ocspResponder.stop(run_next_test);
+ });
+
+ let SSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ let uri = Services.io.newURI("http://localhost");
+ SSService.processHeader(uri, "max-age=10000");
+ ok(
+ SSService.isSecureURI(uri),
+ "Domain for the OCSP AIA URI should be considered a HSTS host, otherwise" +
+ " we wouldn't be testing what we think we're testing"
+ );
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_private_caching.js b/security/manager/ssl/tests/unit/test_ocsp_private_caching.js
new file mode 100644
index 0000000000..47b976cf71
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_private_caching.js
@@ -0,0 +1,115 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// In which we connect to a host and encounter OCSP responses with the
+// Cache-Control header set, which normally Necko would cache. This test
+// ensures that these responses aren't cached. PSM has its own OCSP cache, so
+// Necko shouldn't also be caching them.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+const SERVER_PORT = 8888;
+
+function add_flush_cache() {
+ add_test(() => {
+ // This appears to either fire multiple times or fire once for every
+ // observer that has ever been passed to flush. To prevent multiple calls to
+ // run_next_test, keep track of if this observer has already called it.
+ let observed = false;
+ let observer = {
+ observe: () => {
+ if (!observed) {
+ observed = true;
+ run_next_test();
+ }
+ },
+ };
+ Services.cache2.QueryInterface(Ci.nsICacheTesting).flush(observer);
+ });
+}
+
+function add_ocsp_necko_cache_test(loadContext) {
+ // Pre-testcase cleanup/setup.
+ add_test(() => {
+ Services.cache2.clear();
+ run_next_test();
+ });
+ add_flush_cache();
+
+ let responder;
+ add_test(() => {
+ clearOCSPCache();
+ clearSessionCache();
+ responder = startOCSPResponder(
+ SERVER_PORT,
+ "localhost",
+ "ocsp_certs",
+ ["default-ee"],
+ [],
+ [],
+ [],
+ [["Cache-Control", "max-age=1000"]]
+ );
+ run_next_test();
+ });
+
+ // Prepare a connection that will cause an OCSP request.
+ add_connection_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ null,
+ null,
+ null,
+ loadContext.originAttributes
+ );
+
+ add_flush_cache();
+
+ // Traverse the cache and ensure the response was not cached.
+ add_test(() => {
+ let foundEntry = false;
+ let visitor = {
+ onCacheStorageInfo() {},
+ onCacheEntryInfo(
+ aURI,
+ aIdEnhance,
+ aDataSize,
+ aFetchCount,
+ aLastModifiedTime,
+ aExpirationTime,
+ aPinned,
+ aInfo
+ ) {
+ Assert.equal(
+ aURI.spec,
+ "http://localhost:8888/",
+ "expected OCSP request URI should match"
+ );
+ foundEntry = true;
+ },
+ onCacheEntryVisitCompleted() {
+ Assert.ok(!foundEntry, "should not find a cached entry");
+ run_next_test();
+ },
+ QueryInterface: ChromeUtils.generateQI(["nsICacheStorageVisitor"]),
+ };
+ Services.cache2.asyncVisitAllStorages(visitor, true);
+ });
+
+ // Clean up (stop the responder).
+ add_test(() => {
+ responder.stop(run_next_test);
+ });
+}
+
+function run_test() {
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+ add_ocsp_necko_cache_test(Services.loadContextInfo.private);
+ add_ocsp_necko_cache_test(Services.loadContextInfo.default);
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_required.js b/security/manager/ssl/tests/unit/test_ocsp_required.js
new file mode 100644
index 0000000000..17f471d66c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_required.js
@@ -0,0 +1,95 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// In which we connect to a domain (as faked by a server running locally) and
+// start up an OCSP responder (also basically faked) that gives a response with
+// a bad signature (and later, an empty response). With security.OCSP.require
+// set to true, these connections should fail (but they also shouldn't cause
+// assertion failures).
+
+var gOCSPRequestCount = 0;
+var gOCSPResponse;
+
+function run_test() {
+ do_get_profile();
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+ // We don't actually make use of stapling in this test. This is just how we
+ // get a TLS connection.
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+ let args = [["bad-signature", "default-ee", "unused", 0]];
+ let ocspResponses = generateOCSPResponses(args, "ocsp_certs");
+ // Start by replying with a response with a bad signature.
+ gOCSPResponse = ocspResponses[0];
+
+ let ocspResponder = new HttpServer();
+ ocspResponder.registerPrefixHandler("/", function(request, response) {
+ response.setStatusLine(request.httpVersion, 200, "OK");
+ response.setHeader("Content-Type", "application/ocsp-response");
+ response.write(gOCSPResponse);
+ gOCSPRequestCount++;
+ });
+ ocspResponder.start(8888);
+
+ add_tests();
+
+ add_test(function() {
+ ocspResponder.stop(run_next_test);
+ });
+
+ run_next_test();
+}
+
+function add_tests() {
+ add_connection_test(
+ "ocsp-stapling-none.example.com",
+ SEC_ERROR_OCSP_BAD_SIGNATURE,
+ function() {},
+ function(aTransportSecurityInfo) {
+ Assert.ok(
+ aTransportSecurityInfo.madeOCSPRequests,
+ "An OCSP Request should have been made."
+ );
+ }
+ );
+ add_connection_test(
+ "ocsp-stapling-none.example.com",
+ SEC_ERROR_OCSP_BAD_SIGNATURE,
+ function() {},
+ function(aTransportSecurityInfo) {
+ Assert.ok(
+ !aTransportSecurityInfo.madeOCSPRequests,
+ "An OCSP Request should not have been made."
+ );
+ }
+ );
+ add_test(function() {
+ equal(
+ gOCSPRequestCount,
+ 1,
+ "OCSP request count should be 1 due to OCSP response caching"
+ );
+ gOCSPRequestCount = 0;
+ // Now set the OCSP responder to reply with 200 OK but empty content.
+ gOCSPResponse = "";
+ clearOCSPCache();
+ run_next_test();
+ });
+
+ add_connection_test(
+ "ocsp-stapling-none.example.com",
+ SEC_ERROR_OCSP_MALFORMED_RESPONSE,
+ function() {},
+ function(aTransportSecurityInfo) {
+ Assert.ok(
+ aTransportSecurityInfo.madeOCSPRequests,
+ "An OCSP Request should have been made."
+ );
+ }
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling.js b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
new file mode 100644
index 0000000000..a41610392b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
@@ -0,0 +1,393 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// In which we connect to a number of domains (as faked by a server running
+// locally) with and without OCSP stapling enabled to determine that good
+// things happen and bad things don't.
+
+var gExpectOCSPRequest;
+
+function add_ocsp_test(
+ aHost,
+ aExpectedResult,
+ aStaplingEnabled,
+ aExpectOCSPRequest = false
+) {
+ add_connection_test(aHost, aExpectedResult, function() {
+ gExpectOCSPRequest = aExpectOCSPRequest;
+ clearOCSPCache();
+ clearSessionCache();
+ Services.prefs.setBoolPref(
+ "security.ssl.enable_ocsp_stapling",
+ aStaplingEnabled
+ );
+ });
+}
+
+function add_tests() {
+ // In the absence of OCSP stapling, these should actually all work.
+ add_ocsp_test(
+ "ocsp-stapling-good.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-revoked.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-good-other-ca.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-malformed.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-srverr.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-trylater.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-needssig.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-unauthorized.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-unknown.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-good-other.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired-fresh-ca.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-skip-responseBytes.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-critical-extension.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-noncritical-extension.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-empty-extensions.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+
+ // Now test OCSP stapling
+ // The following error codes are defined in security/nss/lib/util/SECerrs.h
+
+ add_ocsp_test("ocsp-stapling-good.example.com", PRErrorCodeSuccess, true);
+
+ add_ocsp_test(
+ "ocsp-stapling-revoked.example.com",
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ true
+ );
+
+ // This stapled response is from a CA that is untrusted and did not issue
+ // the server's certificate.
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ let otherTestCA = constructCertFromFile("ocsp_certs/other-test-ca.pem");
+ add_test(function() {
+ certDB.setCertTrust(
+ otherTestCA,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.UNTRUSTED
+ );
+ run_next_test();
+ });
+ add_ocsp_test(
+ "ocsp-stapling-good-other-ca.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+
+ // The stapled response is from a CA that is trusted but did not issue the
+ // server's certificate.
+ add_test(function() {
+ certDB.setCertTrust(
+ otherTestCA,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_SSL
+ );
+ run_next_test();
+ });
+ // TODO(bug 979055): When using ByName instead of ByKey, the error here is
+ // SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE. We should be testing both cases.
+ add_ocsp_test(
+ "ocsp-stapling-good-other-ca.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+
+ // TODO: Test the case where the signing cert can't be found at all, which
+ // will result in SEC_ERROR_BAD_DATABASE in the NSS classic case.
+
+ add_ocsp_test(
+ "ocsp-stapling-malformed.example.com",
+ SEC_ERROR_OCSP_MALFORMED_REQUEST,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-srverr.example.com",
+ SEC_ERROR_OCSP_SERVER_ERROR,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-trylater.example.com",
+ SEC_ERROR_OCSP_TRY_SERVER_LATER,
+ true,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-needssig.example.com",
+ SEC_ERROR_OCSP_REQUEST_NEEDS_SIG,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-unauthorized.example.com",
+ SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-unknown.example.com",
+ SEC_ERROR_OCSP_UNKNOWN_CERT,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-good-other.example.com",
+ MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING,
+ true
+ );
+ // If the server doesn't staple an OCSP response, we continue as normal
+ // (this means that even though stapling is enabled, we expect an OCSP
+ // request).
+ add_connection_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ function() {
+ gExpectOCSPRequest = true;
+ clearOCSPCache();
+ clearSessionCache();
+ Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+ }
+ );
+ add_ocsp_test(
+ "ocsp-stapling-empty.example.com",
+ SEC_ERROR_OCSP_MALFORMED_RESPONSE,
+ true
+ );
+
+ add_ocsp_test(
+ "ocsp-stapling-skip-responseBytes.example.com",
+ SEC_ERROR_OCSP_MALFORMED_RESPONSE,
+ true
+ );
+
+ add_ocsp_test(
+ "ocsp-stapling-critical-extension.example.com",
+ SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-noncritical-extension.example.com",
+ PRErrorCodeSuccess,
+ true
+ );
+ // TODO(bug 997994): Disallow empty Extensions in responses
+ add_ocsp_test(
+ "ocsp-stapling-empty-extensions.example.com",
+ PRErrorCodeSuccess,
+ true
+ );
+
+ add_ocsp_test(
+ "ocsp-stapling-delegated-included.example.com",
+ PRErrorCodeSuccess,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-delegated-included-last.example.com",
+ PRErrorCodeSuccess,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-delegated-missing.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-delegated-missing-multiple.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-delegated-no-extKeyUsage.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-delegated-from-intermediate.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-delegated-keyUsage-crlSigning.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+ add_ocsp_test(
+ "ocsp-stapling-delegated-wrong-extKeyUsage.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+
+ // ocsp-stapling-expired.example.com and
+ // ocsp-stapling-expired-fresh-ca.example.com are handled in
+ // test_ocsp_stapling_expired.js
+
+ // Check that OCSP responder certificates with key sizes below 1024 bits are
+ // rejected, even when the main certificate chain keys are at least 1024 bits.
+ add_ocsp_test(
+ "keysize-ocsp-delegated.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+
+ add_ocsp_test(
+ "revoked-ca-cert-used-as-end-entity.example.com",
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ true
+ );
+}
+
+function check_ocsp_stapling_telemetry() {
+ let histogram = Services.telemetry
+ .getHistogramById("SSL_OCSP_STAPLING")
+ .snapshot();
+ equal(
+ histogram.values[0],
+ 0,
+ "Should have 0 connections for unused histogram bucket 0"
+ );
+ equal(
+ histogram.values[1],
+ 5,
+ "Actual and expected connections with a good response should match"
+ );
+ equal(
+ histogram.values[2],
+ 18,
+ "Actual and expected connections with no stapled response should match"
+ );
+ equal(
+ histogram.values[3] || 0,
+ 0,
+ "Actual and expected connections with an expired response should match"
+ );
+ equal(
+ histogram.values[4],
+ 21,
+ "Actual and expected connections with bad responses should match"
+ );
+ run_next_test();
+}
+
+function run_test() {
+ do_get_profile();
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ // This test may sometimes fail on android due to an OCSP request timing out.
+ // That aspect of OCSP requests is not what we're testing here, so we can just
+ // bump the timeout and hopefully avoid these failures.
+ Services.prefs.setIntPref("security.OCSP.timeoutMilliseconds.soft", 5000);
+
+ let fakeOCSPResponder = new HttpServer();
+ fakeOCSPResponder.registerPrefixHandler("/", function(request, response) {
+ response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+ ok(
+ gExpectOCSPRequest,
+ "Should be getting an OCSP request only when expected"
+ );
+ });
+ fakeOCSPResponder.start(8888);
+
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+ add_tests();
+
+ add_test(function() {
+ fakeOCSPResponder.stop(check_ocsp_stapling_telemetry);
+ });
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
new file mode 100644
index 0000000000..d7ee169011
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
@@ -0,0 +1,317 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// In which we connect to a number of domains (as faked by a server running
+// locally) with OCSP stapling enabled to determine that good things happen
+// and bad things don't, specifically with respect to various expired OCSP
+// responses (stapled and otherwise).
+// According to RFC 6066, if a stapled OCSP response can't be satisfactorilly
+// verified, the client should terminate the connection. Unfortunately, due to
+// some bugs where servers will staple any old garbage without verifying it, we
+// can't be this strict in practice. Originally this caveat only applied to
+// expired responses, but recent high-profile failures have caused us to expand
+// this to "try later" responses and responses where the signing certificate
+// doesn't verify successfully.
+
+var gCurrentOCSPResponse = null;
+var gOCSPRequestCount = 0;
+
+function add_ocsp_test(
+ aHost,
+ aExpectedResult,
+ aOCSPResponseToServe,
+ aExpectedRequestCount
+) {
+ add_connection_test(
+ aHost,
+ aExpectedResult,
+ function() {
+ clearOCSPCache();
+ clearSessionCache();
+ gCurrentOCSPResponse = aOCSPResponseToServe;
+ gOCSPRequestCount = 0;
+ },
+ function() {
+ equal(
+ gOCSPRequestCount,
+ aExpectedRequestCount,
+ "Should have made " +
+ aExpectedRequestCount +
+ " fallback OCSP request" +
+ (aExpectedRequestCount == 1 ? "" : "s")
+ );
+ }
+ );
+}
+
+do_get_profile();
+Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+Services.prefs.setIntPref("security.OCSP.enabled", 1);
+// Sometimes this test will fail on android due to an OCSP request timing out.
+// That aspect of OCSP requests is not what we're testing here, so we can just
+// bump the timeout and hopefully avoid these failures.
+Services.prefs.setIntPref("security.OCSP.timeoutMilliseconds.soft", 5000);
+var args = [
+ ["good", "default-ee", "unused", 0],
+ ["expiredresponse", "default-ee", "unused", 0],
+ ["oldvalidperiod", "default-ee", "unused", 0],
+ ["revoked", "default-ee", "unused", 0],
+ ["unknown", "default-ee", "unused", 0],
+ ["good", "must-staple-ee", "unused", 0],
+];
+var ocspResponses = generateOCSPResponses(args, "ocsp_certs");
+// Fresh response, certificate is good.
+var ocspResponseGood = ocspResponses[0];
+// Expired response, certificate is good.
+var expiredOCSPResponseGood = ocspResponses[1];
+// Fresh signature, old validity period, certificate is good.
+var oldValidityPeriodOCSPResponseGood = ocspResponses[2];
+// Fresh signature, certificate is revoked.
+var ocspResponseRevoked = ocspResponses[3];
+// Fresh signature, certificate is unknown.
+var ocspResponseUnknown = ocspResponses[4];
+var ocspResponseGoodMustStaple = ocspResponses[5];
+
+// sometimes we expect a result without re-fetch
+var willNotRetry = 1;
+// but sometimes, since a bad response is in the cache, OCSP fetch will be
+// attempted for each validation - in practice, for these test certs, this
+// means 2 requests because various key sizes are tried.
+var willRetry = 2;
+
+function run_test() {
+ let ocspResponder = new HttpServer();
+ ocspResponder.registerPrefixHandler("/", function(request, response) {
+ if (gCurrentOCSPResponse) {
+ response.setStatusLine(request.httpVersion, 200, "OK");
+ response.setHeader("Content-Type", "application/ocsp-response");
+ response.write(gCurrentOCSPResponse);
+ } else {
+ response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+ response.write("Internal Server Error");
+ }
+ gOCSPRequestCount++;
+ });
+ ocspResponder.start(8888);
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+ // In these tests, the OCSP stapling server gives us a stapled
+ // response based on the host name ("ocsp-stapling-expired" or
+ // "ocsp-stapling-expired-fresh-ca"). We then ensure that we're
+ // properly falling back to fetching revocation information.
+ // For ocsp-stapling-expired.example.com, the OCSP stapling server
+ // staples an expired OCSP response. The certificate has not expired.
+ // For ocsp-stapling-expired-fresh-ca.example.com, the OCSP stapling
+ // server staples an OCSP response with a recent signature but with an
+ // out-of-date validity period. The certificate has not expired.
+ add_ocsp_test(
+ "ocsp-stapling-expired.example.com",
+ PRErrorCodeSuccess,
+ ocspResponseGood,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired-fresh-ca.example.com",
+ PRErrorCodeSuccess,
+ ocspResponseGood,
+ willNotRetry
+ );
+ // if we can't fetch a more recent response when
+ // given an expired stapled response, we terminate the connection.
+ add_ocsp_test(
+ "ocsp-stapling-expired.example.com",
+ SEC_ERROR_OCSP_OLD_RESPONSE,
+ expiredOCSPResponseGood,
+ willRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired-fresh-ca.example.com",
+ SEC_ERROR_OCSP_OLD_RESPONSE,
+ expiredOCSPResponseGood,
+ willRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired.example.com",
+ SEC_ERROR_OCSP_OLD_RESPONSE,
+ oldValidityPeriodOCSPResponseGood,
+ willRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired-fresh-ca.example.com",
+ SEC_ERROR_OCSP_OLD_RESPONSE,
+ oldValidityPeriodOCSPResponseGood,
+ willRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired.example.com",
+ SEC_ERROR_OCSP_OLD_RESPONSE,
+ null,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired.example.com",
+ SEC_ERROR_OCSP_OLD_RESPONSE,
+ null,
+ willNotRetry
+ );
+ // Of course, if the newer response indicates Revoked or Unknown,
+ // that status must be returned.
+ add_ocsp_test(
+ "ocsp-stapling-expired.example.com",
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ ocspResponseRevoked,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired-fresh-ca.example.com",
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ ocspResponseRevoked,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired.example.com",
+ SEC_ERROR_OCSP_UNKNOWN_CERT,
+ ocspResponseUnknown,
+ willRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-expired-fresh-ca.example.com",
+ SEC_ERROR_OCSP_UNKNOWN_CERT,
+ ocspResponseUnknown,
+ willRetry
+ );
+
+ // If the response is expired but indicates Revoked or Unknown and a
+ // newer status can't be fetched, the Revoked or Unknown status will
+ // be returned.
+ add_ocsp_test(
+ "ocsp-stapling-revoked-old.example.com",
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ null,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-unknown-old.example.com",
+ SEC_ERROR_OCSP_UNKNOWN_CERT,
+ null,
+ willNotRetry
+ );
+ // If the response is expired but indicates Revoked or Unknown and
+ // a newer status can be fetched and successfully verified, this
+ // should result in a successful certificate verification.
+ add_ocsp_test(
+ "ocsp-stapling-revoked-old.example.com",
+ PRErrorCodeSuccess,
+ ocspResponseGood,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-unknown-old.example.com",
+ PRErrorCodeSuccess,
+ ocspResponseGood,
+ willNotRetry
+ );
+ // If a newer status can be fetched but it fails to verify, the
+ // Revoked or Unknown status of the expired stapled response
+ // should be returned.
+ add_ocsp_test(
+ "ocsp-stapling-revoked-old.example.com",
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ expiredOCSPResponseGood,
+ willRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-unknown-old.example.com",
+ SEC_ERROR_OCSP_UNKNOWN_CERT,
+ expiredOCSPResponseGood,
+ willRetry
+ );
+
+ // These tests are verifying that an valid but very old response
+ // is rejected as a valid stapled response, requiring a fetch
+ // from the ocsp responder.
+ add_ocsp_test(
+ "ocsp-stapling-ancient-valid.example.com",
+ PRErrorCodeSuccess,
+ ocspResponseGood,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-ancient-valid.example.com",
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ ocspResponseRevoked,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-ancient-valid.example.com",
+ SEC_ERROR_OCSP_UNKNOWN_CERT,
+ ocspResponseUnknown,
+ willRetry
+ );
+
+ // Test how OCSP-must-staple (i.e. TLS feature) interacts with stapled OCSP
+ // responses that don't successfully verify.
+ // A strict reading of the relevant RFCs might say that these connections
+ // should all fail because a satisfactory stapled OCSP response is not
+ // present, but for compatibility reasons we fall back to active OCSP fetching
+ // in these situations. If the fetch succeeds, then connection succeeds.
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-expired.example.com",
+ PRErrorCodeSuccess,
+ ocspResponseGoodMustStaple,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-try-later.example.com",
+ PRErrorCodeSuccess,
+ ocspResponseGoodMustStaple,
+ willNotRetry
+ );
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-invalid-signer.example.com",
+ PRErrorCodeSuccess,
+ ocspResponseGoodMustStaple,
+ willNotRetry
+ );
+
+ add_test(function() {
+ ocspResponder.stop(run_next_test);
+ });
+ add_test(check_ocsp_stapling_telemetry);
+ run_next_test();
+}
+
+function check_ocsp_stapling_telemetry() {
+ let histogram = Services.telemetry
+ .getHistogramById("SSL_OCSP_STAPLING")
+ .snapshot();
+ equal(
+ histogram.values[0] || 0,
+ 0,
+ "Should have 0 connections for unused histogram bucket 0"
+ );
+ equal(
+ histogram.values[1] || 0,
+ 0,
+ "Actual and expected connections with a good response should match"
+ );
+ equal(
+ histogram.values[2] || 0,
+ 0,
+ "Actual and expected connections with no stapled response should match"
+ );
+ equal(
+ histogram.values[3],
+ 22,
+ "Actual and expected connections with an expired response should match"
+ );
+ equal(
+ histogram.values[4],
+ 2,
+ "Actual and expected connections with bad responses should match"
+ );
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
new file mode 100644
index 0000000000..4fc8013ea9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
@@ -0,0 +1,48 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// In which we connect to a server that staples an OCSP response for a
+// certificate signed by an intermediate that has an OCSP AIA to ensure
+// that an OCSP request is not made for the intermediate.
+
+var gOCSPRequestCount = 0;
+
+function add_ocsp_test(aHost, aExpectedResult) {
+ add_connection_test(aHost, aExpectedResult, function() {
+ clearOCSPCache();
+ clearSessionCache();
+ });
+}
+
+function run_test() {
+ do_get_profile();
+ Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+
+ let ocspResponder = new HttpServer();
+ ocspResponder.registerPrefixHandler("/", function(request, response) {
+ gOCSPRequestCount++;
+ response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+ let body = "Refusing to return a response";
+ response.bodyOutputStream.write(body, body.length);
+ });
+ ocspResponder.start(8888);
+
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+ add_ocsp_test(
+ "ocsp-stapling-with-intermediate.example.com",
+ PRErrorCodeSuccess
+ );
+
+ add_test(function() {
+ ocspResponder.stop(run_next_test);
+ });
+ add_test(function() {
+ equal(gOCSPRequestCount, 0, "No OCSP requests should have been made");
+ run_next_test();
+ });
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_timeout.js b/security/manager/ssl/tests/unit/test_ocsp_timeout.js
new file mode 100644
index 0000000000..e06f064d04
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_timeout.js
@@ -0,0 +1,100 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// This test connects to ocsp-stapling-none.example.com to test that OCSP
+// requests are cancelled if they're taking too long.
+// ocsp-stapling-none.example.com doesn't staple an OCSP response, so
+// connecting to it will cause a request to the OCSP responder. As with all of
+// these tests, the OCSP AIA (i.e. the url of the responder) in the certificate
+// is http://localhost:8888. Since this test opens a TCP socket listening on
+// port 8888 that just accepts connections and then ignores them (with
+// connect/read/write timeouts of 30 seconds), the OCSP requests should cancel
+// themselves. When OCSP hard-fail is enabled, connections will be terminated.
+// Otherwise, they will succeed.
+
+var gSocketListener = {
+ onSocketAccepted(serverSocket, socketTransport) {
+ socketTransport.setTimeout(Ci.nsISocketTransport.TIMEOUT_CONNECT, 30);
+ socketTransport.setTimeout(Ci.nsISocketTransport.TIMEOUT_READ_WRITE, 30);
+ },
+
+ onStopListening(serverSocket, status) {},
+};
+
+function run_test() {
+ do_get_profile();
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+ let socket = Cc["@mozilla.org/network/server-socket;1"].createInstance(
+ Ci.nsIServerSocket
+ );
+ socket.init(8888, true, -1);
+ socket.asyncListen(gSocketListener);
+
+ add_one_test(false, "security.OCSP.timeoutMilliseconds.soft", 1000);
+ add_one_test(false, "security.OCSP.timeoutMilliseconds.soft", 2000);
+ add_one_test(false, "security.OCSP.timeoutMilliseconds.soft", 4000);
+
+ add_one_test(true, "security.OCSP.timeoutMilliseconds.hard", 3000);
+ add_one_test(true, "security.OCSP.timeoutMilliseconds.hard", 10000);
+ add_one_test(true, "security.OCSP.timeoutMilliseconds.hard", 15000);
+
+ add_test(function() {
+ socket.close();
+ run_next_test();
+ });
+ run_next_test();
+}
+
+function add_one_test(useHardFail, timeoutPrefName, timeoutMilliseconds) {
+ let startTime;
+ add_test(function() {
+ Services.prefs.setBoolPref("security.OCSP.require", useHardFail);
+ Services.prefs.setIntPref(timeoutPrefName, timeoutMilliseconds);
+ startTime = new Date();
+ run_next_test();
+ });
+
+ add_connection_test(
+ "ocsp-stapling-none.example.com",
+ useHardFail ? SEC_ERROR_OCSP_SERVER_ERROR : PRErrorCodeSuccess,
+ clearSessionCache
+ );
+
+ add_test(function() {
+ let endTime = new Date();
+ let timeDifference = endTime - startTime;
+ info(`useHardFail = ${useHardFail}`);
+ info(`startTime = ${startTime.getTime()} (${startTime})`);
+ info(`endTime = ${endTime.getTime()} (${endTime})`);
+ info(`timeDifference = ${timeDifference}ms`);
+ // Date() is not guaranteed to be monotonic, so add extra fuzz time to
+ // prevent intermittent failures (this only appeared to be a problem on
+ // Windows XP). See Bug 1121117.
+ const FUZZ_MS = 300;
+ ok(
+ timeDifference + FUZZ_MS > timeoutMilliseconds,
+ `OCSP timeout should be ~${timeoutMilliseconds}s for ` +
+ `${useHardFail ? "hard" : "soft"}-fail`
+ );
+ // Make sure we didn't wait too long.
+ // (Unfortunately, we probably can't have a tight upper bound on
+ // how long is too long for this test, because we might be running
+ // on slow hardware.)
+ ok(
+ timeDifference < 60000,
+ "Automatic OCSP timeout shouldn't be more than 60s"
+ );
+
+ // Reset state
+ clearOCSPCache();
+ Services.prefs.clearUserPref("security.OCSP.require");
+ Services.prefs.clearUserPref(timeoutPrefName);
+ run_next_test();
+ });
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url.js b/security/manager/ssl/tests/unit/test_ocsp_url.js
new file mode 100644
index 0000000000..b26d74b3b3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url.js
@@ -0,0 +1,122 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// In which we try to validate several ocsp responses, checking in particular
+// if the ocsp url is valid and the path expressed is correctly passed to
+// the caller.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const SERVER_PORT = 8888;
+
+function failingOCSPResponder() {
+ return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
+}
+
+function start_ocsp_responder(expectedCertNames, expectedPaths) {
+ return startOCSPResponder(
+ SERVER_PORT,
+ "www.example.com",
+ "test_ocsp_url",
+ expectedCertNames,
+ expectedPaths
+ );
+}
+
+function check_cert_err(cert_name, expected_error) {
+ let cert = constructCertFromFile("test_ocsp_url/" + cert_name + ".pem");
+ return checkCertErrorGeneric(
+ certdb,
+ cert,
+ expected_error,
+ certificateUsageSSLServer
+ );
+}
+
+add_task(async function() {
+ addCertFromFile(certdb, "test_ocsp_url/ca.pem", "CTu,CTu,CTu");
+ addCertFromFile(certdb, "test_ocsp_url/int.pem", ",,");
+
+ // Enabled so that we can force ocsp failure responses.
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+
+ Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+ // Note: We don't test the case of a well-formed HTTP URL with an empty port
+ // because the OCSP code would then send a request to port 80, which we
+ // can't use in tests.
+
+ clearOCSPCache();
+ let ocspResponder = failingOCSPResponder();
+ await check_cert_err("bad-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("ftp-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = start_ocsp_responder(["hTTp-url"], ["hTTp-url"]);
+ await check_cert_err("hTTp-url", PRErrorCodeSuccess);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("no-host-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = start_ocsp_responder(["no-path-url"], [""]);
+ await check_cert_err("no-path-url", PRErrorCodeSuccess);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err(
+ "no-scheme-host-port",
+ SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+ );
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ // Note: We currently don't have anything that ensures user:pass sections
+ // weren't sent. The following test simply checks that such sections
+ // don't cause failures.
+ clearOCSPCache();
+ ocspResponder = start_ocsp_responder(["user-pass"], [""]);
+ await check_cert_err("user-pass", PRErrorCodeSuccess);
+ await stopOCSPResponder(ocspResponder);
+});
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem
new file mode 100644
index 0000000000..4d31ad30e2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIUcxiMVENAraxc4sbSRTxsifEGHjQwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBUxEzARBgNVBAMMCmJhZC1zY2hlbWUwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMTAvMC0GCCsGAQUF
+BwEBBCEwHzAdBggrBgEFBQcwAYYRL3d3dy5leGFtcGxlLmNvbS8wDQYJKoZIhvcN
+AQELBQADggEBADf/rIlagOSOthTQAOg21ESO5SKZuH/hOQkdagoSupiui6BX2E8d
+1wMoZPGGOQBwEo8XT3ak+0ANlznoFLCvac4UQlLEiN6TR5ODJTep/8vTMDxBguRd
+WoCIHtFFpcs8HGWvyZtoh+pr8UH38Csw9g8mqX3L6g5QcpDUIfVhPEOSK46HapVM
+15BBqYsOpM5B0Yd+7AiIhiZZiNRojPxSN8DT55J+sRGiXunzP4BV2GwOI2ldjRJ5
+yJYJfUF4D+hmM37/QsLocV3AnWzSegY8xc372bkaHc3jOgo+9DJPliOOhrWNLEDk
+1cM5IXNP+fQxkCCm6VMO5dUx/mM2OXPVldc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec
new file mode 100644
index 0000000000..12cc072792
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:bad-scheme
+extension:authorityInformationAccess:/www.example.com/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem
new file mode 100644
index 0000000000..54b436cdab
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUbd6irDfViDg0hGYGrBFpSOiAgmswDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
+VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBa/UJSVAkS4R5UUprUZ+VETh+G
+TbLf+xbhyhpXn39i7Rk0/U7IelYJN3qalF3eIL7ab4qij3jWLrdOJz1ERkxVWXeX
+a9rjQC7nQQqnOrdcEPvq297cHuwtKb+jTTKDI4ATy7UVeE3DDW6VWewmAz8VA7FH
+SxAwdLWgqKzAqLEhhrg6l0JtpDmCfoBZ5yVA9gPdcSouaQ+6WnL0TFmNtriZPZI5
+Sq7Ua1aM1X/Ca3kQLo1DD06lgR7bJbjH+2j0uRYbB7NeB5aeYYnnxRdXcbXtM2Wl
+dPg/8WETAK3hjbaY0Xq5UFP9tLkLbq3a1lew5BEz9xFz7P+offg8hSAONOZu
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem.certspec
new file mode 100644
index 0000000000..d809dbd635
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem
new file mode 100644
index 0000000000..9e014e046a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAdugAwIBAgIUfXZLX886ys6oYF2hFTD113w25vIwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBsxGTAXBgNVBAMMEGVtcHR5LXNjaGVtZS11cmwwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjODA2MDQG
+CCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYOi8vd3d3LmV4YW1wbGUuY29tOjg4
+ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQB/FqFwqO/trl/aSBpjWE9+jPLtnJOUxWRt
+J0lx/7SREoxDlltp+qrDcpKgA4uEz2xeo/AVHpcEd8V1mjFJhiFCQR3IGuCIkBtX
+/fanzlYl49XTtGDHmVZOOgok3Q3NwV+qwv/Qah/PzL7C2z8QD9UDDSu5jeGUC5vP
+wSe8pr+LFMSB4Koe13biFiHZ2rerLuRrHXPCwlHytFXr6MeZyk8DrjBpQ4Qa0I6P
+tMXFRLIXm30dKxKZefY4Cxqce2M5iUhTJQ7AH6NDtV7SClbi8Px7yFeIAIBcGTbQ
+HauxBJ189pnzGpMTAZ7dheZW/tK++MCzu+oy1tGbjWEeSpFFD+92
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem.certspec
new file mode 100644
index 0000000000..e8959653f3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:empty-scheme-url
+extension:authorityInformationAccess:://www.example.com:8888/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem
new file mode 100644
index 0000000000..0e76de6922
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7TCCAdWgAwIBAgIUP6gYyih9vcQFEmw6jInzA0Lcx5owDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBIxEDAOBgNVBAMMB2Z0cC11cmwwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg
+2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ
+5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ
+PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj
+DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W
+iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOzA5MDcGCCsGAQUFBwEB
+BCswKTAnBggrBgEFBQcwAYYbZnRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvMA0G
+CSqGSIb3DQEBCwUAA4IBAQB8Ts6atwiom8QSkIVDayT7fMWo6Qu0M/Uhd60/M8cI
+it4KBFBN1IimF8768ZmX/CPx0BaUopC5aOnkrZ69bJYrVao8nZ4Iv46IY1S1Xroa
+ty+lej25NkVKVJe6Vlc73rbt36nc9xW8hl/mXV63tXmbm7SXUIWOiYuZIa4HwmGw
+FkDexshf5QFoe8FfMix1ZiVj8oKr2Ah5Tpmc8oHOI1CfbKK4OACvA3zWSrfNRUL3
+QysUc8a5ivjRXNAerBdCUsCD0AGqxNKMKksAehaGw7QoH0lpsV0nhnB7sAfo3g23
+azcOr1kugLtYVU9zLjqXHXp85WQQNW6u7jjN7rZ7O27V
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem.certspec
new file mode 100644
index 0000000000..9f50a7d792
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:ftp-url
+extension:authorityInformationAccess:ftp://www.example.com:8888/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem
new file mode 100644
index 0000000000..0e9765db26
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9zCCAd+gAwIBAgIUPyIl+CW63MemORS1mNNtzeYU1PYwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBMxETAPBgNVBAMMCGhUVHAtdXJsMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo
+4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD
+SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX
+kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx
+owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/
+Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo0QwQjBABggrBgEFBQcB
+AQQ0MDIwMAYIKwYBBQUHMAGGJGhUVHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9o
+VFRwLXVybDANBgkqhkiG9w0BAQsFAAOCAQEATB54EtpZ1EK2bz1gy9khuT9HJHqZ
+UvBlzz3wto/NXvq9Cd79bW93sydmKiNveiVrGuYJG5WX3VdxzHBlcTzpm+9ObsgH
+FRLu5KP4fLRhL49dix48k9Gl5VBgZfZSjjzpb/tpPjUvPnE2UPtDa8kC1Is9xN4m
+bL6hbwVpcusFBiRQWq37tzCCV1oce0S/MvvEMinnp6daLwI3BYAcmWexq0JdpRV+
+ixu3IL0chOIjM4W2Zv0WHPXtz0q9/rU7HbJ9X7k3e7lYmoU297tM5r3MKw2T8D/h
+9McUjgTMwqdcoUUM8iwCphbjmFO3yPLILiAMdXV/4OvhognLpL6wViD+Kw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem.certspec
new file mode 100644
index 0000000000..10b1504b29
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:hTTp-url
+extension:authorityInformationAccess:hTTp://www.example.com:8888/hTTp-url
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem
new file mode 100644
index 0000000000..233c7dbbb4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+jCCAeKgAwIBAgIUcYnrnPrivVifCZHI3B1RI9yhpcUwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBQxEjAQBgNVBAMMCWh0dHBzLXVybDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNGMEQwQgYIKwYBBQUH
+AQEENjA0MDIGCCsGAQUFBzABhiZodHRwczovL3d3dy5leGFtcGxlLmNvbTo4ODg4
+L2h0dHBzLXVybDANBgkqhkiG9w0BAQsFAAOCAQEAjx5EcBAumCFK8/lj8vr6N88i
+G6vq8vkUMFXjlqrxw4ODbajVVFnGBIfzG7usDajQr2f3Rvl6huLm1P4ljLfHwu60
+d7uJKExnjTXzxEjC6mrupOG8t3VvIjv4C9MgaD6P4I96opG0V1V22YDC+fHuRZgb
+7I0+9EwUqrM3BqBSob3AFkcl7oyjIovG/KU26GlMbtLBbt1F6UpI5DAiOsb/UfY9
+bhEevyv7L9Sn07CYRbLFXUy47D5MhJk9XLZJQmgalnAtWxK6G+i8Y6s9DDDz6g0n
+AYiRmOQydYgVMt8+h5KYzOnNO/vES41ATBgGPrp5J0LAxNvofme02+nU0sFQPw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem.certspec
new file mode 100644
index 0000000000..891005bf5c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:https-url
+extension:authorityInformationAccess:https://www.example.com:8888/https-url
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.key b/security/manager/ssl/tests/unit/test_ocsp_url/int.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.key.keyspec b/security/manager/ssl/tests/unit/test_ocsp_url/int.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.pem b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem
new file mode 100644
index 0000000000..f12ebf91fd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyjCCAbKgAwIBAgIUS7UFd8kviZT6AzkUw+zBza2WxxcwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowDjEMMAoGA1UEAwwDaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsG
+A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAXr6DXGOqX+xkzyNm1YZc+wtm
+6yFQo2jgeCMxgOv4j07wEEgGPP4adgyHjAhqTtYNbdBCuPtEbMInVRHdJooWNGk7
+MeoyTmJLlEJlnzVHdCUDi0mb+E7w2vVWNeirXnUSBN8qStok8vNoHJDT7pX3QEQs
+zRRNHw5qs/xxZKxzxeBiljYlh1d1zVgqNWTx9LP5IOEKOQ9OzxpzsCpJtPZRxh/d
+gip6TZT9srCndY2jCFUEYdSFRWOjsb6ni9TGC2o4SUxxJvC8jmrLjgGqPGNdTMiX
+DOxuAjt1gue4kqK6r6nMqxOZ04TEe0c/M5+hF4dhQaxqga6vvGBl0oF2QMxXGA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem.certspec
new file mode 100644
index 0000000000..a7f6d81419
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem
new file mode 100644
index 0000000000..07b3eece77
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8jCCAdqgAwIBAgIUI+NlsiPCC51FapO6j10d1zhvVkYwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBgxFjAUBgNVBAMMDW5lZ2F0aXZlLXBvcnQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk
+e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg
+KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI
+YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi
+lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL
+HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOjA4MDYGCCsG
+AQUFBwEBBCowKDAmBggrBgEFBQcwAYYaaHR0cDovL3d3dy5leGFtcGxlLmNvbTot
+MS8wDQYJKoZIhvcNAQELBQADggEBABCPXr4pvTLeDOPJ9G/A06wTpyoTAUa925GG
+hRTuEeEw5o83Uzgm/fT2bO6+RJCfdR0wA95897l/p6vzybobZe8w2GM4RYWzkzkL
+xMHrJQtzSdgG7tLRaxZ58A+Q1l8mRGtYpyAb14hwEsKY+8phG3XGP2w7ekQxODhM
+gTgaICYNoQaBlz4PqVdqhDv7ZgmF9QQyG0C3H5Hma0jinr5YcCYRkzPciZTwS8DP
+Jv7n+/9WbTK0rOc1n5omFwb0fPs64rpVgWqGmySPPT7G8aUo89a9ma8XJMoaHjzE
+T1TZL03SoOxxEN3NBB4+9i14qHfmiWu+pOFlcDxCnVkRACMk2d0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec
new file mode 100644
index 0000000000..fce6d43848
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:negative-port
+extension:authorityInformationAccess:http://www.example.com:-1/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem
new file mode 100644
index 0000000000..0358a13a65
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4zCCAcugAwIBAgIUJ/hWC/IA8OSkpAm4v2bLiFq5xlMwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBYxFDASBgNVBAMMC25vLWhvc3QtdXJsMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoy0wKzApBggrBgEF
+BQcBAQQdMBswGQYIKwYBBQUHMAGGDWh0dHA6Ly86ODg4OC8wDQYJKoZIhvcNAQEL
+BQADggEBAK4Fk3641sIxflNan2/JobCNeV8UoDpVn9ZaU9sUOfXHnVVPjUAnlzKj
+SdhI9Z9bVqsEt787B2UIGQeqYnot5x7Gu9hGSeGz7kfp/xURyx4CHmIC33n9jwKZ
+daWaiWvqHfbRljd6Mvm9lJYWx3w8Ggci61N+GeeRAmBhPJvpe6gzo/vCmO6rnSqG
+0AxiEb98DHaes4ofL/DTgDlHWryB5UByyf9FEenHFFizr/YuYEKc8FMf19nvbQiN
+VJFP6LMmIlmg4Xq7ED97U5VhDal1e6vro12d5Cv9EZkkTxaTQMKhG4W8iNHZlwFB
+BsQX7n6BT1Lg/MqVCUt265qDF3c7Pvc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem.certspec
new file mode 100644
index 0000000000..4ac76e7eb3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:no-host-url
+extension:authorityInformationAccess:http://:8888/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem
new file mode 100644
index 0000000000..f7b346e338
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIUaz9vziBHmRLkLlxVoF1xxTuiNH4wDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBYxFDASBgNVBAMMC25vLXBhdGgtdXJsMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozswOTA3BggrBgEF
+BQcBAQQrMCkwJwYIKwYBBQUHMAGGG2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4
+ODANBgkqhkiG9w0BAQsFAAOCAQEAlMdLsu6jig7c3TW2eYVzA8uAuANVDpE49XXf
+6KJI/RCGjJZa5h6SEPRnvhmruc3TsY/3Tt1U8i9QqEgFTkFmFmFI+twqJGH/F2KM
+Ied4MBF970tkTVYRRUI0RCOdhBUfx1kDuA1D00YdDA3v5mYTcdsSIB7U6lqah/28
+Rga+PhQX6Yu2VVcQF48sO51vsa2Q3hhZEqyGwezWDml1IAgr5EXT3hDdVKTXtZpM
+g6lzAfcdF/vhDVtmABvDpyWhMcfTQ/nNel2/7ICJvukP5v1VW15XYzL4tsyMx4K7
+8CL1Ol6XMixU7Ov0liwN3s4ltvJqpVoyOrMWLoa3Qn7F4XHJMg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem.certspec
new file mode 100644
index 0000000000..497bb28796
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:no-path-url
+extension:authorityInformationAccess:http://www.example.com:8888
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem
new file mode 100644
index 0000000000..2e4b35203d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIUc6pGAyMLd73M5wLzGIk7VHQ1UGgwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMB4xHDAaBgNVBAMME25vLXNjaGVtZS1ob3N0LXBvcnQwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjITAf
+MB0GCCsGAQUFBwEBBBEwDzANBggrBgEFBQcwAYYBLzANBgkqhkiG9w0BAQsFAAOC
+AQEAoNZDLXjNXKUumNMieyWv67kOH/uoDS9tsX4+LIuZRgKLeb4xjstHxxKkaWWy
+HJCjBwHYjbndWXSqE+6NPm8oHTypPc0+vZOStKnj/OzxHWfxbEzqsy27qoWKFpxA
+HNzyt4/EWmSdoDRiCoXTYP4KuIPGrtqUS2wnJAoEcNa52wazsqSRJPfiK02r+N96
+N/z8+Olyudbgkl6QNMNaxmzYejENLfwxS1nH5R3orxEH2/L+6Mr3vKDMq9IQc3Ou
+vrHHtW7XiOaYNV+8p4ChaGe6yEEbnz53G7TwjoDKvxD1tV0AGqRqMxdCJ+CDQ7Ev
+xwxHLNIXGsaQs2H7m7eE9OpN/Q==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem.certspec
new file mode 100644
index 0000000000..42a555e411
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:no-scheme-host-port
+extension:authorityInformationAccess:/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem
new file mode 100644
index 0000000000..9a7530baa9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7TCCAdWgAwIBAgIUccG45Puc/if4zk65IRFmiwMkTyowDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBgxFjAUBgNVBAMMDW5vLXNjaGVtZS11cmwwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk
+e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg
+KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI
+YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi
+lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL
+HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjNTAzMDEGCCsG
+AQUFBwEBBCUwIzAhBggrBgEFBQcwAYYVd3d3LmV4YW1wbGUuY29tOjg4ODgvMA0G
+CSqGSIb3DQEBCwUAA4IBAQBTjpqXEXFANWFs+cs4nu2rUFEnvXkZzmkoRlPbWaKw
+naVdEJ5xetaX79sh5N3vSNPCsArAF1iCnv8jmgnQRzXRKWxrZGVrUGm+5a74O/99
+vvy7CIj90A7OytXUwyAhrz6hGxmWYrnJUY5RjZTmjxvr4wgiXXZuHc+/uZRn84RK
+sJnh+XDS3hFz0M78FQOSTgdwEI/hC/QFh0CIycrc4qR6xY+fwdfLvk8GepC6ABCG
+6hn9bEpt1POO7O7UmBtIYuiyHx/32hwVrCXFbD7sgnLvz0iQYvnO4gg4Cb42pK2N
+gBeej4JDWaxq3HOBCKEARgdpWML2E94Vx7a484EuLI0h
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem.certspec
new file mode 100644
index 0000000000..a82196a6d1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:no-scheme-url
+extension:authorityInformationAccess:www.example.com:8888/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem
new file mode 100644
index 0000000000..798afe22d3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIUNW/IeKC4Vw2JT/VDNXHrYgCqKegwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBkxFzAVBgNVBAMMDnVua25vd24tc2NoZW1lMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozYwNDAyBggr
+BgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFnR0cDovL3d3dy5leGFtcGxlLmNvbS8w
+DQYJKoZIhvcNAQELBQADggEBALT6AXU+U5IK7KxE2FW8F719+2Solmn3WcbLP9z+
+klThJ2HcNlxZBxuV+DwS3kBhsocZDneuOvUfSMilswGrGi9pGNgdhQWN2gO41LUy
+QavfjRuSbGJghAZJSN5dVWBkF8kuv19ZiLMiM53C5vQo92/+Vww+Ue5S1HSagybI
+3mmBUyf+8nvVO5mDsfDL8OnH4ON66sxqgu6Kuwlr2wc3inZo7ZOW24m75KLJG2Ah
+KOs0sksn7DsG2VFUIJJj/qN9Co8ZjrnJbLYec57MBM8V8l1wIfVdqM/a7wof4tE3
+DVKvFl7uGK/u1nh4lRYQx7/MH1GU4ItULEbOZ2kCIpnozpU=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec
new file mode 100644
index 0000000000..0089455398
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:unknown-scheme
+extension:authorityInformationAccess:ttp://www.example.com/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem
new file mode 100644
index 0000000000..ab104a9f45
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+jCCAeKgAwIBAgIUJ7gBTm0Yo/h/kQT3ggLP9jbM3yIwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBQxEjAQBgNVBAMMCXVzZXItcGFzczCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNGMEQwQgYIKwYBBQUH
+AQEENjA0MDIGCCsGAQUFBzABhiZodHRwOi8vdXNlcjpwYXNzQHd3dy5leGFtcGxl
+LmNvbTo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAatrdhzPYl8dtK3j+q0F2cD0M
+QpgNpBZeRa+9puQK/mLlSNEI1ottNU+DbukELLpwAtS0YzN02qf48MptuWkyudT0
+3bDNWIGMmzXpGgD7OCE2iwuiWJD6URahLoCew0eByIhaywaexEtqiNFIBtD3xPJr
+vqxAJ7JvXpTNpE90dbnHCXlXQU6h9HFIfj8pIPDc/hXACjqVmqetwzK6d5XPLUaG
+D4Jxy+lHN90JvH9+oApumJj/i2g7Bpjbn1SFwg5UKamAFc4SsDbV/DsXy91rqpSJ
+Wtrq6EP8cPNQ5cTQ3nzs/cO7nSVrVXllxkcUpOo1JnAARmWlyePioomaqf1fKA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec
new file mode 100644
index 0000000000..337e67e5f9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:user-pass
+extension:authorityInformationAccess:http://user:pass@www.example.com:8888/
diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem
new file mode 100644
index 0000000000..74a9711cf6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIBHzANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFUZXN0
+IEludGVybWVkaWF0ZTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAw
+WjAwMS4wLAYDVQQDDCVBbm90aGVyIEVFIFJldm9rZWQgYnkgcmV2b2NhdGlvbnMu
+dHh0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62
+iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql
+WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq
+Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+
+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i
+b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY
+CjXtjQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB2pHWaL4x9Z6EwRI54eDjBvbhW
+Nckc9QFYHdheA91DnlSkyeAIHcXe+fW0nvoCZ9xfnSjPlsXgs/qQyOHg+w6LgfhM
+3UaGRRRouIqOMMko1DgbrJRm2YFrUhCjmsnnKq99rp4eShc2kwBSd0Az6OGhBnE6
++CcU7a6wfOV/enX/KGiiWeQON5+jh9bBBDRO1trvFd7CDSMyAEkg+CEu6Mb53QlK
+cOBuev+Bc5GV6gng+I/X7vh3DsMIbsfOAU6llpqx0VO/evp4SFExSQI4zbjxQEqv
+/38YQAhJ7j97kupgPXL98q27TQaUZvOCok/Go8j0ZQZ1dlJFwRNZE6ZT393R
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem.certspec
new file mode 100644
index 0000000000..d3ba461104
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test Intermediate
+subject:Another EE Revoked by revocations.txt
+serialNumber:31
diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem
new file mode 100644
index 0000000000..f118e94dd3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIBTjANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFUZXN0
+IEludGVybWVkaWF0ZTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAw
+WjAwMS4wLAYDVQQDDCVBbm90aGVyIEVFIFJldm9rZWQgYnkgcmV2b2NhdGlvbnMu
+dHh0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62
+iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql
+WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq
+Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+
+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i
+b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY
+CjXtjQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAD1fjkHeUSNoIXuGDYRYn2rZJS
+5oV2caQaXRv7FaB4M7oGx5FNTaooSJLr+M6yC+0dxkfU8316vJ4d2DAKyL1sVrpw
+QMhndYCKQXpJ/06F59khzZnsPVAdnuXJ99aLGVjiebN+NYWzLDPUQw9sERvw+lep
+wNWJAgBsjdc/9iyLR7Tj5Y72zB4tV961GLSX6WztKyuLhIHCFueU3IvbDe4NWLyT
+CNZOohGcpdAzGH18gPOJnuVKLzND629qUZrr8/orh0xk989/uk97Kg1oF5Wd6LaT
+4CuH3CIVA5ijYj6jwPbj6gkV5IdxW4QVYefH47G9xum7RDF/IVEs3rzwybPj
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem.certspec
new file mode 100644
index 0000000000..10f8f07cce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test Intermediate
+subject:Another EE Revoked by revocations.txt
+serialNumber:78
diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem
new file mode 100644
index 0000000000..566f6f227d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtzCCAZ+gAwIBAgIBKjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0
+IENBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCgxJjAkBgNV
+BAMMHUVFIFJldm9rZWQgYnkgcmV2b2NhdGlvbnMudHh0MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3
+DQEBCwUAA4IBAQBXENg6gQp2CVGvs2e5SFpj+9K0Df6qICkQeIsEsqL/loRbBhdf
+kRudVBVaXANEWdInLppGGfv8tk3VAre2Trlq8Owt3RuP4mdyrlSt3ZTNPbK3lPCU
+K51iqEX/URBvwo+dZpOZqBy+NQ1ZdLlWWTzABiXfQNnsg1z0U/laGYNvNoGxWmg0
+YDU/moLw4EOh8akvTRdoZ6WaSTRCwNISTPCUrwj4RvKeSlsuat+MsxCA4oQqquni
+iDD1Aq2MLDXAsMfCz7fB+FJ8hMA8nGOTNd4eRXsJIFRcIRSiPo6eADZaex88z84b
+NlE/N5/6MQ7EDsiumkHO35B1Nr2hKSnygrCl
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem.certspec
new file mode 100644
index 0000000000..a2a67d909c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test CA
+subject:EE Revoked by revocations.txt
+serialNumber:42
diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem
new file mode 100644
index 0000000000..eb6db83ff8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzTCCAbWgAwIBAgIUF0SQAekyqW5LqQAmYGwNQpn7o18wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjArMSkwJwYDVQQDDCBFRSBSZXZva2VkIEJ5IFN1YmplY3QgYW5k
+IFB1YktleTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAtqoXX2PHLaQdil4gzPbg
+vONLbChJFeN/rBwenDrYYvyyw/x7hEov3pedjiapzjQHZiEINFICipArwEkN3hBK
+5eSSdfRbHrfzZ3XIRwkgRlPkVSN0DPv1QXvRbym3OuKZLmDHYNLr0g4siTB9QT/X
+KuCCnJazaBrNclz2DmZq7tMjKi/82i5aMot7fCJ8Rc+TSOMgTGCS2BnvoM/F4+0e
+q3Nd7XfSrdEgd2qfzKON4qrJyDK8v9RnY3c1kG+JbpQHby70JPz9YBO8sa2Yuy1U
+Vxnh2zhmPBUWPNwDYefkGfA+Mw2cW48+6vvFxigWjoLyNAGVEH8zrYhgSGY67P1l
+2g==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem.certspec
new file mode 100644
index 0000000000..cadbcf9038
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem.certspec
@@ -0,0 +1,2 @@
+issuer:Test CA
+subject:EE Revoked By Subject and PubKey
diff --git a/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem
new file mode 100644
index 0000000000..d524b4480b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDITCCAgmgAwIBAgIUKU+OMvdur/GbuU28D3WfX/xbV9AwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAiMSAwHgYDVQQDDBdBbm90aGVyIFRlc3QgRW5kLWVudGl0eTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAAaNbMFkwIwYDVR0RBBwwGoIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tMDIG
+CCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4
+LzANBgkqhkiG9w0BAQsFAAOCAQEAReIPRx+jafffXyK50Ig6Juzjs51zXX3IrdA2
+HYcXGZsdsLL8CvlnwHJhrMBP+Eh/bs8u9UgfmC9rxDX2gLxfIDlbidryYGzONAQq
+jWiFlVzq30fz28uatwFYzUzKODtsCM+47Qg0Y+HY9506Bj7TNmPB/a9JBY76SSw0
+Rwk1LSaMEuzu62XXuT+jjVGWqQZktAAUCtpM39UlC8aazrk6ipfh6iKHcJCN5+U1
++IM4BOErevre0SxKTz7cNKr04lghxFFGUKm/jkoZeF/6Hm73Ke75EhKlfS3D1YAY
+rm3DuUnGaWn/00X6lAWrm/dCfq1uepp+Xmgsc27jFPnVAccuMw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem.certspec
new file mode 100644
index 0000000000..8b20f03f59
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Another Test End-entity
+extension:subjectAlternativeName:localhost,*.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/test_onecrl/sample_revocations.txt b/security/manager/ssl/tests/unit/test_onecrl/sample_revocations.txt
new file mode 100644
index 0000000000..8983eb65c7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/sample_revocations.txt
@@ -0,0 +1,41 @@
+# a sample revocations.txt for tests
+# Lines starting with '#' are ignored - as are empty lines like this:
+
+# otherwise:
+# non-empty lines are treated as base-64 encoded DER DN data (e.g. issuer or
+# subject)
+# ...unless the line starts with a ' ' (space) character, in which case it's
+# assumed to be base-64 encoded DER serial data, or
+# the line starts with a '\t' (tab) character, in which case it's assumed to
+# be a base-64 encoded SHA256 hash of a public key
+
+# First a serial with no issuer to ensure this doesn't cause parsing to fail
+# (there should be an issuer first, but we need to test this won't fail)
+ dGVzdA==
+# next, let's ensure data that isn't valid base64 doesn't cause breakage.
+ this serial isn't valid base64 (but then there's no issuer anyway)
+Neither is this issuer, though the serial is fine
+ dGVzdA==
+dGVzdA==
+ in this case, issuer is fine but not the serial
+# Next two entries; we can add valid base-64 encoded data for some basic tests:
+# issuer is the base-64 encoded subject DN for the shared Test CA
+# serial is the base-64 encoded integer 42
+MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=
+ Kg==
+# issuer is the base-64 encoded subject DN for the shared Test Intermediate
+# the first serial is the base-64 encoded integer 78
+# the second serial is the base-64 encoded integer 31
+MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl
+ Tg==
+ Hw==
+ c2VyaWFsMi4=
+# subject is base-64 encoded subject DN "CN=EE Revoked By Subject and PubKey"
+# pubKeyHash is the base-64 encoded sha256 hash of the shared RSA SPKI
+MCsxKTAnBgNVBAMMIEVFIFJldm9rZWQgQnkgU3ViamVjdCBhbmQgUHViS2V5
+ VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8
+# and some more data to ensure that mixed items don't cause parsing failure
+a DN
+ a serial
+ a hash
+ another serial
diff --git a/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem
new file mode 100644
index 0000000000..525cd71c47
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6jCCAdKgAwIBAgIUa4ks0VUTyrp6BlZyCB65lVeSFDgwDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowJDEiMCAGA1UEAwwZRUUgaXNzdWVkIGJ5IGlu
+dGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaMYMBYwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqG
+SIb3DQEBCwUAA4IBAQA1n1VzCy6MJBHPaZlsuILBLkNqd7Bhzalhp6ubI05DGgfq
+yIYSyEn7ALTwo0bsp9kndmijyB3T8BJoDekEHjcKRpnDuuBGKGVrvOWquIJ1YFRf
+1r+VxI7n0wC9RF953+rTgsyPYPS5q1DJrMx+q1PCzga4mP5Tm3OxTyMXsHpM7uxN
+9/imDY0gLndSUYjx0S5EADhmXul+SCLxzh+9TfdQPRSiDhFsNrUen31Ajh/5Iu34
+e0wc4UEEUJftqbmbFMk7OJiUi2UcezCJdt7WYZQJGLWHLQFugJmsE6sLy0fDXHVX
+65VKh/HrXYQ5xemJtJaQfImoHV5+SGkVxdyYFKwO
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem.certspec
new file mode 100644
index 0000000000..24792d540a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test Intermediate
+subject:EE issued by intermediate
+extension:subjectAlternativeName:localhost
diff --git a/security/manager/ssl/tests/unit/test_osclientcerts_module.js b/security/manager/ssl/tests/unit/test_osclientcerts_module.js
new file mode 100644
index 0000000000..69f812a90e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_osclientcerts_module.js
@@ -0,0 +1,63 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that the platform can load the osclientcerts module.
+
+// Ensure that the appropriate initialization has happened.
+Services.prefs.setBoolPref("security.osclientcerts.autoload", false);
+do_get_profile();
+
+const { TestUtils } = ChromeUtils.importESModule(
+ "resource://testing-common/TestUtils.sys.mjs"
+);
+
+async function check_osclientcerts_module_loaded() {
+ // Loading happens asynchronously, so we have to wait for the notification.
+ await TestUtils.topicObserved("psm:load-os-client-certs-module-task-ran");
+ let testModule = checkPKCS11ModuleExists(
+ "OS Client Cert Module",
+ "osclientcerts"
+ );
+
+ // Check that listing the slots for the osclientcerts module works.
+ let testModuleSlotNames = Array.from(
+ testModule.listSlots(),
+ slot => slot.name
+ );
+ testModuleSlotNames.sort();
+ const expectedSlotNames = [
+ "OS Client Cert Slot (Legacy)",
+ "OS Client Cert Slot (Modern)",
+ ];
+ deepEqual(
+ testModuleSlotNames,
+ expectedSlotNames,
+ "Actual and expected slot names should be equal"
+ );
+}
+
+add_task(async function run_test() {
+ // Check that if we haven't loaded the osclientcerts module, we don't find it
+ // in the module list.
+ checkPKCS11ModuleNotPresent("OS Client Cert Module", "osclientcerts");
+
+ // Check that enabling the pref that loads the osclientcerts module makes it
+ // appear in the module list.
+ Services.prefs.setBoolPref("security.osclientcerts.autoload", true);
+ await check_osclientcerts_module_loaded();
+
+ // Check that disabling the pref that loads the osclientcerts module (thus
+ // unloading the module) makes it disappear from the module list.
+ Services.prefs.setBoolPref("security.osclientcerts.autoload", false);
+ checkPKCS11ModuleNotPresent("OS Client Cert Module", "osclientcerts");
+
+ // Check that loading the module again succeeds.
+ Services.prefs.setBoolPref("security.osclientcerts.autoload", true);
+ await check_osclientcerts_module_loaded();
+
+ // And once more check that unloading succeeds.
+ Services.prefs.setBoolPref("security.osclientcerts.autoload", false);
+ checkPKCS11ModuleNotPresent("OS Client Cert Module", "osclientcerts");
+});
diff --git a/security/manager/ssl/tests/unit/test_oskeystore.js b/security/manager/ssl/tests/unit/test_oskeystore.js
new file mode 100644
index 0000000000..a5ef0f9172
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_oskeystore.js
@@ -0,0 +1,413 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the methods and attributes for interfacing with nsIOSKeyStore.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+const LABELS = ["mylabel1", "mylabel2", "mylabel3"];
+
+async function delete_all_secrets() {
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+ for (let label of LABELS) {
+ if (await keystore.asyncSecretAvailable(label)) {
+ await keystore.asyncDeleteSecret(label);
+ ok(
+ !(await keystore.asyncSecretAvailable(label)),
+ label + " should be deleted now."
+ );
+ }
+ }
+}
+
+// Test that Firefox handles locking and unlocking of the OSKeyStore properly.
+// Does so by mocking out the actual dialog and "filling in" the
+// password. Also tests that providing an incorrect password will fail (well,
+// technically the user will just get prompted again, but if they then cancel
+// the dialog the overall operation will fail).
+
+var gMockPrompter = {
+ passwordToTry: null,
+ numPrompts: 0,
+
+ // This intentionally does not use arrow function syntax to avoid an issue
+ // where in the context of the arrow function, |this != gMockPrompter| due to
+ // how objects get wrapped when going across xpcom boundaries.
+ promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+ this.numPrompts++;
+ equal(
+ text,
+ "Please enter your Primary Password.",
+ "password prompt text should be as expected"
+ );
+ equal(checkMsg, null, "checkMsg should be null");
+ ok(this.passwordToTry, "passwordToTry should be non-null");
+ if (this.passwordToTry == "DontTryThisPassword") {
+ // Cancel the prompt in this case.
+ return false;
+ }
+ password.value = this.passwordToTry;
+ return true;
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+};
+
+// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt
+// to call promptPassword. We return the mock one, above.
+var gWindowWatcher = {
+ getNewPrompter: () => gMockPrompter,
+ QueryInterface: ChromeUtils.generateQI(["nsIWindowWatcher"]),
+};
+
+async function encrypt_decrypt_test() {
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+ ok(
+ !(await keystore.asyncSecretAvailable(LABELS[0])),
+ "The secret should not be available yet."
+ );
+
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(recoveryPhrase, "A recovery phrase should've been created.");
+ let recoveryPhrase2 = await keystore.asyncGenerateSecret(LABELS[1]);
+ ok(recoveryPhrase2, "A recovery phrase should've been created.");
+
+ let text = new Uint8Array([0x01, 0x00, 0x01]);
+ let ciphertext = "";
+ try {
+ ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text);
+ ok(ciphertext, "We should have a ciphertext now.");
+ } catch (e) {
+ ok(false, "Error encrypting " + e);
+ }
+
+ // Decrypting should give us the plaintext bytes again.
+ try {
+ let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext);
+ ok(
+ plaintext.toString() == text.toString(),
+ "Decrypted plaintext should be the same as text."
+ );
+ } catch (e) {
+ ok(false, "Error decrypting ciphertext " + e);
+ }
+
+ // Decrypting with a wrong key should throw an error.
+ try {
+ await keystore.asyncDecryptBytes(LABELS[1], ciphertext);
+ ok(false, "Decrypting with the wrong key should fail.");
+ } catch (e) {
+ ok(true, "Decrypting with the wrong key should fail " + e);
+ }
+}
+
+add_task(async function() {
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+ let windowWatcherCID;
+ if (keystore.isNSSKeyStore) {
+ windowWatcherCID = MockRegistrar.register(
+ "@mozilla.org/embedcomp/window-watcher;1",
+ gWindowWatcher
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(windowWatcherCID);
+ });
+ }
+
+ await delete_all_secrets();
+ await encrypt_decrypt_test();
+ await delete_all_secrets();
+
+ if (
+ AppConstants.platform == "macosx" ||
+ AppConstants.platform == "win" ||
+ AppConstants.platform == "linux"
+ ) {
+ ok(
+ !keystore.isNSSKeyStore,
+ "OS X, Windows, and Linux should use the non-NSS implementation"
+ );
+ }
+
+ if (keystore.isNSSKeyStore) {
+ // If we use the NSS key store implementation test that everything works
+ // when a master password is set.
+ // Set an initial password.
+ let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+ Ci.nsIPK11TokenDB
+ );
+ let token = tokenDB.getInternalKeyToken();
+ token.initPassword("hunter2");
+
+ // Lock the key store. This should be equivalent to token.logoutSimple()
+ await keystore.asyncLock();
+
+ // Set the correct password so that the test operations should succeed.
+ gMockPrompter.passwordToTry = "hunter2";
+ await encrypt_decrypt_test();
+ ok(
+ gMockPrompter.numPrompts == 1,
+ "There should've been one password prompt."
+ );
+ await delete_all_secrets();
+ }
+
+ // Check lock/unlock behaviour.
+ // Unfortunately we can only test this automatically for the NSS key store.
+ // Uncomment the outer keystore.isNSSKeyStore to test other key stores manually.
+ if (keystore.isNSSKeyStore) {
+ await delete_all_secrets();
+ await encrypt_decrypt_test();
+ await keystore.asyncLock();
+ info("Keystore should be locked. Cancel the login request.");
+ try {
+ if (keystore.isNSSKeyStore) {
+ gMockPrompter.passwordToTry = "DontTryThisPassword";
+ }
+ await keystore.asyncUnlock();
+ ok(false, "Unlock should've rejected.");
+ } catch (e) {
+ ok(
+ e.result == Cr.NS_ERROR_FAILURE || e.result == Cr.NS_ERROR_ABORT,
+ "Rejected login prompt."
+ );
+ }
+ // clean up
+ if (keystore.isNSSKeyStore) {
+ gMockPrompter.passwordToTry = "hunter2";
+ }
+ await delete_all_secrets();
+ }
+});
+
+// Test that if we kick off a background operation and then call a synchronous function on the
+// keystore, we don't deadlock.
+add_task(async function() {
+ await delete_all_secrets();
+
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(recoveryPhrase, "A recovery phrase should've been created.");
+
+ try {
+ let text = new Uint8Array(8192);
+ let promise = keystore.asyncEncryptBytes(LABELS[0], text);
+ /* eslint-disable no-unused-expressions */
+ keystore.isNSSKeyStore; // we don't care what this is - we just need to access it
+ /* eslint-enable no-unused-expressions */
+ let ciphertext = await promise;
+ ok(ciphertext, "We should have a ciphertext now.");
+ } catch (e) {
+ ok(false, "Error encrypting " + e);
+ }
+
+ await delete_all_secrets();
+});
+
+// Test that using a recovery phrase works.
+add_task(async function() {
+ await delete_all_secrets();
+
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(recoveryPhrase, "A recovery phrase should've been created.");
+
+ let text = new Uint8Array([0x01, 0x00, 0x01]);
+ let ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text);
+ ok(ciphertext, "We should have a ciphertext now.");
+
+ await keystore.asyncDeleteSecret(LABELS[0]);
+ // Decrypting should fail after deleting the secret.
+ await keystore
+ .asyncDecryptBytes(LABELS[0], ciphertext)
+ .then(() =>
+ ok(false, "decrypting didn't throw as expected after deleting the secret")
+ )
+ .catch(() =>
+ ok(true, "decrypting threw as expected after deleting the secret")
+ );
+
+ await keystore.asyncRecoverSecret(LABELS[0], recoveryPhrase);
+ let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext);
+ ok(
+ plaintext.toString() == text.toString(),
+ "Decrypted plaintext should be the same as text."
+ );
+
+ await delete_all_secrets();
+});
+
+// Test that trying to use a non-base64 recovery phrase fails.
+add_task(async function() {
+ await delete_all_secrets();
+
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+ await keystore
+ .asyncRecoverSecret(LABELS[0], "@##$^&*()#$^&*(@#%&*_")
+ .then(() =>
+ ok(false, "base64-decoding non-base64 should have failed but didn't")
+ )
+ .catch(() => ok(true, "base64-decoding non-base64 failed as expected"));
+
+ ok(
+ !(await keystore.asyncSecretAvailable(LABELS[0])),
+ "we didn't recover a secret, so the secret shouldn't be available"
+ );
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(
+ recoveryPhrase && !!recoveryPhrase.length,
+ "we should be able to re-use that label to generate a new secret"
+ );
+ await delete_all_secrets();
+});
+
+// Test that re-using a label overwrites any previously-stored secret.
+add_task(async function() {
+ await delete_all_secrets();
+
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(recoveryPhrase, "A recovery phrase should've been created.");
+
+ let text = new Uint8Array([0x66, 0x6f, 0x6f, 0x66]);
+ let ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text);
+ ok(ciphertext, "We should have a ciphertext now.");
+
+ let newRecoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(newRecoveryPhrase, "A new recovery phrase should've been created.");
+
+ // The new secret replaced the old one so we shouldn't be able to decrypt the ciphertext now.
+ await keystore
+ .asyncDecryptBytes(LABELS[0], ciphertext)
+ .then(() =>
+ ok(false, "decrypting without the original key should have failed")
+ )
+ .catch(() =>
+ ok(true, "decrypting without the original key failed as expected")
+ );
+
+ await keystore.asyncRecoverSecret(LABELS[0], recoveryPhrase);
+ let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext);
+ ok(
+ plaintext.toString() == text.toString(),
+ "Decrypted plaintext should be the same as text (once we have the original key again)."
+ );
+
+ await delete_all_secrets();
+});
+
+// Test that re-using a label (this time using a recovery phrase) overwrites any previously-stored
+// secret.
+add_task(async function() {
+ await delete_all_secrets();
+
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(recoveryPhrase, "A recovery phrase should've been created.");
+
+ let newRecoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(newRecoveryPhrase, "A new recovery phrase should've been created.");
+
+ let text = new Uint8Array([0x66, 0x6f, 0x6f, 0x66]);
+ let ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text);
+ ok(ciphertext, "We should have a ciphertext now.");
+
+ await keystore.asyncRecoverSecret(LABELS[0], recoveryPhrase);
+
+ // We recovered the old secret, so decrypting ciphertext that had been encrypted with the newer
+ // key should fail.
+ await keystore
+ .asyncDecryptBytes(LABELS[0], ciphertext)
+ .then(() => ok(false, "decrypting without the new key should have failed"))
+ .catch(() => ok(true, "decrypting without the new key failed as expected"));
+
+ await keystore.asyncRecoverSecret(LABELS[0], newRecoveryPhrase);
+ let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext);
+ ok(
+ plaintext.toString() == text.toString(),
+ "Decrypted plaintext should be the same as text (once we have the new key again)."
+ );
+
+ await delete_all_secrets();
+});
+
+// Test that trying to use recovery phrases that are the wrong size fails.
+add_task(async function() {
+ await delete_all_secrets();
+
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+
+ await keystore
+ .asyncRecoverSecret(LABELS[0], "")
+ .then(() => ok(false, "'recovering' with an empty key should have failed"))
+ .catch(() => ok(true, "'recovering' with an empty key failed as expected"));
+ ok(
+ !(await keystore.asyncSecretAvailable(LABELS[0])),
+ "we didn't recover a secret, so the secret shouldn't be available"
+ );
+
+ await keystore
+ .asyncRecoverSecret(LABELS[0], "AAAAAA")
+ .then(() =>
+ ok(false, "recovering with a key that is too short should have failed")
+ )
+ .catch(() =>
+ ok(true, "recovering with a key that is too short failed as expected")
+ );
+ ok(
+ !(await keystore.asyncSecretAvailable(LABELS[0])),
+ "we didn't recover a secret, so the secret shouldn't be available"
+ );
+
+ await keystore
+ .asyncRecoverSecret(
+ LABELS[0],
+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+ )
+ .then(() =>
+ ok(false, "recovering with a key that is too long should have failed")
+ )
+ .catch(() =>
+ ok(true, "recovering with a key that is too long failed as expected")
+ );
+ ok(
+ !(await keystore.asyncSecretAvailable(LABELS[0])),
+ "we didn't recover a secret, so the secret shouldn't be available"
+ );
+
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(
+ recoveryPhrase && !!recoveryPhrase.length,
+ "we should be able to use that label to generate a new secret"
+ );
+ ok(
+ await keystore.asyncSecretAvailable(LABELS[0]),
+ "the generated secret should now be available"
+ );
+
+ await delete_all_secrets();
+});
diff --git a/security/manager/ssl/tests/unit/test_osreauthenticator.js b/security/manager/ssl/tests/unit/test_osreauthenticator.js
new file mode 100644
index 0000000000..01784a5fef
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_osreauthenticator.js
@@ -0,0 +1,27 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests nsIOSReauthenticator.asyncReauthenticateUser().
+// As this gets implemented on various platforms, running this test
+// will result in a prompt from the OS. Consequently, we won't be able
+// to run this in automation, but it will help in testing locally.
+add_task(async function test_asyncReauthenticateUser() {
+ const reauthenticator = Cc[
+ "@mozilla.org/security/osreauthenticator;1"
+ ].getService(Ci.nsIOSReauthenticator);
+ ok(reauthenticator, "nsIOSReauthenticator should be available");
+ const EXPECTED = false; // Change this variable to suit your needs while testing.
+ ok(
+ (
+ await reauthenticator.asyncReauthenticateUser(
+ "this is the prompt string",
+ "this is the caption string",
+ null
+ )
+ )[0] == EXPECTED,
+ "nsIOSReauthenticator.asyncReauthenticateUser should return a boolean array with the first item being the authentication result of: " +
+ EXPECTED
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_password_prompt.js b/security/manager/ssl/tests/unit/test_password_prompt.js
new file mode 100644
index 0000000000..cf4c6db7bf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_password_prompt.js
@@ -0,0 +1,87 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that PSM can successfully ask for a password from the user and relay it
+// back to NSS. Does so by mocking out the actual dialog and "filling in" the
+// password. Also tests that providing an incorrect password will fail (well,
+// technically the user will just get prompted again, but if they then cancel
+// the dialog the overall operation will fail).
+
+var gMockPrompter = {
+ passwordToTry: null,
+ numPrompts: 0,
+
+ // This intentionally does not use arrow function syntax to avoid an issue
+ // where in the context of the arrow function, |this != gMockPrompter| due to
+ // how objects get wrapped when going across xpcom boundaries.
+ promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+ this.numPrompts++;
+ if (this.numPrompts > 1) {
+ // don't keep retrying a bad password
+ return false;
+ }
+ equal(
+ text,
+ "Please enter your Primary Password.",
+ "password prompt text should be as expected"
+ );
+ equal(checkMsg, null, "checkMsg should be null");
+ ok(this.passwordToTry, "passwordToTry should be non-null");
+ password.value = this.passwordToTry;
+ return true;
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+};
+
+// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt
+// to call promptPassword. We return the mock one, above.
+var gWindowWatcher = {
+ getNewPrompter: () => gMockPrompter,
+ QueryInterface: ChromeUtils.generateQI(["nsIWindowWatcher"]),
+};
+
+function run_test() {
+ do_get_profile();
+
+ let windowWatcherCID = MockRegistrar.register(
+ "@mozilla.org/embedcomp/window-watcher;1",
+ gWindowWatcher
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(windowWatcherCID);
+ });
+
+ // Set an initial password.
+ let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+ Ci.nsIPK11TokenDB
+ );
+ let token = tokenDB.getInternalKeyToken();
+ token.initPassword("hunter2");
+ token.logoutSimple();
+
+ // Try with the correct password.
+ gMockPrompter.passwordToTry = "hunter2";
+ // Using nsISecretDecoderRing will cause the password prompt to come up if the
+ // token has a password and is logged out.
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+ sdr.encryptString("poke");
+ equal(gMockPrompter.numPrompts, 1, "should have prompted for password once");
+
+ // Reset state.
+ gMockPrompter.numPrompts = 0;
+ token.logoutSimple();
+
+ // Try with an incorrect password.
+ gMockPrompter.passwordToTry = "*******";
+ throws(
+ () => sdr.encryptString("poke2"),
+ /NS_ERROR_FAILURE/,
+ "logging in with the wrong password should fail"
+ );
+ equal(gMockPrompter.numPrompts, 2, "should have prompted for password twice");
+}
diff --git a/security/manager/ssl/tests/unit/test_pinning.js b/security/manager/ssl/tests/unit/test_pinning.js
new file mode 100644
index 0000000000..fef2cd9358
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pinning.js
@@ -0,0 +1,311 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+//
+// For all cases, the acceptable pinset includes only certificates pinned to
+// Test End Entity Cert (signed by issuer testCA). Other certificates
+// are issued by otherCA, which is never in the pinset but is a user-specified
+// trust anchor. This test covers multiple cases:
+//
+// Pinned domain include-subdomains.pinning.example.com includes subdomains
+// - PASS: include-subdomains.pinning.example.com serves a correct cert
+// - PASS: good.include-subdomains.pinning.example.com serves a correct cert
+// - FAIL (strict): bad.include-subdomains.pinning.example.com serves a cert
+// not in the pinset
+// - PASS (mitm): bad.include-subdomains.pinning.example.com serves a cert not
+// in the pinset, but issued by a user-specified trust domain
+//
+// Pinned domain exclude-subdomains.pinning.example.com excludes subdomains
+// - PASS: exclude-subdomains.pinning.example.com serves a correct cert
+// - FAIL: exclude-subdomains.pinning.example.com serves an incorrect cert
+// (TODO: test using verifyCertNow)
+// - PASS: sub.exclude-subdomains.pinning.example.com serves an incorrect cert
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function add_clear_override(host) {
+ add_test(function() {
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.clearValidityOverride(host, 8443, {});
+ run_next_test();
+ });
+}
+
+function test_strict() {
+ // In strict mode, we always evaluate pinning data, regardless of whether the
+ // issuer is a built-in trust anchor. We only enforce pins that are not in
+ // test mode.
+ add_test(function() {
+ Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
+ run_next_test();
+ });
+
+ // Normally this is overridable. But, since we have pinning information for
+ // this host, we don't allow overrides.
+ add_prevented_cert_override_test(
+ "unknownissuer.include-subdomains.pinning.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
+
+ // Issued by otherCA, which is not in the pinset for pinning.example.com.
+ add_connection_test(
+ "bad.include-subdomains.pinning.example.com",
+ MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
+ );
+
+ // Check that using a FQDN doesn't bypass pinning.
+ add_connection_test(
+ "bad.include-subdomains.pinning.example.com.",
+ MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
+ );
+ // For some reason this is also navigable (see bug 1118522).
+ add_connection_test(
+ "bad.include-subdomains.pinning.example.com..",
+ MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
+ );
+
+ // These domains serve certs that match the pinset.
+ add_connection_test(
+ "include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "good.include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "exclude-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+
+ // This domain serves a cert that doesn't match the pinset, but subdomains
+ // are excluded.
+ add_connection_test(
+ "sub.exclude-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+
+ // This domain's pinset is exactly the same as
+ // include-subdomains.pinning.example.com, serves the same cert as
+ // bad.include-subdomains.pinning.example.com, but it should pass because
+ // it's in test_mode.
+ add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess);
+ // Similarly, this pin is in test-mode, so it should be overridable.
+ add_cert_override_test(
+ "unknownissuer.test-mode.pinning.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_clear_override("unknownissuer.test-mode.pinning.example.com");
+}
+
+function test_mitm() {
+ // In MITM mode, we allow pinning to pass if the chain resolves to any
+ // user-specified trust anchor, even if it is not in the pinset.
+ add_test(function() {
+ Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 1);
+ run_next_test();
+ });
+
+ add_connection_test(
+ "include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "good.include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+
+ // Normally this is overridable. But, since we have pinning information for
+ // this host, we don't allow overrides (since building a trusted chain fails,
+ // we have no reason to believe this was issued by a user-added trust
+ // anchor, so we can't allow overrides for it).
+ add_prevented_cert_override_test(
+ "unknownissuer.include-subdomains.pinning.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
+
+ // In this case, even though otherCA is not in the pinset, it is a
+ // user-specified trust anchor and the pinning check succeeds.
+ add_connection_test(
+ "bad.include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+
+ add_connection_test(
+ "exclude-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "sub.exclude-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess);
+ add_cert_override_test(
+ "unknownissuer.test-mode.pinning.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_clear_override("unknownissuer.test-mode.pinning.example.com");
+}
+
+function test_disabled() {
+ // Disable pinning.
+ add_test(function() {
+ Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 0);
+ run_next_test();
+ });
+
+ add_connection_test(
+ "include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "good.include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "bad.include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "exclude-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "sub.exclude-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess);
+
+ add_cert_override_test(
+ "unknownissuer.include-subdomains.pinning.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
+ add_cert_override_test(
+ "unknownissuer.test-mode.pinning.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_clear_override("unknownissuer.test-mode.pinning.example.com");
+}
+
+function test_enforce_test_mode() {
+ // In enforce test mode, we always enforce all pins, even test pins.
+ add_test(function() {
+ Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 3);
+ run_next_test();
+ });
+
+ // Normally this is overridable. But, since we have pinning information for
+ // this host, we don't allow overrides.
+ add_prevented_cert_override_test(
+ "unknownissuer.include-subdomains.pinning.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
+
+ // Issued by otherCA, which is not in the pinset for pinning.example.com.
+ add_connection_test(
+ "bad.include-subdomains.pinning.example.com",
+ MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
+ );
+
+ // These domains serve certs that match the pinset.
+ add_connection_test(
+ "include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "good.include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+ add_connection_test(
+ "exclude-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+
+ // This domain serves a cert that doesn't match the pinset, but subdomains
+ // are excluded.
+ add_connection_test(
+ "sub.exclude-subdomains.pinning.example.com",
+ PRErrorCodeSuccess
+ );
+
+ // This domain's pinset is exactly the same as
+ // include-subdomains.pinning.example.com, serves the same cert as
+ // bad.include-subdomains.pinning.example.com, is in test-mode, but we are
+ // enforcing test mode pins.
+ add_connection_test(
+ "test-mode.pinning.example.com",
+ MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
+ );
+ // Normally this is overridable. But, since we have pinning information for
+ // this host (and since we're enforcing test mode), we don't allow overrides.
+ add_prevented_cert_override_test(
+ "unknownissuer.test-mode.pinning.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_clear_override("unknownissuer.test-mode.pinning.example.com");
+}
+
+function check_pinning_telemetry() {
+ let prod_histogram = Services.telemetry
+ .getHistogramById("CERT_PINNING_RESULTS")
+ .snapshot();
+ let test_histogram = Services.telemetry
+ .getHistogramById("CERT_PINNING_TEST_RESULTS")
+ .snapshot();
+ // Because all of our test domains are pinned to user-specified trust
+ // anchors, effectively only strict mode and enforce test-mode get evaluated
+ equal(
+ prod_histogram.values[0],
+ 4,
+ "Actual and expected prod (non-Mozilla) failure count should match"
+ );
+ equal(
+ prod_histogram.values[1],
+ 6,
+ "Actual and expected prod (non-Mozilla) success count should match"
+ );
+ equal(
+ test_histogram.values[0],
+ 2,
+ "Actual and expected test (non-Mozilla) failure count should match"
+ );
+ equal(
+ test_histogram.values[1] || 0,
+ 0,
+ "Actual and expected test (non-Mozilla) success count should match"
+ );
+
+ run_next_test();
+}
+
+function run_test() {
+ // Ensure that static pinning works when HPKP is disabled.
+ Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", false);
+
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+
+ // Add a user-specified trust anchor.
+ addCertFromFile(certdb, "bad_certs/other-test-ca.pem", "CTu,u,u");
+
+ test_strict();
+ test_mitm();
+ test_disabled();
+ test_enforce_test_mode();
+
+ add_test(function() {
+ check_pinning_telemetry();
+ });
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_module.js b/security/manager/ssl/tests/unit/test_pkcs11_module.js
new file mode 100644
index 0000000000..abad2dbb54
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_module.js
@@ -0,0 +1,58 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the methods and attributes for interfacing with a PKCS #11 module and
+// the module database.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+const gModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+);
+
+function run_test() {
+ // Check that if we have never added the test module, that we don't find it
+ // in the module list.
+ checkPKCS11ModuleNotPresent("PKCS11 Test Module", "pkcs11testmodule");
+
+ // Check that adding the test module makes it appear in the module list.
+ let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ libraryFile.append("pkcs11testmodule");
+ libraryFile.append(ctypes.libraryName("pkcs11testmodule"));
+ loadPKCS11Module(libraryFile, "PKCS11 Test Module", true);
+ let testModule = checkPKCS11ModuleExists(
+ "PKCS11 Test Module",
+ "pkcs11testmodule"
+ );
+
+ // Check that listing the slots for the test module works.
+ let testModuleSlotNames = Array.from(
+ testModule.listSlots(),
+ slot => slot.name
+ );
+ testModuleSlotNames.sort();
+ const expectedSlotNames = [
+ "Empty PKCS11 Slot",
+ "Test PKCS11 Slot",
+ "Test PKCS11 Slot 二",
+ ];
+ deepEqual(
+ testModuleSlotNames,
+ expectedSlotNames,
+ "Actual and expected slot names should be equal"
+ );
+
+ // Check that deleting the test module makes it disappear from the module list.
+ let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ pkcs11ModuleDB.deleteModule("PKCS11 Test Module");
+ checkPKCS11ModuleNotPresent("PKCS11 Test Module", "pkcs11testmodule");
+
+ // Check miscellaneous module DB methods and attributes.
+ ok(!gModuleDB.canToggleFIPS, "It should NOT be possible to toggle FIPS");
+ ok(!gModuleDB.isFIPSEnabled, "FIPS should not be enabled");
+}
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_moduleDB.js b/security/manager/ssl/tests/unit/test_pkcs11_moduleDB.js
new file mode 100644
index 0000000000..e8cbf17abf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_moduleDB.js
@@ -0,0 +1,46 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that adding modules with invalid names are prevented.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+function run_test() {
+ let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ libraryFile.append("pkcs11testmodule");
+ libraryFile.append(ctypes.libraryName("pkcs11testmodule"));
+ ok(libraryFile.exists(), "The pkcs11testmodule file should exist");
+
+ let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ throws(
+ () => moduleDB.addModule("Root Certs", libraryFile.path, 0, 0),
+ /NS_ERROR_ILLEGAL_VALUE/,
+ "Adding a module named 'Root Certs' should fail."
+ );
+ throws(
+ () => moduleDB.addModule("", libraryFile.path, 0, 0),
+ /NS_ERROR_ILLEGAL_VALUE/,
+ "Adding a module with an empty name should fail."
+ );
+
+ let bundle = Services.strings.createBundle(
+ "chrome://pipnss/locale/pipnss.properties"
+ );
+ let rootsModuleName = bundle.GetStringFromName("RootCertModuleName");
+ let foundRootsModule = false;
+ for (let module of moduleDB.listModules()) {
+ if (module.name == rootsModuleName) {
+ foundRootsModule = true;
+ break;
+ }
+ }
+ ok(
+ foundRootsModule,
+ "Should be able to find builtin roots module by localized name."
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js b/security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js
new file mode 100644
index 0000000000..e4e3467d79
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js
@@ -0,0 +1,58 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// In safe mode, PKCS#11 modules should not be loaded. This test tests this by
+// simulating starting in safe mode and then attempting to load a module.
+
+function run_test() {
+ do_get_profile();
+
+ // Simulate starting in safe mode.
+ let xulRuntime = {
+ inSafeMode: true,
+ logConsoleErrors: true,
+ OS: "XPCShell",
+ XPCOMABI: "noarch-spidermonkey",
+ invalidateCachesOnRestart: function invalidateCachesOnRestart() {
+ // Do nothing
+ },
+ QueryInterface: ChromeUtils.generateQI(["nsIXULRuntime"]),
+ };
+
+ let xulRuntimeFactory = {
+ createInstance(iid) {
+ return xulRuntime.QueryInterface(iid);
+ },
+ };
+
+ let registrar = Components.manager.QueryInterface(Ci.nsIComponentRegistrar);
+ const XULRUNTIME_CONTRACTID = "@mozilla.org/xre/runtime;1";
+ const XULRUNTIME_CID = Components.ID(
+ "{f0f0b230-5525-4127-98dc-7bca39059e70}"
+ );
+ registrar.registerFactory(
+ XULRUNTIME_CID,
+ "XULRuntime",
+ XULRUNTIME_CONTRACTID,
+ xulRuntimeFactory
+ );
+
+ // When starting in safe mode, the test module should fail to load.
+ let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ let libraryName = ctypes.libraryName("pkcs11testmodule");
+ let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ libraryFile.append("pkcs11testmodule");
+ libraryFile.append(libraryName);
+ ok(libraryFile.exists(), "The pkcs11testmodule file should exist");
+ throws(
+ () =>
+ pkcs11ModuleDB.addModule("PKCS11 Test Module", libraryFile.path, 0, 0),
+ /NS_ERROR_FAILURE/,
+ "addModule should throw when in safe mode"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_slot.js b/security/manager/ssl/tests/unit/test_pkcs11_slot.js
new file mode 100644
index 0000000000..dba2a4d3a1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_slot.js
@@ -0,0 +1,161 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the methods and attributes for interfacing with a PKCS #11 slot.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+function find_slot_by_name(module, name) {
+ for (let slot of module.listSlots()) {
+ if (slot.name == name) {
+ return slot;
+ }
+ }
+ return null;
+}
+
+function find_module_by_name(moduleDB, name) {
+ for (let slot of moduleDB.listModules()) {
+ if (slot.name == name) {
+ return slot;
+ }
+ }
+ return null;
+}
+
+var gPrompt = {
+ QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+
+ // This intentionally does not use arrow function syntax to avoid an issue
+ // where in the context of the arrow function, |this != gPrompt| due to
+ // how objects get wrapped when going across xpcom boundaries.
+ alert(title, text) {
+ equal(
+ text,
+ "Please authenticate to the token “Test PKCS11 Tokeñ 2 Labelâ€. " +
+ "How to do so depends on the token (for example, using a fingerprint " +
+ "reader or entering a code with a keypad)."
+ );
+ },
+};
+
+const gPromptFactory = {
+ QueryInterface: ChromeUtils.generateQI(["nsIPromptFactory"]),
+ getPrompt: (aWindow, aIID) => gPrompt,
+};
+
+function run_test() {
+ MockRegistrar.register("@mozilla.org/prompter;1", gPromptFactory);
+
+ let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ libraryFile.append("pkcs11testmodule");
+ libraryFile.append(ctypes.libraryName("pkcs11testmodule"));
+ loadPKCS11Module(libraryFile, "PKCS11 Test Module", false);
+
+ let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ let testModule = find_module_by_name(moduleDB, "PKCS11 Test Module");
+ notEqual(testModule, null, "should be able to find test module");
+ let testSlot = find_slot_by_name(testModule, "Test PKCS11 Slot 二");
+ notEqual(testSlot, null, "should be able to find 'Test PKCS11 Slot 二'");
+
+ equal(
+ testSlot.name,
+ "Test PKCS11 Slot 二",
+ "Actual and expected name should match"
+ );
+ equal(
+ testSlot.desc,
+ "Test PKCS11 Slot 二",
+ "Actual and expected description should match"
+ );
+ equal(
+ testSlot.manID,
+ "Test PKCS11 Manufacturer ID",
+ "Actual and expected manufacturer ID should match"
+ );
+ equal(
+ testSlot.HWVersion,
+ "0.0",
+ "Actual and expected hardware version should match"
+ );
+ equal(
+ testSlot.FWVersion,
+ "0.0",
+ "Actual and expected firmware version should match"
+ );
+ equal(
+ testSlot.status,
+ Ci.nsIPKCS11Slot.SLOT_NOT_LOGGED_IN,
+ "Actual and expected status should match"
+ );
+ equal(
+ testSlot.tokenName,
+ "Test PKCS11 Tokeñ 2 Label",
+ "Actual and expected token name should match"
+ );
+
+ let testToken = testSlot.getToken();
+ notEqual(testToken, null, "getToken() should succeed");
+ equal(
+ testToken.tokenName,
+ "Test PKCS11 Tokeñ 2 Label",
+ "Spot check: the actual and expected test token names should be equal"
+ );
+ ok(!testToken.isInternalKeyToken, "This token is not the internal key token");
+
+ testToken.login(true);
+ ok(testToken.isLoggedIn(), "Should have 'logged in' successfully");
+
+ testSlot = find_slot_by_name(testModule, "Empty PKCS11 Slot");
+ notEqual(testSlot, null, "should be able to find 'Empty PKCS11 Slot'");
+ equal(testSlot.tokenName, null, "Empty slot is empty");
+ equal(
+ testSlot.status,
+ Ci.nsIPKCS11Slot.SLOT_NOT_PRESENT,
+ "Actual and expected status should match"
+ );
+
+ let bundle = Services.strings.createBundle(
+ "chrome://pipnss/locale/pipnss.properties"
+ );
+ let internalModule = find_module_by_name(
+ moduleDB,
+ "NSS Internal PKCS #11 Module"
+ );
+ notEqual(internalModule, null, "should be able to find internal module");
+ let cryptoSlot = find_slot_by_name(
+ internalModule,
+ bundle.GetStringFromName("TokenDescription")
+ );
+ notEqual(cryptoSlot, "should be able to find internal crypto slot");
+ equal(
+ cryptoSlot.desc,
+ bundle.GetStringFromName("SlotDescription"),
+ "crypto slot should have expected 'desc'"
+ );
+ equal(
+ cryptoSlot.manID,
+ bundle.GetStringFromName("ManufacturerID"),
+ "crypto slot should have expected 'manID'"
+ );
+ let keySlot = find_slot_by_name(
+ internalModule,
+ bundle.GetStringFromName("PrivateTokenDescription")
+ );
+ notEqual(keySlot, "should be able to find internal key slot");
+ equal(
+ keySlot.desc,
+ bundle.GetStringFromName("PrivateSlotDescription"),
+ "key slot should have expected 'desc'"
+ );
+ equal(
+ keySlot.manID,
+ bundle.GetStringFromName("ManufacturerID"),
+ "key slot should have expected 'manID'"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_token.js b/security/manager/ssl/tests/unit/test_pkcs11_token.js
new file mode 100644
index 0000000000..575fc26b88
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_token.js
@@ -0,0 +1,149 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the methods and attributes for interfacing with a PKCS #11 token, using
+// the internal key token.
+// We don't use either of the test tokens in the test PKCS #11 module because:
+// 1. Test token 1 cyclically inserts and removes itself in a tight loop.
+// Using token 1 would complicate the test and introduce intermittent
+// failures.
+// 2. Neither test token implements login or password related functionality.
+// We want to test such functionality.
+// 3. Using the internal token lets us actually test the internal token works
+// as expected.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+function checkBasicAttributes(token) {
+ let bundle = Services.strings.createBundle(
+ "chrome://pipnss/locale/pipnss.properties"
+ );
+
+ let expectedTokenName = bundle.GetStringFromName("PrivateTokenDescription");
+ equal(
+ token.tokenName,
+ expectedTokenName,
+ "Actual and expected name should match"
+ );
+ equal(
+ token.tokenManID,
+ bundle.GetStringFromName("ManufacturerID"),
+ "Actual and expected manufacturer ID should match"
+ );
+ equal(
+ token.tokenHWVersion,
+ "0.0",
+ "Actual and expected hardware version should match"
+ );
+ equal(
+ token.tokenFWVersion,
+ "0.0",
+ "Actual and expected firmware version should match"
+ );
+ equal(
+ token.tokenSerialNumber,
+ "0000000000000000",
+ "Actual and expected serial number should match"
+ );
+}
+
+/**
+ * Checks the various password related features of the given token.
+ * The token should already have been init with a password and be logged into.
+ * The password of the token will be reset after calling this function.
+ *
+ * @param {nsIPK11Token} token
+ * The token to test.
+ * @param {string} initialPW
+ * The password that the token should have been init with.
+ */
+function checkPasswordFeaturesAndResetPassword(token, initialPW) {
+ ok(
+ !token.needsUserInit,
+ "Token should not need user init after setting a password"
+ );
+ ok(
+ token.hasPassword,
+ "Token should have a password after setting a password"
+ );
+
+ ok(
+ token.checkPassword(initialPW),
+ "checkPassword() should succeed if the correct initial password is given"
+ );
+ token.changePassword(initialPW, "newPW ÿ 一二三");
+ ok(
+ token.checkPassword("newPW ÿ 一二三"),
+ "checkPassword() should succeed if the correct new password is given"
+ );
+
+ ok(
+ !token.checkPassword("wrongPW"),
+ "checkPassword() should fail if an incorrect password is given"
+ );
+ ok(
+ !token.isLoggedIn(),
+ "Token should be logged out after an incorrect password was given"
+ );
+ ok(
+ !token.needsUserInit,
+ "Token should still be init with a password even if an incorrect " +
+ "password was given"
+ );
+
+ token.reset();
+ ok(token.needsUserInit, "Token should need password init after reset");
+ ok(!token.hasPassword, "Token should not have a password after reset");
+ ok(!token.isLoggedIn(), "Token should be logged out of after reset");
+}
+
+function run_test() {
+ let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+ Ci.nsIPK11TokenDB
+ );
+ let token = tokenDB.getInternalKeyToken();
+ notEqual(token, null, "The internal token should be present");
+ ok(
+ token.isInternalKeyToken,
+ "The internal token should be represented as such"
+ );
+
+ checkBasicAttributes(token);
+
+ ok(!token.isLoggedIn(), "Token should not be logged into yet");
+ // Test that attempting to log out even when the token was not logged into
+ // does not result in an error.
+ token.logoutSimple();
+ ok(!token.isLoggedIn(), "Token should still not be logged into");
+ ok(
+ !token.hasPassword,
+ "Token should not have a password before it has been set"
+ );
+
+ let initialPW = "foo 1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/? 一二三";
+ token.initPassword(initialPW);
+ token.login(/* force */ false);
+ ok(token.isLoggedIn(), "Token should now be logged into");
+
+ checkPasswordFeaturesAndResetPassword(token, initialPW);
+
+ // We reset the password previously, so we need to initialize again.
+ token.initPassword("arbitrary");
+ ok(
+ token.isLoggedIn(),
+ "Token should be logged into after initializing password again"
+ );
+ token.logoutSimple();
+ ok(
+ !token.isLoggedIn(),
+ "Token should be logged out after calling logoutSimple()"
+ );
+
+ ok(
+ token.needsLogin(),
+ "The internal token should always need authentication"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_tokenDB.js b/security/manager/ssl/tests/unit/test_pkcs11_tokenDB.js
new file mode 100644
index 0000000000..127c533439
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_tokenDB.js
@@ -0,0 +1,20 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the methods for interfacing with the PKCS #11 token database.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+function run_test() {
+ let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+ Ci.nsIPK11TokenDB
+ );
+
+ notEqual(
+ tokenDB.getInternalKeyToken(),
+ null,
+ "The internal token should be non-null"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_sanctions/apple-ist-ca-8-g1-intermediate.pem b/security/manager/ssl/tests/unit/test_sanctions/apple-ist-ca-8-g1-intermediate.pem
new file mode 100644
index 0000000000..8401bd3e87
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/apple-ist-ca-8-g1-intermediate.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQDCCAsegAwIBAgIQDGdiB3elq8S6U12Nrc+a1zAKBggqhkjOPQQDAzBhMQsw
+CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu
+ZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMzAe
+Fw0xODEyMjExMjAwMDBaFw0zMTA2MDgxMjAwMDBaMGIxHDAaBgNVBAMME0FwcGxl
+IElTVCBDQSA4IC0gRzExIDAeBgNVBAsMF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABC1UjmiwEBPv9C3b2AmyQ+idZZluNLjUl8mOydaoIjcyyHFg
+7rDx8sVk9rpHX/zmB3gyLfbKgCDJ/XD4cpMhiEWjggFeMIIBWjAdBgNVHQ4EFgQU
+w8SkWAVj14MGupaN3LKPMva7t0EwHwYDVR0jBBgwFoAUs9tIpPmhxdiuNkHMEWNp
+Yim8S8YwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
+BQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEF
+BQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEIGA1UdHwQ7MDkwN6A1oDOG
+MWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RHMy5j
+cmwwWwYDVR0gBFQwUjAMBgoqhkiG92NkBQsEMAgGBmeBDAECAjA4BgpghkgBhv1s
+AAIEMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMw
+CgYIKoZIzj0EAwMDZwAwZAIwaMzTwP/37zR/ZM5T7OGnd9hYStUPL3QlqDXGhNUZ
+cUZM7UmDZWvBS97XS9wKCtxPAjAeetP564whYQw4g3yLIEqpXNiHCW1Pf1e+uXMa
+g1fK+AQr8p7TR2320C8NorVUcfM=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/cds-apple-com.pem b/security/manager/ssl/tests/unit/test_sanctions/cds-apple-com.pem
new file mode 100644
index 0000000000..5e3054e80e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/cds-apple-com.pem
@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----
+MIIGnzCCBkWgAwIBAgIQVwXojWDvTZtfUY6TR9QUTDAKBggqhkjOPQQDAjBiMRww
+GgYDVQQDDBNBcHBsZSBJU1QgQ0EgOCAtIEcxMSAwHgYDVQQLDBdDZXJ0aWZpY2F0
+aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMw
+HhcNMTkwMzExMjEzMjQxWhcNMjEwNDA5MjEzMjQxWjB2MRYwFAYDVQQDDA1jZHMu
+YXBwbGUuY29tMSUwIwYDVQQLDBxtYW5hZ2VtZW50OmlkbXMuZ3JvdXAuNjY1MDM1
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMQswCQYD
+VQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJHADA5vqarO+Cj0Ha6T
+uh/JhKmaIVuz0z7dVZUIBgVbxNOE3FW8zJTH20k4NBAnls3IXkJEiOWtt8GZbzlS
+cXijggTHMIIEwzAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFMPEpFgFY9eDBrqW
+jdyyjzL2u7dBMH4GCCsGAQUFBwEBBHIwcDA0BggrBgEFBQcwAoYoaHR0cDovL2Nl
+cnRzLmFwcGxlLmNvbS9hcHBsZWlzdGNhOGcxLmRlcjA4BggrBgEFBQcwAYYsaHR0
+cDovL29jc3AuYXBwbGUuY29tL29jc3AwMy1hcHBsZWlzdGNhOGcxMDUwGAYDVR0R
+BBEwD4INY2RzLmFwcGxlLmNvbTCB/gYDVR0gBIH2MIHzMIHwBgoqhkiG92NkBQsE
+MIHhMIGkBggrBgEFBQcCAjCBlwyBlFJlbGlhbmNlIG9uIHRoaXMgY2VydGlmaWNh
+dGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0YW5jZSBvZiBhbnkgYXBwbGlj
+YWJsZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UgYW5kL29yIGNlcnRpZmlj
+YXRpb24gcHJhY3RpY2Ugc3RhdGVtZW50cy4wOAYIKwYBBQUHAgIwLAwqaHR0cDov
+L3d3dy5hcHBsZS5jb20vY2VydGlmaWNhdGVhdXRob3JpdHkvMB0GA1UdJQQWMBQG
+CCsGAQUFBwMCBggrBgEFBQcDATA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
+LmFwcGxlLmNvbS9hcHBsZWlzdGNhOGcxLmNybDAdBgNVHQ4EFgQUtfKFXS+GsdSn
+im90n/2GX/X47rgwDgYDVR0PAQH/BAQDAgOIMIICbgYKKwYBBAHWeQIEAgSCAl4E
+ggJaAlgAdgC72d+8H4pxtZOUI5eqkntHOFeVCqtS6BqQlmQ2jh7RhQAAAWlutS/9
+AAAEAwBHMEUCIQC7JOfynh9ir4vZfE39sB2b7b9u6hwSo3i1A0WMCsB2kwIgHnqJ
+dmGCaGHryIgFREBginRf879Km3zjdnCR4XjGTN4AdgDuS723dc5guuFCaR+r4Z5m
+ow9+X7By2IMAxHuJeqj9ywAAAWlutS/9AAAEAwBHMEUCIQD+dYvPDT3PQ6T4eqqF
+SSHsHU+ETeeMIhPWF1+5xxt0igIgbjEPNy+PV3wa0+dw4Umqvlp4padXYhF/zxKQ
+UVSF5u0AdgBVgdTCFpA2AUrqC5tXPFPwwOQ4eHAlCBcvo6odBxPTDAAAAWlutTHE
+AAAEAwBHMEUCIQCsggeANxAqJffU5L8inc3QZCQpC5f3ILhwSymugYaelQIgOKLJ
+RmDt2rvI10G661L9MO0g4SHSbGZcTnkMVzUlSOUAdgBvU3asMfAxGdiZAKRRFf93
+FRwR2QLBACkGjbIImjfZEwAAAWlutTH/AAAEAwBHMEUCIFA7S1eyu7kxhvnAmVyB
+fJUi7cy2/bizaC0LLE0w35dNAiEA+aIKxhYy6VAAyGAmTiAOA/VU/pDtQp4uUIKF
+azgRpscAdgBElGUusO7Or8RAB9io/ijA2uaCvtjLMbU/0zOWtbaBqAAAAWlutTA2
+AAAEAwBHMEUCIQDkm2/8xF0dSiyO/o8iwKPjEgYYhokUM03KLiSZWUSRzQIgMp5z
+ryZTqIHFLgbE0y7L8CCDvgZRRyoKbnBcCaGJJ1gwCgYIKoZIzj0EAwIDSAAwRQIh
+AKJgejWMoWWP42EQIPsvua2biHvRng0QcgA3+0GLzcjXAiBr2xfk0vGWinDLG3gz
+m73X42sCFxyMZrLDbgyeBQNI8A==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.key b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem
new file mode 100644
index 0000000000..5dc7cf4ef8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDiTCCAnGgAwIBAgIUOYwND1zpte36abEsvdvudfnxjHgwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow
+gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp
+bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu
+ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs
+ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBr5H7lb24bMQYGDFY5qeMDNcti
+AI4rI7Nu0aMvZtDcxqHkIg/a7nr7WeQc3gCg8mUJ6xvreXxRswrudZzjjsGiTbym
+qjEz7HYrbvdWh5bLtdL7aoP1KmFD722guwdXVYQ7tx65oHroH+UCU28VT/+WzsHc
+5OjBqZvR928aWEXwIen9lhdk/5Rq2IrFqCTuUrNR5aiP6gJZoy4nIh3IFIxqWzsm
+lOjqvzSQIuo+gLN7oduafrwetpp8ywSrDVTtp9yckIHuW8css+OZLfqbFPMSFRJo
+Qee+FhxaGgDoRGk8oVGYyTJYUPIReZa5dtNPKs1JQvdqhIeUwA3GnJBTFCan
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec
new file mode 100644
index 0000000000..554339ff52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test End-entity
+extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem
new file mode 100644
index 0000000000..95316b235e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIUN+Dcp+HeMvZhIJ3BD5af4bwrj4IwDQYJKoZIhvcNAQEL
+BQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMT
+HEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwIhgPMjAxNjA2MDEwMDAwMDBa
+GA8yMDUwMDEwMTAwMDAwMFowKTEnMCUGA1UEAwweZWUtZnJvbS1hbGxvd2xpc3Qt
+YWZ0ZXItY3V0b2ZmMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohR
+qESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+Kv
+WnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+
+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPv
+JxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5
+Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6
+clHEMdUDrNoYCjXtjQIDAQABozowODA2BgNVHREELzAtgitzeW1hbnRlYy1hbGxv
+d2xpc3QtYWZ0ZXItY3V0b2ZmLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IB
+AQB/2Pgyyje+T4uKkibYZ537NZB6OUvef4nrGtswjxKbUnHzrLK1kJd3mtyNpydK
+fzW8WV1CR+nltFI5oaoOAf26FuQfaoCADmlmFlirgnm2fEH2xCokDCQHIgQxNwXr
+Ok6JTHWeuaOsu+verDPjkuUATnONY+FRTBxfPh5B3OA+aBO62bAeNCAjIya1U60S
+emAnleYtwhXs0Q9TLsR7O7aSYP3FgnqnWPuOkPF3wrUiE8Nrd3givz5OJW42IU63
+ijiojHtPpjAiudbzD8y1zuDcxTxiI4jEjTDS1kIqnvHd3f4bSxpgcQUPk44nu+wO
+j5+as/TRu5dC+xHmWCVT10yd
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem.certspec
new file mode 100644
index 0000000000..c8a4249dfc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2
+subject:ee-from-allowlist-after-cutoff
+validity:20160601-20500101
+extension:subjectAlternativeName:symantec-allowlist-after-cutoff.example.com
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem
new file mode 100644
index 0000000000..0c8a52b8d6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQDCCAiigAwIBAgIUVWP+EbM7hYQLOXoABvWpRwoPWJ0wDQYJKoZIhvcNAQEL
+BQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMT
+HEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwIhgPMjAxNDA2MDEwMDAwMDBa
+GA8yMDUwMDEwMTAwMDAwMFowKjEoMCYGA1UEAwwfZWUtZnJvbS1hbGxvd2xpc3Qt
+YmVmb3JlLWN1dG9mZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI
+UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi
+r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x
+fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD
+7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv
+uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj
++nJRxDHVA6zaGAo17Y0CAwEAAaM7MDkwNwYDVR0RBDAwLoIsc3ltYW50ZWMtYWxs
+b3dsaXN0LWJlZm9yZS1jdXRvZmYuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQAD
+ggEBAFhn9xNv/Yp1Ua9OX7oXgbVgzxCIAm6/zDK7V4V37P5em/lI85OpbuuTO4ns
+9VB2/nijkELhSkiyCjmCaxQhlUBzA/2wJeNIfaWu9Mq5MR6jWShhNXND66lTCDIQ
+wGVQkBl8/3OqSD4IFI3pKAiPhCGsUnRIhGSARcrFMQpKssnN5XN1ump1YA7/u6Kv
+apNbKccgKvLekO8/kUpFrpHt+uQaNS2IeVrmOnNh4GtyD3DG1ZDcZ1VgLAnzbVUg
+xiUbs58mY0o1qumuzqJ0/ie5UPOjWnoXSNq6dd4jqsXcFeYXe106G6arV5BLN1Pa
+gNxxfOfBcebE1OwxZpfQwNy3JxI=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem.certspec
new file mode 100644
index 0000000000..51cecd1f8e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2
+subject:ee-from-allowlist-before-cutoff
+validity:20140601-20500101
+extension:subjectAlternativeName:symantec-allowlist-before-cutoff.example.com
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem
new file mode 100644
index 0000000000..65eab919b5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIUNWWgyC4I0/jmqdamoCRL0qhP3QQwDQYJKoZIhvcNAQEL
+BQAwTzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0Fub3RoZXIgQ0EgSW5jLjEmMCQG
+A1UEAxMdU29tZSBPdGhlciBDQSBUaGFuIFRoZSBPdGhlcnMwIhgPMjAxNjA2MDEw
+MDAwMDBaGA8yMDUwMDEwMTAwMDAwMFowKjEoMCYGA1UEAwwfZWUtbm90LWFsbG93
+bGlzdGVkLWFmdGVyLWN1dG9mZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab
+bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts
+Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI
+H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8
+rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX
+Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNAMD4wPAYDVR0RBDUwM4Ixc3ltYW50
+ZWMtbm90LWFsbG93bGlzdGVkLWFmdGVyLWN1dG9mZi5leGFtcGxlLmNvbTANBgkq
+hkiG9w0BAQsFAAOCAQEARlQNYz+w2ekzdX8FKwlWoMX6Df5o4ZhXreRK9V4SuYJg
+SvAucL35TuTKkBz9C5VPjAL/Qts4n5DKWaWQfsvoCJOGtTMEKd1MEL9RbMFOewI0
+tN9sV9aMNsmhNPL4PB3A7lKJb8gi/tyoN3BXjsaZBxmyi5A6Vt3lyybgMOSTdzR6
+u2XAPm+zNDrOzc2tavZEyhEKzptaJuCQrefcnAM9JTHtJhvJp30WWighJyclqmRX
+bLDYaHRRuRI0jkgrrcUKolau8YKsSoIBoxP2aels8drZDH4UAC86GW2iF/tK+J65
++JJ2Mk9erdcLoYGLxHZqQySpRaFtciSF+Uym1nmNxA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem.certspec
new file mode 100644
index 0000000000..85edcf742d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+subject:ee-not-allowlisted-after-cutoff
+validity:20160601-20500101
+extension:subjectAlternativeName:symantec-not-allowlisted-after-cutoff.example.com
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem
new file mode 100644
index 0000000000..23d6fec107
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDTTCCAjWgAwIBAgIUaxGuzjOrA/2qScMaz5tKQTUrvAYwDQYJKoZIhvcNAQEL
+BQAwTzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0Fub3RoZXIgQ0EgSW5jLjEmMCQG
+A1UEAxMdU29tZSBPdGhlciBDQSBUaGFuIFRoZSBPdGhlcnMwIhgPMjAxNDA2MDEw
+MDAwMDBaGA8yMDUwMDEwMTAwMDAwMFowKzEpMCcGA1UEAwwgZWUtbm90LWFsbG93
+bGlzdGVkLWJlZm9yZS1jdXRvZmYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjQTA/MD0GA1UdEQQ2MDSCMnN5bWFu
+dGVjLW5vdC1hbGxvd2xpc3RlZC1iZWZvcmUtY3V0b2ZmLmV4YW1wbGUuY29tMA0G
+CSqGSIb3DQEBCwUAA4IBAQBCkIIEXnX/3rv0JuF0FZEpROnQw8zoa4vZjwG1NmvH
++PwnTL7FvBg9QBK0n8ZKfCMqJU98jR5+x6V9Eo2amXEYRAsxCU6kY/Xz43OxGLQz
+5cbr9eDswWmt7h/LXl0tsprpgfBNaQ9512UbPMkDG4MSwLjkuTgdnM4dBsLURrAU
+5lcukutuNYJ7x92/Ah7hffouB6QHyP80onxqqQTQs2j/0MvJxlUWrnKBzk+B475W
+/1iMOCE3r2q6+TVp1sun9mcn7UvRHQRPvjSdjujjJ++5fqH5s4cF2Sv4lv+dEGJn
+xrr/a9GA3bUE6Iq9PbAeX3l7RaP+q/znSDBtaLYZ1Xau
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem.certspec
new file mode 100644
index 0000000000..b736169a04
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+subject:ee-not-allowlisted-before-cutoff
+validity:20140601-20500101
+extension:subjectAlternativeName:symantec-not-allowlisted-before-cutoff.example.com
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem
new file mode 100644
index 0000000000..70bfa802ce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjTCCAnWgAwIBAgIUHayrfZ5YGkWYRPXIsNuGSemGyk8wDQYJKoZIhvcNAQEL
+BQAwgZQxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlv
+bjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazFFMEMGA1UEAxM8U3lt
+YW50ZWMgQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eSAtIEc0MCIYDzIwMTAwMTAxMDAwMDAwWhgPMjA1MDAxMDEwMDAwMDBaMEkx
+CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpHb29nbGUgSW5jMSUwIwYDVQQDExxHb29n
+bGUgSW50ZXJuZXQgQXV0aG9yaXR5IEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8EBAMCAQYw
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAUMbnz3c2Evfehzm1LU+L
+3UL3alL/C5jteDjrrNqkamAZF26klGAZ5AX2tW6yG4bOnmZMzqkW/NV8+ydE6HGW
+oVwm+qekOyR4nSPHS5mZRdHD3uBrVJ0PR2rUyk/6oIVBYEcNHY/vuHMorQ0q2plq
+Z+62i1SHuq5qxP9apKmhvmgwvna3ber9VH8DgiZLJRAuiDAXpanGZh37dm/e2ZVI
+OgVctvRIb7ETcDrSbj4oOKo4WwFaZHlsN1ee0hstxDnIVXWzu5cCdqGALlw2N1av
+RPUgDI0kshVojmvKFwnYptE1Ru+CYf403ZD7gt3ZvHueOTpEEKLRQp1QRELXIx/7
+XQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem.certspec
new file mode 100644
index 0000000000..518527b741
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem.certspec
@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4
+subject:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem
new file mode 100644
index 0000000000..819d8a30da
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFzCCAf+gAwIBAgIUBy1RVPb6jMqyBSQwtlK+jZftnKIwDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOVW5rbm93biBJc3N1ZXIwIhgPMjAxMDAxMDEwMDAwMDBa
+GA8yMDUwMDEwMTAwMDAwMFowTzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0Fub3Ro
+ZXIgQ0EgSW5jLjEmMCQGA1UEAxMdU29tZSBPdGhlciBDQSBUaGFuIFRoZSBPdGhl
+cnMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI
+BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa
+p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB
+7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C
+kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv
+aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK
+Ne2NAgMBAAGjHTAbMAsGA1UdDwQEAwIBBjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4IBAQAs7dfRClCtgzMfYVRIciVqdjNR+jeFLmYFCDDqx5h6zve4VfxK
+AEQPWNsIVdPlu+djILHHd9+RvLSHh5HqeXKppBevnux2SxwfXJQ3T+ysqGxH4tEQ
+BCgXryt8v5q/DL9H2+T352NJCh7ZMkftEta3Hchtr4TSaT7udtib1uQ9JeLx97LJ
+A6aI8SpfI/as1Ku1LAAV9rfhkJgMyeC0ppMfTVGj/gjgq8fL52/9Su9Id8l+SeYD
+yLCXjPX0rhAjTeJyiOpAK9OPQgk7i3DRvdO/F+JCkTNE9V6PLX0J+30g+3YZND+a
+R81zibhRfa6Ki5cqRflHYhAY4GCFk7mhHLsL
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec
new file mode 100644
index 0000000000..fdcb287cd1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Unknown Issuer
+subject:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem
new file mode 100644
index 0000000000..9057a0a0dc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkzCCAnugAwIBAgIUSyQ/MON3PZLW/WEcsIuOIT0kUlQwDQYJKoZIhvcNAQEL
+BQAwgZQxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlv
+bjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazFFMEMGA1UEAxM8U3lt
+YW50ZWMgQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eSAtIEc0MCIYDzIwMTAwMTAxMDAwMDAwWhgPMjA1MDAxMDEwMDAwMDBaME8x
+CzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9Bbm90aGVyIENBIEluYy4xJjAkBgNVBAMT
+HVNvbWUgT3RoZXIgQ0EgVGhhbiBUaGUgT3RoZXJzMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E
+BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAfpCigqN5qPf/
+fD6N8a5taq4bsmggdNztYabFOFY8zIRNVYoVVAHd8a5FOlShKw1MTgRNEpzWcN4O
+rX16HCaKCJA6mGbkoE/XVqo/shQR1P0U8N75oeWgxd10IsWpJoYYtF38GIM+HZM4
+8NZ/aM2ViKWexlpa7KhmIjCNsP4U+VFXPwLLuKbegQ6miTwdyG5Sq2PLsjQEn4Xq
+/nHYyE3Nn+8H+dlyFuWn9XcJN9D9H3NqVGqAvnWWPR0Vz9Q5/iixw2Ym8NWNzlxa
+RXLC9Bfg1BDSJLttopU6qGPotuQkhlm1AElcauI9FaWATsdM82tNMK3hrHnTqV28
+C/BiYIunmA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec
new file mode 100644
index 0000000000..0c96819f94
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec
@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4
+subject:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem
new file mode 100644
index 0000000000..77f5a05963
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID2TCCAsGgAwIBAgIUd4MA0Hhfw36r5rkFHdHo5/oSbTYwDQYJKoZIhvcNAQEL
+BQAwgZQxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlv
+bjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazFFMEMGA1UEAxM8U3lt
+YW50ZWMgQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eSAtIEc0MCIYDzIwMTAwMTAxMDAwMDAwWhgPMjA1MDAxMDEwMDAwMDBaMIGU
+MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd
+BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxRTBDBgNVBAMTPFN5bWFudGVj
+IENsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg
+LSBHNDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u
+togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6
+pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL
+KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq
+fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv
+Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za
+GAo17Y0CAwEAAaMdMBswCwYDVR0PBAQDAgEGMAwGA1UdEwQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAKAdvWVDbB3GxOooXgqNElLvjYwmNcWk12CvQnwxglCRytY5
+DX4UhcCJ6TW8pcezPDEdqrkf4iR+UpgDyBUbVa4m5O5MHGYy3nRHfwT/js9hh2PH
+gcAmT0ivknTFlEcP4D0kp7HQr2kmlFuW64HOM+/3J7Zyvu3VNYAlqTlxgG7QyRaN
+3W3jfDvc5Ol0O0vyFmhHv0k1yOqLJiOmmOOujfltl4Grbvss+wsHjmP+WOH/BYRn
+ACDXdvGr9uu0Z2mymqP0Sy2ZKKrbA7dX5Q/RUr4p3EfyDuNgERx+pYXTUeQ3o9sL
+ynQmBa+9aWijUN2USC69EDX9zObn7lO8WV19dQM=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec
new file mode 100644
index 0000000000..f84697130c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4
+subject:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js b/security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js
new file mode 100644
index 0000000000..ce56714355
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js
@@ -0,0 +1,95 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+do_get_profile();
+
+const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+add_tls_server_setup(
+ "SanctionsTestServer",
+ "test_sanctions",
+ /* Don't try to load non-existent test-ca.pem */ false
+);
+
+addCertFromFile(certDB, "test_sanctions/symantec-test-ca.pem", "CTu,u,u");
+
+// Add the necessary intermediates. This is important because the test server,
+// though it will attempt to send along an intermediate, isn't able to reliably
+// pick between the intermediate-other-crossigned and intermediate-other.
+add_test(function() {
+ addCertFromFile(
+ certDB,
+ "test_sanctions/symantec-intermediate-allowlisted.pem",
+ ",,"
+ );
+ addCertFromFile(
+ certDB,
+ "test_sanctions/symantec-intermediate-other.pem",
+ ",,"
+ );
+ run_next_test();
+});
+
+add_connection_test(
+ "symantec-not-allowlisted-before-cutoff.example.com",
+ MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
+ null,
+ null
+);
+
+add_connection_test(
+ "symantec-not-allowlisted-after-cutoff.example.com",
+ MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
+ null,
+ null
+);
+
+// Add a cross-signed intermediate into the database, and ensure we still get
+// the expected error.
+add_test(function() {
+ addCertFromFile(
+ certDB,
+ "test_sanctions/symantec-intermediate-other-crossigned.pem",
+ ",,"
+ );
+ run_next_test();
+});
+
+add_connection_test(
+ "symantec-not-allowlisted-before-cutoff.example.com",
+ MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
+ null,
+ null
+);
+
+// Load the Apple EE cert and its intermediate, then verify
+// it at a reasonable time and make sure the allowlists work
+add_task(async function() {
+ addCertFromFile(
+ certDB,
+ "test_sanctions/apple-ist-ca-8-g1-intermediate.pem",
+ ",,"
+ );
+ let allowlistedCert = constructCertFromFile(
+ "test_sanctions/cds-apple-com.pem"
+ );
+
+ // Since we don't want to actually try to fetch OCSP for this certificate,
+ // (as an external fetch is bad in the tests), disable OCSP first.
+ Services.prefs.setIntPref("security.OCSP.enabled", 0);
+
+ // (new Date("2020-01-01")).getTime() / 1000
+ const VALIDATION_TIME = 1577836800;
+
+ await checkCertErrorGenericAtTime(
+ certDB,
+ allowlistedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ VALIDATION_TIME
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_sdr.js b/security/manager/ssl/tests/unit/test_sdr.js
new file mode 100644
index 0000000000..e9e477efc5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sdr.js
@@ -0,0 +1,272 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests various aspects of the nsISecretDecoderRing implementation.
+
+do_get_profile();
+
+let gSetPasswordShownCount = 0;
+
+// Mock implementation of nsITokenPasswordDialogs.
+const gTokenPasswordDialogs = {
+ setPassword(ctx, tokenName) {
+ gSetPasswordShownCount++;
+ info(`setPassword() called; shown ${gSetPasswordShownCount} times`);
+ info(`tokenName: ${tokenName}`);
+ return false; // Returning false means "the user didn't cancel".
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsITokenPasswordDialogs"]),
+};
+
+let gMockPrompter = {
+ promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+ // Returning false simulates the user canceling the password prompt.
+ return false;
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+};
+
+// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt
+// to call promptPassword. We return the mock one, above.
+let gWindowWatcher = {
+ getNewPrompter: () => gMockPrompter,
+ QueryInterface: ChromeUtils.generateQI(["nsIWindowWatcher"]),
+};
+
+add_task(function setup() {
+ let windowWatcherCID = MockRegistrar.register(
+ "@mozilla.org/embedcomp/window-watcher;1",
+ gWindowWatcher
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(windowWatcherCID);
+ });
+});
+
+add_task(function testEncryptString() {
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ // Test valid inputs for encryptString() and decryptString().
+ let inputs = [
+ "",
+ " ", // First printable latin1 character (code point 32).
+ "foo",
+ "1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?",
+ "¡äöüÿ", // Misc + last printable latin1 character (code point 255).
+ "aaa 一二三", // Includes Unicode with code points outside [0, 255].
+ ];
+ for (let input of inputs) {
+ let converter = Cc[
+ "@mozilla.org/intl/scriptableunicodeconverter"
+ ].createInstance(Ci.nsIScriptableUnicodeConverter);
+ converter.charset = "UTF-8";
+
+ let convertedInput = converter.ConvertFromUnicode(input);
+ convertedInput += converter.Finish();
+
+ let encrypted = sdr.encryptString(convertedInput);
+
+ notEqual(
+ convertedInput,
+ encrypted,
+ "Encrypted input should not just be the input itself"
+ );
+
+ try {
+ atob(encrypted);
+ } catch (e) {
+ ok(false, `encryptString() should have returned Base64: ${e}`);
+ }
+
+ equal(
+ convertedInput,
+ sdr.decryptString(encrypted),
+ "decryptString(encryptString(input)) should return input"
+ );
+ }
+
+ // Test invalid inputs for decryptString().
+ throws(
+ () => sdr.decryptString("*"),
+ /NS_ERROR_ILLEGAL_VALUE/,
+ "decryptString() should throw if given non-Base64 input"
+ );
+
+ // Test calling changePassword() pops up the appropriate dialog.
+ // Note: On Android, nsITokenPasswordDialogs is apparently not implemented,
+ // which also seems to prevent us from mocking out the interface.
+ if (AppConstants.platform != "android") {
+ let tokenPasswordDialogsCID = MockRegistrar.register(
+ "@mozilla.org/nsTokenPasswordDialogs;1",
+ gTokenPasswordDialogs
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(tokenPasswordDialogsCID);
+ });
+
+ equal(
+ gSetPasswordShownCount,
+ 0,
+ "changePassword() dialog should have been shown zero times"
+ );
+ sdr.changePassword();
+ equal(
+ gSetPasswordShownCount,
+ 1,
+ "changePassword() dialog should have been shown exactly once"
+ );
+ }
+});
+
+add_task(async function testAsyncEncryptStrings() {
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ // Test valid inputs for encryptString() and decryptString().
+ let inputs = [
+ "",
+ " ", // First printable latin1 character (code point 32).
+ "foo",
+ "1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?",
+ "¡äöüÿ", // Misc + last printable latin1 character (code point 255).
+ "aaa 一二三", // Includes Unicode with code points outside [0, 255].
+ ];
+
+ let encrypteds = await sdr.asyncEncryptStrings(inputs);
+ for (let i = 0; i < inputs.length; i++) {
+ let encrypted = encrypteds[i];
+ let input = inputs[i];
+ let converter = Cc[
+ "@mozilla.org/intl/scriptableunicodeconverter"
+ ].createInstance(Ci.nsIScriptableUnicodeConverter);
+ converter.charset = "UTF-8";
+
+ let convertedInput = converter.ConvertFromUnicode(input);
+ convertedInput += converter.Finish();
+ notEqual(
+ convertedInput,
+ encrypted,
+ "Encrypted input should not just be the input itself"
+ );
+
+ try {
+ atob(encrypted);
+ } catch (e) {
+ ok(false, `encryptString() should have returned Base64: ${e}`);
+ }
+
+ equal(
+ convertedInput,
+ sdr.decryptString(encrypted),
+ "decryptString(encryptString(input)) should return input"
+ );
+ }
+});
+
+add_task(async function testAsyncDecryptStrings() {
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ // Test valid inputs for encryptString() and decryptString().
+ let testCases = [
+ "",
+ " ", // First printable latin1 character (code point 32).
+ "foo",
+ "1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?",
+ "¡äöüÿ", // Misc + last printable latin1 character (code point 255).
+ "aaa 一二三", // Includes Unicode with code points outside [0, 255].
+ ];
+
+ let convertedTestCases = testCases.map(tc => {
+ let converter = Cc[
+ "@mozilla.org/intl/scriptableunicodeconverter"
+ ].createInstance(Ci.nsIScriptableUnicodeConverter);
+ converter.charset = "UTF-8";
+
+ let convertedInput = converter.ConvertFromUnicode(tc);
+ convertedInput += converter.Finish();
+ return convertedInput;
+ });
+
+ let encryptedStrings = convertedTestCases.map(tc => sdr.encryptString(tc));
+ let decrypteds = await sdr.asyncDecryptStrings(encryptedStrings);
+ for (let i = 0; i < encryptedStrings.length; i++) {
+ let decrypted = decrypteds[i];
+
+ equal(
+ decrypted,
+ testCases[i],
+ "decrypted string should match expected value"
+ );
+ equal(
+ sdr.decryptString(encryptedStrings[i]),
+ convertedTestCases[i],
+ "decryptString(encryptString(input)) should return the initial decrypted string value"
+ );
+ }
+});
+
+add_task(async function testAsyncDecryptInvalidStrings() {
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ // Test invalid inputs for sdr.asyncDecryptStrings
+ let testCases = [
+ "~bmV0cGxheQ==", // invalid base64 encoding
+ "bmV0cGxheQ==", // valid base64 characters but not encrypted
+ "https://www.example.com", // website address from erroneous migration
+ ];
+
+ let decrypteds = await sdr.asyncDecryptStrings(testCases);
+ equal(
+ decrypteds.length,
+ testCases.length,
+ "each testcase should still return a response"
+ );
+ for (let i = 0; i < decrypteds.length; i++) {
+ let decrypted = decrypteds[i];
+
+ equal(
+ decrypted,
+ "",
+ "decrypted string should be empty when trying to decrypt an invalid input with asyncDecryptStrings"
+ );
+
+ Assert.throws(
+ () => sdr.decryptString(testCases[i]),
+ /NS_ERROR_ILLEGAL_VALUE|NS_ERROR_FAILURE/,
+ `Check testcase would have thrown: ${testCases[i]}`
+ );
+ }
+});
+
+add_task(async function testAsyncDecryptLoggedOut() {
+ // Set a master password.
+ let token = Cc["@mozilla.org/security/pk11tokendb;1"]
+ .getService(Ci.nsIPK11TokenDB)
+ .getInternalKeyToken();
+ token.initPassword("password");
+ token.logoutSimple();
+
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ await Assert.rejects(
+ sdr.asyncDecryptStrings(["irrelevant"]),
+ /NS_ERROR_NOT_AVAILABLE/,
+ "Check error is thrown instead of returning empty strings"
+ );
+
+ token.reset();
+ token.initPassword("");
+});
diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting.js b/security/manager/ssl/tests/unit/test_sdr_preexisting.js
new file mode 100644
index 0000000000..69b5c194df
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sdr_preexisting.js
@@ -0,0 +1,79 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that the SDR implementation is able to decrypt strings encrypted using
+// a preexisting NSS key database. Creating the database is straight-forward:
+// simply run Firefox (or xpcshell) and encrypt something using
+// nsISecretDecoderRing (e.g. by saving a password or directly using the
+// interface). The resulting key4.db file (in the profile directory) now
+// contains the private key used to encrypt the data.
+
+function run_test() {
+ const keyDBName = "key4.db";
+ let profile = do_get_profile();
+ let keyDBFile = do_get_file(`test_sdr_preexisting/${keyDBName}`);
+ keyDBFile.copyTo(profile, keyDBName);
+
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ let testcases = [
+ // a full padding block
+ {
+ ciphertext:
+ "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGeDHwVfyFqzBBAYvqMq/kDMsrARVNdC1C8d",
+ plaintext: "password",
+ },
+ // 7 bytes of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCAzLDVmYG2/BAh3IoIsMmT8dQ==",
+ plaintext: "a",
+ },
+ // 6 bytes of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPN8zlZzn8FdBAiu2acpT8UHsg==",
+ plaintext: "bb",
+ },
+ // 1 byte of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECD5px1eMKkJQBAgUPp35GlrDvQ==",
+ plaintext: "!seven!",
+ },
+ // 2 bytes of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECMh0hLtKDyUdBAixw9UZsMt+vA==",
+ plaintext: "sixsix",
+ },
+ // long plaintext requiring more than two blocks
+ {
+ ciphertext:
+ "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDATFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=",
+ plaintext: "thisismuchlongerandsotakesupmultipleblocks",
+ },
+ // this differs from the previous ciphertext by one bit and demonstrates
+ // that this implementation does not enforce message integrity
+ {
+ ciphertext:
+ "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDAbFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=",
+ plaintext: "nnLbuwLRkhlongerandsotakesupmultipleblocks",
+ },
+ ];
+
+ for (let testcase of testcases) {
+ let decrypted = sdr.decryptString(testcase.ciphertext);
+ equal(
+ decrypted,
+ testcase.plaintext,
+ "decrypted ciphertext should match expected plaintext"
+ );
+ }
+}
diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db b/security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db
new file mode 100644
index 0000000000..8f320dfdbd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js
new file mode 100644
index 0000000000..5c1b2bb653
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js
@@ -0,0 +1,135 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that the SDR implementation is able to decrypt strings encrypted using
+// a preexisting NSS key database that has a password.
+// To create such a database, run Firefox (or xpcshell), set a primary
+// password, and then encrypt something using nsISecretDecoderRing.
+
+var gMockPrompter = {
+ passwordToTry: "password",
+ numPrompts: 0,
+
+ // This intentionally does not use arrow function syntax to avoid an issue
+ // where in the context of the arrow function, |this != gMockPrompter| due to
+ // how objects get wrapped when going across xpcom boundaries.
+ promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+ this.numPrompts++;
+ if (this.numPrompts > 1) {
+ // don't keep retrying a bad password
+ return false;
+ }
+ equal(
+ text,
+ "Please enter your Primary Password.",
+ "password prompt text should be as expected"
+ );
+ equal(checkMsg, null, "checkMsg should be null");
+ ok(this.passwordToTry, "passwordToTry should be non-null");
+ password.value = this.passwordToTry;
+ return true;
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+};
+
+// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt
+// to call promptPassword. We return the mock one, above.
+var gWindowWatcher = {
+ getNewPrompter: () => gMockPrompter,
+ QueryInterface: ChromeUtils.generateQI(["nsIWindowWatcher"]),
+};
+
+function run_test() {
+ let windowWatcherCID = MockRegistrar.register(
+ "@mozilla.org/embedcomp/window-watcher;1",
+ gWindowWatcher
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(windowWatcherCID);
+ });
+
+ // Append a single quote and non-ASCII characters to the profile path.
+ let profd = Services.env.get("XPCSHELL_TEST_PROFILE_DIR");
+ let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile);
+ file.initWithPath(profd);
+ file.append("'÷1");
+ Services.env.set("XPCSHELL_TEST_PROFILE_DIR", file.path);
+
+ let profile = do_get_profile(); // must be called before getting nsIX509CertDB
+ Assert.ok(
+ /[^\x20-\x7f]/.test(profile.path),
+ "the profile path should contain a non-ASCII character"
+ );
+
+ let key4DBFile = do_get_file("test_sdr_preexisting_with_password/key4.db");
+ key4DBFile.copyTo(profile, "key4.db");
+
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ let testcases = [
+ // a full padding block
+ {
+ ciphertext:
+ "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGeDHwVfyFqzBBAYvqMq/kDMsrARVNdC1C8d",
+ plaintext: "password",
+ },
+ // 7 bytes of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCAzLDVmYG2/BAh3IoIsMmT8dQ==",
+ plaintext: "a",
+ },
+ // 6 bytes of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPN8zlZzn8FdBAiu2acpT8UHsg==",
+ plaintext: "bb",
+ },
+ // 1 byte of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECD5px1eMKkJQBAgUPp35GlrDvQ==",
+ plaintext: "!seven!",
+ },
+ // 2 bytes of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECMh0hLtKDyUdBAixw9UZsMt+vA==",
+ plaintext: "sixsix",
+ },
+ // long plaintext requiring more than two blocks
+ {
+ ciphertext:
+ "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDATFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=",
+ plaintext: "thisismuchlongerandsotakesupmultipleblocks",
+ },
+ // this differs from the previous ciphertext by one bit and demonstrates
+ // that this implementation does not enforce message integrity
+ {
+ ciphertext:
+ "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDAbFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=",
+ plaintext: "nnLbuwLRkhlongerandsotakesupmultipleblocks",
+ },
+ ];
+
+ for (let testcase of testcases) {
+ let decrypted = sdr.decryptString(testcase.ciphertext);
+ equal(
+ decrypted,
+ testcase.plaintext,
+ "decrypted ciphertext should match expected plaintext"
+ );
+ }
+ equal(
+ gMockPrompter.numPrompts,
+ 1,
+ "Should have been prompted for a password once"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.db b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.db
new file mode 100644
index 0000000000..959718da34
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.db
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs.js b/security/manager/ssl/tests/unit/test_self_signed_certs.js
new file mode 100644
index 0000000000..662cd59714
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs.js
@@ -0,0 +1,69 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// This test uses a specially-crafted NSS cert DB containing 12 self-signed certificates that all
+// have the same subject and issuer distinguished name. Since they all have different keys and none
+// of them are trust anchors, there are a large number of potential trust paths that could be
+// explored. If our trust domain were naive enough to allow mozilla::pkix to explore them all, it
+// would take a long time to perform (mozilla::pkix does have the concept of a path-building budget,
+// but even on a fast computer, it takes an unacceptable amount of time to exhaust). To prevent the
+// full exploration of this space, NSSCertDBTrustDomain skips searching through self-signed
+// certificates that aren't trust anchors, since those would never otherwise be essential to
+// complete a path (note that this is only true as long as the extensions we support are restrictive
+// rather than additive).
+// When we try to verify one of these certificates in this test, we should finish relatively
+// quickly, even on slow hardware.
+// Should these certificates ever need regenerating, they were produced with the following commands:
+// certutil -N -d . --empty-password
+// for num in 00 01 02 03 04 05 06 07 08 09 10 11; do
+// echo -ne "5\n6\n9\ny\ny\n\ny\n" | certutil -d . -S -s "CN=self-signed cert" -t ,, \
+// -q secp256r1 -x -k ec -z <(date +%s) -1 -2 -n cert$num; sleep 2;
+// done
+
+add_task(async function run_test_no_overlong_path_building() {
+ let profile = do_get_profile();
+ const CERT_DB_NAME = "cert9.db";
+ let srcCertDBFile = do_get_file(`test_self_signed_certs/${CERT_DB_NAME}`);
+ srcCertDBFile.copyTo(profile, CERT_DB_NAME);
+
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ let certToVerify = null;
+ for (let cert of certDB.getCerts()) {
+ if (cert.subjectName == "CN=self-signed cert") {
+ certToVerify = cert;
+ break;
+ }
+ }
+ notEqual(
+ certToVerify,
+ null,
+ "should have found one of the preloaded self-signed certs"
+ );
+ let timeBefore = Date.now();
+ // As mentioned above, mozilla::pkix limits how much it will search for a trusted path, even if a
+ // trust domain keeps providing potential issuers. So, if we only tried to verify a certificate
+ // once, this test could potentially pass on a fast computer even if we weren't properly skipping
+ // unnecessary paths. If we were to try and lower our time limit (the comparison with
+ // secondsElapsed, below), this test would intermittently fail on slow hardware. By trying to
+ // verify the certificate 10 times, we hopefully end up with a meaningful test (it should still
+ // fail on fast hardware if we don't properly skip unproductive paths) that won't intermittently
+ // time out on slow hardware.
+ for (let i = 0; i < 10; i++) {
+ let date = new Date("2019-05-15T00:00:00.000Z");
+ await checkCertErrorGenericAtTime(
+ certDB,
+ certToVerify,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLCA,
+ date.getTime() / 1000
+ );
+ }
+ let timeAfter = Date.now();
+ let secondsElapsed = (timeAfter - timeBefore) / 1000;
+ ok(secondsElapsed < 120, "verifications shouldn't take too long");
+});
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/cert9.db b/security/manager/ssl/tests/unit/test_self_signed_certs/cert9.db
new file mode 100644
index 0000000000..5450fe82e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs/cert9.db
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_session_resumption.js b/security/manager/ssl/tests/unit/test_session_resumption.js
new file mode 100644
index 0000000000..26d30dad6a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_session_resumption.js
@@ -0,0 +1,291 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that PSM makes the correct determination of the security status of
+// loads involving session resumption (i.e. when a TLS handshake bypasses the
+// AuthCertificate callback).
+
+do_get_profile();
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+registerCleanupFunction(() => {
+ Services.prefs.clearUserPref("security.OCSP.enabled");
+});
+
+Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+addCertFromFile(certdb, "bad_certs/evroot.pem", "CTu,,");
+addCertFromFile(certdb, "bad_certs/ev-test-intermediate.pem", ",,");
+
+// For expired.example.com, the platform will make a connection that will fail.
+// Using information gathered at that point, an override will be added and
+// another connection will be made. This connection will succeed. At that point,
+// as long as the session cache isn't cleared, subsequent new connections should
+// use session resumption, thereby bypassing the AuthCertificate hook. We need
+// to ensure that the correct security state is propagated to the new connection
+// information object.
+function add_resume_non_ev_with_override_test() {
+ // This adds the override and makes one successful connection.
+ add_cert_override_test("expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE);
+
+ // This connects again, using session resumption. Note that we don't clear
+ // the TLS session cache between these operations (that would defeat the
+ // purpose).
+ add_connection_test(
+ "expired.example.com",
+ PRErrorCodeSuccess,
+ null,
+ transportSecurityInfo => {
+ ok(transportSecurityInfo.resumed, "connection should be resumed");
+ ok(
+ transportSecurityInfo.securityState &
+ Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
+ "expired.example.com should have STATE_CERT_USER_OVERRIDDEN flag"
+ );
+ equal(
+ transportSecurityInfo.succeededCertChain.length,
+ 0,
+ "expired.example.com should not have succeededCertChain set"
+ );
+ equal(
+ transportSecurityInfo.failedCertChain.length,
+ 2,
+ "expired.example.com should have failedCertChain set"
+ );
+ equal(
+ transportSecurityInfo.overridableErrorCategory,
+ Ci.nsITransportSecurityInfo.ERROR_TIME,
+ "expired.example.com should have time overridable error category"
+ );
+ ok(
+ !transportSecurityInfo.isExtendedValidation,
+ "expired.example.com should not have isExtendedValidation set"
+ );
+
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ certOverrideService.clearValidityOverride(
+ "expired.example.com",
+ 8443,
+ {}
+ );
+ }
+ );
+}
+
+// Helper function that adds a test that connects to ev-test.example.com and
+// verifies that it validates as EV (or not, if we're running a non-debug
+// build). This assumes that an appropriate OCSP responder is running or that
+// good responses are cached.
+function add_one_ev_test(resumed) {
+ add_connection_test(
+ "ev-test.example.com",
+ PRErrorCodeSuccess,
+ null,
+ transportSecurityInfo => {
+ equal(
+ transportSecurityInfo.resumed,
+ resumed,
+ "connection should be resumed or not resumed as expected"
+ );
+ ok(
+ !(
+ transportSecurityInfo.securityState &
+ Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN
+ ),
+ "ev-test.example.com should not have STATE_CERT_USER_OVERRIDDEN flag"
+ );
+ equal(
+ transportSecurityInfo.succeededCertChain.length,
+ 3,
+ "ev-test.example.com should have succeededCertChain set"
+ );
+ equal(
+ transportSecurityInfo.failedCertChain.length,
+ 0,
+ "ev-test.example.com should not have failedCertChain set"
+ );
+ equal(
+ transportSecurityInfo.overridableErrorCategory,
+ Ci.nsITransportSecurityInfo.ERROR_UNSET,
+ "ev-test.example.com should not have an overridable error category"
+ );
+ ok(
+ !gEVExpected || transportSecurityInfo.isExtendedValidation,
+ "ev-test.example.com should have isExtendedValidation set " +
+ "(or this is a non-debug build)"
+ );
+ }
+ );
+}
+
+// This test is similar, except with extended validation. We should connect
+// successfully, and the certificate should be EV in debug builds. Without
+// clearing the session cache, we should connect successfully again, this time
+// with session resumption. The certificate should again be EV in debug builds.
+function add_resume_ev_test() {
+ const SERVER_PORT = 8888;
+ let expectedRequestPaths = ["ev-test"];
+ let responseTypes = ["good"];
+ // Since we cache OCSP responses, we only ever actually serve one set.
+ let ocspResponder;
+ // If we don't wrap this in an `add_test`, the OCSP responder will be running
+ // while we are actually running unrelated testcases, which can disrupt them.
+ add_test(() => {
+ ocspResponder = startOCSPResponder(
+ SERVER_PORT,
+ "localhost",
+ "bad_certs",
+ expectedRequestPaths,
+ expectedRequestPaths.slice(),
+ null,
+ responseTypes
+ );
+ run_next_test();
+ });
+ // We should be able to connect and verify the certificate as EV (in debug
+ // builds).
+ add_one_ev_test(false);
+ // We should be able to connect again (using session resumption). In debug
+ // builds, the certificate should be noted as EV. Again, it's important that
+ // nothing clears the TLS cache in between these two operations.
+ add_one_ev_test(true);
+
+ add_test(() => {
+ ocspResponder.stop(run_next_test);
+ });
+}
+
+const GOOD_DOMAIN = "good.include-subdomains.pinning.example.com";
+
+// Helper function that adds a test that connects to a domain that should
+// succeed (but isn't EV) and verifies that its succeededCertChain gets set
+// appropriately.
+function add_one_non_ev_test() {
+ add_connection_test(
+ GOOD_DOMAIN,
+ PRErrorCodeSuccess,
+ null,
+ transportSecurityInfo => {
+ ok(
+ !(
+ transportSecurityInfo.securityState &
+ Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN
+ ),
+ `${GOOD_DOMAIN} should not have STATE_CERT_USER_OVERRIDDEN flag`
+ );
+ ok(
+ transportSecurityInfo.succeededCertChain,
+ `${GOOD_DOMAIN} should have succeededCertChain set`
+ );
+ equal(
+ transportSecurityInfo.overridableErrorCategory,
+ 0,
+ `${GOOD_DOMAIN} should not have an overridable error category set`
+ );
+ ok(
+ !transportSecurityInfo.isExtendedValidation,
+ `${GOOD_DOMAIN} should not have isExtendedValidation set`
+ );
+ }
+ );
+}
+
+// This test is similar, except with non-extended validation. We should connect
+// successfully, and the certificate should not be EV. Without clearing the
+// session cache, we should connect successfully again, this time with session
+// resumption. In this case, though, we want to ensure the succeededCertChain is
+// set.
+function add_resume_non_ev_test() {
+ add_one_non_ev_test();
+ add_one_non_ev_test();
+}
+
+const statsPtr = getSSLStatistics();
+const toInt32 = ctypes.Int64.lo;
+
+// Connect to the same domain with two origin attributes and check if any ssl
+// session is resumed.
+function add_origin_attributes_test(
+ originAttributes1,
+ originAttributes2,
+ resumeExpected
+) {
+ add_connection_test(
+ GOOD_DOMAIN,
+ PRErrorCodeSuccess,
+ clearSessionCache,
+ null,
+ null,
+ originAttributes1
+ );
+
+ let hitsBeforeConnect;
+ let missesBeforeConnect;
+ let expectedHits = resumeExpected ? 1 : 0;
+ let expectedMisses = 1 - expectedHits;
+
+ add_connection_test(
+ GOOD_DOMAIN,
+ PRErrorCodeSuccess,
+ function() {
+ // Add the hits and misses before connection.
+ let stats = statsPtr.contents;
+ hitsBeforeConnect = toInt32(stats.sch_sid_cache_hits);
+ missesBeforeConnect = toInt32(stats.sch_sid_cache_misses);
+ },
+ function() {
+ let stats = statsPtr.contents;
+ equal(
+ toInt32(stats.sch_sid_cache_hits),
+ hitsBeforeConnect + expectedHits,
+ "Unexpected cache hits"
+ );
+ equal(
+ toInt32(stats.sch_sid_cache_misses),
+ missesBeforeConnect + expectedMisses,
+ "Unexpected cache misses"
+ );
+ },
+ null,
+ originAttributes2
+ );
+}
+
+function add_resumption_tests() {
+ add_resume_ev_test();
+ add_resume_non_ev_test();
+ add_resume_non_ev_with_override_test();
+ add_origin_attributes_test({}, {}, true);
+ add_origin_attributes_test({ userContextId: 1 }, { userContextId: 2 }, false);
+ add_origin_attributes_test({ userContextId: 3 }, { userContextId: 3 }, true);
+ add_origin_attributes_test(
+ { firstPartyDomain: "foo.com" },
+ { firstPartyDomain: "bar.com" },
+ false
+ );
+ add_origin_attributes_test(
+ { firstPartyDomain: "baz.com" },
+ { firstPartyDomain: "baz.com" },
+ true
+ );
+}
+
+function run_test() {
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+ add_resumption_tests();
+ // Enable external session cache and reset the status.
+ add_test(function() {
+ Services.prefs.setBoolPref("network.ssl_tokens_cache_enabled", true);
+ certdb.clearOCSPCache();
+ run_next_test();
+ });
+ // Do tests again.
+ add_resumption_tests();
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_signed_apps.js b/security/manager/ssl/tests/unit/test_signed_apps.js
new file mode 100644
index 0000000000..f97edf350e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps.js
@@ -0,0 +1,1038 @@
+"use strict";
+
+// Tests the API nsIX509CertDB.openSignedAppFileAsync, which backs add-on
+// signature verification. Testcases include various ways of tampering with
+// add-ons as well as different hash algorithms used in the various
+// signature/metadata files.
+
+// from prio.h
+const PR_RDWR = 0x04;
+const PR_CREATE_FILE = 0x08;
+const PR_TRUNCATE = 0x20;
+const PR_USEC_PER_MSEC = 1000;
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+// Creates a new app package based in the inFilePath package, with a set of
+// modifications (including possibly deletions) applied to the existing entries,
+// and/or a set of new entries to be included.
+function tamper(inFilePath, outFilePath, modifications, newEntries) {
+ let writer = Cc["@mozilla.org/zipwriter;1"].createInstance(Ci.nsIZipWriter);
+ writer.open(outFilePath, PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE);
+ try {
+ let reader = Cc["@mozilla.org/libjar/zip-reader;1"].createInstance(
+ Ci.nsIZipReader
+ );
+ reader.open(inFilePath);
+ try {
+ for (let entryName of reader.findEntries("")) {
+ let inEntry = reader.getEntry(entryName);
+ let entryInput = reader.getInputStream(entryName);
+ try {
+ let f = modifications[entryName];
+ let outEntry, outEntryInput;
+ if (f) {
+ [outEntry, outEntryInput] = f(inEntry, entryInput);
+ delete modifications[entryName];
+ } else {
+ [outEntry, outEntryInput] = [inEntry, entryInput];
+ }
+ // if f does not want the input entry to be copied to the output entry
+ // at all (i.e. it wants it to be deleted), it will return null.
+ if (outEntryInput) {
+ try {
+ writer.addEntryStream(
+ entryName,
+ outEntry.lastModifiedTime,
+ outEntry.compression,
+ outEntryInput,
+ false
+ );
+ } finally {
+ if (entryInput != outEntryInput) {
+ outEntryInput.close();
+ }
+ }
+ }
+ } finally {
+ entryInput.close();
+ }
+ }
+ } finally {
+ reader.close();
+ }
+
+ // Any leftover modification means that we were expecting to modify an entry
+ // in the input file that wasn't there.
+ for (let name in modifications) {
+ if (modifications.hasOwnProperty(name)) {
+ throw new Error("input file was missing expected entries: " + name);
+ }
+ }
+
+ // Now, append any new entries to the end
+ newEntries.forEach(function(newEntry) {
+ let sis = Cc["@mozilla.org/io/string-input-stream;1"].createInstance(
+ Ci.nsIStringInputStream
+ );
+ try {
+ sis.setData(newEntry.content, newEntry.content.length);
+ writer.addEntryStream(
+ newEntry.name,
+ new Date() * PR_USEC_PER_MSEC,
+ Ci.nsIZipWriter.COMPRESSION_BEST,
+ sis,
+ false
+ );
+ } finally {
+ sis.close();
+ }
+ });
+ } finally {
+ writer.close();
+ }
+}
+
+function removeEntry(entry, entryInput) {
+ return [null, null];
+}
+
+function truncateEntry(entry, entryInput) {
+ if (entryInput.available() == 0) {
+ throw new Error(
+ "Truncating already-zero length entry will result in " +
+ "identical entry."
+ );
+ }
+
+ let content = Cc["@mozilla.org/io/string-input-stream;1"].createInstance(
+ Ci.nsIStringInputStream
+ );
+ content.data = "";
+
+ return [entry, content];
+}
+
+function check_open_result(name, expectedRv) {
+ return function openSignedAppFileCallback(rv, aZipReader, aSignerCert) {
+ info("openSignedAppFileCallback called for " + name);
+ equal(rv, expectedRv, "Actual and expected return value should match");
+ equal(
+ aZipReader != null,
+ Components.isSuccessCode(expectedRv),
+ "ZIP reader should be null only if the return value denotes failure"
+ );
+ equal(
+ aSignerCert != null,
+ Components.isSuccessCode(expectedRv),
+ "Signer cert should be null only if the return value denotes failure"
+ );
+ run_next_test();
+ };
+}
+
+function original_app_path(test_name) {
+ return do_get_file("test_signed_apps/" + test_name + ".zip", false);
+}
+
+function tampered_app_path(test_name) {
+ return new FileUtils.File(
+ PathUtils.join(
+ Services.dirsvc.get("TmpD", Ci.nsIFile).path,
+ `test_signed_app-${test_name}.zip`
+ )
+ );
+}
+
+var hashTestcases = [
+ // SHA-256 in PKCS#7 + SHA-256 present elsewhere => OK
+ { name: "app_mf-1-256_sf-1-256_p7-1-256", expectedResult: Cr.NS_OK },
+ { name: "app_mf-1-256_sf-1-256_p7-256", expectedResult: Cr.NS_OK },
+ { name: "app_mf-1-256_sf-256_p7-1-256", expectedResult: Cr.NS_OK },
+ { name: "app_mf-1-256_sf-256_p7-256", expectedResult: Cr.NS_OK },
+ { name: "app_mf-256_sf-1-256_p7-1-256", expectedResult: Cr.NS_OK },
+ { name: "app_mf-256_sf-1-256_p7-256", expectedResult: Cr.NS_OK },
+ { name: "app_mf-256_sf-256_p7-1-256", expectedResult: Cr.NS_OK },
+ { name: "app_mf-256_sf-256_p7-256", expectedResult: Cr.NS_OK },
+
+ // SHA-1 in PKCS#7 + SHA-1 present elsewhere => OK
+ { name: "app_mf-1-256_sf-1-256_p7-1", expectedResult: Cr.NS_OK },
+ { name: "app_mf-1-256_sf-1_p7-1", expectedResult: Cr.NS_OK },
+ { name: "app_mf-1_sf-1-256_p7-1", expectedResult: Cr.NS_OK },
+ { name: "app_mf-1_sf-1_p7-1", expectedResult: Cr.NS_OK },
+
+ // SHA-256 in PKCS#7 + SHA-256 not present elsewhere => INVALID
+ {
+ name: "app_mf-1-256_sf-1_p7-1-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-1-256_sf-1_p7-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-1_sf-1-256_p7-1-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-1_sf-1-256_p7-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-1_sf-1_p7-1-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-1_sf-1_p7-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-1_sf-256_p7-1-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-1_sf-256_p7-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-256_sf-1_p7-1-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-256_sf-1_p7-256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+
+ // SHA-1 in PKCS#7 + SHA-1 not present elsewhere => INVALID
+ {
+ name: "app_mf-1-256_sf-256_p7-1",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-1_sf-256_p7-1",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-256_sf-1-256_p7-1",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-256_sf-1_p7-1",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+ {
+ name: "app_mf-256_sf-256_p7-1",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ },
+];
+
+// Policy values for the preference "security.signed_app_signatures.policy"
+const PKCS7WithSHA1OrSHA256 = 0b0;
+const PKCS7WithSHA256 = 0b1;
+const COSEAndPKCS7WithSHA1OrSHA256 = 0b10;
+const COSEAndPKCS7WithSHA256 = 0b11;
+const COSERequiredAndPKCS7WithSHA1OrSHA256 = 0b100;
+const COSERequiredAndPKCS7WithSHA256 = 0b101;
+const COSEOnly = 0b110;
+const COSEOnlyAgain = 0b111;
+
+function add_signature_test(policy, test) {
+ // First queue up a test to set the desired policy:
+ add_test(function() {
+ Services.prefs.setIntPref("security.signed_app_signatures.policy", policy);
+ run_next_test();
+ });
+ // Then queue up the test itself:
+ add_test(test);
+}
+
+for (let testcase of hashTestcases) {
+ add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path(testcase.name),
+ check_open_result(testcase.name, testcase.expectedResult)
+ );
+ });
+}
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("empty_signerInfos"),
+ check_open_result(
+ "the signerInfos in the PKCS#7 signature is empty",
+ Cr.NS_ERROR_CMS_VERIFY_NOT_SIGNED
+ )
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("unsigned_app"),
+ check_open_result("unsigned", Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("unknown_issuer_app"),
+ check_open_result(
+ "unknown_issuer",
+ getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)
+ )
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_signed_with_pkcs7"),
+ check_open_result("cose_signed_with_pkcs7", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-256_sf-256_p7-256"),
+ check_open_result("no COSE but correct PK#7", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-1_sf-256_p7-256"),
+ check_open_result(
+ "no COSE and wrong PK#7 hash",
+ Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+ )
+ );
+});
+
+add_signature_test(COSERequiredAndPKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-256_sf-256_p7-256"),
+ check_open_result(
+ "COSE signature missing (SHA1 or 256)",
+ Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+ )
+ );
+});
+
+add_signature_test(COSERequiredAndPKCS7WithSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-256_sf-256_p7-256"),
+ check_open_result(
+ "COSE signature missing (SHA256)",
+ Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+ )
+ );
+});
+
+add_signature_test(COSERequiredAndPKCS7WithSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("only_cose_signed"),
+ check_open_result(
+ "COSE signature only (PK#7 allowed, not present)",
+ Cr.NS_OK
+ )
+ );
+});
+
+add_signature_test(COSERequiredAndPKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("only_cose_signed"),
+ check_open_result(
+ "COSE signature only (PK#7 allowed, not present)",
+ Cr.NS_OK
+ )
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_multiple_signed_with_pkcs7"),
+ check_open_result("cose_multiple_signed_with_pkcs7", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_int_signed_with_pkcs7"),
+ check_open_result("COSE signed with an intermediate", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("only_cose_signed"),
+ check_open_result(
+ "PK7 signature missing",
+ Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_multiple_signed_with_pkcs7"),
+ check_open_result(
+ "Expected only COSE signature",
+ Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("only_cose_multiple_signed"),
+ check_open_result("only Multiple COSE signatures", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEOnly, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("only_cose_signed"),
+ check_open_result("only_cose_signed", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEOnlyAgain, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("only_cose_signed"),
+ check_open_result("only_cose_signed (again)", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEOnly, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_signed_with_pkcs7"),
+ check_open_result(
+ "COSE only expected but also PK#7 signed",
+ Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY
+ )
+ );
+});
+
+// Sanity check to ensure a no-op tampering gives a valid result
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("identity_tampering");
+ tamper(original_app_path("app_mf-1_sf-1_p7-1"), tampered, {}, []);
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ check_open_result("identity_tampering", Cr.NS_OK)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("missing_rsa");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "META-INF/A.RSA": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("missing_rsa", Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("missing_sf");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "META-INF/A.SF": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("missing_sf", Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("missing_manifest_mf");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "META-INF/MANIFEST.MF": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "missing_manifest_mf",
+ Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+ )
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("missing_entry");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "manifest.json": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("missing_entry", Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("truncated_entry");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "manifest.json": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("truncated_entry", Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("truncated_manifestFile");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "META-INF/MANIFEST.MF": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "truncated_manifestFile",
+ Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+ )
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("truncated_signatureFile");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "META-INF/A.SF": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "truncated_signatureFile",
+ getXPCOMStatusFromNSS(SEC_ERROR_PKCS7_BAD_SIGNATURE)
+ )
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("truncated_pkcs7File");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "META-INF/A.RSA": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("truncated_pkcs7File", Cr.NS_ERROR_CMS_VERIFY_NOT_SIGNED)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("unsigned_entry");
+ tamper(original_app_path("app_mf-1_sf-1_p7-1"), tampered, {}, [
+ { name: "unsigned.txt", content: "unsigned content!" },
+ ]);
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("unsigned_entry", Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("unsigned_metainf_entry");
+ tamper(original_app_path("app_mf-1_sf-1_p7-1"), tampered, {}, [
+ { name: "META-INF/unsigned.txt", content: "unsigned content!" },
+ ]);
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "unsigned_metainf_entry",
+ Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY
+ )
+ );
+});
+
+add_signature_test(PKCS7WithSHA256, function testSHA1Disabled() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ check_open_result(
+ "SHA-1 should not be accepted if disabled by policy",
+ Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+ )
+ );
+});
+
+add_signature_test(PKCS7WithSHA256, function testSHA256WorksWithSHA1Disabled() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-256_sf-256_p7-256"),
+ check_open_result(
+ "SHA-256 should work if SHA-1 is disabled by policy",
+ Cr.NS_OK
+ )
+ );
+});
+
+add_signature_test(
+ PKCS7WithSHA256,
+ function testMultipleSignaturesWorkWithSHA1Disabled() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-1-256_sf-1-256_p7-1-256"),
+ check_open_result(
+ "Multiple signatures should work if SHA-1 is " +
+ "disabled by policy (if SHA-256 signature verifies)",
+ Cr.NS_OK
+ )
+ );
+ }
+);
+
+var cosePolicies = [
+ COSEAndPKCS7WithSHA1OrSHA256,
+ COSERequiredAndPKCS7WithSHA1OrSHA256,
+];
+
+// PS256 is not yet supported.
+var coseTestcasesStage = [
+ {
+ name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384",
+ expectedResult: Cr.NS_OK,
+ root: Ci.nsIX509CertDB.AddonsStageRoot,
+ },
+ {
+ name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ root: Ci.nsIX509CertDB.AddonsStageRoot,
+ },
+ {
+ name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256",
+ expectedResult: Cr.NS_OK,
+ root: Ci.nsIX509CertDB.AddonsStageRoot,
+ },
+ {
+ name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ root: Ci.nsIX509CertDB.AddonsStageRoot,
+ },
+];
+
+var coseTestcasesProd = [
+ {
+ name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384",
+ expectedResult: Cr.NS_OK,
+ root: Ci.nsIX509CertDB.AddonsPublicRoot,
+ },
+ {
+ name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ root: Ci.nsIX509CertDB.AddonsPublicRoot,
+ },
+ {
+ name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256",
+ expectedResult: Cr.NS_OK,
+ root: Ci.nsIX509CertDB.AddonsPublicRoot,
+ },
+ {
+ name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ root: Ci.nsIX509CertDB.AddonsPublicRoot,
+ },
+];
+
+for (let policy of cosePolicies) {
+ for (let testcase of [...coseTestcasesStage, ...coseTestcasesProd]) {
+ add_signature_test(policy, function() {
+ certdb.openSignedAppFileAsync(
+ testcase.root,
+ original_app_path(testcase.name),
+ check_open_result(testcase.name, testcase.expectedResult)
+ );
+ });
+ }
+}
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSESigTampered() {
+ let tampered = tampered_app_path("cose_sig_tampered");
+ tamper(
+ original_app_path("cose_signed_with_pkcs7"),
+ tampered,
+ { "META-INF/cose.sig": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "cose_sig_tampered",
+ Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+ )
+ );
+});
+
+// PKCS7 is processed before COSE, so if a COSE signature file is removed or
+// tampered with, this appears as a PKCS7 signature verification failure.
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSESigRemoved() {
+ let tampered = tampered_app_path("cose_sig_removed");
+ tamper(
+ original_app_path("cose_signed_with_pkcs7"),
+ tampered,
+ { "META-INF/cose.sig": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("cose_sig_removed", Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEManifestTampered() {
+ let tampered = tampered_app_path("cose_manifest_tampered");
+ tamper(
+ original_app_path("cose_signed_with_pkcs7"),
+ tampered,
+ { "META-INF/cose.manifest": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "cose_manifest_tampered",
+ Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+ )
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEManifestRemoved() {
+ let tampered = tampered_app_path("cose_manifest_removed");
+ tamper(
+ original_app_path("cose_signed_with_pkcs7"),
+ tampered,
+ { "META-INF/cose.manifest": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "cose_manifest_removed",
+ Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING
+ )
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEFileAdded() {
+ let tampered = tampered_app_path("cose_file_added");
+ tamper(original_app_path("cose_signed_with_pkcs7"), tampered, {}, [
+ { name: "unsigned.txt", content: "unsigned content!" },
+ ]);
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("cose_file_added", Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEFileRemoved() {
+ let tampered = tampered_app_path("cose_file_removed");
+ tamper(
+ original_app_path("cose_signed_with_pkcs7"),
+ tampered,
+ { "manifest.json": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("cose_file_removed", Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEFileTampered() {
+ let tampered = tampered_app_path("cose_file_tampered");
+ tamper(
+ original_app_path("cose_signed_with_pkcs7"),
+ tampered,
+ { "manifest.json": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "cose_file_tampered",
+ Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSESigTampered() {
+ let tampered = tampered_app_path("only_cose_sig_tampered");
+ tamper(
+ original_app_path("only_cose_signed"),
+ tampered,
+ { "META-INF/cose.sig": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_sig_tampered",
+ Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSESigRemoved() {
+ let tampered = tampered_app_path("only_cose_sig_removed");
+ tamper(
+ original_app_path("only_cose_signed"),
+ tampered,
+ { "META-INF/cose.sig": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_sig_removed",
+ Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEManifestTampered() {
+ let tampered = tampered_app_path("only_cose_manifest_tampered");
+ tamper(
+ original_app_path("only_cose_signed"),
+ tampered,
+ { "META-INF/cose.manifest": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_manifest_tampered",
+ Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEManifestRemoved() {
+ let tampered = tampered_app_path("only_cose_manifest_removed");
+ tamper(
+ original_app_path("only_cose_signed"),
+ tampered,
+ { "META-INF/cose.manifest": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_manifest_removed",
+ Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEFileAdded() {
+ let tampered = tampered_app_path("only_cose_file_added");
+ tamper(original_app_path("only_cose_signed"), tampered, {}, [
+ { name: "unsigned.txt", content: "unsigned content!" },
+ ]);
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_file_added",
+ Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEFileRemoved() {
+ let tampered = tampered_app_path("only_cose_file_removed");
+ tamper(
+ original_app_path("only_cose_signed"),
+ tampered,
+ { "manifest.json": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_file_removed",
+ Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEFileTampered() {
+ let tampered = tampered_app_path("only_cose_file_tampered");
+ tamper(
+ original_app_path("only_cose_signed"),
+ tampered,
+ { "manifest.json": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_file_tampered",
+ Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+ )
+ );
+});
+
+// This was signed with only COSE first, and then the contents were tampered
+// with (making the signature invalid). Then, the file was signed with
+// PKCS7/SHA1. We need to ensure that if we're configured to process COSE, this
+// verification fails.
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_tampered_good_pkcs7"),
+ check_open_result(
+ "tampered COSE with good PKCS7 signature should fail " +
+ "when COSE and PKCS7 is processed",
+ Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_tampered_good_pkcs7"),
+ check_open_result(
+ "tampered COSE with good PKCS7 signature should fail " +
+ "when only COSE is processed",
+ Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+ )
+ );
+});
+
+// If we're not processing COSE, this should verify successfully.
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_tampered_good_pkcs7"),
+ check_open_result(
+ "tampered COSE with good PKCS7 signature should succeed" +
+ "when COSE is not processed",
+ Cr.NS_OK
+ )
+ );
+});
+
+add_test(function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("bug_1411458"),
+ check_open_result("bug 1411458", Cr.NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO)
+ );
+});
+
+// This has a big manifest file (~2MB). It should verify correctly.
+add_test(function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("big_manifest"),
+ check_open_result("add-on with big manifest file", Cr.NS_OK)
+ );
+});
+
+// This has a huge manifest file (~10MB). Manifest files this large are not
+// supported (8MB is the limit). It should not verify correctly.
+add_test(function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("huge_manifest"),
+ check_open_result(
+ "add-on with huge manifest file",
+ Cr.NS_ERROR_SIGNED_JAR_ENTRY_INVALID
+ )
+ );
+});
+
+// Verification should pass despite a not-yet-valid EE certificate.
+// Regression test for bug 1713628
+add_test(function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("validity_not_yet_valid"),
+ check_open_result("validity_not_yet_valid", Cr.NS_OK)
+ );
+});
+
+// Verification should pass despite an expired EE certificate.
+// Regression test for bug 1267318 and bug 1548973
+add_test(function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("validity_expired"),
+ check_open_result("validity_expired", Cr.NS_OK)
+ );
+});
+
+// TODO: tampered MF, tampered SF
+// TODO: too-large MF, too-large RSA, too-large SF
+// TODO: MF and SF that end immediately after the last main header
+// (no CR nor LF)
+// TODO: broken headers to exercise the parser
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app/README b/security/manager/ssl/tests/unit/test_signed_apps/app/README
new file mode 100644
index 0000000000..4f4db4f73e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app/README
@@ -0,0 +1 @@
+This is the readme for the test extension.
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app/data/image.png b/security/manager/ssl/tests/unit/test_signed_apps/app/data/image.png
new file mode 100644
index 0000000000..f4a62faddf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app/data/image.png
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app/manifest.json b/security/manager/ssl/tests/unit/test_signed_apps/app/manifest.json
new file mode 100644
index 0000000000..eacaedfa7a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app/manifest.json
@@ -0,0 +1,5 @@
+{
+ "manifest_version": 2,
+ "name": "Test Extension",
+ "version": "0.0.1"
+}
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.manifest b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.manifest
new file mode 100644
index 0000000000..be5069f57b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.manifest
@@ -0,0 +1,10 @@
+Manifest-Version: 1.0
+
+Name: README
+SHA256-Digest: bY0l9xqGJYCpqYeJ0K6q4DWUQqu0mNBFM4H4emhjiJg=
+
+Name: manifest.json
+SHA256-Digest: BTnCpT154N26RZm8bhdD43WXd0tj5bg6ofM19NLI0OE=
+
+Name: data/image.png
+SHA256-Digest: EPjkNZwya9X+pruLlxG+FACLwGC48XU4S9oZOA0lVVQ=
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.sig b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.sig
new file mode 100644
index 0000000000..ee9f3e2ce9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.sig
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/README b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/README
new file mode 100644
index 0000000000..46217087d8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/README
@@ -0,0 +1,2 @@
+This is the readme for the test extension.
+This app was created by unzipping only_cose_signed.zip and adding this line (thus invalidating the COSE signature).
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/data/image.png b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/data/image.png
new file mode 100644
index 0000000000..f4a62faddf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/data/image.png
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/manifest.json b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/manifest.json
new file mode 100644
index 0000000000..eacaedfa7a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/manifest.json
@@ -0,0 +1,5 @@
+{
+ "manifest_version": 2,
+ "name": "Test Extension",
+ "version": "0.0.1"
+}
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zip
new file mode 100644
index 0000000000..e8643ae4a1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1.zip
new file mode 100644
index 0000000000..c796b05d89
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-256.zip
new file mode 100644
index 0000000000..65b1e7be43
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1-256.zip
new file mode 100644
index 0000000000..eb6bbee0d4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zip
new file mode 100644
index 0000000000..1efcaf4408
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-256.zip
new file mode 100644
index 0000000000..1554349f31
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1-256.zip
new file mode 100644
index 0000000000..3beaf11361
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zip
new file mode 100644
index 0000000000..7f2e5386bc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-256.zip
new file mode 100644
index 0000000000..8bd0938986
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1-256.zip
new file mode 100644
index 0000000000..6021fd3aa9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zip
new file mode 100644
index 0000000000..54211eb519
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-256.zip
new file mode 100644
index 0000000000..704504a448
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1-256.zip
new file mode 100644
index 0000000000..68941bf6e3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip
new file mode 100644
index 0000000000..727b148130
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-256.zip
new file mode 100644
index 0000000000..2bed33dce4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1-256.zip
new file mode 100644
index 0000000000..d57b44b6e2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip
new file mode 100644
index 0000000000..6f17528f8b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-256.zip
new file mode 100644
index 0000000000..243113b8a7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1-256.zip
new file mode 100644
index 0000000000..6735f81499
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zip
new file mode 100644
index 0000000000..f213ac0990
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-256.zip
new file mode 100644
index 0000000000..7a0f561196
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1-256.zip
new file mode 100644
index 0000000000..ce8a55dfa4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip
new file mode 100644
index 0000000000..0fc2f9368e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-256.zip
new file mode 100644
index 0000000000..79bd0249c3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1-256.zip
new file mode 100644
index 0000000000..c7c76f6a6c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1.zip
new file mode 100644
index 0000000000..9ed61ff6a8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zip
new file mode 100644
index 0000000000..75e6434188
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384.zip
new file mode 100644
index 0000000000..40b4fc7857
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256.zip
new file mode 100644
index 0000000000..d364e590e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256.zip
new file mode 100644
index 0000000000..a4353bba19
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256.zip
new file mode 100644
index 0000000000..51ae592ee9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip
new file mode 100644
index 0000000000..b74e087620
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip
new file mode 100644
index 0000000000..772c42e494
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip
new file mode 100644
index 0000000000..b1d1999551
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip
new file mode 100644
index 0000000000..0ce563680d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/big_manifest.zip b/security/manager/ssl/tests/unit/test_signed_apps/big_manifest.zip
new file mode 100644
index 0000000000..1daed90236
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/big_manifest.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/bug_1411458.zip b/security/manager/ssl/tests/unit/test_signed_apps/bug_1411458.zip
new file mode 100644
index 0000000000..0b296945ab
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/bug_1411458.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zip
new file mode 100644
index 0000000000..bb70811185
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip
new file mode 100644
index 0000000000..105f2be712
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zip
new file mode 100644
index 0000000000..8edd1bd7c0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_tampered_good_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_tampered_good_pkcs7.zip
new file mode 100644
index 0000000000..a1565eb9f7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/cose_tampered_good_pkcs7.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/empty_signerInfos.zip b/security/manager/ssl/tests/unit/test_signed_apps/empty_signerInfos.zip
new file mode 100644
index 0000000000..53744b4a8e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/empty_signerInfos.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/huge_manifest.zip b/security/manager/ssl/tests/unit/test_signed_apps/huge_manifest.zip
new file mode 100644
index 0000000000..845c39c8b8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/huge_manifest.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/moz.build b/security/manager/ssl/tests/unit/test_signed_apps/moz.build
new file mode 100644
index 0000000000..8680c8d457
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/moz.build
@@ -0,0 +1,78 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+@template
+def SignedAppFile(name, flags, app_directory="app/"):
+ if not CONFIG["COMPILE_ENVIRONMENT"]:
+ return
+
+ GENERATED_FILES += [name]
+ props = GENERATED_FILES[name]
+ props.script = "/security/manager/ssl/tests/unit/sign_app.py"
+ props.inputs = [app_directory]
+ props.flags = flags
+ # Turn RELATIVEDIR into list entry: like
+ # 'security/manager/ssl/tests/unit/test_signed_apps' ->
+ # TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_signed_apps.
+ files = TEST_HARNESS_FILES.xpcshell
+ for part in RELATIVEDIR.split("/"):
+ files = files[part]
+ files += ["!%s" % name]
+
+
+# Except for unusual testcases (unknown issuer, unsigned app, empty
+# signerInfos), the naming scheme is as follows:
+# app_mf{-1,-256}_sf{-1,-256}_p7{-1,-256}.zip, where:
+# "mf" refers to the manifest file, "sf" refers to the signature file,
+# and "p7" refers to the pkcs#7 file. The "{-1,-256}" indicates which
+# hash algorithms are present in the corresponding file (both may be
+# present).
+# For example, "app_mf-1_sf-1-256_p7-256.zip" means that the manifest
+# file has sha-1 hashes, the signature file has sha-1 hashes and sha-256
+# hashes, and the pkcs#7 file only has sha-256.
+#
+# Temporarily disabled. See bug 1256495.
+# signed_app_files = (
+# ['unknown_issuer_app.zip', '-i', 'unknown issuer', '-p', 'sha256'],
+# ['unsigned_app.zip'],
+# ['empty_signerInfos.zip', '-e'],
+# )
+#
+# for signed_app_file_params in signed_app_files:
+# SignedAppFile(signed_app_file_params[0], signed_app_file_params[1:])
+#
+# for mf_algs in [['1'], ['256'], ['1', '256']]:
+# for sf_algs in [['1'], ['256'], ['1', '256']]:
+# for p7_algs in [['1'], ['256'], ['1', '256']]:
+# filename = "app_mf-%s_sf-%s_p7-%s.zip" % ('-'.join(mf_algs), '-'.join(sf_algs), '-'.join(p7_algs))
+# args = []
+# for mf_alg in mf_algs:
+# args.append('-m')
+# args.append('sha%s' % mf_alg)
+# for sf_alg in sf_algs:
+# args.append('-s')
+# args.append('sha%s' % sf_alg)
+# for p7_alg in p7_algs:
+# args.append('-p')
+# args.append('sha%s' % p7_alg)
+# SignedAppFile(filename, args)
+#
+# COSE test-cases
+# SignedAppFile('cose_signed_with_pkcs7.zip', ['-c', 'ES256', '-p', 'sha256'])
+# SignedAppFile('cose_int_signed_with_pkcs7.zip', ['-c', 'ES256', '-r', 'xpcshell signed apps test root', '-p', 'sha256'])
+# SignedAppFile('cose_multiple_signed_with_pkcs7.zip', ['-c', 'ES256', '-c', 'ES384', '-p', 'sha256'])
+# SignedAppFile('only_cose_signed.zip', ['-c', 'ES256'])
+# SignedAppFile('only_cose_multiple_signed.zip', ['-c', 'ES384', '-c', 'ES256'])
+# SignedAppFile('cose_tampered_good_pkcs7.zip', ['-m', 'sha1', '-s', 'sha1', '-p', 'sha1'], 'app_cose_tampered/')
+# SignedAppFile('big_manifest.zip', ['-p', 'sha256', '--pad-headers', '2'])
+# SignedAppFile('huge_manifest.zip', ['-p', 'sha256', '--pad-headers', '10'])
+# SignedAppFile('validity_expired.zip', ['-c', 'ES256', '-p', 'sha256', '--cert-validity', '19700101-19701212'])
+# SignedAppFile('validity_not_yet_valid.zip', ['-c', 'ES256', '-p', 'sha256', '--cert-validity', '99990101-99991212'])
+
+# To generate a new entry, add SignedAppFile, run mach build and copy from
+# objdir/_tests/xpcshell/security/manager/ssl/tests/unit/test_signed_apps/
+# to this directory.
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/only_cose_multiple_signed.zip b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_multiple_signed.zip
new file mode 100644
index 0000000000..4befbcd47f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_multiple_signed.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zip b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zip
new file mode 100644
index 0000000000..70ec223475
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zip b/security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zip
new file mode 100644
index 0000000000..03f59a20bb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zip b/security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zip
new file mode 100644
index 0000000000..162b1107fe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/validity_expired.zip b/security/manager/ssl/tests/unit/test_signed_apps/validity_expired.zip
new file mode 100644
index 0000000000..4b160fe736
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/validity_expired.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/validity_not_yet_valid.zip b/security/manager/ssl/tests/unit/test_signed_apps/validity_not_yet_valid.zip
new file mode 100644
index 0000000000..82a8b4836a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/validity_not_yet_valid.zip
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der
new file mode 100644
index 0000000000..3c1869b13b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem.certspec b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem.certspec
new file mode 100644
index 0000000000..500c4185cd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem.certspec
@@ -0,0 +1,6 @@
+issuer:xpcshell signed apps test root
+subject:xpcshell signed apps test root
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:keyEncipherment,keyCertSign
+extension:extKeyUsage:codeSigning
diff --git a/security/manager/ssl/tests/unit/test_ssl_status.js b/security/manager/ssl/tests/unit/test_ssl_status.js
new file mode 100644
index 0000000000..8e9aad40e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ssl_status.js
@@ -0,0 +1,75 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+do_get_profile();
+
+function run_test() {
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+
+ let fakeOCSPResponder = new HttpServer();
+ fakeOCSPResponder.registerPrefixHandler("/", function(request, response) {
+ response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+ });
+ fakeOCSPResponder.start(8888);
+
+ // Test successful connection (failedCertChain should be null,
+ // succeededCertChain should be set as expected)
+ add_connection_test(
+ "good.include-subdomains.pinning.example.com",
+ PRErrorCodeSuccess,
+ null,
+ function withSecurityInfo(aSecInfo) {
+ equal(
+ aSecInfo.failedCertChain.length,
+ 0,
+ "failedCertChain for a successful connection should be empty"
+ );
+ ok(
+ areCertArraysEqual(
+ aSecInfo.succeededCertChain,
+ build_cert_chain(["default-ee", "test-ca"])
+ ),
+ "succeededCertChain for a successful connection should be as expected"
+ );
+ }
+ );
+
+ // Test failed connection (failedCertChain should be set as expected,
+ // succeededCertChain should be null)
+ add_connection_test(
+ "expired.example.com",
+ SEC_ERROR_EXPIRED_CERTIFICATE,
+ null,
+ function withSecurityInfo(aSecInfo) {
+ equal(
+ aSecInfo.succeededCertChain.length,
+ 0,
+ "succeededCertChain for a failed connection should be null"
+ );
+ ok(
+ areCertArraysEqual(
+ aSecInfo.failedCertChain,
+ build_cert_chain(["expired-ee", "test-ca"])
+ ),
+ "failedCertChain for a failed connection should be as expected"
+ );
+ }
+ );
+
+ // Ensure the correct failed cert chain is set on cert override
+ let overrideStatus = {
+ failedCertChain: build_cert_chain(["expired-ee", "test-ca"]),
+ };
+ add_cert_override_test(
+ "expired.example.com",
+ SEC_ERROR_EXPIRED_CERTIFICATE,
+ undefined,
+ overrideStatus
+ );
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_enumerate.js b/security/manager/ssl/tests/unit/test_sss_enumerate.js
new file mode 100644
index 0000000000..a785e31cdf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_enumerate.js
@@ -0,0 +1,79 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+do_get_profile(); // must be done before instantiating nsIX509CertDB
+
+const SECS_IN_A_WEEK = 7 * 24 * 60 * 60 * 1000;
+const TESTCASES = [
+ {
+ hostname: "a.pinning.example.com",
+ includeSubdomains: true,
+ expireTime: Date.now() + 12 * SECS_IN_A_WEEK * 1000,
+ },
+ {
+ hostname: "b.pinning.example.com",
+ includeSubdomains: false,
+ expireTime: Date.now() + 13 * SECS_IN_A_WEEK * 1000,
+ },
+].sort((a, b) => a.expireTime - b.expireTime);
+
+let sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService);
+
+function getEntries() {
+ return Array.from(sss.enumerate());
+}
+
+function checkSiteSecurityStateAttrs(entries) {
+ entries.sort((a, b) => a.expireTime - b.expireTime);
+ equal(
+ entries.length,
+ TESTCASES.length,
+ "Should get correct number of entries"
+ );
+ for (let i = 0; i < TESTCASES.length; i++) {
+ equal(entries[i].hostname, TESTCASES[i].hostname, "Hostnames should match");
+ equal(
+ entries[i].securityPropertyState,
+ Ci.nsISiteSecurityState.SECURITY_PROPERTY_SET,
+ "Entries should have security property set"
+ );
+ equal(
+ entries[i].includeSubdomains,
+ TESTCASES[i].includeSubdomains,
+ "IncludeSubdomains should match"
+ );
+ // There's a delay from our "now" and the "now" that the implementation uses.
+ less(
+ Math.abs(entries[i].expireTime - TESTCASES[i].expireTime),
+ 60000,
+ "ExpireTime should be within 60-second error"
+ );
+ }
+}
+
+function run_test() {
+ sss.clearAll();
+
+ for (const testcase of TESTCASES) {
+ const uri = Services.io.newURI(`https://${testcase.hostname}`);
+
+ // MaxAge is in seconds.
+ let maxAge = Math.round((testcase.expireTime - Date.now()) / 1000);
+ let header = `max-age=${maxAge}`;
+ if (testcase.includeSubdomains) {
+ header += "; includeSubdomains";
+ }
+ sss.processHeader(uri, header);
+ }
+
+ let hstsEntries = getEntries();
+
+ checkSiteSecurityStateAttrs(hstsEntries);
+
+ sss.clearAll();
+ hstsEntries = getEntries();
+
+ equal(hstsEntries.length, 0, "Should clear all HSTS entries");
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_eviction.js b/security/manager/ssl/tests/unit/test_sss_eviction.js
new file mode 100644
index 0000000000..eee9e00e22
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_eviction.js
@@ -0,0 +1,88 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to check that a frequently visited site
+// will not be evicted over an infrequently visited site.
+
+var gSSService = null;
+var gProfileDir = null;
+
+function do_state_written(aSubject, aTopic, aData) {
+ if (aData == CLIENT_AUTH_FILE_NAME) {
+ return;
+ }
+
+ equal(aData, SSS_STATE_FILE_NAME);
+
+ let stateFile = gProfileDir.clone();
+ stateFile.append(SSS_STATE_FILE_NAME);
+ ok(stateFile.exists());
+ let stateFileContents = readFile(stateFile);
+ // the last part is removed because it's the empty string after the final \n
+ let lines = stateFileContents.split("\n").slice(0, -1);
+ // We can receive multiple data-storage-written events. In particular, we
+ // may receive one where DataStorage wrote out data before we were done
+ // processing all of our headers. In this case, the data may not be
+ // as we expect. We only care about the final one being correct, however,
+ // so we return and wait for the next event if things aren't as we expect.
+ // There should be 1024 entries.
+ if (lines.length != 1024) {
+ return;
+ }
+
+ let foundLegitSite = false;
+ for (let line of lines) {
+ if (line.startsWith("frequentlyused.example.com:HSTS")) {
+ foundLegitSite = true;
+ break;
+ }
+ }
+
+ ok(foundLegitSite);
+ do_test_finished();
+}
+
+function do_state_read(aSubject, aTopic, aData) {
+ if (aData == CLIENT_AUTH_FILE_NAME) {
+ return;
+ }
+
+ equal(aData, SSS_STATE_FILE_NAME);
+
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://frequentlyused.example.com")
+ )
+ );
+ for (let i = 0; i < 2000; i++) {
+ let uri = Services.io.newURI("http://bad" + i + ".example.com");
+ gSSService.processHeader(uri, "max-age=1000");
+ }
+ do_test_pending();
+ Services.obs.addObserver(do_state_written, "data-storage-written");
+ do_test_finished();
+}
+
+function run_test() {
+ Services.prefs.setIntPref("test.datastorage.write_timer_ms", 100);
+ gProfileDir = do_get_profile();
+ let stateFile = gProfileDir.clone();
+ stateFile.append(SSS_STATE_FILE_NAME);
+ // Assuming we're working with a clean slate, the file shouldn't exist
+ // until we create it.
+ ok(!stateFile.exists());
+ let outputStream = FileUtils.openFileOutputStream(stateFile);
+ let now = new Date().getTime();
+ let line =
+ "frequentlyused.example.com:HSTS\t4\t0\t" + (now + 100000) + ",1,0\n";
+ outputStream.write(line, line.length);
+ outputStream.close();
+ Services.obs.addObserver(do_state_read, "data-storage-ready");
+ do_test_pending();
+ gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ notEqual(gSSService, null);
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_originAttributes.js b/security/manager/ssl/tests/unit/test_sss_originAttributes.js
new file mode 100644
index 0000000000..280b0df5a6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_originAttributes.js
@@ -0,0 +1,99 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+ * vim: sw=2 ts=2 sts=2
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+// Ensures nsISiteSecurityService APIs respects origin attributes.
+
+const GOOD_MAX_AGE_SECONDS = 69403;
+const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`;
+
+do_get_profile(); // must be done before instantiating nsIX509CertDB
+
+let sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService);
+let host = "a.pinning.example.com";
+let uri = Services.io.newURI("https://" + host);
+
+// Check if originAttributes1 and originAttributes2 are isolated with respect
+// to HSTS storage.
+function doTest(originAttributes1, originAttributes2, shouldShare) {
+ sss.clearAll();
+ let header = GOOD_MAX_AGE;
+ // Set HSTS for originAttributes1.
+ sss.processHeader(uri, header, originAttributes1);
+ ok(
+ sss.isSecureURI(uri, originAttributes1),
+ "URI should be secure given original origin attributes"
+ );
+ equal(
+ sss.isSecureURI(uri, originAttributes2),
+ shouldShare,
+ "URI should be secure given different origin attributes if and " +
+ "only if shouldShare is true"
+ );
+
+ if (!shouldShare) {
+ // Remove originAttributes2 from the storage.
+ sss.resetState(uri, originAttributes2);
+ ok(
+ sss.isSecureURI(uri, originAttributes1),
+ "URI should still be secure given original origin attributes"
+ );
+ }
+
+ // Remove originAttributes1 from the storage.
+ sss.resetState(uri, originAttributes1);
+ ok(
+ !sss.isSecureURI(uri, originAttributes1),
+ "URI should not be secure after removeState"
+ );
+
+ sss.clearAll();
+}
+
+function testInvalidOriginAttributes(originAttributes) {
+ let header = GOOD_MAX_AGE;
+
+ let callbacks = [
+ () => sss.processHeader(uri, header, originAttributes),
+ () => sss.isSecureURI(uri, originAttributes),
+ () => sss.resetState(uri, originAttributes),
+ ];
+
+ for (let callback of callbacks) {
+ throws(
+ callback,
+ /NS_ERROR_ILLEGAL_VALUE/,
+ "Should get an error with invalid origin attributes"
+ );
+ }
+}
+
+function run_test() {
+ sss.clearAll();
+
+ let originAttributesList = [];
+ for (let userContextId of [0, 1, 2]) {
+ for (let firstPartyDomain of ["", "foo.com", "bar.com"]) {
+ originAttributesList.push({ userContextId, firstPartyDomain });
+ }
+ }
+ for (let attrs1 of originAttributesList) {
+ for (let attrs2 of originAttributesList) {
+ // SSS storage is not isolated by userContext
+ doTest(
+ attrs1,
+ attrs2,
+ attrs1.firstPartyDomain == attrs2.firstPartyDomain
+ );
+ }
+ }
+
+ testInvalidOriginAttributes(undefined);
+ testInvalidOriginAttributes(null);
+ testInvalidOriginAttributes(1);
+ testInvalidOriginAttributes("foo");
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_readstate.js b/security/manager/ssl/tests/unit/test_sss_readstate.js
new file mode 100644
index 0000000000..689df13495
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_readstate.js
@@ -0,0 +1,123 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to create a site security service state file
+// and see that the site security service reads it properly.
+
+var gSSService = null;
+
+function checkStateRead(aSubject, aTopic, aData) {
+ if (aData == CLIENT_AUTH_FILE_NAME) {
+ return;
+ }
+
+ equal(aData, SSS_STATE_FILE_NAME);
+
+ ok(
+ !gSSService.isSecureURI(Services.io.newURI("https://expired.example.com"))
+ );
+ ok(
+ gSSService.isSecureURI(Services.io.newURI("https://notexpired.example.com"))
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://includesubdomains.preloaded.test")
+ )
+ );
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://sub.includesubdomains.preloaded.test")
+ )
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://incsubdomain.example.com")
+ )
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://sub.incsubdomain.example.com")
+ )
+ );
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://includesubdomains2.preloaded.test")
+ )
+ );
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://sub.includesubdomains2.preloaded.test")
+ )
+ );
+
+ // Clearing the data should make everything go back to default.
+ gSSService.clearAll();
+ ok(
+ !gSSService.isSecureURI(Services.io.newURI("https://expired.example.com"))
+ );
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://notexpired.example.com")
+ )
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://includesubdomains.preloaded.test")
+ )
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://sub.includesubdomains.preloaded.test")
+ )
+ );
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://incsubdomain.example.com")
+ )
+ );
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://sub.incsubdomain.example.com")
+ )
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://includesubdomains2.preloaded.test")
+ )
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://sub.includesubdomains2.preloaded.test")
+ )
+ );
+ do_test_finished();
+}
+
+function run_test() {
+ let profileDir = do_get_profile();
+ let stateFile = profileDir.clone();
+ stateFile.append(SSS_STATE_FILE_NAME);
+ // Assuming we're working with a clean slate, the file shouldn't exist
+ // until we create it.
+ ok(!stateFile.exists());
+ let outputStream = FileUtils.openFileOutputStream(stateFile);
+ let now = Date.now();
+ let lines = [
+ `expired.example.com:HSTS\t0\t0\t${now - 100000},1,0`,
+ `notexpired.example.com:HSTS\t0\t0\t${now + 100000},1,0`,
+ // This overrides an entry on the preload list.
+ `includesubdomains.preloaded.test:HSTS\t0\t0\t${now + 100000},1,0`,
+ `incsubdomain.example.com:HSTS\t0\t0\t${now + 100000},1,1`,
+ // This overrides an entry on the preload list.
+ "includesubdomains2.preloaded.test:HSTS\t0\t0\t0,2,0",
+ ];
+ writeLinesAndClose(lines, outputStream);
+ Services.obs.addObserver(checkStateRead, "data-storage-ready");
+ do_test_pending();
+ gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ notEqual(gSSService, null);
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_readstate_empty.js b/security/manager/ssl/tests/unit/test_sss_readstate_empty.js
new file mode 100644
index 0000000000..83d96f5245
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_empty.js
@@ -0,0 +1,50 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to create an empty site security service state
+// file and see that the site security service doesn't fail when reading it.
+
+var gSSService = null;
+
+function checkStateRead(aSubject, aTopic, aData) {
+ // nonexistent.example.com should never be an HSTS host
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://nonexistent.example.com")
+ )
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://includesubdomains.preloaded.test")
+ )
+ );
+ // notexpired.example.com is an HSTS host in a different test - we
+ // want to make sure that test hasn't interfered with this one.
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://notexpired.example.com")
+ )
+ );
+ do_test_finished();
+}
+
+function run_test() {
+ let profileDir = do_get_profile();
+ let stateFile = profileDir.clone();
+ stateFile.append(SSS_STATE_FILE_NAME);
+ // Assuming we're working with a clean slate, the file shouldn't exist
+ // until we create it.
+ ok(!stateFile.exists());
+ stateFile.create(Ci.nsIFile.NORMAL_FILE_TYPE, 0x1a4); // 0x1a4 == 0o644
+ ok(stateFile.exists());
+ // Initialize nsISiteSecurityService after do_get_profile() so it
+ // can read the state file.
+ Services.obs.addObserver(checkStateRead, "data-storage-ready");
+ do_test_pending();
+ gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ notEqual(gSSService, null);
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js b/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js
new file mode 100644
index 0000000000..00c79756d9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js
@@ -0,0 +1,95 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to create a mostly bogus site security service
+// state file and see that the site security service handles it properly.
+
+var gSSService = null;
+
+function checkStateRead(aSubject, aTopic, aData) {
+ if (aData == CLIENT_AUTH_FILE_NAME) {
+ return;
+ }
+
+ equal(aData, SSS_STATE_FILE_NAME);
+
+ const HSTS_HOSTS = [
+ "https://example1.example.com",
+ "https://example2.example.com",
+ ];
+ for (let host of HSTS_HOSTS) {
+ ok(
+ gSSService.isSecureURI(Services.io.newURI(host)),
+ `${host} should be HSTS enabled`
+ );
+ }
+
+ const NOT_HSTS_HOSTS = [
+ "https://example.com",
+ "https://example3.example.com",
+ "https://extra.comma.example.com",
+ "https://empty.statestring.example.com",
+ "https://rubbish.statestring.example.com",
+ "https://spaces.statestring.example.com",
+ "https://invalid.expirytime.example.com",
+ "https://text.securitypropertystate.example.com",
+ "https://invalid.securitypropertystate.example.com",
+ "https://text.includesubdomains.example.com",
+ "https://invalid.includesubdomains.example.com",
+ ];
+ for (let host of NOT_HSTS_HOSTS) {
+ ok(
+ !gSSService.isSecureURI(Services.io.newURI(host)),
+ `${host} should not be HSTS enabled`
+ );
+ }
+
+ do_test_finished();
+}
+
+function run_test() {
+ Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
+ let profileDir = do_get_profile();
+ let stateFile = profileDir.clone();
+ stateFile.append(SSS_STATE_FILE_NAME);
+ // Assuming we're working with a clean slate, the file shouldn't exist
+ // until we create it.
+ ok(!stateFile.exists());
+ let outputStream = FileUtils.openFileOutputStream(stateFile);
+ let expiryTime = Date.now() + 100000;
+ let lines = [
+ // General state file entry tests.
+ `example1.example.com:HSTS\t0\t0\t${expiryTime},1,0`,
+ "I'm a lumberjack and I'm okay; I work all night and I sleep all day!",
+ "This is a totally bogus entry\t",
+ "0\t0\t0\t0\t",
+ "\t\t\t\t\t\t\t",
+ "example.com:HSTS\t\t\t\t\t\t\t",
+ "example3.example.com:HSTS\t0\t\t\t\t\t\t",
+ `example2.example.com:HSTS\t0\t0\t${expiryTime},1,0`,
+ // HSTS state string parsing tests
+ `extra.comma.example.com:HSTS\t0\t0\t${expiryTime},,1,0`,
+ "empty.statestring.example.com:HSTS\t0\t0\t",
+ "rubbish.statestring.example.com:HSTS\t0\t0\tfoobar",
+ `spaces.statestring.example.com:HSTS\t0\t0\t${expiryTime}, 1,0 `,
+ `invalid.expirytime.example.com:HSTS\t0\t0\t${expiryTime}foo123,1,0`,
+ `text.securitypropertystate.example.com:HSTS\t0\t0\t${expiryTime},1foo,0`,
+ `invalid.securitypropertystate.example.com:HSTS\t0\t0\t${expiryTime},999,0`,
+ `text.includesubdomains.example.com:HSTS\t0\t0\t${expiryTime},1,1foo`,
+ `invalid.includesubdomains.example.com:HSTS\t0\t0\t${expiryTime},1,0foo`,
+ ];
+ writeLinesAndClose(lines, outputStream);
+ Services.obs.addObserver(checkStateRead, "data-storage-ready");
+ do_test_pending();
+ gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ notEqual(gSSService, null);
+
+ Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
+ registerCleanupFunction(() => {
+ Services.prefs.clearUserPref("security.cert_pinning.enforcement_level");
+ });
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_readstate_huge.js b/security/manager/ssl/tests/unit/test_sss_readstate_huge.js
new file mode 100644
index 0000000000..079fd598b4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_huge.js
@@ -0,0 +1,80 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to create a site security service state file
+// that is too large and see that the site security service reads it properly
+// (this means discarding all entries after the 1024th).
+
+var gSSService = null;
+
+function checkStateRead(aSubject, aTopic, aData) {
+ if (aData == CLIENT_AUTH_FILE_NAME) {
+ return;
+ }
+
+ equal(aData, SSS_STATE_FILE_NAME);
+
+ ok(
+ gSSService.isSecureURI(Services.io.newURI("https://example0.example.com"))
+ );
+ ok(
+ gSSService.isSecureURI(Services.io.newURI("https://example423.example.com"))
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://example1023.example.com")
+ )
+ );
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://example1024.example.com")
+ )
+ );
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://example1025.example.com")
+ )
+ );
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://example9000.example.com")
+ )
+ );
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://example99999.example.com")
+ )
+ );
+ do_test_finished();
+}
+
+function run_test() {
+ let profileDir = do_get_profile();
+ let stateFile = profileDir.clone();
+ stateFile.append(SSS_STATE_FILE_NAME);
+ // Assuming we're working with a clean slate, the file shouldn't exist
+ // until we create it.
+ ok(!stateFile.exists());
+ let outputStream = FileUtils.openFileOutputStream(stateFile);
+ let expiryTime = Date.now() + 100000;
+ let lines = [];
+ for (let i = 0; i < 10000; i++) {
+ // The 0s will all get squashed down into one 0 when they are read.
+ // This is just to make the file size large (>2MB).
+ lines.push(
+ `example${i}.example.com:HSTS\t` +
+ "0000000000000000000000000000000000000000000000000\t" +
+ "00000000000000000000000000000000000000\t" +
+ `${expiryTime},1,0000000000000000000000000000000000000000000000000000000000000000000000000`
+ );
+ }
+ writeLinesAndClose(lines, outputStream);
+ Services.obs.addObserver(checkStateRead, "data-storage-ready");
+ do_test_pending();
+ gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ notEqual(gSSService, null);
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_resetState.js b/security/manager/ssl/tests/unit/test_sss_resetState.js
new file mode 100644
index 0000000000..4a667c05f0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_resetState.js
@@ -0,0 +1,62 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that resetting HSTS state in the way the "forget about this site"
+// functionality does works as expected for preloaded and non-preloaded sites.
+
+do_get_profile();
+
+var gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+);
+
+function test_removeState(originAttributes) {
+ info(`running test_removeState(originAttributes=${originAttributes})`);
+ // Simulate visiting a non-preloaded site by processing an HSTS header check
+ // that the HSTS bit gets set, simulate "forget about this site" (call
+ // removeState), and then check that the HSTS bit isn't set.
+ let notPreloadedURI = Services.io.newURI("https://not-preloaded.example.com");
+ ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));
+ gSSService.processHeader(notPreloadedURI, "max-age=1000;", originAttributes);
+ ok(gSSService.isSecureURI(notPreloadedURI, originAttributes));
+ gSSService.resetState(notPreloadedURI, originAttributes);
+ ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));
+
+ // Simulate visiting a non-preloaded site that unsets HSTS by processing
+ // an HSTS header with "max-age=0", check that the HSTS bit isn't
+ // set, simulate "forget about this site" (call removeState), and then check
+ // that the HSTS bit isn't set.
+ gSSService.processHeader(notPreloadedURI, "max-age=0;", originAttributes);
+ ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));
+ gSSService.resetState(notPreloadedURI, originAttributes);
+ ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));
+
+ // Simulate visiting a preloaded site by processing an HSTS header, check
+ // that the HSTS bit is still set, simulate "forget about this site"
+ // (call removeState), and then check that the HSTS bit is still set.
+ let preloadedHost = "includesubdomains.preloaded.test";
+ let preloadedURI = Services.io.newURI(`https://${preloadedHost}`);
+ ok(gSSService.isSecureURI(preloadedURI, originAttributes));
+ gSSService.processHeader(preloadedURI, "max-age=1000;", originAttributes);
+ ok(gSSService.isSecureURI(preloadedURI, originAttributes));
+ gSSService.resetState(preloadedURI, originAttributes);
+ ok(gSSService.isSecureURI(preloadedURI, originAttributes));
+
+ // Simulate visiting a preloaded site that unsets HSTS by processing an
+ // HSTS header with "max-age=0", check that the HSTS bit is what we
+ // expect (see below), simulate "forget about this site" (call removeState),
+ // and then check that the HSTS bit is set.
+ gSSService.processHeader(preloadedURI, "max-age=0;", originAttributes);
+ ok(!gSSService.isSecureURI(preloadedURI, originAttributes));
+ gSSService.resetState(preloadedURI, originAttributes);
+ ok(gSSService.isSecureURI(preloadedURI, originAttributes));
+}
+
+function run_test() {
+ test_removeState({});
+ test_removeState({ privateBrowsingId: 1 });
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_sanitizeOnShutdown.js b/security/manager/ssl/tests/unit/test_sss_sanitizeOnShutdown.js
new file mode 100644
index 0000000000..1c4d7d3ddc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_sanitizeOnShutdown.js
@@ -0,0 +1,69 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to ensure that Firefox sanitizes site security
+// service data on shutdown if configured to do so.
+
+ChromeUtils.defineESModuleGetters(this, {
+ TestUtils: "resource://testing-common/TestUtils.sys.mjs",
+});
+
+XPCOMUtils.defineLazyModuleGetters(this, {
+ Sanitizer: "resource:///modules/Sanitizer.jsm",
+});
+
+Sanitizer.onStartup();
+
+// This helps us away from test timed out. If service worker manager(swm) hasn't
+// been initilaized before profile-change-teardown, this test would fail due to
+// the shutdown blocker added by swm. Normally, swm should be initialized before
+// that and the similar crash signatures are fixed. So, assume this cannot
+// happen in the real world and initilaize swm here as a workaround.
+Cc["@mozilla.org/serviceworkers/manager;1"].getService(
+ Ci.nsIServiceWorkerManager
+);
+
+function getStateFileContents() {
+ let stateFile = do_get_profile();
+ stateFile.append(SSS_STATE_FILE_NAME);
+ ok(stateFile.exists());
+ return readFile(stateFile);
+}
+
+add_task(async function run_test() {
+ Services.prefs.setIntPref("test.datastorage.write_timer_ms", 100);
+ do_get_profile();
+ let SSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ let header = "max-age=50000";
+ SSService.processHeader(Services.io.newURI("http://example.com"), header);
+ await TestUtils.topicObserved(
+ "data-storage-written",
+ (_, data) => data == SSS_STATE_FILE_NAME
+ );
+ let stateFileContents = getStateFileContents();
+ ok(
+ stateFileContents.includes("example.com"),
+ "should have written out state file"
+ );
+
+ // Configure Firefox to clear this data on shutdown.
+ Services.prefs.setBoolPref(
+ Sanitizer.PREF_SHUTDOWN_BRANCH + "siteSettings",
+ true
+ );
+ Services.prefs.setBoolPref(Sanitizer.PREF_SANITIZE_ON_SHUTDOWN, true);
+
+ // Simulate shutdown.
+ Services.startup.advanceShutdownPhase(
+ Services.startup.SHUTDOWN_PHASE_APPSHUTDOWNTEARDOWN
+ );
+ Services.startup.advanceShutdownPhase(
+ Services.startup.SHUTDOWN_PHASE_APPSHUTDOWN
+ );
+
+ equal(getStateFileContents(), "", "state file should be empty");
+});
diff --git a/security/manager/ssl/tests/unit/test_sss_savestate.js b/security/manager/ssl/tests/unit/test_sss_savestate.js
new file mode 100644
index 0000000000..0e82abf2e3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_savestate.js
@@ -0,0 +1,126 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to see that the site security service properly
+// writes its state file.
+
+const EXPECTED_ENTRIES = 5;
+const EXPECTED_HSTS_COLUMNS = 3;
+
+var gProfileDir = null;
+var gExpectingWrites = true;
+
+// For reference, the format of the state file is a list of:
+// <domain name> <expiration time in milliseconds>,<sts status>,<includeSubdomains>
+// separated by newlines ('\n')
+
+function checkStateWritten(aSubject, aTopic, aData) {
+ if (aData == CLIENT_AUTH_FILE_NAME) {
+ return;
+ }
+
+ equal(aData, SSS_STATE_FILE_NAME);
+ ok(gExpectingWrites);
+
+ let stateFile = gProfileDir.clone();
+ stateFile.append(SSS_STATE_FILE_NAME);
+ ok(stateFile.exists());
+ let stateFileContents = readFile(stateFile);
+ // the last line is removed because it's just a trailing newline
+ let lines = stateFileContents.split("\n").slice(0, -1);
+ equal(lines.length, EXPECTED_ENTRIES);
+ let sites = {}; // a map of domain name -> [the entry in the state file]
+ for (let line of lines) {
+ let parts = line.split("\t");
+ let host = parts[0];
+ let entry = parts[3].split(",");
+ let expectedColumns = EXPECTED_HSTS_COLUMNS;
+ equal(entry.length, expectedColumns);
+ sites[host] = entry;
+ }
+
+ // While we're still processing headers, multiple writes of the backing data
+ // can be scheduled, and thus we can receive multiple data-storage-written
+ // notifications. In these cases, the data may not be as we expect. We only
+ // care about the final one being correct, however, so we return and wait for
+ // the next event if things aren't as we expect.
+ // each sites[url][1] should be SecurityPropertySet (i.e. 1).
+ // sites[url][2] corresponds to includeSubdomains, so every other one should
+ // be set (i.e. 1);
+ if (sites["includesubdomains.preloaded.test:HSTS"][1] != 1) {
+ return;
+ }
+ if (sites["includesubdomains.preloaded.test:HSTS"][2] != 0) {
+ return;
+ }
+ if (sites["a.example.com:HSTS"][1] != 1) {
+ return;
+ }
+ if (sites["a.example.com:HSTS"][2] != 1) {
+ return;
+ }
+ if (sites["b.example.com:HSTS"][1] != 1) {
+ return;
+ }
+ if (sites["b.example.com:HSTS"][2] != 0) {
+ return;
+ }
+ if (sites["c.c.example.com:HSTS"][1] != 1) {
+ return;
+ }
+ if (sites["c.c.example.com:HSTS"][2] != 1) {
+ return;
+ }
+ if (sites["d.example.com:HSTS"][1] != 1) {
+ return;
+ }
+ if (sites["d.example.com:HSTS"][2] != 0) {
+ return;
+ }
+
+ // If we get here, the file was as expected and we no longer expect any
+ // data-storage-written notifications.
+ gExpectingWrites = false;
+
+ // Process the headers again to test that seeing them again after such a
+ // short delay doesn't cause another write.
+ process_headers();
+
+ // Wait a bit before finishing the test, to see if another write happens.
+ do_timeout(2000, function() {
+ do_test_finished();
+ });
+}
+
+function process_headers() {
+ let SSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+
+ let uris = [
+ Services.io.newURI("http://includesubdomains.preloaded.test"),
+ Services.io.newURI("http://a.example.com"),
+ Services.io.newURI("http://b.example.com"),
+ Services.io.newURI("http://c.c.example.com"),
+ Services.io.newURI("http://d.example.com"),
+ ];
+
+ for (let i = 0; i < 1000; i++) {
+ let uriIndex = i % uris.length;
+ // vary max-age, but have it be within one day of one year
+ let maxAge = "max-age=" + (i + 31536000);
+ // have every other URI set includeSubdomains
+ let includeSubdomains = uriIndex % 2 == 1 ? "; includeSubdomains" : "";
+ SSService.processHeader(uris[uriIndex], maxAge + includeSubdomains);
+ }
+}
+
+function run_test() {
+ Services.prefs.setIntPref("test.datastorage.write_timer_ms", 100);
+ gProfileDir = do_get_profile();
+ process_headers();
+ do_test_pending();
+ Services.obs.addObserver(checkStateWritten, "data-storage-written");
+}
diff --git a/security/manager/ssl/tests/unit/test_sts_fqdn.js b/security/manager/ssl/tests/unit/test_sts_fqdn.js
new file mode 100644
index 0000000000..3c136a9d99
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sts_fqdn.js
@@ -0,0 +1,40 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+"use strict";
+
+function run_test() {
+ let SSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ let uri = Services.io.newURI("https://example.com");
+ let uri1 = Services.io.newURI("https://example.com.");
+ let uri2 = Services.io.newURI("https://example.com..");
+ ok(!SSService.isSecureURI(uri));
+ ok(!SSService.isSecureURI(uri1));
+ // These cases are only relevant as long as bug 1118522 hasn't been fixed.
+ ok(!SSService.isSecureURI(uri2));
+
+ SSService.processHeader(uri, "max-age=1000;includeSubdomains");
+ ok(SSService.isSecureURI(uri));
+ ok(SSService.isSecureURI(uri1));
+ ok(SSService.isSecureURI(uri2));
+
+ SSService.resetState(uri);
+ ok(!SSService.isSecureURI(uri));
+ ok(!SSService.isSecureURI(uri1));
+ ok(!SSService.isSecureURI(uri2));
+
+ // Somehow creating this malformed URI succeeds - we need to handle it
+ // gracefully.
+ uri = Services.io.newURI("https://../foo");
+ equal(uri.host, "..");
+ throws(
+ () => {
+ SSService.isSecureURI(uri);
+ },
+ /NS_ERROR_UNEXPECTED/,
+ "Malformed URI should be rejected"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js b/security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js
new file mode 100644
index 0000000000..4ffac59356
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js
@@ -0,0 +1,55 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+function check_ip(s, v, ip) {
+ let str = "https://";
+ if (v == 6) {
+ str += "[";
+ }
+ str += ip;
+ if (v == 6) {
+ str += "]";
+ }
+ str += "/";
+
+ let uri = Services.io.newURI(str);
+ ok(!s.isSecureURI(uri));
+
+ let parsedMaxAge = {};
+ let parsedIncludeSubdomains = {};
+ s.processHeader(
+ uri,
+ "max-age=1000;includeSubdomains",
+ {},
+ parsedMaxAge,
+ parsedIncludeSubdomains
+ );
+ ok(
+ !s.isSecureURI(uri),
+ "URI should not be secure if it contains an IP address"
+ );
+
+ /* Test that processHeader will ignore headers for an uri, if the uri
+ * contains an IP address not a hostname.
+ * If processHeader indeed ignore the header, then the output parameters will
+ * remain empty, and we shouldn't see the values passed as the header.
+ */
+ notEqual(parsedMaxAge.value, 1000);
+ notEqual(parsedIncludeSubdomains.value, true);
+ notEqual(parsedMaxAge.value, undefined);
+ notEqual(parsedIncludeSubdomains.value, undefined);
+}
+
+function run_test() {
+ let SSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+
+ check_ip(SSService, 4, "127.0.0.1");
+ check_ip(SSService, 4, "10.0.0.1");
+ check_ip(SSService, 6, "2001:db8::1");
+ check_ip(SSService, 6, "1080::8:800:200C:417A");
+}
diff --git a/security/manager/ssl/tests/unit/test_sts_parser.js b/security/manager/ssl/tests/unit/test_sts_parser.js
new file mode 100644
index 0000000000..4d689fede5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sts_parser.js
@@ -0,0 +1,123 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+ * vim: sw=2 ts=2 sts=2
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+// STS parser tests
+
+let sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService);
+
+function testSuccess(header, expectedMaxAge, expectedIncludeSubdomains) {
+ let dummyUri = Services.io.newURI("https://foo.com/bar.html");
+ let maxAge = {};
+ let includeSubdomains = {};
+
+ sss.processHeader(dummyUri, header, {}, maxAge, includeSubdomains);
+
+ equal(maxAge.value, expectedMaxAge, "Did not correctly parse maxAge");
+ equal(
+ includeSubdomains.value,
+ expectedIncludeSubdomains,
+ "Did not correctly parse presence/absence of includeSubdomains"
+ );
+}
+
+function testFailure(header) {
+ let dummyUri = Services.io.newURI("https://foo.com/bar.html");
+ let maxAge = {};
+ let includeSubdomains = {};
+
+ throws(
+ () => {
+ sss.processHeader(dummyUri, header, {}, maxAge, includeSubdomains);
+ },
+ /NS_ERROR_FAILURE/,
+ "Parsed invalid header: " + header
+ );
+}
+
+function run_test() {
+ // SHOULD SUCCEED:
+ testSuccess("max-age=100", 100, false);
+ testSuccess("max-age =100", 100, false);
+ testSuccess(" max-age=100", 100, false);
+ testSuccess("max-age = 100 ", 100, false);
+ testSuccess('max-age = "100" ', 100, false);
+ testSuccess('max-age="100"', 100, false);
+ testSuccess(' max-age ="100" ', 100, false);
+ testSuccess('\tmax-age\t=\t"100"\t', 100, false);
+ testSuccess("max-age = 100 ", 100, false);
+
+ testSuccess("maX-aGe=100", 100, false);
+ testSuccess("MAX-age =100", 100, false);
+ testSuccess("max-AGE=100", 100, false);
+ testSuccess("Max-Age = 100 ", 100, false);
+ testSuccess("MAX-AGE = 100 ", 100, false);
+
+ testSuccess("max-age=100;includeSubdomains", 100, true);
+ testSuccess("max-age=100\t; includeSubdomains", 100, true);
+ testSuccess(" max-age=100; includeSubdomains", 100, true);
+ testSuccess("max-age = 100 ; includeSubdomains", 100, true);
+ testSuccess(
+ "max-age = 100 ; includeSubdomains",
+ 100,
+ true
+ );
+
+ testSuccess("maX-aGe=100; includeSUBDOMAINS", 100, true);
+ testSuccess("MAX-age =100; includeSubDomains", 100, true);
+ testSuccess("max-AGE=100; iNcLuDeSuBdoMaInS", 100, true);
+ testSuccess("Max-Age = 100; includesubdomains ", 100, true);
+ testSuccess("INCLUDESUBDOMAINS;MaX-AgE = 100 ", 100, true);
+ // Turns out, the actual directive is entirely optional (hence the
+ // trailing semicolon)
+ testSuccess("max-age=100;includeSubdomains;", 100, true);
+
+ // these are weird tests, but are testing that some extended syntax is
+ // still allowed (but it is ignored)
+ testSuccess("max-age=100 ; includesubdomainsSomeStuff", 100, false);
+ testSuccess(
+ "\r\n\t\t \tcompletelyUnrelated = foobar; max-age= 34520103" +
+ "\t \t; alsoUnrelated;asIsThis;\tincludeSubdomains\t\t \t",
+ 34520103,
+ true
+ );
+ testSuccess('max-age=100; unrelated="quoted \\"thingy\\""', 100, false);
+
+ // SHOULD FAIL:
+ // invalid max-ages
+ testFailure("max-age");
+ testFailure("max-age ");
+ testFailure("max-age=p");
+ testFailure("max-age=*1p2");
+ testFailure("max-age=.20032");
+ testFailure("max-age=!20032");
+ testFailure("max-age==20032");
+
+ // invalid headers
+ testFailure("foobar");
+ testFailure("maxage=100");
+ testFailure("maxa-ge=100");
+ testFailure("max-ag=100");
+ testFailure("includesubdomains");
+ testFailure(";");
+ testFailure('max-age="100');
+ // The max-age directive here doesn't conform to the spec, so it MUST
+ // be ignored. Consequently, the REQUIRED max-age directive is not
+ // present in this header, and so it is invalid.
+ testFailure("max-age=100, max-age=200; includeSubdomains");
+ testFailure("max-age=100 includesubdomains");
+ testFailure("max-age=100 bar foo");
+ testFailure("max-age=100randomstuffhere");
+ // All directives MUST appear only once in an STS header field.
+ testFailure("max-age=100; max-age=200");
+ testFailure("includeSubdomains; max-age=200; includeSubdomains");
+ testFailure("max-age=200; includeSubdomains; includeSubdomains");
+ // The includeSubdomains directive is valueless.
+ testFailure("max-age=100; includeSubdomains=unexpected");
+ // LWS must have at least one space or horizontal tab
+ testFailure("\r\nmax-age=200");
+}
diff --git a/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js b/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js
new file mode 100644
index 0000000000..f52605059f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js
@@ -0,0 +1,266 @@
+"use strict";
+
+var gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+);
+
+function Observer() {}
+Observer.prototype = {
+ observe(subject, topic, data) {
+ if (topic == "last-pb-context-exited") {
+ run_next_test();
+ }
+ },
+};
+
+var gObserver = new Observer();
+
+function cleanup() {
+ Services.obs.removeObserver(gObserver, "last-pb-context-exited");
+ gSSService.clearAll();
+}
+
+function run_test() {
+ do_get_profile();
+
+ registerCleanupFunction(cleanup);
+ Services.obs.addObserver(gObserver, "last-pb-context-exited");
+
+ add_test(test_part1);
+ add_test(test_private_browsing1);
+ add_test(test_private_browsing2);
+
+ run_next_test();
+}
+
+function test_part1() {
+ // check that a host not in the list is not identified as an sts host
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://nonexistent.example.com")
+ )
+ );
+
+ // check that an ancestor domain is not identified as an sts host
+ ok(!gSSService.isSecureURI(Services.io.newURI("https://com")));
+
+ // check that the pref to toggle using the preload list works
+ Services.prefs.setBoolPref(
+ "network.stricttransportsecurity.preloadlist",
+ false
+ );
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://includesubdomains.preloaded.test")
+ )
+ );
+ Services.prefs.setBoolPref(
+ "network.stricttransportsecurity.preloadlist",
+ true
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://includesubdomains.preloaded.test")
+ )
+ );
+
+ // check that a subdomain is an sts host (includeSubdomains is set)
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://subdomain.includesubdomains.preloaded.test")
+ )
+ );
+
+ // check that another subdomain is an sts host (includeSubdomains is set)
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://a.b.c.def.includesubdomains.preloaded.test")
+ )
+ );
+
+ // check that a subdomain is not an sts host (includeSubdomains is not set)
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://subdomain.noincludesubdomains.preloaded.test")
+ )
+ );
+
+ // check that a host with a dot on the end won't break anything
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://notsts.nonexistent.example.com.")
+ )
+ );
+
+ // check that processing a header with max-age: 0 will remove a preloaded
+ // site from the list
+ let uri = Services.io.newURI("https://includesubdomains.preloaded.test");
+ let subDomainUri = Services.io.newURI(
+ "https://subdomain.includesubdomains.preloaded.test"
+ );
+ gSSService.processHeader(uri, "max-age=0");
+ ok(!gSSService.isSecureURI(uri));
+ ok(!gSSService.isSecureURI(subDomainUri));
+ // check that processing another header (with max-age non-zero) will
+ // re-enable a site's sts status
+ gSSService.processHeader(uri, "max-age=1000");
+ ok(gSSService.isSecureURI(uri));
+ // but this time include subdomains was not set, so test for that
+ ok(!gSSService.isSecureURI(subDomainUri));
+ gSSService.clearAll();
+
+ // check that processing a header with max-age: 0 from a subdomain of a site
+ // will not remove that (ancestor) site from the list
+ uri = Services.io.newURI(
+ "https://subdomain.noincludesubdomains.preloaded.test"
+ );
+ gSSService.processHeader(uri, "max-age=0");
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://noincludesubdomains.preloaded.test")
+ )
+ );
+ ok(!gSSService.isSecureURI(uri));
+
+ uri = Services.io.newURI(
+ "https://subdomain.includesubdomains.preloaded.test"
+ );
+ gSSService.processHeader(uri, "max-age=0");
+ // we received a header with "max-age=0", so we have "no information"
+ // regarding the sts state of subdomain.includesubdomains.preloaded.test specifically,
+ // but it is actually still an STS host, because of the preloaded
+ // includesubdomains.preloaded.test including subdomains.
+ // Here's a drawing:
+ // |-- includesubdomains.preloaded.test (in preload list, includes subdomains) IS sts host
+ // |-- subdomain.includesubdomains.preloaded.test IS sts host
+ // | `-- another.subdomain.includesubdomains.preloaded.test IS sts host
+ // `-- sibling.includesubdomains.preloaded.test IS sts host
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://includesubdomains.preloaded.test")
+ )
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://subdomain.includesubdomains.preloaded.test")
+ )
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://sibling.includesubdomains.preloaded.test")
+ )
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI(
+ "https://another.subdomain.includesubdomains.preloaded.test"
+ )
+ )
+ );
+
+ gSSService.processHeader(uri, "max-age=1000");
+ // Here's what we have now:
+ // |-- includesubdomains.preloaded.test (in preload list, includes subdomains) IS sts host
+ // |-- subdomain.includesubdomains.preloaded.test (include subdomains is false) IS sts host
+ // | `-- another.subdomain.includesubdomains.preloaded.test IS NOT sts host
+ // `-- sibling.includesubdomains.preloaded.test IS sts host
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://subdomain.includesubdomains.preloaded.test")
+ )
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://sibling.includesubdomains.preloaded.test")
+ )
+ );
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI(
+ "https://another.subdomain.includesubdomains.preloaded.test"
+ )
+ )
+ );
+
+ // Test that an expired non-private browsing entry results in correctly
+ // identifying a host that is on the preload list as no longer sts.
+ // (This happens when we're in regular browsing mode, we get a header from
+ // a site on the preload list, and that header later expires. We need to
+ // then treat that host as no longer an sts host.)
+ // (sanity check first - this should be in the preload list)
+ uri = Services.io.newURI("https://includesubdomains2.preloaded.test");
+ ok(gSSService.isSecureURI(uri));
+ gSSService.processHeader(uri, "max-age=1");
+ do_timeout(1250, function() {
+ ok(!gSSService.isSecureURI(uri));
+ run_next_test();
+ });
+}
+
+const PRIVATE_ORIGIN_ATTRIBUTES = { privateBrowsingId: 1 };
+
+function test_private_browsing1() {
+ gSSService.clearAll();
+ let uri = Services.io.newURI("https://includesubdomains.preloaded.test");
+ let subDomainUri = Services.io.newURI(
+ "https://a.b.c.subdomain.includesubdomains.preloaded.test"
+ );
+ // sanity - includesubdomains.preloaded.test is preloaded, includeSubdomains set
+ ok(gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES));
+ ok(gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES));
+
+ gSSService.processHeader(uri, "max-age=0", PRIVATE_ORIGIN_ATTRIBUTES);
+ ok(!gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES));
+ ok(!gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES));
+
+ // check adding it back in
+ gSSService.processHeader(uri, "max-age=1000", PRIVATE_ORIGIN_ATTRIBUTES);
+ ok(gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES));
+ // but no includeSubdomains this time
+ ok(!gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES));
+
+ // do the hokey-pokey...
+ gSSService.processHeader(uri, "max-age=0", PRIVATE_ORIGIN_ATTRIBUTES);
+ ok(!gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES));
+ ok(!gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES));
+
+ // Test that an expired private browsing entry results in correctly
+ // identifying a host that is on the preload list as no longer sts.
+ // (This happens when we're in private browsing mode, we get a header from
+ // a site on the preload list, and that header later expires. We need to
+ // then treat that host as no longer an sts host.)
+ // (sanity check first - this should be in the preload list)
+ uri = Services.io.newURI("https://includesubdomains2.preloaded.test");
+ ok(gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES));
+ gSSService.processHeader(uri, "max-age=1", PRIVATE_ORIGIN_ATTRIBUTES);
+ do_timeout(1250, function() {
+ ok(!gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES));
+ // Simulate leaving private browsing mode
+ Services.obs.notifyObservers(null, "last-pb-context-exited");
+ });
+}
+
+function test_private_browsing2() {
+ // if this test gets this far, it means there's a private browsing service
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://includesubdomains.preloaded.test")
+ )
+ );
+ // the includesubdomains.preloaded.test entry has includeSubdomains set
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://subdomain.includesubdomains.preloaded.test")
+ )
+ );
+
+ // Now that we're out of private browsing mode, we need to make sure
+ // we've "forgotten" that we "forgot" this site's sts status.
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://includesubdomains2.preloaded.test")
+ )
+ );
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js b/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js
new file mode 100644
index 0000000000..334fbf8a7b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js
@@ -0,0 +1,22 @@
+"use strict";
+
+function run_test() {
+ let SSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ let uri = Services.io.newURI("https://includesubdomains.preloaded.test");
+
+ // check that a host on the preload list is identified as an sts host
+ ok(SSService.isSecureURI(uri));
+
+ // now simulate that it's 19 weeks later than it actually is
+ let offsetSeconds = 19 * 7 * 24 * 60 * 60;
+ Services.prefs.setIntPref("test.currentTimeOffsetSeconds", offsetSeconds);
+
+ // check that the preloaded host is no longer considered sts
+ ok(!SSService.isSecureURI(uri));
+
+ // just make sure we can get everything back to normal
+ Services.prefs.clearUserPref("test.currentTimeOffsetSeconds");
+ ok(SSService.isSecureURI(uri));
+}
diff --git a/security/manager/ssl/tests/unit/test_validity.js b/security/manager/ssl/tests/unit/test_validity.js
new file mode 100644
index 0000000000..ebdc66f9c5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity.js
@@ -0,0 +1,106 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that chains containing an end-entity cert with an overly long validity
+// period are rejected.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const SERVER_PORT = 8888;
+
+function getOCSPResponder(expectedCertNames) {
+ let expectedPaths = expectedCertNames.slice();
+ return startOCSPResponder(
+ SERVER_PORT,
+ "www.example.com",
+ "test_validity",
+ expectedCertNames,
+ expectedPaths
+ );
+}
+
+function certFromFile(filename) {
+ return constructCertFromFile(`test_validity/${filename}`);
+}
+
+function loadCert(certFilename, trustString) {
+ addCertFromFile(certDB, `test_validity/${certFilename}`, trustString);
+}
+
+/**
+ * Asynchronously runs a single EV test.
+ *
+ * @param {Array} expectedNamesForOCSP
+ * An array of nicknames of the certs to be responded to.
+ * @param {string} rootCertFileName
+ * The file name of the root cert. Can begin with ".." to reference
+ * certs in folders other than "test_validity/".
+ * @param {Array} intCertFileNames
+ * An array of file names of any intermediate certificates.
+ * @param {string} endEntityCertFileName
+ * The file name of the end entity cert.
+ * @param {boolean} expectedResult
+ * Whether the chain is expected to validate as EV.
+ */
+async function doEVTest(
+ expectedNamesForOCSP,
+ rootCertFileName,
+ intCertFileNames,
+ endEntityCertFileName,
+ expectedResult
+) {
+ clearOCSPCache();
+ let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
+
+ loadCert(`${rootCertFileName}.pem`, "CTu,CTu,CTu");
+ for (let intCertFileName of intCertFileNames) {
+ loadCert(`${intCertFileName}.pem`, ",,");
+ }
+ await checkEVStatus(
+ certDB,
+ certFromFile(`${endEntityCertFileName}.pem`),
+ certificateUsageSSLServer,
+ expectedResult
+ );
+
+ await stopOCSPResponder(ocspResponder);
+}
+
+async function checkEVChains() {
+ // Chain with an end entity cert with a validity period that is acceptable
+ // for EV.
+ const intFullName = "ev_int_60_months-evroot";
+ let eeFullName = `ev_ee_27_months-${intFullName}`;
+ let expectedNamesForOCSP = [eeFullName];
+ await doEVTest(
+ expectedNamesForOCSP,
+ "../test_ev_certs/evroot",
+ [intFullName],
+ eeFullName,
+ gEVExpected
+ );
+
+ // Chain with an end entity cert with a validity period that is too long
+ // for EV.
+ eeFullName = `ev_ee_28_months-${intFullName}`;
+ expectedNamesForOCSP = [eeFullName];
+ await doEVTest(
+ expectedNamesForOCSP,
+ "../test_ev_certs/evroot",
+ [intFullName],
+ eeFullName,
+ false
+ );
+}
+
+add_task(async function() {
+ Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+ await checkEVChains();
+});
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem
new file mode 100644
index 0000000000..cccff8d9eb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbTCCAlWgAwIBAgIUL3u0qxcophiFgaiJ2owryQeh3uwwDQYJKoZIhvcNAQEL
+BQAwIjEgMB4GA1UEAwwXZXZfaW50XzYwX21vbnRocy1ldnJvb3QwIhgPMjAyMTEx
+MTUxMjAwMDBaGA8yMDI0MDIxNjEyMDAwMFowMjEwMC4GA1UEAwwnZXZfZWVfMjdf
+bW9udGhzLWV2X2ludF82MF9tb250aHMtZXZyb290MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GGMIGDMGAGCCsG
+AQUFBwEBBFQwUjBQBggrBgEFBQcwAYZEaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4
+ODg4L2V2X2VlXzI3X21vbnRocy1ldl9pbnRfNjBfbW9udGhzLWV2cm9vdC8wHwYD
+VR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQELBQADggEB
+ABZH5/BLYkqjaKryxtGq1Yc6CbguhJUg4LfYfIT2ir/ehmvSOUAv0S8ZrLNmNmVn
+cDWDYehPoCuPlbuhgOpGM2+Oej+tWAA6k5SMZhOM0c/16x5Ljqc2ZtOL/JJwYV9z
+3YqW4TPWqdcARu7Ijf4cqonlZ+Uc398/wMiRlDQxOobtR+qN1QgyFri8Qnz22rBd
+JP+cRqjcyWAdhcHGT0c49dAk1fx7aO5zmithCJ6z+smrrruDms1aFb0kqi/TVkGv
+xYtvnkgdi09Pk6vXpX5JPwLBKPDawMBvZmlJSNfjCvDpoHhY6FCjyXFRQj6R7Uiq
+YP9z9sbvjS9D9lnYa3UjoGI=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec
new file mode 100644
index 0000000000..d2c7fa1275
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ev_int_60_months-evroot
+subject:ev_ee_27_months-ev_int_60_months-evroot
+validity:823
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_27_months-ev_int_60_months-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem
new file mode 100644
index 0000000000..5baed71ca9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbTCCAlWgAwIBAgIUZf3qHuuMLRALksijM8PX7b+F3DQwDQYJKoZIhvcNAQEL
+BQAwIjEgMB4GA1UEAwwXZXZfaW50XzYwX21vbnRocy1ldnJvb3QwIhgPMjAyMTEw
+MzEwMDAwMDBaGA8yMDI0MDMwMzAwMDAwMFowMjEwMC4GA1UEAwwnZXZfZWVfMjhf
+bW9udGhzLWV2X2ludF82MF9tb250aHMtZXZyb290MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GGMIGDMGAGCCsG
+AQUFBwEBBFQwUjBQBggrBgEFBQcwAYZEaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4
+ODg4L2V2X2VlXzI4X21vbnRocy1ldl9pbnRfNjBfbW9udGhzLWV2cm9vdC8wHwYD
+VR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQELBQADggEB
+AGG25tskpdAYzSwgXWQ8hC8Z44pkYGVHpu7LfszA4WPM+17I8iczxqHa9vANvEfh
+g95QEuBbXVkp+W1aXvgDcA0ZyKumBRMrFFMapOapsqYMCSbMMjMtIhUwvAiJgPav
+nmyap+Q5Ds0PY1d+MCT3PZQBTfk6zfusUTWhgQIaNZxXG7b6pxZ8AvUuZoxG9AWh
+GuysraUJbUyFRfiM+YybbyldVDouFzaqSYh2Z6+/5bwf96AksVeepPLitNYibmsg
+qBQsFje/90X6FU+GcD1PV91cC2j7hdENgSkmAJilBMBl5LclXMSH/lN5lTpyYll4
+YPNbYKy+3n64n0+PfW/JTus=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec
new file mode 100644
index 0000000000..2dcfb2e29c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ev_int_60_months-evroot
+subject:ev_ee_28_months-ev_int_60_months-evroot
+validity:854
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_28_months-ev_int_60_months-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key.keyspec b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem
new file mode 100644
index 0000000000..e46a1bed99
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVzCCAj+gAwIBAgIUEY63P4X1xogoyQ0ncUXjGGmc63YwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjAwNzAyMTIwMDAwWhgPMjAyNTA3
+MDExMjAwMDBaMCIxIDAeBgNVBAMMF2V2X2ludF82MF9tb250aHMtZXZyb290MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08
+E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc
+1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP
+DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ
+gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV
+YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID
+AQABo4GRMIGOMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMFAGCCsGAQUFBwEB
+BEQwQjBABggrBgEFBQcwAYY0aHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2V2
+X2ludF82MF9tb250aHMtZXZyb290LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUa
+hRoBg3QJATANBgkqhkiG9w0BAQsFAAOCAQEAKiVH+FgOqh/HTMCPjgftKQ8icRJF
++TysMrjJTCZ+whi1uMtXNHZmWtckAd8xEjor4qhO3K8gaZv3wm56t6FPZp9zWNO2
+QYbNeWwex6Dd9uIl0h2/uCTnUAjBGjPcNZngYMVh5NANQ1vRcnZ4CalBew9oPQwG
+EEd2uerN+ikXUTAQD4Z1MuSZSoRaWw6vAB5sooFWc8TqDfWdAVtv+R7pKezIV76f
+3Pas+Tci+CeUkwSRCTKPAy3aqygtaD4ZGq9d6n9pBoxEHg8iJs7iMUaJCy7HTYUj
+t1Xou5AMJwEHm2OA+J9/okPxI1acDjTIxgkvLkmAYT6ieQsOXw5lpd2WxA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem.certspec
new file mode 100644
index 0000000000..e169514ffa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem.certspec
@@ -0,0 +1,8 @@
+issuer:evroot
+subject:ev_int_60_months-evroot
+issuerKey:ev
+validity:1825
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/ev_int_60_months-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.key b/security/manager/ssl/tests/unit/test_validity/evroot.key
new file mode 100644
index 0000000000..1d88a930d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/evroot.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh
++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU
+dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H
+cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y
+1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t
+oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ
+5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB
+0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+
++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE
+vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9
+HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE
+MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V
+vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV
+7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH
+lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V
+jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv
+nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui
+p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ
+zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v
+4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA
+hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C
+pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV
+bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3
+mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j
+LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf
+UVFRDKpassHG6z7+kpXRbowlyRY=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.key.keyspec b/security/manager/ssl/tests/unit/test_validity/evroot.key.keyspec
new file mode 100644
index 0000000000..1a3d76a550
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/evroot.key.keyspec
@@ -0,0 +1 @@
+ev
diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.pem b/security/manager/ssl/tests/unit/test_validity/evroot.pem
new file mode 100644
index 0000000000..13c3031905
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/evroot.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx
+MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/
+EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN
+RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s
+33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd
+Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX
++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+
+5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo
+UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf
+cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY
+Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH
+z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH
+HmbOwao=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/evroot.pem.certspec
new file mode 100644
index 0000000000..3121f3486e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/evroot.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:evroot
+subjectKey:ev
+issuerKey:ev
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_x509.js b/security/manager/ssl/tests/unit/test_x509.js
new file mode 100644
index 0000000000..73eb4ed97a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_x509.js
@@ -0,0 +1,142 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+// Tests X509.jsm functionality.
+
+function stringToArray(s) {
+ let b = [];
+ for (let i = 0; i < s.length; i++) {
+ b.push(s.charCodeAt(i));
+ }
+ return b;
+}
+
+function readPEMToBytes(filename) {
+ return stringToArray(atob(pemToBase64(readFile(do_get_file(filename)))));
+}
+
+function run_test() {
+ let certificate = new X509.Certificate();
+ // We use this certificate because it has a set validity period, which means that when
+ // the test certificates get regenerated each year, the values in this test won't change.
+ certificate.parse(readPEMToBytes("bad_certs/expired-ee.pem"));
+
+ equal(
+ certificate.tbsCertificate.version,
+ 3,
+ "expired-ee.pem should be x509v3"
+ );
+
+ // serialNumber
+ deepEqual(
+ certificate.tbsCertificate.serialNumber,
+ [
+ 0x63,
+ 0xd1,
+ 0x11,
+ 0x00,
+ 0x82,
+ 0xa3,
+ 0xd2,
+ 0x3b,
+ 0x3f,
+ 0x61,
+ 0xb8,
+ 0x49,
+ 0xa0,
+ 0xca,
+ 0xdc,
+ 0x2e,
+ 0x78,
+ 0xfe,
+ 0xfa,
+ 0xea,
+ ],
+ "expired-ee.pem should have expected serialNumber"
+ );
+
+ deepEqual(
+ certificate.tbsCertificate.signature.algorithm._values,
+ [1, 2, 840, 113549, 1, 1, 11], // sha256WithRSAEncryption
+ "expired-ee.pem should have sha256WithRSAEncryption signature"
+ );
+ deepEqual(
+ certificate.tbsCertificate.signature.parameters._contents,
+ [],
+ "expired-ee.pem should have NULL parameters for signature"
+ );
+
+ equal(
+ certificate.tbsCertificate.issuer.rdns.length,
+ 1,
+ "expired-ee.pem should have one RDN in issuer"
+ );
+ equal(
+ certificate.tbsCertificate.issuer.rdns[0].avas.length,
+ 1,
+ "expired-ee.pem should have one AVA in RDN in issuer"
+ );
+ deepEqual(
+ certificate.tbsCertificate.issuer.rdns[0].avas[0].value.value,
+ stringToArray("Test CA"),
+ "expired-ee.pem should have issuer 'Test CA'"
+ );
+
+ equal(
+ certificate.tbsCertificate.validity.notBefore.time.getTime(),
+ Date.parse("2013-01-01T00:00:00.000Z"),
+ "expired-ee.pem should have the correct value for notBefore"
+ );
+ equal(
+ certificate.tbsCertificate.validity.notAfter.time.getTime(),
+ Date.parse("2014-01-01T00:00:00.000Z"),
+ "expired-ee.pem should have the correct value for notAfter"
+ );
+
+ equal(
+ certificate.tbsCertificate.subject.rdns.length,
+ 1,
+ "expired-ee.pem should have one RDN in subject"
+ );
+ equal(
+ certificate.tbsCertificate.subject.rdns[0].avas.length,
+ 1,
+ "expired-ee.pem should have one AVA in RDN in subject"
+ );
+ deepEqual(
+ certificate.tbsCertificate.subject.rdns[0].avas[0].value.value,
+ stringToArray("Expired Test End-entity"),
+ "expired-ee.pem should have subject 'Expired Test End-entity'"
+ );
+
+ deepEqual(
+ certificate.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm._values,
+ [1, 2, 840, 113549, 1, 1, 1], // rsaEncryption
+ "expired-ee.pem should have a spki algorithm of rsaEncryption"
+ );
+
+ equal(
+ certificate.tbsCertificate.extensions.length,
+ 2,
+ "expired-ee.pem should have two extensions"
+ );
+
+ deepEqual(
+ certificate.signatureAlgorithm.algorithm._values,
+ [1, 2, 840, 113549, 1, 1, 11], // sha256WithRSAEncryption
+ "expired-ee.pem should have sha256WithRSAEncryption signatureAlgorithm"
+ );
+ deepEqual(
+ certificate.signatureAlgorithm.parameters._contents,
+ [],
+ "expired-ee.pem should have NULL parameters for signatureAlgorithm"
+ );
+
+ equal(
+ certificate.signatureValue.length,
+ 2048 / 8,
+ "length of signature on expired-ee.pem should be 2048 bits"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp
new file mode 100644
index 0000000000..1ccd5e876b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp
@@ -0,0 +1,141 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a standalone server that uses various bad certificates.
+// The client is expected to connect, initiate an SSL handshake (with SNI
+// to indicate which "server" to connect to), and verify the certificate.
+// If all is good, the client then sends one encrypted byte and receives that
+// same byte back.
+// This server also has the ability to "call back" another process waiting on
+// it. That is, when the server is all set up and ready to receive connections,
+// it will connect to a specified port and issue a simple HTTP request.
+
+#include <stdio.h>
+
+#include "TLSServer.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+struct BadCertAndPinningHost {
+ const char* mHostName;
+ const char* mCertName;
+};
+
+// Hostname, cert nickname pairs.
+const BadCertAndPinningHost sBadCertAndPinningHosts[] = {
+ {"expired.example.com", "expired-ee"},
+ {"notyetvalid.example.com", "notYetValid"},
+ {"before-epoch.example.com", "beforeEpoch"},
+ {"before-epoch-self-signed.example.com", "beforeEpochSelfSigned"},
+ {"selfsigned.example.com", "selfsigned"},
+ {"unknownissuer.example.com", "unknownissuer"},
+ {"mismatch.example.com", "mismatch"},
+ {"mismatch-CN.example.com", "mismatchCN"},
+ {"mitm.example.com", "mitm"},
+ {"expiredissuer.example.com", "expiredissuer"},
+ {"notyetvalidissuer.example.com", "notYetValidIssuer"},
+ {"before-epoch-issuer.example.com", "beforeEpochIssuer"},
+ {"md5signature.example.com", "md5signature"},
+ {"untrusted.example.com", "default-ee"},
+ {"untrustedissuer.example.com", "untrustedissuer"},
+ {"mismatch-expired.example.com", "mismatch-expired"},
+ {"mismatch-notYetValid.example.com", "mismatch-notYetValid"},
+ {"mismatch-untrusted.example.com", "mismatch-untrusted"},
+ {"untrusted-expired.example.com", "untrusted-expired"},
+ {"md5signature-expired.example.com", "md5signature-expired"},
+ {"mismatch-untrusted-expired.example.com", "mismatch-untrusted-expired"},
+ {"inadequatekeyusage.example.com", "inadequatekeyusage-ee"},
+ {"selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU"},
+ {"self-signed-end-entity-with-cA-true.example.com",
+ "self-signed-EE-with-cA-true"},
+ {"ca-used-as-end-entity.example.com", "ca-used-as-end-entity"},
+ {"ca-used-as-end-entity-name-mismatch.example.com",
+ "ca-used-as-end-entity"},
+ // All of include-subdomains.pinning.example.com is pinned to End Entity
+ // Test Cert with nick default-ee. Any other nick will only
+ // pass pinning when security.cert_pinning.enforcement.level != strict and
+ // otherCA is added as a user-specified trust anchor. See StaticHPKPins.h.
+ {"include-subdomains.pinning.example.com", "default-ee"},
+ {"good.include-subdomains.pinning.example.com", "default-ee"},
+ {"bad.include-subdomains.pinning.example.com", "other-issuer-ee"},
+ {"bad.include-subdomains.pinning.example.com.", "other-issuer-ee"},
+ {"bad.include-subdomains.pinning.example.com..", "other-issuer-ee"},
+ {"exclude-subdomains.pinning.example.com", "default-ee"},
+ {"sub.exclude-subdomains.pinning.example.com", "other-issuer-ee"},
+ {"test-mode.pinning.example.com", "other-issuer-ee"},
+ {"unknownissuer.include-subdomains.pinning.example.com", "unknownissuer"},
+ {"unknownissuer.test-mode.pinning.example.com", "unknownissuer"},
+ {"nsCertTypeNotCritical.example.com", "nsCertTypeNotCritical"},
+ {"nsCertTypeCriticalWithExtKeyUsage.example.com",
+ "nsCertTypeCriticalWithExtKeyUsage"},
+ {"nsCertTypeCritical.example.com", "nsCertTypeCritical"},
+ {"end-entity-issued-by-v1-cert.example.com", "eeIssuedByV1Cert"},
+ {"end-entity-issued-by-non-CA.example.com", "eeIssuedByNonCA"},
+ {"inadequate-key-size-ee.example.com", "inadequateKeySizeEE"},
+ {"badSubjectAltNames.example.com", "badSubjectAltNames"},
+ {"ipAddressAsDNSNameInSAN.example.com", "ipAddressAsDNSNameInSAN"},
+ {"noValidNames.example.com", "noValidNames"},
+ {"bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", "idn-certificate"},
+ {"emptyissuername.example.com", "emptyIssuerName"},
+ {"ev-test.example.com", "ev-test"},
+ {"ee-from-missing-intermediate.example.com",
+ "ee-from-missing-intermediate"},
+ {"imminently-distrusted.example.com", "ee-imminently-distrusted"},
+ {"localhost", "unknownissuer"},
+ {"a.pinning.example.com", "default-ee"},
+ {"b.pinning.example.com", "default-ee"},
+ {"not-preloaded.example.com", "default-ee"},
+ {"ee.example.com", "default-ee"},
+ {nullptr, nullptr}};
+
+int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd,
+ const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize) {
+ for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
+ UniquePORTString name(
+ static_cast<char*>(PORT_ZAlloc(aSrvNameArr[i].len + 1)));
+ if (name) {
+ PORT_Memcpy(name.get(), aSrvNameArr[i].data, aSrvNameArr[i].len);
+ if (ConfigSecureServerWithNamedCert(aFd, name.get(), nullptr, nullptr,
+ nullptr) == SECSuccess) {
+ return 0;
+ }
+ }
+ }
+
+ return SSL_SNI_SEND_ALERT;
+}
+
+int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize, void* aArg) {
+ const BadCertAndPinningHost* host =
+ GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sBadCertAndPinningHosts);
+ if (!host) {
+ // No static cert <-> hostname mapping found. This happens when we use a
+ // collection of certificates in a given directory and build a cert DB at
+ // runtime, rather than using an NSS cert DB populated at build time.
+ // (This will be the default in the future.)
+ // For all given server names, check if the runtime-built cert DB contains
+ // a certificate with a matching subject CN.
+ return DoSNISocketConfigBySubjectCN(aFd, aSrvNameArr, aSrvNameArrSize);
+ }
+
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+ }
+
+ UniqueCERTCertificate cert;
+ SSLKEAType certKEA;
+ if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert,
+ &certKEA, nullptr)) {
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ return 0;
+}
+
+int main(int argc, char* argv[]) {
+ return StartServer(argc, argv, DoSNISocketConfig, nullptr);
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/DelegatedCredentialsServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/DelegatedCredentialsServer.cpp
new file mode 100644
index 0000000000..5f12756425
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/DelegatedCredentialsServer.cpp
@@ -0,0 +1,142 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a standalone server used to test Delegated Credentials
+// (see: https://tools.ietf.org/html/draft-ietf-tls-subcerts-03).
+//
+// The client is expected to connect, initiate an SSL handshake (with SNI
+// to indicate which "server" to connect to), and verify the certificate.
+// If all is good, the client then sends one encrypted byte and receives that
+// same byte back.
+// This server also has the ability to "call back" another process waiting on
+// it. That is, when the server is all set up and ready to receive connections,
+// it will connect to a specified port and issue a simple HTTP request.
+
+#include <iostream>
+
+#include "TLSServer.h"
+
+#include "sslexp.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+struct DelegatedCertHost {
+ const char* mHostName;
+ const char* mCertName;
+ const char* mDCKeyNick;
+ bool mEnableDelegatedCredentials;
+};
+
+const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */;
+
+// {host, eeCert, dcCert, enableDC}
+const DelegatedCertHost sDelegatedCertHosts[] = {
+ {"delegated-enabled.example.com", "delegated-ee", "delegated.key", true},
+ {"standard-enabled.example.com", "default-ee", "delegated.key", true},
+ {"delegated-disabled.example.com", "delegated-ee",
+ /* anything non-null */ "delegated.key", false},
+ {nullptr, nullptr, nullptr, false}};
+
+int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize, void* aArg) {
+ const DelegatedCertHost* host =
+ GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sDelegatedCertHosts);
+ if (!host) {
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ std::cerr << "Identified host " << host->mHostName << std::endl;
+ }
+
+ UniqueCERTCertificate delegatorCert(
+ PK11_FindCertFromNickname(host->mCertName, nullptr));
+ if (!delegatorCert) {
+ PrintPRError("PK11_FindCertFromNickname failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ if (!slot) {
+ PrintPRError("PK11_GetInternalKeySlot failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ SSLExtraServerCertData extra_data = {ssl_auth_null,
+ /* Filled in by callee */ nullptr,
+ nullptr,
+ nullptr,
+ /* DC */ nullptr,
+ /* DC PrivKey */ nullptr};
+
+ UniqueSECKEYPrivateKey delegatorPriv(
+ PK11_FindKeyByDERCert(slot.get(), delegatorCert.get(), nullptr));
+ if (!delegatorPriv) {
+ PrintPRError("PK11_FindKeyByDERCert failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ // Find the DC keypair by the file (nick) name.
+ ScopedAutoSECItem dc;
+ UniqueSECKEYPrivateKey dcPriv;
+ if (host->mEnableDelegatedCredentials) {
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ std::cerr << "Enabling a delegated credential for host "
+ << host->mHostName << std::endl;
+ }
+
+ if (PK11_NeedLogin(slot.get())) {
+ SECStatus rv = PK11_Authenticate(slot.get(), PR_TRUE, nullptr);
+ if (rv != SECSuccess) {
+ PrintPRError("PK11_Authenticate failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+ }
+ UniqueSECKEYPrivateKeyList list(PK11_ListPrivKeysInSlot(
+ slot.get(), const_cast<char*>(host->mDCKeyNick), nullptr));
+ if (!list) {
+ PrintPRError("PK11_ListPrivKeysInSlot failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+ SECKEYPrivateKeyListNode* node = PRIVKEY_LIST_HEAD(list);
+
+ dcPriv.reset(SECKEY_CopyPrivateKey(node->key));
+ if (!dcPriv) {
+ PrintPRError("PK11_ListPrivKeysInSlot could not find dcPriv");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ UniqueSECKEYPublicKey dcPub(SECKEY_ConvertToPublicKey(dcPriv.get()));
+ if (!dcPub) {
+ PrintPRError("SECKEY_ConvertToPublicKey failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ // Create and set the DC.
+ if (SSL_DelegateCredential(delegatorCert.get(), delegatorPriv.get(),
+ dcPub.get(), ssl_sig_ecdsa_secp384r1_sha384,
+ kDCValidFor, PR_Now(), &dc) != SECSuccess) {
+ PrintPRError("SSL_DelegateCredential failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+ extra_data.delegCred = &dc;
+ extra_data.delegCredPrivKey = dcPriv.get();
+
+ // The list should only have a single key.
+ PORT_Assert(PRIVKEY_LIST_END(PRIVKEY_LIST_NEXT(node), list));
+ }
+
+ if (ConfigSecureServerWithNamedCert(aFd, host->mCertName, nullptr, nullptr,
+ &extra_data) != SECSuccess) {
+ PrintPRError("ConfigSecureServerWithNamedCert failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ return 0;
+}
+
+int main(int argc, char* argv[]) {
+ return StartServer(argc, argv, DoSNISocketConfig, nullptr);
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/EncryptedClientHelloServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/EncryptedClientHelloServer.cpp
new file mode 100644
index 0000000000..fd284874b3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/EncryptedClientHelloServer.cpp
@@ -0,0 +1,178 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a standalone server that offers TLS 1.3 Encrypted
+// Client Hello support.
+
+#include <stdio.h>
+
+#include "nspr.h"
+#include "ScopedNSSTypes.h"
+#include "ssl.h"
+#include "sslexp.h"
+#include "TLSServer.h"
+#include <pk11pub.h>
+#include <vector>
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+struct EchHost {
+ const char* mHostName;
+ const char* mCertName;
+};
+
+const std::vector<uint32_t> kSuiteChaCha = {
+ (static_cast<uint32_t>(HpkeKdfHkdfSha256) << 16) |
+ HpkeAeadChaCha20Poly1305};
+
+// Hostname, cert nickname pairs.
+const EchHost sEchHosts[] = {{"ech-public.example.com", "default-ee"},
+ {"ech-private.example.com", "private-ee"},
+ {"selfsigned.example.com", "selfsigned"},
+ {nullptr, nullptr}};
+
+int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd,
+ const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize) {
+ for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
+ UniquePORTString name(
+ static_cast<char*>(PORT_ZAlloc(aSrvNameArr[i].len + 1)));
+ if (name) {
+ PORT_Memcpy(name.get(), aSrvNameArr[i].data, aSrvNameArr[i].len);
+ if (ConfigSecureServerWithNamedCert(aFd, name.get(), nullptr, nullptr,
+ nullptr) == SECSuccess) {
+ return 0;
+ }
+ }
+ }
+
+ return SSL_SNI_SEND_ALERT;
+}
+
+int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize, void* aArg) {
+ const EchHost* host = GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sEchHosts);
+ if (!host) {
+ PrintPRError("No cert found for hostname");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+ }
+
+ UniqueCERTCertificate cert;
+ SSLKEAType certKEA;
+ if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert,
+ &certKEA, nullptr)) {
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ return 0;
+}
+
+int32_t SetAlpnOptions(PRFileDesc* aFd, uint8_t flags) {
+ const std::vector<uint8_t> http1 = {0x08, 0x68, 0x74, 0x74, 0x70,
+ 0x2f, 0x31, 0x2e, 0x31};
+ const std::vector<uint8_t> http2 = {0x02, 0x68, 0x32};
+ const std::vector<uint8_t> http3 = {0x02, 0x68, 0x33};
+ std::vector<uint8_t> alpnVec = {};
+ if (flags & 0b001) {
+ alpnVec.insert(alpnVec.end(), http1.begin(), http1.end());
+ }
+ if (flags & 0b010) {
+ alpnVec.insert(alpnVec.end(), http2.begin(), http2.end());
+ }
+ if (flags & 0b100) {
+ alpnVec.insert(alpnVec.end(), http3.begin(), http3.end());
+ }
+ fprintf(stderr, "ALPN Flags: %u\n", flags);
+ fprintf(stderr, "ALPN length: %zu\n", alpnVec.size());
+ if (SSL_SetNextProtoNego(aFd, alpnVec.data(), alpnVec.size()) != SECSuccess) {
+ fprintf(stderr, "Setting ALPN failed!\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+SECStatus ConfigureServer(PRFileDesc* aFd) {
+ const char* alpnFlag = PR_GetEnv("MOZ_TLS_ECH_ALPN_FLAG");
+ if (alpnFlag) {
+ uint8_t flag = atoi(alpnFlag);
+ SetAlpnOptions(aFd, flag);
+ }
+
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ if (!slot) {
+ PrintPRError("PK11_GetInternalKeySlot failed");
+ return SECFailure;
+ }
+
+ UniqueSECKEYPublicKey pubKey;
+ UniqueSECKEYPrivateKey privKey;
+ SECKEYPublicKey* tmpPubKey = nullptr;
+ SECKEYPrivateKey* tmpPrivKey = nullptr;
+
+ static const std::vector<uint8_t> pkcs8{
+ 0x30, 0x67, 0x02, 0x01, 0x00, 0x30, 0x14, 0x06, 0x07, 0x2a, 0x86, 0x48,
+ 0xce, 0x3d, 0x02, 0x01, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xda,
+ 0x47, 0x0f, 0x01, 0x04, 0x4c, 0x30, 0x4a, 0x02, 0x01, 0x01, 0x04, 0x20,
+ 0x8c, 0x49, 0x0e, 0x5b, 0x0c, 0x7d, 0xbe, 0x0c, 0x6d, 0x21, 0x92, 0x48,
+ 0x4d, 0x2b, 0x7a, 0x04, 0x23, 0xb3, 0xb4, 0x54, 0x4f, 0x24, 0x81, 0x09,
+ 0x5a, 0x99, 0xdb, 0xf2, 0x38, 0xfb, 0x35, 0x0f, 0xa1, 0x23, 0x03, 0x21,
+ 0x00, 0x8a, 0x07, 0x56, 0x39, 0x49, 0xfa, 0xc6, 0x23, 0x29, 0x36, 0xed,
+ 0x6f, 0x36, 0xc4, 0xfa, 0x73, 0x59, 0x30, 0xec, 0xde, 0xae, 0xf6, 0x73,
+ 0x4e, 0x31, 0x4a, 0xea, 0xc3, 0x5a, 0x56, 0xfd, 0x0a};
+
+ SECItem pkcs8Item = {siBuffer, const_cast<uint8_t*>(pkcs8.data()),
+ static_cast<unsigned int>(pkcs8.size())};
+ SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
+ slot.get(), &pkcs8Item, nullptr, nullptr, false, false, KU_ALL,
+ &tmpPrivKey, nullptr);
+
+ if (rv != SECSuccess) {
+ PrintPRError("PK11_ImportDERPrivateKeyInfoAndReturnKey failed");
+ return SECFailure;
+ }
+ privKey.reset(tmpPrivKey);
+ tmpPubKey = SECKEY_ConvertToPublicKey(privKey.get());
+ pubKey.reset(tmpPubKey);
+
+ if (!privKey || !pubKey) {
+ PrintPRError("ECH/HPKE Public or Private key is null!");
+ return SECFailure;
+ }
+
+ std::vector<uint8_t> echConfig(1000, 0);
+ unsigned int len = 0;
+ const PRUint8 configId = 77;
+ const HpkeSymmetricSuite echCipherSuite = {HpkeKdfHkdfSha256,
+ HpkeAeadChaCha20Poly1305};
+ rv = SSL_EncodeEchConfigId(configId, "ech-public.example.com", 100,
+ HpkeDhKemX25519Sha256, pubKey.get(),
+ &echCipherSuite, 1, echConfig.data(), &len,
+ echConfig.size());
+ if (rv != SECSuccess) {
+ PrintPRError("SSL_EncodeEchConfig failed");
+ return rv;
+ }
+
+ rv = SSL_SetServerEchConfigs(aFd, pubKey.get(), privKey.get(),
+ echConfig.data(), len);
+ if (rv != SECSuccess) {
+ PrintPRError("SSL_SetServerEchConfigs failed");
+ return rv;
+ }
+
+ return SECSuccess;
+}
+
+int main(int argc, char* argv[]) {
+ int rv = StartServer(argc, argv, DoSNISocketConfig, nullptr, ConfigureServer);
+ if (rv < 0) {
+ return rv;
+ }
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp
new file mode 100644
index 0000000000..4d30f8a87a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp
@@ -0,0 +1,206 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <stdio.h>
+
+#include "nspr.h"
+#include "ScopedNSSTypes.h"
+#include "ssl.h"
+#include "ssl3prot.h"
+#include "sslexp.h"
+#include "sslimpl.h"
+#include "TLSServer.h"
+
+#include "mozilla/Sprintf.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+enum FaultType {
+ None = 0,
+ ZeroRtt,
+ UnknownSNI,
+};
+
+struct FaultyServerHost {
+ const char* mHostName;
+ const char* mCertName;
+ FaultType mFaultType;
+};
+
+const char* kHostOk = "ok.example.com";
+const char* kHostUnknown = "unknown.example.com";
+const char* kHostZeroRttAlertBadMac = "0rtt-alert-bad-mac.example.com";
+const char* kHostZeroRttAlertVersion =
+ "0rtt-alert-protocol-version.example.com";
+const char* kHostZeroRttAlertUnexpected = "0rtt-alert-unexpected.example.com";
+const char* kHostZeroRttAlertDowngrade = "0rtt-alert-downgrade.example.com";
+
+const char* kCertWildcard = "default-ee";
+
+/* Each type of failure gets a different SNI.
+ * the "default-ee" cert has a SAN for *.example.com
+ * the "no-san-ee" cert is signed by the test-ca, but it doesn't have any SANs.
+ */
+const FaultyServerHost sFaultyServerHosts[]{
+ {kHostOk, kCertWildcard, None},
+ {kHostUnknown, kCertWildcard, UnknownSNI},
+ {kHostZeroRttAlertBadMac, kCertWildcard, ZeroRtt},
+ {kHostZeroRttAlertVersion, kCertWildcard, ZeroRtt},
+ {kHostZeroRttAlertUnexpected, kCertWildcard, ZeroRtt},
+ {kHostZeroRttAlertDowngrade, kCertWildcard, ZeroRtt},
+ {nullptr, nullptr},
+};
+
+nsresult SendAll(PRFileDesc* aSocket, const char* aData, size_t aDataLen) {
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "sending '%s'\n", aData);
+ }
+
+ int32_t len = static_cast<int32_t>(aDataLen);
+ while (len > 0) {
+ int32_t bytesSent = PR_Send(aSocket, aData, len, 0, PR_INTERVAL_NO_TIMEOUT);
+ if (bytesSent == -1) {
+ PrintPRError("PR_Send failed");
+ return NS_ERROR_FAILURE;
+ }
+
+ len -= bytesSent;
+ aData += bytesSent;
+ }
+
+ return NS_OK;
+}
+
+// returns 0 on success, non-zero on error
+int DoCallback(const char* path) {
+ UniquePRFileDesc socket(PR_NewTCPSocket());
+ if (!socket) {
+ PrintPRError("PR_NewTCPSocket failed");
+ return 1;
+ }
+
+ uint32_t port = 0;
+ const char* callbackPort = PR_GetEnv("FAULTY_SERVER_CALLBACK_PORT");
+ if (callbackPort) {
+ port = atoi(callbackPort);
+ }
+ if (!port) {
+ return 0;
+ }
+
+ PRNetAddr addr;
+ PR_InitializeNetAddr(PR_IpAddrLoopback, port, &addr);
+ if (PR_Connect(socket.get(), &addr, PR_INTERVAL_NO_TIMEOUT) != PR_SUCCESS) {
+ PrintPRError("PR_Connect failed");
+ return 1;
+ }
+
+ char request[512];
+ SprintfLiteral(request, "GET %s HTTP/1.0\r\n\r\n", path);
+ SendAll(socket.get(), request, strlen(request));
+ char buf[4096];
+ memset(buf, 0, sizeof(buf));
+ int32_t bytesRead =
+ PR_Recv(socket.get(), buf, sizeof(buf) - 1, 0, PR_INTERVAL_NO_TIMEOUT);
+ if (bytesRead < 0) {
+ PrintPRError("PR_Recv failed 1");
+ return 1;
+ }
+ if (bytesRead == 0) {
+ fprintf(stderr, "PR_Recv eof 1\n");
+ return 1;
+ }
+ // fprintf(stderr, "%s\n", buf);
+ return 0;
+}
+
+/* These are very rough examples. In practice the `arg` parameter to a callback
+ * might need to be an object that holds some state, like the various traffic
+ * secrets. */
+
+/* An SSLSecretCallback is called after every key derivation step in the TLS
+ * 1.3 key schedule.
+ *
+ * Epoch 1 is for the early traffic secret.
+ * Epoch 2 is for the handshake traffic secrets.
+ * Epoch 3 is for the application traffic secrets.
+ */
+void SecretCallbackFailZeroRtt(PRFileDesc* fd, PRUint16 epoch,
+ SSLSecretDirection dir, PK11SymKey* secret,
+ void* arg) {
+ fprintf(stderr, "0RTT handler epoch=%d dir=%d\n", epoch, (uint32_t)dir);
+ FaultyServerHost* host = static_cast<FaultyServerHost*>(arg);
+
+ if (epoch == 1 && dir == ssl_secret_read) {
+ sslSocket* ss = ssl_FindSocket(fd);
+ if (!ss) {
+ fprintf(stderr, "0RTT handler, no ss!\n");
+ return;
+ }
+
+ char path[256];
+ SprintfLiteral(path, "/callback/%d", epoch);
+ DoCallback(path);
+
+ fprintf(stderr, "0RTT handler, configuring alert\n");
+ if (!strcmp(host->mHostName, kHostZeroRttAlertBadMac)) {
+ SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
+ } else if (!strcmp(host->mHostName, kHostZeroRttAlertVersion)) {
+ SSL3_SendAlert(ss, alert_fatal, protocol_version);
+ } else if (!strcmp(host->mHostName, kHostZeroRttAlertUnexpected)) {
+ SSL3_SendAlert(ss, alert_fatal, no_alert);
+ }
+ }
+}
+
+/* An SSLRecordWriteCallback can replace the TLS record layer. */
+SECStatus WriteCallbackExample(PRFileDesc* fd, PRUint16 epoch,
+ SSLContentType contentType, const PRUint8* data,
+ unsigned int len, void* arg) {
+ /* do something */
+ return SECSuccess;
+}
+
+int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize, void* aArg) {
+ const FaultyServerHost* host =
+ GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sFaultyServerHosts);
+ if (!host || host->mFaultType == UnknownSNI) {
+ PrintPRError("No cert found for hostname");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+ }
+
+ switch (host->mFaultType) {
+ case ZeroRtt:
+ SSL_SecretCallback(aFd, &SecretCallbackFailZeroRtt, (void*)host);
+ break;
+ case None:
+ break;
+ default:
+ break;
+ }
+
+ UniqueCERTCertificate cert;
+ SSLKEAType certKEA;
+ if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert,
+ &certKEA, nullptr)) {
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ return 0;
+}
+
+SECStatus ConfigureServer(PRFileDesc* aFd) { return SECSuccess; }
+
+int main(int argc, char* argv[]) {
+ int rv = StartServer(argc, argv, DoSNISocketConfig, nullptr, ConfigureServer);
+ if (rv < 0) {
+ return rv;
+ }
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp
new file mode 100644
index 0000000000..113e668f89
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp
@@ -0,0 +1,168 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 sw=2 tw=80 et: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* This simple program takes a database directory, and one or more tuples like
+ * <typeOfResponse> <CertNick> <ExtraCertNick> <outPutFilename>
+ * to generate (one or more) ocsp responses.
+ */
+
+#include <stdio.h>
+#include <string>
+#include <vector>
+
+#include "mozilla/ArrayUtils.h"
+
+#include "cert.h"
+#include "nspr.h"
+#include "nss.h"
+#include "plarenas.h"
+#include "prerror.h"
+#include "ssl.h"
+#include "secerr.h"
+
+#include "OCSPCommon.h"
+#include "ScopedNSSTypes.h"
+#include "TLSServer.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+struct OCSPResponseName {
+ const char* mTypeString;
+ const OCSPResponseType mORT;
+};
+
+const static OCSPResponseName kOCSPResponseNameList[] = {
+ {"good", ORTGood}, // the certificate is good
+ {"good-delegated", ORTDelegatedIncluded}, // the certificate is good, using
+ // a delegated signer
+ {"revoked", ORTRevoked}, // the certificate has been revoked
+ {"unknown", ORTUnknown}, // the responder doesn't know if the
+ // cert is good
+ {"goodotherca", ORTGoodOtherCA}, // the wrong CA has signed the
+ // response
+ {"expiredresponse", ORTExpired}, // the signature on the response has
+ // expired
+ {"oldvalidperiod", ORTExpiredFreshCA}, // fresh signature, but old validity
+ // period
+ {"empty", ORTEmpty}, // an empty stapled response
+
+ {"malformed", ORTMalformed}, // the response from the responder
+ // was malformed
+ {"serverr", ORTSrverr}, // the response indicates there was a
+ // server error
+ {"trylater", ORTTryLater}, // the responder replied with
+ // "try again later"
+ {"resp-unsigned", ORTNeedsSig}, // the response needs a signature
+ {"unauthorized", ORTUnauthorized}, // the responder does not know about
+ // the cert
+ {"bad-signature", ORTBadSignature}, // the response has a bad signature
+ {"longvalidityalmostold",
+ ORTLongValidityAlmostExpired}, // the response is
+ // still valid, but the generation
+ // is almost a year old
+ {"ancientstillvalid", ORTAncientAlmostExpired}, // The response is still
+ // valid but the generation
+ // is almost two years old
+};
+
+bool StringToOCSPResponseType(const char* respText,
+ /*out*/ OCSPResponseType* OCSPType) {
+ if (!OCSPType) {
+ return false;
+ }
+ for (auto ocspResponseName : kOCSPResponseNameList) {
+ if (strcmp(respText, ocspResponseName.mTypeString) == 0) {
+ *OCSPType = ocspResponseName.mORT;
+ return true;
+ }
+ }
+ return false;
+}
+
+bool WriteResponse(const char* filename, const SECItem* item) {
+ if (!filename || !item || !item->data) {
+ PR_fprintf(PR_STDERR, "invalid parameters to WriteResponse");
+ return false;
+ }
+
+ UniquePRFileDesc outFile(
+ PR_Open(filename, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 0644));
+ if (!outFile) {
+ PrintPRError("cannot open file for writing");
+ return false;
+ }
+ int32_t rv = PR_Write(outFile.get(), item->data, item->len);
+ if (rv < 0 || (uint32_t)rv != item->len) {
+ PrintPRError("File write failure");
+ return false;
+ }
+
+ return true;
+}
+
+int main(int argc, char* argv[]) {
+ if (argc < 7 || (argc - 7) % 5 != 0) {
+ PR_fprintf(
+ PR_STDERR,
+ "usage: %s <NSS DB directory> <responsetype> "
+ "<cert_nick> <extranick> <this_update_skew> <outfilename> [<resptype> "
+ "<cert_nick> <extranick> <this_update_skew> <outfilename>]* \n",
+ argv[0]);
+ exit(EXIT_FAILURE);
+ }
+ SECStatus rv = InitializeNSS(argv[1]);
+ if (rv != SECSuccess) {
+ PR_fprintf(PR_STDERR, "Failed to initialize NSS\n");
+ exit(EXIT_FAILURE);
+ }
+ UniquePLArenaPool arena(PORT_NewArena(256 * argc));
+ if (!arena) {
+ PrintPRError("PORT_NewArena failed");
+ exit(EXIT_FAILURE);
+ }
+
+ for (int i = 2; i + 3 < argc; i += 5) {
+ const char* ocspTypeText = argv[i];
+ const char* certNick = argv[i + 1];
+ const char* extraCertname = argv[i + 2];
+ const char* skewChars = argv[i + 3];
+ const char* filename = argv[i + 4];
+
+ OCSPResponseType ORT;
+ if (!StringToOCSPResponseType(ocspTypeText, &ORT)) {
+ PR_fprintf(PR_STDERR, "Cannot generate OCSP response of type %s\n",
+ ocspTypeText);
+ exit(EXIT_FAILURE);
+ }
+
+ UniqueCERTCertificate cert(PK11_FindCertFromNickname(certNick, nullptr));
+ if (!cert) {
+ PrintPRError("PK11_FindCertFromNickname failed");
+ PR_fprintf(PR_STDERR, "Failed to find certificate with nick '%s'\n",
+ certNick);
+ exit(EXIT_FAILURE);
+ }
+
+ time_t skew = static_cast<time_t>(atoll(skewChars));
+
+ SECItemArray* response =
+ GetOCSPResponseForType(ORT, cert, arena, extraCertname, skew);
+ if (!response) {
+ PR_fprintf(PR_STDERR,
+ "Failed to generate OCSP response of type %s "
+ "for %s\n",
+ ocspTypeText, certNick);
+ exit(EXIT_FAILURE);
+ }
+
+ if (!WriteResponse(filename, &response->items[0])) {
+ PR_fprintf(PR_STDERR, "Failed to write file %s\n", filename);
+ exit(EXIT_FAILURE);
+ }
+ }
+ return 0;
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp
new file mode 100644
index 0000000000..b35484572f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp
@@ -0,0 +1,153 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a standalone server that delivers various stapled OCSP responses.
+// The client is expected to connect, initiate an SSL handshake (with SNI
+// to indicate which "server" to connect to), and verify the OCSP response.
+// If all is good, the client then sends one encrypted byte and receives that
+// same byte back.
+// This server also has the ability to "call back" another process waiting on
+// it. That is, when the server is all set up and ready to receive connections,
+// it will connect to a specified port and issue a simple HTTP request.
+
+#include <stdio.h>
+
+#include "OCSPCommon.h"
+#include "TLSServer.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+const OCSPHost sOCSPHosts[] = {
+ {"ocsp-stapling-good.example.com", ORTGood, nullptr, nullptr},
+ {"ocsp-stapling-revoked.example.com", ORTRevoked, nullptr, nullptr},
+ {"ocsp-stapling-revoked-old.example.com", ORTRevokedOld, nullptr, nullptr},
+ {"ocsp-stapling-unknown.example.com", ORTUnknown, nullptr, nullptr},
+ {"ocsp-stapling-unknown-old.example.com", ORTUnknownOld, nullptr, nullptr},
+ {"ocsp-stapling-good-other.example.com", ORTGoodOtherCert,
+ "ocspOtherEndEntity", nullptr},
+ {"ocsp-stapling-good-other-ca.example.com", ORTGoodOtherCA, "other-test-ca",
+ nullptr},
+ {"ocsp-stapling-expired.example.com", ORTExpired, nullptr, nullptr},
+ {"ocsp-stapling-expired-fresh-ca.example.com", ORTExpiredFreshCA, nullptr,
+ nullptr},
+ {"ocsp-stapling-none.example.com", ORTNone, nullptr, nullptr},
+ {"ocsp-stapling-empty.example.com", ORTEmpty, nullptr, nullptr},
+ {"ocsp-stapling-malformed.example.com", ORTMalformed, nullptr, nullptr},
+ {"ocsp-stapling-srverr.example.com", ORTSrverr, nullptr, nullptr},
+ {"ocsp-stapling-trylater.example.com", ORTTryLater, nullptr, nullptr},
+ {"ocsp-stapling-needssig.example.com", ORTNeedsSig, nullptr, nullptr},
+ {"ocsp-stapling-unauthorized.example.com", ORTUnauthorized, nullptr,
+ nullptr},
+ {"ocsp-stapling-with-intermediate.example.com", ORTGood, nullptr,
+ "ocspEEWithIntermediate"},
+ {"ocsp-stapling-bad-signature.example.com", ORTBadSignature, nullptr,
+ nullptr},
+ {"ocsp-stapling-skip-responseBytes.example.com", ORTSkipResponseBytes,
+ nullptr, nullptr},
+ {"ocsp-stapling-critical-extension.example.com", ORTCriticalExtension,
+ nullptr, nullptr},
+ {"ocsp-stapling-noncritical-extension.example.com", ORTNoncriticalExtension,
+ nullptr, nullptr},
+ {"ocsp-stapling-empty-extensions.example.com", ORTEmptyExtensions, nullptr,
+ nullptr},
+ {"ocsp-stapling-delegated-included.example.com", ORTDelegatedIncluded,
+ "delegatedSigner", nullptr},
+ {"ocsp-stapling-delegated-included-last.example.com",
+ ORTDelegatedIncludedLast, "delegatedSigner", nullptr},
+ {"ocsp-stapling-delegated-missing.example.com", ORTDelegatedMissing,
+ "delegatedSigner", nullptr},
+ {"ocsp-stapling-delegated-missing-multiple.example.com",
+ ORTDelegatedMissingMultiple, "delegatedSigner", nullptr},
+ {"ocsp-stapling-delegated-no-extKeyUsage.example.com", ORTDelegatedIncluded,
+ "invalidDelegatedSignerNoExtKeyUsage", nullptr},
+ {"ocsp-stapling-delegated-from-intermediate.example.com",
+ ORTDelegatedIncluded, "invalidDelegatedSignerFromIntermediate", nullptr},
+ {"ocsp-stapling-delegated-keyUsage-crlSigning.example.com",
+ ORTDelegatedIncluded, "invalidDelegatedSignerKeyUsageCrlSigning", nullptr},
+ {"ocsp-stapling-delegated-wrong-extKeyUsage.example.com",
+ ORTDelegatedIncluded, "invalidDelegatedSignerWrongExtKeyUsage", nullptr},
+ {"ocsp-stapling-ancient-valid.example.com", ORTAncientAlmostExpired,
+ nullptr, nullptr},
+ {"keysize-ocsp-delegated.example.com", ORTDelegatedIncluded,
+ "rsa-1016-keysizeDelegatedSigner", nullptr},
+ {"revoked-ca-cert-used-as-end-entity.example.com", ORTRevoked,
+ "ca-used-as-end-entity", nullptr},
+ {"ocsp-stapling-must-staple.example.com", ORTGood, nullptr,
+ "must-staple-ee"},
+ {"ocsp-stapling-must-staple-revoked.example.com", ORTRevoked, nullptr,
+ "must-staple-ee"},
+ {"ocsp-stapling-must-staple-missing.example.com", ORTNone, nullptr,
+ "must-staple-ee"},
+ {"ocsp-stapling-must-staple-empty.example.com", ORTEmpty, nullptr,
+ "must-staple-ee"},
+ {"ocsp-stapling-must-staple-ee-with-must-staple-int.example.com", ORTGood,
+ nullptr, "must-staple-ee-with-must-staple-int"},
+ {"ocsp-stapling-plain-ee-with-must-staple-int.example.com", ORTGood,
+ nullptr, "must-staple-missing-ee"},
+ {"ocsp-stapling-must-staple-expired.example.com", ORTExpired, nullptr,
+ "must-staple-ee"},
+ {"ocsp-stapling-must-staple-try-later.example.com", ORTTryLater, nullptr,
+ "must-staple-ee"},
+ {"ocsp-stapling-must-staple-invalid-signer.example.com", ORTGoodOtherCA,
+ "other-test-ca", "must-staple-ee"},
+ {"multi-tls-feature-good.example.com", ORTNone, nullptr,
+ "multi-tls-feature-good-ee"},
+ {"multi-tls-feature-bad.example.com", ORTNone, nullptr,
+ "multi-tls-feature-bad-ee"},
+ {nullptr, ORTNull, nullptr, nullptr}};
+
+int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize, void* aArg) {
+ const OCSPHost* host =
+ GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sOCSPHosts);
+ if (!host) {
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+ }
+
+ const char* certNickname =
+ host->mServerCertName ? host->mServerCertName : DEFAULT_CERT_NICKNAME;
+
+ UniqueCERTCertificate cert;
+ SSLKEAType certKEA;
+ if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, certNickname, &cert,
+ &certKEA, nullptr)) {
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ // If the OCSP response type is "none", don't staple a response.
+ if (host->mORT == ORTNone) {
+ return 0;
+ }
+
+ UniquePLArenaPool arena(PORT_NewArena(1024));
+ if (!arena) {
+ PrintPRError("PORT_NewArena failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ // response is contained by the arena - freeing the arena will free it
+ SECItemArray* response = GetOCSPResponseForType(host->mORT, cert, arena,
+ host->mAdditionalCertName, 0);
+ if (!response) {
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ // SSL_SetStapledOCSPResponses makes a deep copy of response
+ SECStatus st = SSL_SetStapledOCSPResponses(aFd, response, certKEA);
+ if (st != SECSuccess) {
+ PrintPRError("SSL_SetStapledOCSPResponses failed");
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ return 0;
+}
+
+int main(int argc, char* argv[]) {
+ return StartServer(argc, argv, DoSNISocketConfig, nullptr);
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp
new file mode 100644
index 0000000000..9371617305
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp
@@ -0,0 +1,87 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a standalone server that uses various bad certificates.
+// The client is expected to connect, initiate an SSL handshake (with SNI
+// to indicate which "server" to connect to), and verify the certificate.
+// If all is good, the client then sends one encrypted byte and receives that
+// same byte back.
+// This server also has the ability to "call back" another process waiting on
+// it. That is, when the server is all set up and ready to receive connections,
+// it will connect to a specified port and issue a simple HTTP request.
+
+#include <stdio.h>
+
+#include "TLSServer.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+struct SanctionsCertHost {
+ const char* mHostName;
+ const char* mCertName;
+};
+
+// Hostname, cert nickname pairs.
+const SanctionsCertHost sSanctionsCertHosts[] = {
+ {"symantec-allowlist-after-cutoff.example.com",
+ "symantec-ee-from-allowlist-after-cutoff"},
+ {"symantec-allowlist-before-cutoff.example.com",
+ "symantec-ee-from-allowlist-before-cutoff"},
+ {"symantec-not-allowlisted-after-cutoff.example.com",
+ "symantec-ee-not-allowlisted-after-cutoff"},
+ {"symantec-not-allowlisted-before-cutoff.example.com",
+ "symantec-ee-not-allowlisted-before-cutoff"},
+ {"symantec-unaffected.example.com", "symantec-ee-unaffected"},
+ {nullptr, nullptr}};
+
+int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd,
+ const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize) {
+ for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
+ UniquePORTString name(
+ static_cast<char*>(PORT_ZAlloc(aSrvNameArr[i].len + 1)));
+ if (name) {
+ PORT_Memcpy(name.get(), aSrvNameArr[i].data, aSrvNameArr[i].len);
+ if (ConfigSecureServerWithNamedCert(aFd, name.get(), nullptr, nullptr,
+ nullptr) == SECSuccess) {
+ return 0;
+ }
+ }
+ }
+
+ return SSL_SNI_SEND_ALERT;
+}
+
+int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize, void* aArg) {
+ const SanctionsCertHost* host =
+ GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sSanctionsCertHosts);
+ if (!host) {
+ // No static cert <-> hostname mapping found. This happens when we use a
+ // collection of certificates in a given directory and build a cert DB at
+ // runtime, rather than using an NSS cert DB populated at build time.
+ // (This will be the default in the future.)
+ // For all given server names, check if the runtime-built cert DB contains
+ // a certificate with a matching subject CN.
+ return DoSNISocketConfigBySubjectCN(aFd, aSrvNameArr, aSrvNameArrSize);
+ }
+
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+ }
+
+ UniqueCERTCertificate cert;
+ SSLKEAType certKEA;
+ if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert,
+ &certKEA, nullptr)) {
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ return 0;
+}
+
+int main(int argc, char* argv[]) {
+ return StartServer(argc, argv, DoSNISocketConfig, nullptr);
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build b/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
new file mode 100644
index 0000000000..ebf8f8e3e7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
@@ -0,0 +1,45 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+GeckoSimplePrograms(
+ [
+ "BadCertAndPinningServer",
+ "DelegatedCredentialsServer",
+ "EncryptedClientHelloServer",
+ "GenerateOCSPResponse",
+ "OCSPStaplingServer",
+ "SanctionsTestServer",
+ ],
+ linkage=None,
+)
+
+if not CONFIG["MOZ_SYSTEM_NSS"]:
+ # Bug 1805371. See comment in ../lib/moz.build
+ GeckoSimplePrograms(
+ [
+ "FaultyServer",
+ ],
+ linkage=None,
+ )
+
+ DEFINES["NSS_USE_STATIC_LIBS"] = True
+
+ LOCAL_INCLUDES += [
+ "../../../../../../nss/lib/ssl",
+ "../lib",
+ ]
+ USE_LIBS += [
+ "tlsserver",
+ ]
+else:
+ LOCAL_INCLUDES += [
+ "../lib",
+ ]
+ USE_LIBS += ["mozpkix", "nspr", "nss", "tlsserver"]
+
+
+if CONFIG["MOZ_WIDGET_TOOLKIT"] == "gtk":
+ CXXFLAGS += CONFIG["MOZ_GTK3_CFLAGS"]
diff --git a/security/manager/ssl/tests/unit/tlsserver/default-ee.der b/security/manager/ssl/tests/unit/tlsserver/default-ee.der
new file mode 100644
index 0000000000..3a9b8fa9bc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/default-ee.der
@@ -0,0 +1,3 @@
+This is now an unused file. It exists to ease the coordination between gecko
+development trees and the automation infrastructure that runs periodic updates.
+See bug 1203312 and bug 1205406.
diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
new file mode 100644
index 0000000000..be9a9af9b1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
@@ -0,0 +1,204 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "OCSPCommon.h"
+
+#include <stdio.h>
+
+#include "mozpkix/test/pkixtestutil.h"
+#include "mozpkix/test/pkixtestnss.h"
+#include "TLSServer.h"
+#include "secder.h"
+#include "secerr.h"
+
+using namespace mozilla;
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+using namespace mozilla::test;
+
+static TestKeyPair* CreateTestKeyPairFromCert(
+ const UniqueCERTCertificate& cert) {
+ ScopedSECKEYPrivateKey privateKey(PK11_FindKeyByAnyCert(cert.get(), nullptr));
+ if (!privateKey) {
+ return nullptr;
+ }
+ ScopedSECKEYPublicKey publicKey(CERT_ExtractPublicKey(cert.get()));
+ if (!publicKey) {
+ return nullptr;
+ }
+ return CreateTestKeyPair(RSA_PKCS1(), publicKey, privateKey);
+}
+
+SECItemArray* GetOCSPResponseForType(OCSPResponseType aORT,
+ const UniqueCERTCertificate& aCert,
+ const UniquePLArenaPool& aArena,
+ const char* aAdditionalCertName,
+ time_t aThisUpdateSkew) {
+ MOZ_ASSERT(aArena);
+ MOZ_ASSERT(aCert);
+ // Note: |aAdditionalCertName| may or may not need to be non-null depending
+ // on the |aORT| value given.
+
+ if (aORT == ORTNone) {
+ if (gDebugLevel >= DEBUG_WARNINGS) {
+ fprintf(stderr,
+ "GetOCSPResponseForType called with type ORTNone, "
+ "which makes no sense.\n");
+ }
+ return nullptr;
+ }
+
+ if (aORT == ORTEmpty) {
+ SECItemArray* arr = SECITEM_AllocArray(aArena.get(), nullptr, 1);
+ arr->items[0].data = nullptr;
+ arr->items[0].len = 0;
+ return arr;
+ }
+
+ time_t now = time(nullptr) + aThisUpdateSkew;
+ time_t oldNow = now - (8 * Time::ONE_DAY_IN_SECONDS);
+
+ mozilla::UniqueCERTCertificate cert(CERT_DupCertificate(aCert.get()));
+
+ if (aORT == ORTGoodOtherCert) {
+ cert.reset(PK11_FindCertFromNickname(aAdditionalCertName, nullptr));
+ if (!cert) {
+ PrintPRError("PK11_FindCertFromNickname failed");
+ return nullptr;
+ }
+ }
+ // XXX CERT_FindCertIssuer uses the old, deprecated path-building logic
+ mozilla::UniqueCERTCertificate issuerCert(
+ CERT_FindCertIssuer(aCert.get(), PR_Now(), certUsageSSLCA));
+ if (!issuerCert) {
+ PrintPRError("CERT_FindCertIssuer failed");
+ return nullptr;
+ }
+ Input issuer;
+ if (issuer.Init(cert->derIssuer.data, cert->derIssuer.len) != Success) {
+ return nullptr;
+ }
+ Input issuerPublicKey;
+ if (issuerPublicKey.Init(issuerCert->derPublicKey.data,
+ issuerCert->derPublicKey.len) != Success) {
+ return nullptr;
+ }
+ Input serialNumber;
+ if (serialNumber.Init(cert->serialNumber.data, cert->serialNumber.len) !=
+ Success) {
+ return nullptr;
+ }
+ CertID certID(issuer, issuerPublicKey, serialNumber);
+ OCSPResponseContext context(certID, now);
+
+ mozilla::UniqueCERTCertificate signerCert;
+ if (aORT == ORTGoodOtherCA || aORT == ORTDelegatedIncluded ||
+ aORT == ORTDelegatedIncludedLast || aORT == ORTDelegatedMissing ||
+ aORT == ORTDelegatedMissingMultiple) {
+ signerCert.reset(PK11_FindCertFromNickname(aAdditionalCertName, nullptr));
+ if (!signerCert) {
+ PrintPRError("PK11_FindCertFromNickname failed");
+ return nullptr;
+ }
+ }
+
+ ByteString certs[5];
+
+ if (aORT == ORTDelegatedIncluded) {
+ certs[0].assign(signerCert->derCert.data, signerCert->derCert.len);
+ context.certs = certs;
+ }
+ if (aORT == ORTDelegatedIncludedLast || aORT == ORTDelegatedMissingMultiple) {
+ certs[0].assign(issuerCert->derCert.data, issuerCert->derCert.len);
+ certs[1].assign(cert->derCert.data, cert->derCert.len);
+ certs[2].assign(issuerCert->derCert.data, issuerCert->derCert.len);
+ if (aORT != ORTDelegatedMissingMultiple) {
+ certs[3].assign(signerCert->derCert.data, signerCert->derCert.len);
+ }
+ context.certs = certs;
+ }
+
+ switch (aORT) {
+ case ORTMalformed:
+ context.responseStatus = 1;
+ break;
+ case ORTSrverr:
+ context.responseStatus = 2;
+ break;
+ case ORTTryLater:
+ context.responseStatus = 3;
+ break;
+ case ORTNeedsSig:
+ context.responseStatus = 5;
+ break;
+ case ORTUnauthorized:
+ context.responseStatus = 6;
+ break;
+ default:
+ // context.responseStatus is 0 in all other cases, and it has
+ // already been initialized in the constructor.
+ break;
+ }
+ if (aORT == ORTSkipResponseBytes) {
+ context.skipResponseBytes = true;
+ }
+ if (aORT == ORTExpired || aORT == ORTExpiredFreshCA ||
+ aORT == ORTRevokedOld || aORT == ORTUnknownOld) {
+ context.thisUpdate = oldNow;
+ context.nextUpdate = oldNow + Time::ONE_DAY_IN_SECONDS;
+ }
+ if (aORT == ORTLongValidityAlmostExpired) {
+ context.thisUpdate = now - (320 * Time::ONE_DAY_IN_SECONDS);
+ }
+ if (aORT == ORTAncientAlmostExpired) {
+ context.thisUpdate = now - (640 * Time::ONE_DAY_IN_SECONDS);
+ }
+ if (aORT == ORTRevoked || aORT == ORTRevokedOld) {
+ context.certStatus = 1;
+ }
+ if (aORT == ORTUnknown || aORT == ORTUnknownOld) {
+ context.certStatus = 2;
+ }
+ if (aORT == ORTBadSignature) {
+ context.badSignature = true;
+ }
+ OCSPResponseExtension extension;
+ if (aORT == ORTCriticalExtension || aORT == ORTNoncriticalExtension) {
+ // python DottedOIDToCode.py --tlv
+ // some-Mozilla-OID 1.3.6.1.4.1.13769.666.666.666.1.500.9.2
+ static const uint8_t tlv_some_Mozilla_OID[] = {
+ 0x06, 0x12, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xeb, 0x49, 0x85,
+ 0x1a, 0x85, 0x1a, 0x85, 0x1a, 0x01, 0x83, 0x74, 0x09, 0x02};
+
+ extension.id.assign(tlv_some_Mozilla_OID, sizeof(tlv_some_Mozilla_OID));
+ extension.critical = (aORT == ORTCriticalExtension);
+ extension.value.push_back(0x05); // tag: NULL
+ extension.value.push_back(0x00); // length: 0
+ extension.next = nullptr;
+ context.responseExtensions = &extension;
+ }
+ if (aORT == ORTEmptyExtensions) {
+ context.includeEmptyExtensions = true;
+ }
+
+ if (!signerCert) {
+ signerCert.reset(CERT_DupCertificate(issuerCert.get()));
+ }
+ context.signerKeyPair.reset(CreateTestKeyPairFromCert(signerCert));
+ if (!context.signerKeyPair) {
+ PrintPRError("PK11_FindKeyByAnyCert failed");
+ return nullptr;
+ }
+
+ ByteString response(CreateEncodedOCSPResponse(context));
+ if (ENCODING_FAILED(response)) {
+ PrintPRError("CreateEncodedOCSPResponse failed");
+ return nullptr;
+ }
+
+ SECItem item = {siBuffer, const_cast<uint8_t*>(response.data()),
+ static_cast<unsigned int>(response.length())};
+ SECItemArray arr = {&item, 1};
+ return SECITEM_DupArray(aArena.get(), &arr);
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h
new file mode 100644
index 0000000000..c72eae6a8e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h
@@ -0,0 +1,66 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// Implements generating OCSP responses of various types. Used by the
+// programs in tlsserver/cmd.
+
+#ifndef OCSPCommon_h
+#define OCSPCommon_h
+
+#include "ScopedNSSTypes.h"
+#include "certt.h"
+#include "seccomon.h"
+
+enum OCSPResponseType {
+ ORTNull = 0,
+ ORTGood, // the certificate is good
+ ORTRevoked, // the certificate has been revoked
+ ORTRevokedOld, // same, but the response is old
+ ORTUnknown, // the responder doesn't know if the cert is good
+ ORTUnknownOld, // same, but the response is old
+ ORTGoodOtherCert, // the response references a different certificate
+ ORTGoodOtherCA, // the wrong CA has signed the response
+ ORTExpired, // the signature on the response has expired
+ ORTExpiredFreshCA, // fresh signature, but old validity period
+ ORTNone, // no stapled response
+ ORTEmpty, // an empty stapled response
+ ORTMalformed, // the response from the responder was malformed
+ ORTSrverr, // the response indicates there was a server error
+ ORTTryLater, // the responder replied with "try again later"
+ ORTNeedsSig, // the response needs a signature
+ ORTUnauthorized, // the responder is not authorized for this certificate
+ ORTBadSignature, // the response has a signature that does not verify
+ ORTSkipResponseBytes, // the response does not include responseBytes
+ ORTCriticalExtension, // the response includes a critical extension
+ ORTNoncriticalExtension, // the response includes an extension that is not
+ // critical
+ ORTEmptyExtensions, // the response includes a SEQUENCE OF Extension that is
+ // empty
+ ORTDelegatedIncluded, // the response is signed by an included delegated
+ // responder
+ ORTDelegatedIncludedLast, // same, but multiple other certificates are
+ // included
+ ORTDelegatedMissing, // the response is signed by a not included delegated
+ // responder
+ ORTDelegatedMissingMultiple, // same, but multiple other certificates are
+ // included
+ ORTLongValidityAlmostExpired, // a good response, but that was generated a
+ // almost a year ago
+ ORTAncientAlmostExpired, // a good response, with a validity of almost two
+ // years almost expiring
+};
+
+struct OCSPHost {
+ const char* mHostName;
+ OCSPResponseType mORT;
+ const char* mAdditionalCertName; // useful for ORTGoodOtherCert, etc.
+ const char* mServerCertName;
+};
+
+SECItemArray* GetOCSPResponseForType(
+ OCSPResponseType aORT, const mozilla::UniqueCERTCertificate& aCert,
+ const mozilla::UniquePLArenaPool& aArena, const char* aAdditionalCertName,
+ time_t aThisUpdateSkew);
+
+#endif // OCSPCommon_h
diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp
new file mode 100644
index 0000000000..8eca895525
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp
@@ -0,0 +1,694 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "TLSServer.h"
+
+#include <stdio.h>
+#include <string>
+#include <thread>
+#include <vector>
+#include <fstream>
+#include <iostream>
+#ifdef XP_WIN
+# include <windows.h>
+#else
+# include <unistd.h>
+#endif
+
+#include <utility>
+
+#include "base64.h"
+#include "mozilla/Sprintf.h"
+#include "nspr.h"
+#include "nss.h"
+#include "plarenas.h"
+#include "prenv.h"
+#include "prerror.h"
+#include "prnetdb.h"
+#include "prtime.h"
+#include "ssl.h"
+#include "sslexp.h"
+#include "sslproto.h"
+
+namespace mozilla {
+namespace test {
+
+static const uint16_t LISTEN_PORT = 8443;
+
+SSLAntiReplayContext* antiReplay = nullptr;
+
+DebugLevel gDebugLevel = DEBUG_ERRORS;
+uint16_t gCallbackPort = 0;
+
+const std::string kPEMBegin = "-----BEGIN ";
+const std::string kPEMEnd = "-----END ";
+const char DEFAULT_CERT_NICKNAME[] = "default-ee";
+
+struct Connection {
+ PRFileDesc* mSocket;
+ char mByte;
+
+ explicit Connection(PRFileDesc* aSocket);
+ ~Connection();
+};
+
+Connection::Connection(PRFileDesc* aSocket) : mSocket(aSocket), mByte(0) {}
+
+Connection::~Connection() {
+ if (mSocket) {
+ PR_Close(mSocket);
+ }
+}
+
+void PrintPRError(const char* aPrefix) {
+ const char* err = PR_ErrorToName(PR_GetError());
+ if (err) {
+ if (gDebugLevel >= DEBUG_ERRORS) {
+ fprintf(stderr, "%s: %s\n", aPrefix, err);
+ }
+ } else {
+ if (gDebugLevel >= DEBUG_ERRORS) {
+ fprintf(stderr, "%s\n", aPrefix);
+ }
+ }
+}
+
+// This decodes a PEM file into `item`. The line endings need to be
+// UNIX-style, or there will be cross-platform issues.
+static bool DecodePEMFile(const std::string& filename, SECItem* item) {
+ std::ifstream in(filename);
+ if (in.bad()) {
+ return false;
+ }
+
+ char buf[1024];
+ in.getline(buf, sizeof(buf));
+ if (in.bad()) {
+ return false;
+ }
+
+ if (strncmp(buf, kPEMBegin.c_str(), kPEMBegin.size()) != 0) {
+ return false;
+ }
+
+ std::string value;
+ for (;;) {
+ in.getline(buf, sizeof(buf));
+ if (in.bad()) {
+ return false;
+ }
+
+ if (strncmp(buf, kPEMEnd.c_str(), kPEMEnd.size()) == 0) {
+ break;
+ }
+
+ value += buf;
+ }
+
+ unsigned int binLength;
+ UniquePORTString bin(BitwiseCast<char*, unsigned char*>(
+ ATOB_AsciiToData(value.c_str(), &binLength)));
+ if (!bin || binLength == 0) {
+ PrintPRError("ATOB_AsciiToData failed");
+ return false;
+ }
+
+ if (SECITEM_AllocItem(nullptr, item, binLength) == nullptr) {
+ return false;
+ }
+
+ PORT_Memcpy(item->data, bin.get(), binLength);
+ return true;
+}
+
+static SECStatus AddKeyFromFile(const std::string& path,
+ const std::string& filename) {
+ ScopedAutoSECItem item;
+
+ std::string file = path + "/" + filename;
+ if (!DecodePEMFile(file, &item)) {
+ return SECFailure;
+ }
+
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ if (!slot) {
+ PrintPRError("PK11_GetInternalKeySlot failed");
+ return SECFailure;
+ }
+
+ if (PK11_NeedUserInit(slot.get())) {
+ if (PK11_InitPin(slot.get(), nullptr, nullptr) != SECSuccess) {
+ PrintPRError("PK11_InitPin failed");
+ return SECFailure;
+ }
+ }
+
+ SECKEYPrivateKey* privateKey = nullptr;
+ SECItem nick = {siBuffer,
+ BitwiseCast<unsigned char*, const char*>(filename.data()),
+ static_cast<unsigned int>(filename.size())};
+ if (PK11_ImportDERPrivateKeyInfoAndReturnKey(
+ slot.get(), &item, &nick, nullptr, true, false, KU_ALL, &privateKey,
+ nullptr) != SECSuccess) {
+ PrintPRError("PK11_ImportDERPrivateKeyInfoAndReturnKey failed");
+ return SECFailure;
+ }
+
+ SECKEY_DestroyPrivateKey(privateKey);
+ return SECSuccess;
+}
+
+static SECStatus AddCertificateFromFile(const std::string& path,
+ const std::string& filename) {
+ ScopedAutoSECItem item;
+
+ std::string file = path + "/" + filename;
+ if (!DecodePEMFile(file, &item)) {
+ return SECFailure;
+ }
+
+ UniqueCERTCertificate cert(CERT_NewTempCertificate(
+ CERT_GetDefaultCertDB(), &item, nullptr, false, true));
+ if (!cert) {
+ PrintPRError("CERT_NewTempCertificate failed");
+ return SECFailure;
+ }
+
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ if (!slot) {
+ PrintPRError("PK11_GetInternalKeySlot failed");
+ return SECFailure;
+ }
+ // The nickname is the filename without '.pem'.
+ std::string nickname = filename.substr(0, filename.length() - 4);
+ SECStatus rv = PK11_ImportCert(slot.get(), cert.get(), CK_INVALID_HANDLE,
+ nickname.c_str(), false);
+ if (rv != SECSuccess) {
+ PrintPRError("PK11_ImportCert failed");
+ return rv;
+ }
+
+ return SECSuccess;
+}
+
+SECStatus LoadCertificatesAndKeys(const char* basePath) {
+ // The NSS cert DB path could have been specified as "sql:path". Trim off
+ // the leading "sql:" if so.
+ if (strncmp(basePath, "sql:", 4) == 0) {
+ basePath = basePath + 4;
+ }
+
+ UniquePRDir fdDir(PR_OpenDir(basePath));
+ if (!fdDir) {
+ PrintPRError("PR_OpenDir failed");
+ return SECFailure;
+ }
+ // On the B2G ICS emulator, operations taken in AddCertificateFromFile
+ // appear to interact poorly with readdir (more specifically, something is
+ // causing readdir to never return null - it indefinitely loops through every
+ // file in the directory, which causes timeouts). Rather than waste more time
+ // chasing this down, loading certificates and keys happens in two phases:
+ // filename collection and then loading. (This is probably a good
+ // idea anyway because readdir isn't reentrant. Something could change later
+ // such that it gets called as a result of calling AddCertificateFromFile or
+ // AddKeyFromFile.)
+ std::vector<std::string> certificates;
+ std::vector<std::string> keys;
+ for (PRDirEntry* dirEntry = PR_ReadDir(fdDir.get(), PR_SKIP_BOTH); dirEntry;
+ dirEntry = PR_ReadDir(fdDir.get(), PR_SKIP_BOTH)) {
+ size_t nameLength = strlen(dirEntry->name);
+ if (nameLength > 4) {
+ if (strncmp(dirEntry->name + nameLength - 4, ".pem", 4) == 0) {
+ certificates.push_back(dirEntry->name);
+ } else if (strncmp(dirEntry->name + nameLength - 4, ".key", 4) == 0) {
+ keys.push_back(dirEntry->name);
+ }
+ }
+ }
+ SECStatus rv;
+ for (std::string& certificate : certificates) {
+ rv = AddCertificateFromFile(basePath, certificate.c_str());
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ }
+ for (std::string& key : keys) {
+ rv = AddKeyFromFile(basePath, key.c_str());
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ }
+ return SECSuccess;
+}
+
+SECStatus InitializeNSS(const char* nssCertDBDir) {
+ // Try initializing an existing DB.
+ if (NSS_Init(nssCertDBDir) == SECSuccess) {
+ return SECSuccess;
+ }
+
+ // Create a new DB if there is none...
+ SECStatus rv = NSS_Initialize(nssCertDBDir, nullptr, nullptr, nullptr, 0);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+
+ // ...and load all certificates into it.
+ return LoadCertificatesAndKeys(nssCertDBDir);
+}
+
+nsresult SendAll(PRFileDesc* aSocket, const char* aData, size_t aDataLen) {
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "sending '%s'\n", aData);
+ }
+
+ while (aDataLen > 0) {
+ int32_t bytesSent =
+ PR_Send(aSocket, aData, aDataLen, 0, PR_INTERVAL_NO_TIMEOUT);
+ if (bytesSent == -1) {
+ PrintPRError("PR_Send failed");
+ return NS_ERROR_FAILURE;
+ }
+
+ aDataLen -= bytesSent;
+ aData += bytesSent;
+ }
+
+ return NS_OK;
+}
+
+nsresult ReplyToRequest(Connection* aConn) {
+ // For debugging purposes, SendAll can print out what it's sending.
+ // So, any strings we give to it to send need to be null-terminated.
+ char buf[2] = {aConn->mByte, 0};
+ return SendAll(aConn->mSocket, buf, 1);
+}
+
+nsresult SetupTLS(Connection* aConn, PRFileDesc* aModelSocket) {
+ PRFileDesc* sslSocket = SSL_ImportFD(aModelSocket, aConn->mSocket);
+ if (!sslSocket) {
+ PrintPRError("SSL_ImportFD failed");
+ return NS_ERROR_FAILURE;
+ }
+ aConn->mSocket = sslSocket;
+
+ /* anti-replay must be configured to accept 0RTT */
+ if (antiReplay) {
+ SECStatus rv = SSL_SetAntiReplayContext(sslSocket, antiReplay);
+ if (rv != SECSuccess) {
+ PrintPRError("error configuring anti-replay ");
+ return NS_ERROR_FAILURE;
+ }
+ }
+
+ SSL_OptionSet(sslSocket, SSL_SECURITY, true);
+ SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_CLIENT, false);
+ SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_SERVER, true);
+ // Unconditionally enabling 0RTT makes test_session_resumption.js fail
+ SSL_OptionSet(sslSocket, SSL_ENABLE_0RTT_DATA,
+ !!PR_GetEnv("MOZ_TLS_SERVER_0RTT"));
+
+ SSL_ResetHandshake(sslSocket, /* asServer */ 1);
+
+ return NS_OK;
+}
+
+nsresult ReadRequest(Connection* aConn) {
+ int32_t bytesRead =
+ PR_Recv(aConn->mSocket, &aConn->mByte, 1, 0, PR_INTERVAL_NO_TIMEOUT);
+ if (bytesRead < 0) {
+ PrintPRError("PR_Recv failed");
+ return NS_ERROR_FAILURE;
+ } else if (bytesRead == 0) {
+ PR_SetError(PR_IO_ERROR, 0);
+ PrintPRError("PR_Recv EOF in ReadRequest");
+ return NS_ERROR_FAILURE;
+ } else {
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "read '0x%hhx'\n", aConn->mByte);
+ }
+ }
+ return NS_OK;
+}
+
+void HandleConnection(PRFileDesc* aSocket,
+ const UniquePRFileDesc& aModelSocket) {
+ Connection conn(aSocket);
+ nsresult rv = SetupTLS(&conn, aModelSocket.get());
+ if (NS_FAILED(rv)) {
+ PR_SetError(PR_INVALID_STATE_ERROR, 0);
+ PrintPRError("PR_Recv failed");
+ exit(1);
+ }
+
+ // TODO: On tests that are expected to fail (e.g. due to a revoked
+ // certificate), the client will close the connection wtihout sending us the
+ // request byte. In those cases, we should keep going. But, in the cases
+ // where the connection is supposed to suceed, we should verify that we
+ // successfully receive the request and send the response.
+ rv = ReadRequest(&conn);
+ if (NS_SUCCEEDED(rv)) {
+ rv = ReplyToRequest(&conn);
+ }
+}
+
+// returns 0 on success, non-zero on error
+int DoCallback() {
+ UniquePRFileDesc socket(PR_NewTCPSocket());
+ if (!socket) {
+ PrintPRError("PR_NewTCPSocket failed");
+ return 1;
+ }
+
+ PRNetAddr addr;
+ PR_InitializeNetAddr(PR_IpAddrLoopback, gCallbackPort, &addr);
+ if (PR_Connect(socket.get(), &addr, PR_INTERVAL_NO_TIMEOUT) != PR_SUCCESS) {
+ PrintPRError("PR_Connect failed");
+ return 1;
+ }
+
+ const char* request = "GET / HTTP/1.0\r\n\r\n";
+ SendAll(socket.get(), request, strlen(request));
+ char buf[4096];
+ memset(buf, 0, sizeof(buf));
+ int32_t bytesRead =
+ PR_Recv(socket.get(), buf, sizeof(buf) - 1, 0, PR_INTERVAL_NO_TIMEOUT);
+ if (bytesRead < 0) {
+ PrintPRError("PR_Recv failed 1");
+ return 1;
+ }
+ if (bytesRead == 0) {
+ fprintf(stderr, "PR_Recv eof 1\n");
+ return 1;
+ }
+ fprintf(stderr, "%s\n", buf);
+ return 0;
+}
+
+SECStatus ConfigSecureServerWithNamedCert(
+ PRFileDesc* fd, const char* certName,
+ /*optional*/ UniqueCERTCertificate* certOut,
+ /*optional*/ SSLKEAType* keaOut,
+ /*optional*/ SSLExtraServerCertData* extraData) {
+ UniqueCERTCertificate cert(PK11_FindCertFromNickname(certName, nullptr));
+ if (!cert) {
+ PrintPRError("PK11_FindCertFromNickname failed");
+ return SECFailure;
+ }
+ // If an intermediate certificate issued the server certificate (rather than
+ // directly by a trust anchor), we want to send it along in the handshake so
+ // we don't encounter unknown issuer errors when that's not what we're
+ // testing.
+ UniqueCERTCertificateList certList;
+ UniqueCERTCertificate issuerCert(
+ CERT_FindCertByName(CERT_GetDefaultCertDB(), &cert->derIssuer));
+ // If we can't find the issuer cert, continue without it.
+ if (issuerCert) {
+ // Sadly, CERTCertificateList does not have a CERT_NewCertificateList
+ // utility function, so we must create it ourselves. This consists
+ // of creating an arena, allocating space for the CERTCertificateList,
+ // and then transferring ownership of the arena to that list.
+ UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
+ if (!arena) {
+ PrintPRError("PORT_NewArena failed");
+ return SECFailure;
+ }
+ certList.reset(static_cast<CERTCertificateList*>(
+ PORT_ArenaAlloc(arena.get(), sizeof(CERTCertificateList))));
+ if (!certList) {
+ PrintPRError("PORT_ArenaAlloc failed");
+ return SECFailure;
+ }
+ certList->arena = arena.release();
+ // We also have to manually copy the certificates we care about to the
+ // list, because there aren't any utility functions for that either.
+ certList->certs = static_cast<SECItem*>(
+ PORT_ArenaAlloc(certList->arena, 2 * sizeof(SECItem)));
+ if (SECITEM_CopyItem(certList->arena, certList->certs, &cert->derCert) !=
+ SECSuccess) {
+ PrintPRError("SECITEM_CopyItem failed");
+ return SECFailure;
+ }
+ if (SECITEM_CopyItem(certList->arena, certList->certs + 1,
+ &issuerCert->derCert) != SECSuccess) {
+ PrintPRError("SECITEM_CopyItem failed");
+ return SECFailure;
+ }
+ certList->len = 2;
+ }
+
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ if (!slot) {
+ PrintPRError("PK11_GetInternalKeySlot failed");
+ return SECFailure;
+ }
+ UniqueSECKEYPrivateKey key(
+ PK11_FindKeyByDERCert(slot.get(), cert.get(), nullptr));
+ if (!key) {
+ PrintPRError("PK11_FindKeyByDERCert failed");
+ return SECFailure;
+ }
+
+ if (extraData) {
+ SSLExtraServerCertData dataCopy = {ssl_auth_null, nullptr, nullptr,
+ nullptr, nullptr, nullptr};
+ memcpy(&dataCopy, extraData, sizeof(dataCopy));
+ dataCopy.certChain = certList.get();
+
+ if (SSL_ConfigServerCert(fd, cert.get(), key.get(), &dataCopy,
+ sizeof(dataCopy)) != SECSuccess) {
+ PrintPRError("SSL_ConfigServerCert failed");
+ return SECFailure;
+ }
+
+ } else {
+ // This is the deprecated setup mechanism, to be cleaned up in Bug 1569222
+ SSLKEAType certKEA = NSS_FindCertKEAType(cert.get());
+ if (SSL_ConfigSecureServerWithCertChain(fd, cert.get(), certList.get(),
+ key.get(), certKEA) != SECSuccess) {
+ PrintPRError("SSL_ConfigSecureServer failed");
+ return SECFailure;
+ }
+
+ if (keaOut) {
+ *keaOut = certKEA;
+ }
+ }
+
+ if (certOut) {
+ *certOut = std::move(cert);
+ }
+
+ SSL_OptionSet(fd, SSL_NO_CACHE, false);
+ SSL_OptionSet(fd, SSL_ENABLE_SESSION_TICKETS, true);
+ // Unconditionally enabling 0RTT makes test_session_resumption.js fail
+ SSL_OptionSet(fd, SSL_ENABLE_0RTT_DATA, !!PR_GetEnv("MOZ_TLS_SERVER_0RTT"));
+
+ return SECSuccess;
+}
+
+#ifdef XP_WIN
+using PidType = DWORD;
+constexpr bool IsValidPid(long long pid) {
+ // Excluding `(DWORD)-1` because it is not a valid process ID.
+ // See https://devblogs.microsoft.com/oldnewthing/20040223-00/?p=40503
+ return pid > 0 && pid < std::numeric_limits<PidType>::max();
+}
+#else
+using PidType = pid_t;
+constexpr bool IsValidPid(long long pid) {
+ return pid > 0 && pid <= std::numeric_limits<PidType>::max();
+}
+#endif
+
+PidType ConvertPid(const char* pidStr) {
+ long long pid = strtoll(pidStr, nullptr, 10);
+ if (!IsValidPid(pid)) {
+ return 0;
+ }
+ return static_cast<PidType>(pid);
+}
+
+int StartServer(int argc, char* argv[], SSLSNISocketConfig sniSocketConfig,
+ void* sniSocketConfigArg, ServerConfigFunc configFunc) {
+ if (argc != 3) {
+ fprintf(stderr, "usage: %s <NSS DB directory> <ppid>\n", argv[0]);
+ return 1;
+ }
+ const char* nssCertDBDir = argv[1];
+ PidType ppid = ConvertPid(argv[2]);
+
+ const char* debugLevel = PR_GetEnv("MOZ_TLS_SERVER_DEBUG_LEVEL");
+ if (debugLevel) {
+ int level = atoi(debugLevel);
+ switch (level) {
+ case DEBUG_ERRORS:
+ gDebugLevel = DEBUG_ERRORS;
+ break;
+ case DEBUG_WARNINGS:
+ gDebugLevel = DEBUG_WARNINGS;
+ break;
+ case DEBUG_VERBOSE:
+ gDebugLevel = DEBUG_VERBOSE;
+ break;
+ default:
+ PrintPRError("invalid MOZ_TLS_SERVER_DEBUG_LEVEL");
+ return 1;
+ }
+ }
+
+ const char* callbackPort = PR_GetEnv("MOZ_TLS_SERVER_CALLBACK_PORT");
+ if (callbackPort) {
+ gCallbackPort = atoi(callbackPort);
+ }
+
+ if (InitializeNSS(nssCertDBDir) != SECSuccess) {
+ PR_fprintf(PR_STDERR, "InitializeNSS failed");
+ return 1;
+ }
+
+ if (NSS_SetDomesticPolicy() != SECSuccess) {
+ PrintPRError("NSS_SetDomesticPolicy failed");
+ return 1;
+ }
+
+ if (SSL_ConfigServerSessionIDCache(0, 0, 0, nullptr) != SECSuccess) {
+ PrintPRError("SSL_ConfigServerSessionIDCache failed");
+ return 1;
+ }
+
+ UniquePRFileDesc serverSocket(PR_NewTCPSocket());
+ if (!serverSocket) {
+ PrintPRError("PR_NewTCPSocket failed");
+ return 1;
+ }
+
+ PRSocketOptionData socketOption;
+ socketOption.option = PR_SockOpt_Reuseaddr;
+ socketOption.value.reuse_addr = true;
+ PR_SetSocketOption(serverSocket.get(), &socketOption);
+
+ PRNetAddr serverAddr;
+ PR_InitializeNetAddr(PR_IpAddrLoopback, LISTEN_PORT, &serverAddr);
+ if (PR_Bind(serverSocket.get(), &serverAddr) != PR_SUCCESS) {
+ PrintPRError("PR_Bind failed");
+ return 1;
+ }
+
+ if (PR_Listen(serverSocket.get(), 1) != PR_SUCCESS) {
+ PrintPRError("PR_Listen failed");
+ return 1;
+ }
+
+ UniquePRFileDesc rawModelSocket(PR_NewTCPSocket());
+ if (!rawModelSocket) {
+ PrintPRError("PR_NewTCPSocket failed for rawModelSocket");
+ return 1;
+ }
+
+ UniquePRFileDesc modelSocket(SSL_ImportFD(nullptr, rawModelSocket.release()));
+ if (!modelSocket) {
+ PrintPRError("SSL_ImportFD of rawModelSocket failed");
+ return 1;
+ }
+
+ SSLVersionRange range = {0, 0};
+ if (SSL_VersionRangeGet(modelSocket.get(), &range) != SECSuccess) {
+ PrintPRError("SSL_VersionRangeGet failed");
+ return 1;
+ }
+
+ if (range.max < SSL_LIBRARY_VERSION_TLS_1_3) {
+ range.max = SSL_LIBRARY_VERSION_TLS_1_3;
+ if (SSL_VersionRangeSet(modelSocket.get(), &range) != SECSuccess) {
+ PrintPRError("SSL_VersionRangeSet failed");
+ return 1;
+ }
+ }
+
+ if (PR_GetEnv("MOZ_TLS_SERVER_0RTT")) {
+ if (SSL_CreateAntiReplayContext(PR_Now(), 1L * PR_USEC_PER_SEC, 7, 14,
+ &antiReplay) != SECSuccess) {
+ PrintPRError("Unable to create anti-replay context for 0-RTT.");
+ return 1;
+ }
+ }
+
+ if (SSL_SNISocketConfigHook(modelSocket.get(), sniSocketConfig,
+ sniSocketConfigArg) != SECSuccess) {
+ PrintPRError("SSL_SNISocketConfigHook failed");
+ return 1;
+ }
+
+ // We have to configure the server with a certificate, but it's not one
+ // we're actually going to end up using. In the SNI callback, we pick
+ // the right certificate for the connection.
+ //
+ // Provide an empty |extra_data| to force config via SSL_ConfigServerCert.
+ // This is a temporary mechanism to work around inconsistent setting of
+ // |authType| in the deprecated API (preventing the default cert from
+ // being removed in favor of the SNI-selected cert). This may be removed
+ // after Bug 1569222 removes the deprecated mechanism.
+ SSLExtraServerCertData extra_data = {ssl_auth_null, nullptr, nullptr,
+ nullptr, nullptr, nullptr};
+ if (ConfigSecureServerWithNamedCert(modelSocket.get(), DEFAULT_CERT_NICKNAME,
+ nullptr, nullptr,
+ &extra_data) != SECSuccess) {
+ return 1;
+ }
+
+ // Call back to implementation-defined configuration func, if provided.
+ if (configFunc) {
+ if (((configFunc)(modelSocket.get())) != SECSuccess) {
+ PrintPRError("configFunc failed");
+ return 1;
+ }
+ }
+
+ if (gCallbackPort != 0) {
+ if (DoCallback()) {
+ return 1;
+ }
+ }
+
+ std::thread([ppid] {
+ if (!ppid) {
+ if (gDebugLevel >= DEBUG_ERRORS) {
+ fprintf(stderr, "invalid ppid\n");
+ }
+ return;
+ }
+#ifdef XP_WIN
+ HANDLE parent = OpenProcess(SYNCHRONIZE, false, ppid);
+ if (!parent) {
+ if (gDebugLevel >= DEBUG_ERRORS) {
+ fprintf(stderr, "OpenProcess failed\n");
+ }
+ return;
+ }
+ WaitForSingleObject(parent, INFINITE);
+ CloseHandle(parent);
+#else
+ while (getppid() == ppid) {
+ sleep(1);
+ }
+#endif
+ if (gDebugLevel >= DEBUG_ERRORS) {
+ fprintf(stderr, "Parent process crashed\n");
+ }
+ exit(1);
+ }).detach();
+
+ while (true) {
+ PRNetAddr clientAddr;
+ PRFileDesc* clientSocket =
+ PR_Accept(serverSocket.get(), &clientAddr, PR_INTERVAL_NO_TIMEOUT);
+ HandleConnection(clientSocket, modelSocket);
+ }
+
+ return 0;
+}
+
+} // namespace test
+} // namespace mozilla
diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h
new file mode 100644
index 0000000000..3927b3e541
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h
@@ -0,0 +1,93 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef TLSServer_h
+#define TLSServer_h
+
+// This is a standalone server for testing SSL features of Gecko.
+// The client is expected to connect and initiate an SSL handshake (with SNI
+// to indicate which "server" to connect to). If all is good, the client then
+// sends one encrypted byte and receives that same byte back.
+// This server also has the ability to "call back" another process waiting on
+// it. That is, when the server is all set up and ready to receive connections,
+// it will connect to a specified port and issue a simple HTTP request.
+
+#include <stdint.h>
+
+#include "ScopedNSSTypes.h"
+#include "mozilla/Casting.h"
+#include "prio.h"
+#include "secerr.h"
+#include "ssl.h"
+
+namespace mozilla {
+
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePRDir, PRDir, PR_CloseDir);
+
+} // namespace mozilla
+
+namespace mozilla {
+namespace test {
+
+typedef SECStatus (*ServerConfigFunc)(PRFileDesc* fd);
+
+enum DebugLevel { DEBUG_ERRORS = 1, DEBUG_WARNINGS = 2, DEBUG_VERBOSE = 3 };
+
+extern DebugLevel gDebugLevel;
+
+void PrintPRError(const char* aPrefix);
+
+// The default certificate is trusted for localhost and *.example.com
+extern const char DEFAULT_CERT_NICKNAME[];
+
+// ConfigSecureServerWithNamedCert sets up the hostname name provided. If the
+// extraData parameter is presented, extraData->certChain will be automatically
+// filled in using database information.
+// Pass DEFAULT_CERT_NICKNAME as certName unless you need a specific
+// certificate.
+SECStatus ConfigSecureServerWithNamedCert(
+ PRFileDesc* fd, const char* certName,
+ /*optional*/ UniqueCERTCertificate* cert,
+ /*optional*/ SSLKEAType* kea,
+ /*optional*/ SSLExtraServerCertData* extraData);
+
+SECStatus InitializeNSS(const char* nssCertDBDir);
+
+// StartServer initializes NSS, sockets, the SNI callback, and a default
+// certificate. configFunc (optional) is a pointer to an implementation-
+// defined configuration function, which is called on the model socket
+// prior to handling any connections.
+int StartServer(int argc, char* argv[], SSLSNISocketConfig sniSocketConfig,
+ void* sniSocketConfigArg,
+ ServerConfigFunc configFunc = nullptr);
+
+template <typename Host>
+inline const Host* GetHostForSNI(const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize, const Host* hosts) {
+ for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
+ for (const Host* host = hosts; host->mHostName; ++host) {
+ SECItem hostName;
+ hostName.data = BitwiseCast<unsigned char*, const char*>(host->mHostName);
+ hostName.len = strlen(host->mHostName);
+ if (SECITEM_ItemsAreEqual(&hostName, &aSrvNameArr[i])) {
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+ }
+ return host;
+ }
+ }
+ }
+
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "could not find host info from SNI\n");
+ }
+
+ PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
+ return nullptr;
+}
+
+} // namespace test
+} // namespace mozilla
+
+#endif // TLSServer_h
diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/moz.build b/security/manager/ssl/tests/unit/tlsserver/lib/moz.build
new file mode 100644
index 0000000000..8420cbd87f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/moz.build
@@ -0,0 +1,50 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+UNIFIED_SOURCES += [
+ "OCSPCommon.cpp",
+ "TLSServer.cpp",
+]
+
+USE_LIBS += [
+ "mozpkix-testlib",
+]
+
+if not CONFIG["MOZ_SYSTEM_NSS"]:
+ # Bug 1805371: The FaultyServer binary added in Bug 1754746 needs to
+ # be statically linked against NSS, but the configuration here breaks
+ # builds with system NSS. A complete solution involves some changes
+ # to the NSS build system. For now we're disabling FaultyServer when
+ # using system NSS and linking the rest of the tests dynamically.
+ DEFINES["NSS_USE_STATIC_LIBS"] = True
+
+ USE_LIBS += [
+ "certdb",
+ "certhi",
+ "cryptohi",
+ "freebl",
+ "mozpkix",
+ "mozpkix-testlib",
+ "nspr",
+ "nss_static",
+ "nssb",
+ "nssdev",
+ "nsspki",
+ "pk11wrap",
+ "smime",
+ "softokn3",
+ "sqlite",
+ "ssl",
+ ]
+
+ if CONFIG["MOZ_FOLD_LIBS"]:
+ USE_LIBS += ["nssutil"]
+ else:
+ USE_LIBS += ["nssutil3"]
+
+Library("tlsserver")
+
+REQUIRES_UNIFIED_BUILD = True
diff --git a/security/manager/ssl/tests/unit/tlsserver/moz.build b/security/manager/ssl/tests/unit/tlsserver/moz.build
new file mode 100644
index 0000000000..1488352914
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/moz.build
@@ -0,0 +1,8 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# lib must be first, because cmd depends on its output
+DIRS += ["lib", "cmd"]
diff --git a/security/manager/ssl/tests/unit/xpcshell-smartcards.ini b/security/manager/ssl/tests/unit/xpcshell-smartcards.ini
new file mode 100644
index 0000000000..0a240f3e59
--- /dev/null
+++ b/security/manager/ssl/tests/unit/xpcshell-smartcards.ini
@@ -0,0 +1,17 @@
+[DEFAULT]
+head = head_psm.js
+tail =
+tags = psm
+skip-if = toolkit == 'android'
+support-files =
+
+[test_osclientcerts_module.js]
+skip-if =
+ os == "linux"
+ os == "android"
+[test_pkcs11_module.js]
+[test_pkcs11_moduleDB.js]
+[test_pkcs11_safe_mode.js]
+[test_pkcs11_slot.js]
+[test_pkcs11_token.js]
+[test_pkcs11_tokenDB.js]
diff --git a/security/manager/ssl/tests/unit/xpcshell.ini b/security/manager/ssl/tests/unit/xpcshell.ini
new file mode 100644
index 0000000000..1bf149cf35
--- /dev/null
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -0,0 +1,242 @@
+[DEFAULT]
+head = head_psm.js
+tags = psm condprof
+firefox-appdir = browser
+skip-if = os == 'win' && msix # https://bugzilla.mozilla.org/show_bug.cgi?id=1809477
+support-files =
+ corrupted_crlite_helper.js
+ bad_certs/**
+ ocsp_certs/**
+ test_baseline_requirements/**
+ test_broken_fips/**
+ test_cert_eku/**
+ test_cert_embedded_null/**
+ test_cert_isBuiltInRoot_reload/**
+ test_cert_keyUsage/**
+ test_cert_overrides_read_only/**
+ test_cert_sha1/**
+ test_cert_signatures/**
+ test_cert_storage_direct/**
+ test_cert_storage_preexisting/**
+ test_cert_storage_preexisting_crlite/**
+ test_cert_trust/**
+ test_cert_utf8/**
+ test_cert_version/**
+ test_certDB_import/**
+ test_content_signing/**
+ test_crlite_filters/**
+ test_crlite_preexisting/**
+ test_crlite_corrupted/**
+ test_ct/**
+ test_delegated_credentials/**
+ test_encrypted_client_hello/**
+ test_ev_certs/**
+ test_faulty_server/**
+ test_intermediate_basic_usage_constraints/**
+ test_intermediate_preloads/**
+ test_keysize/**
+ test_keysize_ev/**
+ test_missing_intermediate/**
+ test_name_constraints/**
+ test_ocsp_url/**
+ test_onecrl/**
+ test_sanctions/**
+ test_sdr_preexisting/**
+ test_sdr_preexisting_with_password/**
+ test_self_signed_certs/**
+ test_signed_apps/**
+ test_validity/**
+ tlsserver/**
+
+[test_add_preexisting_cert.js]
+[test_baseline_requirements_subject_common_name.js]
+[test_blocklist_onecrl.js]
+# Skip signature tests for Thunderbird (Bug 1341983).
+skip-if = appname == "thunderbird"
+tags = remote-settings blocklist psm
+[test_broken_fips.js]
+# FIPS has never been a thing on Android, so the workaround doesn't
+# exist on that platform.
+# FIPS still works on Linux, so this test doesn't make any sense there.
+# FIPS still works on Windows, but running the test to ensure that it does not
+# break with a non-ASCII profile path.
+skip-if = toolkit == 'android' || os == 'linux'
+[test_cert_storage.js]
+tags = addons psm blocklist
+[test_cert_storage_broken_db.js]
+[test_cert_storage_direct.js]
+[test_cert_storage_preexisting.js]
+[test_cert_storage_preexisting_crlite.js]
+# This test cannot succeed on 32-bit platforms. See bugs 1546361 and 1548956.
+skip-if = bits != 64
+[test_cert_chains.js]
+run-sequentially = hardcoded ports
+[test_cert_dbKey.js]
+[test_cert_eku.js]
+[test_cert_embedded_null.js]
+[test_cert_expiration_canary.js]
+run-if = nightly_build
+[test_cert_keyUsage.js]
+[test_cert_isBuiltInRoot.js]
+[test_cert_isBuiltInRoot_reload.js]
+[test_cert_overrides.js]
+run-sequentially = hardcoded ports
+[test_cert_overrides_read_only.js]
+run-sequentially = hardcoded ports
+[test_cert_override_read.js]
+[test_cert_sha1.js]
+[test_cert_signatures.js]
+[test_cert_trust.js]
+[test_cert_version.js]
+[test_cert_utf8.js]
+[test_certDB_export_pkcs12.js]
+[test_certDB_export_pkcs12_with_primary_password.js]
+[test_certDB_import.js]
+# nsCertificateDialogs not available in geckoview, bug 1554276
+skip-if = toolkit == 'android' && processor == 'x86_64'
+[test_certDB_import_pkcs12.js]
+[test_certDB_import_with_primary_password.js]
+# nsCertificateDialogs not available in geckoview, bug 1554276
+skip-if = toolkit == 'android' && processor == 'x86_64'
+[test_constructX509FromBase64.js]
+[test_content_signing.js]
+[test_crlite_filters.js]
+tags = remote-settings psm
+[test_crlite_preexisting.js]
+[test_crlite_filter_corrupted.js]
+[test_crlite_stash_corrupted.js]
+[test_crlite_enrollment_version.js]
+[test_crlite_enrollment_trunc1.js]
+[test_crlite_coverage_version.js]
+[test_crlite_coverage_trunc1.js]
+[test_crlite_coverage_trunc2.js]
+[test_crlite_coverage_trunc3.js]
+[test_crlite_coverage_missing.js]
+[test_ct.js]
+# Requires hard-coded debug-only data
+skip-if = !debug
+run-sequentially = hardcoded ports
+[test_db_format_pref_new.js]
+# Android always has and always will use the new format, so
+# this test doesn't apply.
+skip-if = toolkit == 'android'
+ condprof # Bug 1769154 - as designed
+[test_delegated_credentials.js]
+run-sequentially = hardcoded ports
+[test_encrypted_client_hello.js]
+run-sequentially = hardcoded ports
+[test_encrypted_client_hello_client_only.js]
+run-sequentially = hardcoded ports
+[test_der.js]
+[test_enterprise_roots.js]
+# This feature is implemented for Windows and OS X. However, we don't currently
+# have a way to test it on OS X.
+skip-if = os != 'win'
+[test_ev_certs.js]
+tags = blocklist psm
+run-sequentially = hardcoded ports
+[test_forget_about_site_security_headers.js]
+[test_hash_algorithms.js]
+[test_hash_algorithms_wrap.js]
+# bug 1124289 - run_test_in_child violates the sandbox on android
+skip-if = toolkit == 'android'
+[test_intermediate_basic_usage_constraints.js]
+[test_intermediate_preloads.js]
+run-sequentially = hardcoded ports
+tags = blocklist psm remote-settings
+[test_allow_all_cert_errors.js]
+run-sequentially = hardcoded ports
+[test_keysize.js]
+[test_keysize_ev.js]
+run-sequentially = hardcoded ports
+[test_logoutAndTeardown.js]
+skip-if = socketprocess_networking && os == "linux" && debug
+run-sequentially = hardcoded ports
+[test_missing_intermediate.js]
+run-sequentially = hardcoded ports
+[test_name_constraints.js]
+[test_nonascii_path.js]
+[test_nsCertType.js]
+run-sequentially = hardcoded ports
+[test_nsIX509Cert_utf8.js]
+[test_nsIX509CertValidity.js]
+[test_ocsp_caching.js]
+run-sequentially = hardcoded ports
+[test_ocsp_enabled_pref.js]
+run-sequentially = hardcoded ports
+[test_ocsp_must_staple.js]
+run-sequentially = hardcoded ports
+[test_ocsp_private_caching.js]
+run-sequentially = hardcoded ports
+skip-if = condprof # Bug 1769154 - should look into this
+[test_ocsp_no_hsts_upgrade.js]
+run-sequentially = hardcoded ports
+[test_ocsp_required.js]
+run-sequentially = hardcoded ports
+[test_ocsp_stapling.js]
+run-sequentially = hardcoded ports
+[test_ocsp_stapling_expired.js]
+run-sequentially = hardcoded ports
+[test_ocsp_stapling_with_intermediate.js]
+run-sequentially = hardcoded ports
+[test_ocsp_timeout.js]
+skip-if = (os == "win" && socketprocess_networking)
+run-sequentially = hardcoded ports
+[test_ocsp_url.js]
+run-sequentially = hardcoded ports
+[test_oskeystore.js]
+skip-if = apple_silicon # bug 1729538
+[test_osreauthenticator.js]
+# Reauthentication has been implemented on Windows and MacOS, so running this
+# test results in the OS popping up a dialog, which means we can't run it in
+# automation.
+skip-if = os == 'win' || os == 'mac'
+[test_password_prompt.js]
+[test_pinning.js]
+run-sequentially = hardcoded ports
+[test_sdr.js]
+[test_sdr_preexisting.js]
+# Not relevant to Android. See the comment in the test.
+skip-if = toolkit == 'android'
+[test_sdr_preexisting_with_password.js]
+# Not relevant to Android. See the comment in the test.
+skip-if = toolkit == 'android'
+[test_self_signed_certs.js]
+[test_session_resumption.js]
+skip-if =
+ os == "win" # Bug 1585916
+run-sequentially = hardcoded ports
+[test_signed_apps.js]
+skip-if = true # Bug 1815090 - permanent failure after test certificates expired, disable temporarily
+[test_ssl_status.js]
+run-sequentially = hardcoded ports
+[test_sss_enumerate.js]
+[test_sss_eviction.js]
+skip-if = condprof # Bug 1769154 - as designed
+[test_sss_originAttributes.js]
+[test_sss_readstate.js]
+skip-if = condprof # Bug 1769154 - as designed
+[test_sss_readstate_empty.js]
+skip-if = condprof # Bug 1769154 - as designed
+[test_sss_readstate_garbage.js]
+skip-if = condprof # Bug 1769154 - as designed
+[test_sss_readstate_huge.js]
+skip-if = condprof # Bug 1769154 - as designed
+[test_sss_resetState.js]
+[test_sss_savestate.js]
+skip-if = condprof # Bug 1769154 - as designed
+[test_sss_sanitizeOnShutdown.js]
+firefox-appdir = browser
+# Sanitization works differently on Android - this doesn't apply.
+# browser/modules/Sanitizer.jsm used by the test isn't available in Thunderbird.
+skip-if = toolkit == 'android' || appname == 'thunderbird'
+[test_sts_fqdn.js]
+[test_sts_ipv4_ipv6.js]
+[test_sts_parser.js]
+[test_sts_preloadlist_perwindowpb.js]
+[test_sts_preloadlist_selfdestruct.js]
+[test_sanctions_symantec_apple_google.js]
+run-sequentially = hardcoded ports
+[test_validity.js]
+run-sequentially = hardcoded ports
+[test_x509.js]