1154 files changed, 38668 insertions, 0 deletions

diff --git a/security/manager/ssl/tests/.eslintrc.js b/security/manager/ssl/tests/.eslintrc.js
new file mode 100644
index 0000000000..379eabb2d0
--- /dev/null
+++ b/security/manager/ssl/tests/.eslintrc.js
@@ -0,0 +1,8 @@
+"use strict";
+
+module.exports = {
+  rules: {
+    // Disallow non-top level |var| declarations.
+    "mozilla/var-only-at-top-level": "error",
+  },
+};
diff --git a/security/manager/ssl/tests/gtest/CertDBTest.cpp b/security/manager/ssl/tests/gtest/CertDBTest.cpp
new file mode 100644
index 0000000000..310b0226e1
--- /dev/null
+++ b/security/manager/ssl/tests/gtest/CertDBTest.cpp
@@ -0,0 +1,52 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "gtest/gtest.h"
+#include "nsCOMPtr.h"
+#include "nsIPrefService.h"
+#include "nsIX509Cert.h"
+#include "nsIX509CertDB.h"
+#include "nsServiceManagerUtils.h"
+
+TEST(psm_CertDB, Test)
+{
+  {
+    nsCOMPtr<nsIPrefBranch> prefs(do_GetService(NS_PREFSERVICE_CONTRACTID));
+    ASSERT_TRUE(prefs)
+    << "couldn't get nsIPrefBranch";
+
+    // When PSM initializes, it attempts to get some localized strings.
+    // As a result, Android flips out if this isn't set.
+    nsresult rv = prefs->SetBoolPref("intl.locale.matchOS", true);
+    ASSERT_TRUE(NS_SUCCEEDED(rv))
+    << "couldn't set pref 'intl.locale.matchOS'";
+
+    nsCOMPtr<nsIX509CertDB> certdb(do_GetService(NS_X509CERTDB_CONTRACTID));
+    ASSERT_TRUE(certdb)
+    << "couldn't get certdb";
+
+    nsTArray<RefPtr<nsIX509Cert>> certList;
+    rv = certdb->GetCerts(certList);
+    ASSERT_TRUE(NS_SUCCEEDED(rv))
+    << "couldn't get list of certificates";
+
+    bool foundBuiltIn = false;
+    for (const auto& cert : certList) {
+      ASSERT_TRUE(cert)
+      << "certlist shouldn't have null certificate";
+      ASSERT_TRUE(NS_SUCCEEDED(cert->GetIsBuiltInRoot(&foundBuiltIn)))
+      << "GetIsBuiltInRoot failed";
+      if (foundBuiltIn) {
+        break;
+      }
+    }
+
+    ASSERT_TRUE(foundBuiltIn)
+    << "didn't load any built-in certificates";
+
+    printf("successfully loaded at least one built-in certificate\n");
+
+  }  // this scopes the nsCOMPtrs
+}
diff --git a/security/manager/ssl/tests/gtest/CoseTest.cpp b/security/manager/ssl/tests/gtest/CoseTest.cpp
new file mode 100644
index 0000000000..2f05cad3a7
--- /dev/null
+++ b/security/manager/ssl/tests/gtest/CoseTest.cpp
@@ -0,0 +1,756 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "gtest/gtest.h"
+
+#include <assert.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <cstddef>
+#include <memory>
+
+#include <keyhi.h>
+#include <nss.h>
+#include <pk11pub.h>
+
+#include <pkcs11t.h>
+#include <secmodt.h>
+#include <cert.h>
+
+#include "ScopedNSSTypes.h"
+#include "cosec.h"
+
+namespace mozilla {
+
+// "This is the content."
+const uint8_t PAYLOAD[] = {84,  104, 105, 115, 32,  105, 115, 32,  116, 104,
+                           101, 32,  99,  111, 110, 116, 101, 110, 116, 46};
+
+// This is a COSE signature generated with the cose rust library (see
+// third-party/rust/cose). The payload is signed with the P256 key from
+// pykey.py.
+const uint8_t SIGNATURE[] = {
+    0xd8, 0x62, 0x84, 0x59, 0x02, 0xa3, 0xa1, 0x04, 0x82, 0x59, 0x01, 0x4e,
+    0x30, 0x82, 0x01, 0x4a, 0x30, 0x81, 0xf1, 0xa0, 0x03, 0x02, 0x01, 0x02,
+    0x02, 0x14, 0x5f, 0x3f, 0xae, 0x90, 0x49, 0x30, 0x2f, 0x33, 0x6e, 0x95,
+    0x23, 0xa7, 0xcb, 0x23, 0xd7, 0x65, 0x4f, 0xea, 0x3c, 0xf7, 0x30, 0x0a,
+    0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x14,
+    0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72,
+    0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f,
+    0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30,
+    0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33,
+    0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x14, 0x31, 0x12,
+    0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, 0x6f, 0x6f,
+    0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07,
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48,
+    0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb,
+    0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04,
+    0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c,
+    0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36,
+    0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90,
+    0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6,
+    0xc0, 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13,
+    0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55,
+    0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08,
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30,
+    0x45, 0x02, 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13, 0x11, 0x50, 0xcd, 0x5d,
+    0x8a, 0xde, 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91, 0xff, 0xb2, 0x73, 0x75,
+    0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, 0x70, 0xe6, 0x02,
+    0x21, 0x00, 0xc2, 0xe4, 0xc1, 0xa8, 0xe2, 0x89, 0xdc, 0xa1, 0xbb, 0xe7,
+    0xd5, 0x4f, 0x5c, 0x88, 0xad, 0xeb, 0xa4, 0x78, 0xa1, 0x19, 0xbe, 0x22,
+    0x54, 0xc8, 0x9f, 0xef, 0xb8, 0x5d, 0xa2, 0x40, 0xd9, 0x8b, 0x59, 0x01,
+    0x4c, 0x30, 0x82, 0x01, 0x48, 0x30, 0x81, 0xf0, 0xa0, 0x03, 0x02, 0x01,
+    0x02, 0x02, 0x14, 0x43, 0x63, 0x59, 0xad, 0x04, 0x34, 0x56, 0x80, 0x43,
+    0xec, 0x90, 0x6a, 0xd4, 0x10, 0x64, 0x7c, 0x7f, 0x38, 0x32, 0xe2, 0x30,
+    0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30,
+    0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09,
+    0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18,
+    0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30,
+    0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32,
+    0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x13, 0x31,
+    0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x69, 0x6e,
+    0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07,
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48,
+    0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb,
+    0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04,
+    0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c,
+    0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36,
+    0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90,
+    0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6,
+    0xc0, 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13,
+    0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55,
+    0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08,
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30,
+    0x44, 0x02, 0x20, 0x63, 0x59, 0x02, 0x01, 0x89, 0xd7, 0x3e, 0x5b, 0xff,
+    0xd1, 0x16, 0x4e, 0xe3, 0xe2, 0x0a, 0xe0, 0x4a, 0xd8, 0x75, 0xaf, 0x77,
+    0x5c, 0x93, 0x60, 0xba, 0x10, 0x1f, 0x97, 0xdd, 0x27, 0x2d, 0x24, 0x02,
+    0x20, 0x3d, 0x87, 0x0f, 0xac, 0x22, 0x4d, 0x16, 0xd9, 0xa1, 0x95, 0xbb,
+    0x56, 0xe0, 0x21, 0x05, 0x93, 0xd1, 0x07, 0xb5, 0x25, 0x3b, 0xf4, 0x57,
+    0x20, 0x87, 0x13, 0xa2, 0xf7, 0x78, 0x15, 0x30, 0xa7, 0xa0, 0xf6, 0x81,
+    0x83, 0x59, 0x01, 0x33, 0xa2, 0x01, 0x26, 0x04, 0x59, 0x01, 0x2c, 0x30,
+    0x82, 0x01, 0x28, 0x30, 0x81, 0xcf, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02,
+    0x14, 0x2f, 0xc3, 0x5f, 0x05, 0x80, 0xb4, 0x49, 0x45, 0x13, 0x92, 0xd6,
+    0x93, 0xb7, 0x2d, 0x71, 0x19, 0xc5, 0x8c, 0x40, 0x39, 0x30, 0x0a, 0x06,
+    0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x13, 0x31,
+    0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x69, 0x6e,
+    0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f, 0x32, 0x30,
+    0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
+    0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, 0x31, 0x30,
+    0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31, 0x10, 0x30, 0x0e,
+    0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x65, 0x65, 0x2d, 0x70, 0x32,
+    0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce,
+    0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01,
+    0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, 0xbb, 0x61, 0xe0, 0xf8,
+    0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04, 0xe2, 0xec, 0x05, 0x0b,
+    0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c, 0x4f, 0x79, 0x4b, 0x45,
+    0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36, 0xc4, 0x11, 0x9d, 0x07,
+    0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90, 0xd7, 0x99, 0x1b, 0x7b,
+    0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6, 0xc0, 0x30, 0x0a, 0x06,
+    0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00,
+    0x30, 0x45, 0x02, 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13, 0x11, 0x50, 0xcd,
+    0x5d, 0x8a, 0xde, 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91, 0xff, 0xb2, 0x73,
+    0x75, 0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, 0x70, 0xe6,
+    0x02, 0x21, 0x00, 0xff, 0x81, 0xbe, 0xa8, 0x0d, 0x03, 0x36, 0x6b, 0x75,
+    0xe2, 0x70, 0x6a, 0xac, 0x07, 0x2e, 0x4c, 0xdc, 0xf9, 0xc5, 0x89, 0xc1,
+    0xcf, 0x88, 0xc2, 0xc8, 0x2a, 0x32, 0xf5, 0x42, 0x0c, 0xfa, 0x0b, 0xa0,
+    0x58, 0x40, 0x1e, 0x6e, 0x08, 0xdf, 0x8f, 0x4f, 0xd6, 0xab, 0x23, 0xae,
+    0x84, 0xaa, 0xf3, 0x43, 0x35, 0x9a, 0x53, 0xb9, 0x8b, 0xf9, 0x81, 0xa1,
+    0xbc, 0x1e, 0x5c, 0x57, 0x5c, 0x0a, 0x20, 0x37, 0xf4, 0x3d, 0x11, 0x08,
+    0xa0, 0x97, 0x4b, 0x68, 0xa4, 0x0f, 0x80, 0xe9, 0x96, 0x30, 0x04, 0x24,
+    0x0e, 0x81, 0x3d, 0x2a, 0x8a, 0x64, 0x40, 0x61, 0x5a, 0x19, 0x00, 0xff,
+    0x74, 0x40, 0x71, 0x82, 0x65, 0xe9};
+
+// This is a COSE signature generated with the cose rust library (see
+// third-party/rust/cose). The payload is signed twice; with the P256 and the
+// RSA key from pykey.py.
+const uint8_t SIGNATURE_ES256_PS256[] = {
+    0xd8, 0x62, 0x84, 0x59, 0x08, 0x52, 0xa1, 0x04, 0x84, 0x59, 0x01, 0x4e,
+    0x30, 0x82, 0x01, 0x4a, 0x30, 0x81, 0xf1, 0xa0, 0x03, 0x02, 0x01, 0x02,
+    0x02, 0x14, 0x5f, 0x3f, 0xae, 0x90, 0x49, 0x30, 0x2f, 0x33, 0x6e, 0x95,
+    0x23, 0xa7, 0xcb, 0x23, 0xd7, 0x65, 0x4f, 0xea, 0x3c, 0xf7, 0x30, 0x0a,
+    0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x14,
+    0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72,
+    0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f,
+    0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30,
+    0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33,
+    0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x14, 0x31, 0x12,
+    0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, 0x6f, 0x6f,
+    0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07,
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48,
+    0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb,
+    0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04,
+    0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c,
+    0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36,
+    0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90,
+    0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6,
+    0xc0, 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13,
+    0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55,
+    0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08,
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30,
+    0x45, 0x02, 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13, 0x11, 0x50, 0xcd, 0x5d,
+    0x8a, 0xde, 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91, 0xff, 0xb2, 0x73, 0x75,
+    0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, 0x70, 0xe6, 0x02,
+    0x21, 0x00, 0xc2, 0xe4, 0xc1, 0xa8, 0xe2, 0x89, 0xdc, 0xa1, 0xbb, 0xe7,
+    0xd5, 0x4f, 0x5c, 0x88, 0xad, 0xeb, 0xa4, 0x78, 0xa1, 0x19, 0xbe, 0x22,
+    0x54, 0xc8, 0x9f, 0xef, 0xb8, 0x5d, 0xa2, 0x40, 0xd9, 0x8b, 0x59, 0x01,
+    0x4c, 0x30, 0x82, 0x01, 0x48, 0x30, 0x81, 0xf0, 0xa0, 0x03, 0x02, 0x01,
+    0x02, 0x02, 0x14, 0x43, 0x63, 0x59, 0xad, 0x04, 0x34, 0x56, 0x80, 0x43,
+    0xec, 0x90, 0x6a, 0xd4, 0x10, 0x64, 0x7c, 0x7f, 0x38, 0x32, 0xe2, 0x30,
+    0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30,
+    0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09,
+    0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18,
+    0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30,
+    0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32,
+    0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x13, 0x31,
+    0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x69, 0x6e,
+    0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07,
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48,
+    0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb,
+    0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04,
+    0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c,
+    0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36,
+    0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90,
+    0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6,
+    0xc0, 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13,
+    0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55,
+    0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08,
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30,
+    0x44, 0x02, 0x20, 0x63, 0x59, 0x02, 0x01, 0x89, 0xd7, 0x3e, 0x5b, 0xff,
+    0xd1, 0x16, 0x4e, 0xe3, 0xe2, 0x0a, 0xe0, 0x4a, 0xd8, 0x75, 0xaf, 0x77,
+    0x5c, 0x93, 0x60, 0xba, 0x10, 0x1f, 0x97, 0xdd, 0x27, 0x2d, 0x24, 0x02,
+    0x20, 0x3d, 0x87, 0x0f, 0xac, 0x22, 0x4d, 0x16, 0xd9, 0xa1, 0x95, 0xbb,
+    0x56, 0xe0, 0x21, 0x05, 0x93, 0xd1, 0x07, 0xb5, 0x25, 0x3b, 0xf4, 0x57,
+    0x20, 0x87, 0x13, 0xa2, 0xf7, 0x78, 0x15, 0x30, 0xa7, 0x59, 0x02, 0xd5,
+    0x30, 0x82, 0x02, 0xd1, 0x30, 0x82, 0x01, 0xbb, 0xa0, 0x03, 0x02, 0x01,
+    0x02, 0x02, 0x14, 0x29, 0x6c, 0x1a, 0xd8, 0x20, 0xcd, 0x74, 0x6d, 0x4b,
+    0x00, 0xf3, 0x16, 0x88, 0xd9, 0x66, 0x87, 0x5f, 0x28, 0x56, 0x6a, 0x30,
+    0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
+    0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
+    0x08, 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18,
+    0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30,
+    0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32,
+    0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x13, 0x31,
+    0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x72, 0x6f,
+    0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d,
+    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
+    0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82,
+    0x01, 0x01, 0x00, 0xba, 0x88, 0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41,
+    0xfd, 0x6e, 0xb6, 0x88, 0x06, 0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea,
+    0xe4, 0x35, 0x4a, 0xb4, 0xec, 0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1,
+    0xc7, 0x25, 0xa8, 0xe0, 0xd8, 0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e,
+    0x1a, 0x86, 0xf2, 0x6b, 0xe2, 0xaf, 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71,
+    0x08, 0x7a, 0xa5, 0x5a, 0xa7, 0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c,
+    0x02, 0x7e, 0xcd, 0x43, 0xfc, 0x1e, 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93,
+    0xab, 0x20, 0xc3, 0x49, 0xe4, 0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e,
+    0xed, 0x15, 0x82, 0x0f, 0xf1, 0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02,
+    0x3a, 0x8b, 0x2a, 0x41, 0xee, 0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd,
+    0x66, 0x0b, 0x2b, 0xb0, 0x24, 0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79,
+    0x90, 0xb1, 0x57, 0x90, 0x3d, 0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f,
+    0xa8, 0x37, 0xd3, 0x88, 0x43, 0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66,
+    0x5a, 0xaa, 0x7e, 0x02, 0x90, 0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24,
+    0xcc, 0x1c, 0x6c, 0x97, 0xad, 0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12,
+    0xc0, 0x75, 0x31, 0xa3, 0x0c, 0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad,
+    0x1d, 0x25, 0xd3, 0x09, 0xef, 0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3,
+    0x7b, 0x2f, 0x22, 0x6f, 0x69, 0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee,
+    0x26, 0xd6, 0x25, 0x9d, 0xab, 0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24,
+    0x04, 0x2c, 0xbf, 0x16, 0x8b, 0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31,
+    0xb8, 0xb3, 0xfe, 0x49, 0x23, 0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03,
+    0xac, 0xda, 0x18, 0x0a, 0x35, 0xed, 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01,
+    0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04,
+    0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d,
+    0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0b, 0x06, 0x09, 0x2a,
+    0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01,
+    0x00, 0x23, 0x2f, 0x9f, 0x72, 0xeb, 0x70, 0x6d, 0x9e, 0x3e, 0x9f, 0xd7,
+    0x9c, 0xd9, 0x19, 0x7c, 0x99, 0x07, 0xc5, 0x5c, 0x9d, 0xf5, 0x66, 0x9f,
+    0x28, 0x8d, 0xfe, 0x0e, 0x3f, 0x38, 0x75, 0xed, 0xee, 0x4e, 0x3f, 0xf6,
+    0x6e, 0x35, 0xe0, 0x95, 0x3f, 0x08, 0x4a, 0x71, 0x5a, 0xf2, 0x4f, 0xc9,
+    0x96, 0x61, 0x8d, 0x45, 0x4b, 0x97, 0x85, 0xff, 0xb0, 0xe3, 0xbb, 0xb5,
+    0xd7, 0x7e, 0xfb, 0xd2, 0xfc, 0xec, 0xfe, 0x42, 0x9f, 0x4e, 0x7b, 0xbf,
+    0x97, 0xbb, 0xb4, 0x3a, 0x93, 0x0b, 0x13, 0x61, 0x90, 0x0c, 0x3a, 0xce,
+    0xf7, 0x8e, 0xef, 0x80, 0xf5, 0x4a, 0x92, 0xc5, 0xa5, 0x03, 0x78, 0xc2,
+    0xee, 0xb8, 0x66, 0x60, 0x6b, 0x76, 0x4f, 0x32, 0x5a, 0x1a, 0xa2, 0x4b,
+    0x7e, 0x2b, 0xa6, 0x1a, 0x89, 0x01, 0xe3, 0xbb, 0x55, 0x13, 0x7c, 0x4c,
+    0xf4, 0x6a, 0x99, 0x94, 0xd1, 0xa0, 0x84, 0x1c, 0x1a, 0xc2, 0x7b, 0xb4,
+    0xa0, 0xb0, 0x3b, 0xdc, 0x5a, 0x7b, 0xc7, 0xe0, 0x44, 0xb2, 0x1f, 0x46,
+    0xd5, 0x8b, 0x39, 0x8b, 0xdc, 0x9e, 0xce, 0xa8, 0x7f, 0x85, 0x1d, 0x4b,
+    0x63, 0x06, 0x1e, 0x8e, 0xe5, 0xe5, 0x99, 0xd9, 0xf7, 0x4d, 0x89, 0x0b,
+    0x1d, 0x5c, 0x27, 0x33, 0x66, 0x21, 0xcf, 0x9a, 0xbd, 0x98, 0x68, 0x23,
+    0x3a, 0x66, 0x9d, 0xd4, 0x46, 0xed, 0x63, 0x58, 0xf3, 0x42, 0xe4, 0x1d,
+    0xe2, 0x47, 0x65, 0x13, 0x8d, 0xd4, 0x1f, 0x4b, 0x7e, 0xde, 0x11, 0x56,
+    0xf8, 0x6d, 0x01, 0x0c, 0x99, 0xbd, 0x8d, 0xca, 0x8a, 0x2e, 0xe3, 0x8a,
+    0x9c, 0x3d, 0x83, 0x8d, 0x69, 0x62, 0x8d, 0x05, 0xea, 0xb7, 0xf5, 0xa3,
+    0x4b, 0xfc, 0x96, 0xcf, 0x18, 0x21, 0x0a, 0xc7, 0xf3, 0x23, 0x7e, 0x1c,
+    0xab, 0xe2, 0xa2, 0xd1, 0x83, 0xc4, 0x25, 0x93, 0x37, 0x80, 0xca, 0xda,
+    0xf0, 0xef, 0x7d, 0x94, 0xb5, 0x59, 0x02, 0xd4, 0x30, 0x82, 0x02, 0xd0,
+    0x30, 0x82, 0x01, 0xba, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x14, 0x07,
+    0x10, 0xaf, 0xc4, 0x1a, 0x3a, 0x56, 0x4f, 0xd8, 0xc2, 0xcc, 0x46, 0xd7,
+    0x5b, 0xdf, 0x1c, 0x4e, 0x2f, 0x49, 0x3a, 0x30, 0x0b, 0x06, 0x09, 0x2a,
+    0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x30, 0x13, 0x31, 0x11,
+    0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x72, 0x6f, 0x6f,
+    0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18, 0x0f, 0x32, 0x30, 0x31,
+    0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a,
+    0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, 0x31, 0x30, 0x30,
+    0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31, 0x10, 0x30, 0x0e, 0x06,
+    0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x69, 0x6e, 0x74, 0x2d, 0x72, 0x73,
+    0x61, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
+    0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
+    0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xba, 0x88,
+    0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41, 0xfd, 0x6e, 0xb6, 0x88, 0x06,
+    0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea, 0xe4, 0x35, 0x4a, 0xb4, 0xec,
+    0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1, 0xc7, 0x25, 0xa8, 0xe0, 0xd8,
+    0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e, 0x1a, 0x86, 0xf2, 0x6b, 0xe2,
+    0xaf, 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71, 0x08, 0x7a, 0xa5, 0x5a, 0xa7,
+    0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c, 0x02, 0x7e, 0xcd, 0x43, 0xfc,
+    0x1e, 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93, 0xab, 0x20, 0xc3, 0x49, 0xe4,
+    0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e, 0xed, 0x15, 0x82, 0x0f, 0xf1,
+    0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02, 0x3a, 0x8b, 0x2a, 0x41, 0xee,
+    0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd, 0x66, 0x0b, 0x2b, 0xb0, 0x24,
+    0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79, 0x90, 0xb1, 0x57, 0x90, 0x3d,
+    0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f, 0xa8, 0x37, 0xd3, 0x88, 0x43,
+    0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66, 0x5a, 0xaa, 0x7e, 0x02, 0x90,
+    0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24, 0xcc, 0x1c, 0x6c, 0x97, 0xad,
+    0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12, 0xc0, 0x75, 0x31, 0xa3, 0x0c,
+    0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad, 0x1d, 0x25, 0xd3, 0x09, 0xef,
+    0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3, 0x7b, 0x2f, 0x22, 0x6f, 0x69,
+    0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee, 0x26, 0xd6, 0x25, 0x9d, 0xab,
+    0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24, 0x04, 0x2c, 0xbf, 0x16, 0x8b,
+    0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31, 0xb8, 0xb3, 0xfe, 0x49, 0x23,
+    0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03, 0xac, 0xda, 0x18, 0x0a, 0x35,
+    0xed, 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x1d, 0x30, 0x1b, 0x30,
+    0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01,
+    0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
+    0x01, 0x06, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+    0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x5e, 0xba, 0x69, 0x55,
+    0x9f, 0xf8, 0xeb, 0x16, 0x21, 0x98, 0xde, 0xb7, 0x31, 0x3e, 0x66, 0xe1,
+    0x3b, 0x0c, 0x29, 0xf7, 0x48, 0x73, 0x05, 0xd9, 0xce, 0x5e, 0x4c, 0xbe,
+    0x03, 0xc4, 0x51, 0xd6, 0x21, 0x92, 0x40, 0x38, 0xaa, 0x5b, 0x28, 0xb5,
+    0xa1, 0x10, 0x52, 0x57, 0xff, 0x91, 0x54, 0x82, 0x86, 0x9e, 0x74, 0xd5,
+    0x3d, 0x82, 0x29, 0xee, 0xd1, 0xcf, 0x93, 0xb1, 0x24, 0x76, 0xbb, 0x95,
+    0x41, 0x06, 0x7e, 0x40, 0x9b, 0xb4, 0xab, 0x44, 0x34, 0x10, 0x8f, 0xb1,
+    0x51, 0x6f, 0xc0, 0x89, 0xd1, 0xa3, 0xc4, 0x9f, 0xb3, 0x48, 0xe1, 0xcd,
+    0x73, 0xad, 0xff, 0x42, 0x5f, 0x76, 0x05, 0x60, 0xc5, 0xe0, 0x45, 0x79,
+    0x18, 0xa1, 0x19, 0xb8, 0xa7, 0x3a, 0x64, 0xb3, 0x19, 0xba, 0x14, 0xa1,
+    0xb5, 0xdc, 0x32, 0xec, 0x09, 0x39, 0x58, 0x54, 0x5b, 0x04, 0xdc, 0x1b,
+    0x66, 0x0d, 0x1d, 0x0d, 0xce, 0x7f, 0xfa, 0x24, 0x52, 0x6a, 0xad, 0xe2,
+    0xc8, 0x30, 0xaf, 0xf2, 0xaf, 0x63, 0xc5, 0xe2, 0xbf, 0xe2, 0x20, 0x1b,
+    0x9e, 0xf9, 0x3d, 0xbc, 0xfb, 0x04, 0x8e, 0xda, 0x7a, 0x1a, 0x5d, 0xd3,
+    0x13, 0xd7, 0x00, 0x8e, 0x9b, 0x5d, 0x85, 0x51, 0xda, 0xd3, 0x91, 0x25,
+    0xf5, 0x67, 0x85, 0x3e, 0x25, 0x89, 0x5e, 0xcb, 0x89, 0x8a, 0xec, 0x8a,
+    0xde, 0x8b, 0xf4, 0x33, 0x5f, 0x76, 0xdb, 0x3d, 0xfc, 0x6a, 0x05, 0x21,
+    0x43, 0xb2, 0x41, 0xd8, 0x33, 0x8d, 0xfd, 0x05, 0x5c, 0x22, 0x0a, 0xf6,
+    0x90, 0x65, 0x9c, 0x4f, 0x8c, 0x44, 0x9f, 0x2d, 0xca, 0xf3, 0x49, 0x9c,
+    0x3a, 0x14, 0x88, 0xab, 0xe4, 0xce, 0xb7, 0xbc, 0x95, 0x22, 0x2e, 0xb1,
+    0x82, 0x4c, 0xbf, 0x83, 0x3e, 0x49, 0x72, 0x03, 0x2a, 0x68, 0xe7, 0x2d,
+    0xe5, 0x2d, 0x4b, 0x61, 0xb0, 0x8d, 0x0d, 0x0c, 0x87, 0xc6, 0x5c, 0x51,
+    0xa0, 0xf6, 0x82, 0x83, 0x59, 0x01, 0x33, 0xa2, 0x01, 0x26, 0x04, 0x59,
+    0x01, 0x2c, 0x30, 0x82, 0x01, 0x28, 0x30, 0x81, 0xcf, 0xa0, 0x03, 0x02,
+    0x01, 0x02, 0x02, 0x14, 0x2f, 0xc3, 0x5f, 0x05, 0x80, 0xb4, 0x49, 0x45,
+    0x13, 0x92, 0xd6, 0x93, 0xb7, 0x2d, 0x71, 0x19, 0xc5, 0x8c, 0x40, 0x39,
+    0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02,
+    0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
+    0x08, 0x69, 0x6e, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18,
+    0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30,
+    0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32,
+    0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31,
+    0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x65, 0x65,
+    0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a,
+    0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,
+    0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, 0xbb,
+    0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04, 0xe2,
+    0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c, 0x4f,
+    0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36, 0xc4,
+    0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90, 0xd7,
+    0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6, 0xc0,
+    0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02,
+    0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13,
+    0x11, 0x50, 0xcd, 0x5d, 0x8a, 0xde, 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91,
+    0xff, 0xb2, 0x73, 0x75, 0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80,
+    0x0a, 0x70, 0xe6, 0x02, 0x21, 0x00, 0xff, 0x81, 0xbe, 0xa8, 0x0d, 0x03,
+    0x36, 0x6b, 0x75, 0xe2, 0x70, 0x6a, 0xac, 0x07, 0x2e, 0x4c, 0xdc, 0xf9,
+    0xc5, 0x89, 0xc1, 0xcf, 0x88, 0xc2, 0xc8, 0x2a, 0x32, 0xf5, 0x42, 0x0c,
+    0xfa, 0x0b, 0xa0, 0x58, 0x40, 0xa3, 0xfb, 0x49, 0xe6, 0x45, 0x29, 0x64,
+    0x76, 0xeb, 0x9d, 0xbd, 0xf5, 0x38, 0x56, 0xbe, 0x6e, 0x31, 0x57, 0x73,
+    0xc1, 0x2d, 0x3e, 0xac, 0xee, 0xba, 0x55, 0x8e, 0x37, 0xd4, 0xea, 0x80,
+    0x25, 0x31, 0x99, 0x9f, 0x4a, 0xb0, 0xf9, 0xd8, 0xb0, 0xed, 0x74, 0xfc,
+    0x8c, 0x02, 0xf0, 0x9f, 0x95, 0xf1, 0xaa, 0x71, 0xcc, 0xd2, 0xe7, 0x1a,
+    0x6d, 0xd4, 0xed, 0xff, 0xf2, 0x78, 0x09, 0x83, 0x7e, 0x83, 0x59, 0x02,
+    0xbb, 0xa2, 0x01, 0x38, 0x24, 0x04, 0x59, 0x02, 0xb3, 0x30, 0x82, 0x02,
+    0xaf, 0x30, 0x82, 0x01, 0x99, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x14,
+    0x07, 0x1c, 0x3b, 0x71, 0x08, 0xbe, 0xd7, 0x9f, 0xfd, 0xaf, 0x26, 0xb6,
+    0x08, 0xa3, 0x99, 0x06, 0x77, 0x69, 0x32, 0x7e, 0x30, 0x0b, 0x06, 0x09,
+    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x30, 0x12, 0x31,
+    0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x69, 0x6e,
+    0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18, 0x0f, 0x32, 0x30, 0x31,
+    0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a,
+    0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, 0x31, 0x30, 0x30,
+    0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x11, 0x31, 0x0f, 0x30, 0x0d, 0x06,
+    0x03, 0x55, 0x04, 0x03, 0x0c, 0x06, 0x65, 0x65, 0x2d, 0x72, 0x73, 0x61,
+    0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
+    0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00,
+    0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xba, 0x88, 0x51,
+    0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41, 0xfd, 0x6e, 0xb6, 0x88, 0x06, 0x36,
+    0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea, 0xe4, 0x35, 0x4a, 0xb4, 0xec, 0xf5,
+    0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1, 0xc7, 0x25, 0xa8, 0xe0, 0xd8, 0x1f,
+    0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e, 0x1a, 0x86, 0xf2, 0x6b, 0xe2, 0xaf,
+    0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71, 0x08, 0x7a, 0xa5, 0x5a, 0xa7, 0x45,
+    0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c, 0x02, 0x7e, 0xcd, 0x43, 0xfc, 0x1e,
+    0x69, 0xd0, 0x38, 0x20, 0x29, 0x93, 0xab, 0x20, 0xc3, 0x49, 0xe4, 0xdb,
+    0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e, 0xed, 0x15, 0x82, 0x0f, 0xf1, 0x7e,
+    0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02, 0x3a, 0x8b, 0x2a, 0x41, 0xee, 0xa7,
+    0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd, 0x66, 0x0b, 0x2b, 0xb0, 0x24, 0x92,
+    0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79, 0x90, 0xb1, 0x57, 0x90, 0x3d, 0xd2,
+    0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f, 0xa8, 0x37, 0xd3, 0x88, 0x43, 0xef,
+    0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66, 0x5a, 0xaa, 0x7e, 0x02, 0x90, 0x2f,
+    0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24, 0xcc, 0x1c, 0x6c, 0x97, 0xad, 0x96,
+    0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12, 0xc0, 0x75, 0x31, 0xa3, 0x0c, 0x91,
+    0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad, 0x1d, 0x25, 0xd3, 0x09, 0xef, 0xb9,
+    0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3, 0x7b, 0x2f, 0x22, 0x6f, 0x69, 0xe3,
+    0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee, 0x26, 0xd6, 0x25, 0x9d, 0xab, 0x91,
+    0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24, 0x04, 0x2c, 0xbf, 0x16, 0x8b, 0x2f,
+    0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31, 0xb8, 0xb3, 0xfe, 0x49, 0x23, 0xfa,
+    0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03, 0xac, 0xda, 0x18, 0x0a, 0x35, 0xed,
+    0x8d, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86,
+    0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00,
+    0x44, 0x92, 0xbb, 0x8e, 0x83, 0x58, 0x56, 0x2e, 0x7a, 0x86, 0xfa, 0x1d,
+    0x77, 0x50, 0x3f, 0x45, 0x8d, 0x90, 0xc4, 0x62, 0x27, 0x21, 0x96, 0x5a,
+    0xef, 0x51, 0x78, 0xd7, 0x7d, 0x0d, 0x02, 0x2d, 0x5a, 0x0e, 0x3c, 0x82,
+    0x6f, 0x1d, 0x92, 0x87, 0xd5, 0x1a, 0x44, 0xae, 0xa7, 0x92, 0xd1, 0x8b,
+    0xfa, 0x16, 0x53, 0x7f, 0xa3, 0x22, 0x96, 0x1a, 0x51, 0x8c, 0xeb, 0xa1,
+    0xe6, 0xf6, 0x37, 0x11, 0xfe, 0x7d, 0x53, 0x3f, 0xae, 0xf0, 0x6b, 0xb9,
+    0xb1, 0x7a, 0x73, 0x07, 0x14, 0xcf, 0x04, 0x05, 0x93, 0x9e, 0xe3, 0xd2,
+    0x4d, 0x9d, 0x6d, 0x35, 0x68, 0xf9, 0x36, 0xe5, 0x10, 0x0a, 0x36, 0xd9,
+    0x48, 0xb0, 0x83, 0xd0, 0xb9, 0x58, 0x74, 0x53, 0xb3, 0xbc, 0x99, 0xab,
+    0xe1, 0x3e, 0xd5, 0x01, 0x8e, 0xcf, 0x3a, 0x69, 0x93, 0x9e, 0xa7, 0x88,
+    0xd4, 0xad, 0x95, 0xf9, 0x2a, 0xb4, 0x7f, 0x95, 0x97, 0x86, 0x50, 0x38,
+    0xb1, 0x04, 0x0a, 0xe4, 0x7a, 0xd5, 0x2d, 0x6c, 0xde, 0x3e, 0x1a, 0x47,
+    0x17, 0x88, 0x63, 0x20, 0x9d, 0x21, 0x3e, 0x0c, 0x6f, 0xfd, 0x20, 0x54,
+    0xd0, 0x67, 0xd2, 0x6b, 0x06, 0xfe, 0x60, 0x13, 0x42, 0x3d, 0xb7, 0xca,
+    0xcb, 0xab, 0x7b, 0x5f, 0x5d, 0x01, 0x56, 0xd3, 0x99, 0x80, 0x0f, 0xde,
+    0x7f, 0x3a, 0x61, 0x9c, 0xd3, 0x6b, 0x5e, 0xfe, 0xb5, 0xfc, 0x39, 0x8b,
+    0x8e, 0xf0, 0x8c, 0x8b, 0x65, 0x46, 0x45, 0xff, 0x47, 0x8f, 0xd4, 0xdd,
+    0xae, 0xc9, 0x72, 0xc7, 0x7f, 0x28, 0x86, 0xf1, 0xf7, 0x6e, 0xcb, 0x86,
+    0x03, 0xeb, 0x0c, 0x46, 0xe5, 0xa0, 0x6b, 0xef, 0xd4, 0x5e, 0xa4, 0x0f,
+    0x53, 0xe1, 0xbc, 0xb4, 0xc9, 0x37, 0x0e, 0x75, 0xdd, 0x93, 0xe8, 0x0f,
+    0x18, 0x0a, 0x02, 0x83, 0x17, 0x74, 0xbb, 0x1a, 0x42, 0x5b, 0x63, 0x2c,
+    0x80, 0x80, 0xa6, 0x84, 0xa0, 0x59, 0x01, 0x00, 0x51, 0xf4, 0xe6, 0x1c,
+    0x18, 0x7b, 0x28, 0xa0, 0x1f, 0x63, 0xbf, 0xa5, 0xbd, 0x89, 0x9f, 0xd9,
+    0x30, 0x46, 0x4b, 0x34, 0x9b, 0x9d, 0x0f, 0xb0, 0x33, 0x11, 0xf8, 0xaa,
+    0x84, 0x4e, 0xb2, 0xca, 0x29, 0x83, 0x54, 0x28, 0x99, 0x2a, 0x43, 0x7f,
+    0xe0, 0xe6, 0xd8, 0xdc, 0xd7, 0xf4, 0xb3, 0xd7, 0xf7, 0x39, 0xd5, 0xdc,
+    0xde, 0xdc, 0x23, 0x78, 0xd7, 0x90, 0xc0, 0x52, 0xf5, 0xd2, 0x14, 0x6f,
+    0xf9, 0x24, 0x48, 0xc8, 0x75, 0x4a, 0x9a, 0x4c, 0x61, 0x2f, 0x96, 0x4e,
+    0xc8, 0x02, 0x95, 0x72, 0xef, 0xbc, 0x91, 0xae, 0xf8, 0x23, 0xfb, 0xba,
+    0x9f, 0xfd, 0xe0, 0x1a, 0x8e, 0xa9, 0x03, 0x16, 0x76, 0xf4, 0xdb, 0x81,
+    0x5a, 0x69, 0xeb, 0xf5, 0x55, 0xd7, 0x68, 0x28, 0xe4, 0xce, 0xde, 0x1b,
+    0xb4, 0x90, 0xac, 0x97, 0x07, 0x15, 0xe0, 0xce, 0x5f, 0x3f, 0x89, 0xaf,
+    0xc1, 0xb8, 0x46, 0x5e, 0x87, 0xa1, 0x8d, 0xa7, 0x44, 0x09, 0x02, 0x4e,
+    0xbe, 0x6b, 0xfb, 0xab, 0xeb, 0x19, 0x62, 0x9e, 0xb0, 0xef, 0x0a, 0x6b,
+    0xcf, 0xe0, 0x00, 0xa9, 0x68, 0x2a, 0x8e, 0xfe, 0x8a, 0xb9, 0x57, 0x52,
+    0xb3, 0x08, 0x80, 0x5e, 0xa6, 0x88, 0x5f, 0x31, 0xd1, 0xe9, 0x6d, 0xf7,
+    0x54, 0x4e, 0xf8, 0x17, 0xb0, 0x1c, 0xca, 0xa6, 0xa6, 0x80, 0xf8, 0xd8,
+    0xf5, 0x94, 0xa4, 0xb2, 0xd0, 0x7e, 0xbb, 0x4f, 0xdb, 0x3a, 0x91, 0x5f,
+    0xb3, 0xc1, 0xfa, 0x60, 0xe4, 0xce, 0xe3, 0xe5, 0x14, 0x1f, 0x9c, 0x01,
+    0x60, 0xff, 0xe2, 0x09, 0xe6, 0x1a, 0x82, 0x69, 0xb6, 0xeb, 0x52, 0x1e,
+    0x3d, 0xc7, 0xfd, 0x69, 0x9d, 0x2a, 0xa5, 0xdb, 0xc1, 0x6a, 0x5a, 0x7d,
+    0x23, 0x2a, 0x00, 0xe4, 0x53, 0x16, 0x8e, 0xc1, 0x56, 0xf5, 0x5a, 0x8d,
+    0x59, 0x1f, 0x7f, 0xff, 0x77, 0x6f, 0x92, 0xea, 0x5d, 0x31, 0xe9, 0x18};
+
+// The RSA intermediate certificate that issued the EE cert used in the
+// signature above. The certificate was generated with pycert.py
+const uint8_t RSA_INT[] = {
+    0x30, 0x82, 0x02, 0xd0, 0x30, 0x82, 0x01, 0xba, 0xa0, 0x03, 0x02, 0x01,
+    0x02, 0x02, 0x14, 0x07, 0x10, 0xaf, 0xc4, 0x1a, 0x3a, 0x56, 0x4f, 0xd8,
+    0xc2, 0xcc, 0x46, 0xd7, 0x5b, 0xdf, 0x1c, 0x4e, 0x2f, 0x49, 0x3a, 0x30,
+    0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
+    0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
+    0x08, 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18,
+    0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30,
+    0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32,
+    0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31,
+    0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x69, 0x6e,
+    0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06,
+    0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
+    0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,
+    0x01, 0x00, 0xba, 0x88, 0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41, 0xfd,
+    0x6e, 0xb6, 0x88, 0x06, 0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea, 0xe4,
+    0x35, 0x4a, 0xb4, 0xec, 0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1, 0xc7,
+    0x25, 0xa8, 0xe0, 0xd8, 0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e, 0x1a,
+    0x86, 0xf2, 0x6b, 0xe2, 0xaf, 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71, 0x08,
+    0x7a, 0xa5, 0x5a, 0xa7, 0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c, 0x02,
+    0x7e, 0xcd, 0x43, 0xfc, 0x1e, 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93, 0xab,
+    0x20, 0xc3, 0x49, 0xe4, 0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e, 0xed,
+    0x15, 0x82, 0x0f, 0xf1, 0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02, 0x3a,
+    0x8b, 0x2a, 0x41, 0xee, 0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd, 0x66,
+    0x0b, 0x2b, 0xb0, 0x24, 0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79, 0x90,
+    0xb1, 0x57, 0x90, 0x3d, 0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f, 0xa8,
+    0x37, 0xd3, 0x88, 0x43, 0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66, 0x5a,
+    0xaa, 0x7e, 0x02, 0x90, 0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24, 0xcc,
+    0x1c, 0x6c, 0x97, 0xad, 0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12, 0xc0,
+    0x75, 0x31, 0xa3, 0x0c, 0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad, 0x1d,
+    0x25, 0xd3, 0x09, 0xef, 0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3, 0x7b,
+    0x2f, 0x22, 0x6f, 0x69, 0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee, 0x26,
+    0xd6, 0x25, 0x9d, 0xab, 0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24, 0x04,
+    0x2c, 0xbf, 0x16, 0x8b, 0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31, 0xb8,
+    0xb3, 0xfe, 0x49, 0x23, 0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03, 0xac,
+    0xda, 0x18, 0x0a, 0x35, 0xed, 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,
+    0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05,
+    0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f,
+    0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86,
+    0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00,
+    0x5e, 0xba, 0x69, 0x55, 0x9f, 0xf8, 0xeb, 0x16, 0x21, 0x98, 0xde, 0xb7,
+    0x31, 0x3e, 0x66, 0xe1, 0x3b, 0x0c, 0x29, 0xf7, 0x48, 0x73, 0x05, 0xd9,
+    0xce, 0x5e, 0x4c, 0xbe, 0x03, 0xc4, 0x51, 0xd6, 0x21, 0x92, 0x40, 0x38,
+    0xaa, 0x5b, 0x28, 0xb5, 0xa1, 0x10, 0x52, 0x57, 0xff, 0x91, 0x54, 0x82,
+    0x86, 0x9e, 0x74, 0xd5, 0x3d, 0x82, 0x29, 0xee, 0xd1, 0xcf, 0x93, 0xb1,
+    0x24, 0x76, 0xbb, 0x95, 0x41, 0x06, 0x7e, 0x40, 0x9b, 0xb4, 0xab, 0x44,
+    0x34, 0x10, 0x8f, 0xb1, 0x51, 0x6f, 0xc0, 0x89, 0xd1, 0xa3, 0xc4, 0x9f,
+    0xb3, 0x48, 0xe1, 0xcd, 0x73, 0xad, 0xff, 0x42, 0x5f, 0x76, 0x05, 0x60,
+    0xc5, 0xe0, 0x45, 0x79, 0x18, 0xa1, 0x19, 0xb8, 0xa7, 0x3a, 0x64, 0xb3,
+    0x19, 0xba, 0x14, 0xa1, 0xb5, 0xdc, 0x32, 0xec, 0x09, 0x39, 0x58, 0x54,
+    0x5b, 0x04, 0xdc, 0x1b, 0x66, 0x0d, 0x1d, 0x0d, 0xce, 0x7f, 0xfa, 0x24,
+    0x52, 0x6a, 0xad, 0xe2, 0xc8, 0x30, 0xaf, 0xf2, 0xaf, 0x63, 0xc5, 0xe2,
+    0xbf, 0xe2, 0x20, 0x1b, 0x9e, 0xf9, 0x3d, 0xbc, 0xfb, 0x04, 0x8e, 0xda,
+    0x7a, 0x1a, 0x5d, 0xd3, 0x13, 0xd7, 0x00, 0x8e, 0x9b, 0x5d, 0x85, 0x51,
+    0xda, 0xd3, 0x91, 0x25, 0xf5, 0x67, 0x85, 0x3e, 0x25, 0x89, 0x5e, 0xcb,
+    0x89, 0x8a, 0xec, 0x8a, 0xde, 0x8b, 0xf4, 0x33, 0x5f, 0x76, 0xdb, 0x3d,
+    0xfc, 0x6a, 0x05, 0x21, 0x43, 0xb2, 0x41, 0xd8, 0x33, 0x8d, 0xfd, 0x05,
+    0x5c, 0x22, 0x0a, 0xf6, 0x90, 0x65, 0x9c, 0x4f, 0x8c, 0x44, 0x9f, 0x2d,
+    0xca, 0xf3, 0x49, 0x9c, 0x3a, 0x14, 0x88, 0xab, 0xe4, 0xce, 0xb7, 0xbc,
+    0x95, 0x22, 0x2e, 0xb1, 0x82, 0x4c, 0xbf, 0x83, 0x3e, 0x49, 0x72, 0x03,
+    0x2a, 0x68, 0xe7, 0x2d, 0xe5, 0x2d, 0x4b, 0x61, 0xb0, 0x8d, 0x0d, 0x0c,
+    0x87, 0xc6, 0x5c, 0x51};
+
+// The RSA root certificate that issued the RSA intermediate certificate above.
+// The certificate was generated with pycert.py
+const uint8_t RSA_ROOT[] = {
+    0x30, 0x82, 0x02, 0xd1, 0x30, 0x82, 0x01, 0xbb, 0xa0, 0x03, 0x02, 0x01,
+    0x02, 0x02, 0x14, 0x29, 0x6c, 0x1a, 0xd8, 0x20, 0xcd, 0x74, 0x6d, 0x4b,
+    0x00, 0xf3, 0x16, 0x88, 0xd9, 0x66, 0x87, 0x5f, 0x28, 0x56, 0x6a, 0x30,
+    0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
+    0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
+    0x08, 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18,
+    0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30,
+    0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32,
+    0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x13, 0x31,
+    0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x72, 0x6f,
+    0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d,
+    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
+    0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82,
+    0x01, 0x01, 0x00, 0xba, 0x88, 0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41,
+    0xfd, 0x6e, 0xb6, 0x88, 0x06, 0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea,
+    0xe4, 0x35, 0x4a, 0xb4, 0xec, 0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1,
+    0xc7, 0x25, 0xa8, 0xe0, 0xd8, 0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e,
+    0x1a, 0x86, 0xf2, 0x6b, 0xe2, 0xaf, 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71,
+    0x08, 0x7a, 0xa5, 0x5a, 0xa7, 0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c,
+    0x02, 0x7e, 0xcd, 0x43, 0xfc, 0x1e, 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93,
+    0xab, 0x20, 0xc3, 0x49, 0xe4, 0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e,
+    0xed, 0x15, 0x82, 0x0f, 0xf1, 0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02,
+    0x3a, 0x8b, 0x2a, 0x41, 0xee, 0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd,
+    0x66, 0x0b, 0x2b, 0xb0, 0x24, 0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79,
+    0x90, 0xb1, 0x57, 0x90, 0x3d, 0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f,
+    0xa8, 0x37, 0xd3, 0x88, 0x43, 0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66,
+    0x5a, 0xaa, 0x7e, 0x02, 0x90, 0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24,
+    0xcc, 0x1c, 0x6c, 0x97, 0xad, 0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12,
+    0xc0, 0x75, 0x31, 0xa3, 0x0c, 0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad,
+    0x1d, 0x25, 0xd3, 0x09, 0xef, 0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3,
+    0x7b, 0x2f, 0x22, 0x6f, 0x69, 0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee,
+    0x26, 0xd6, 0x25, 0x9d, 0xab, 0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24,
+    0x04, 0x2c, 0xbf, 0x16, 0x8b, 0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31,
+    0xb8, 0xb3, 0xfe, 0x49, 0x23, 0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03,
+    0xac, 0xda, 0x18, 0x0a, 0x35, 0xed, 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01,
+    0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04,
+    0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d,
+    0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0b, 0x06, 0x09, 0x2a,
+    0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01,
+    0x00, 0x23, 0x2f, 0x9f, 0x72, 0xeb, 0x70, 0x6d, 0x9e, 0x3e, 0x9f, 0xd7,
+    0x9c, 0xd9, 0x19, 0x7c, 0x99, 0x07, 0xc5, 0x5c, 0x9d, 0xf5, 0x66, 0x9f,
+    0x28, 0x8d, 0xfe, 0x0e, 0x3f, 0x38, 0x75, 0xed, 0xee, 0x4e, 0x3f, 0xf6,
+    0x6e, 0x35, 0xe0, 0x95, 0x3f, 0x08, 0x4a, 0x71, 0x5a, 0xf2, 0x4f, 0xc9,
+    0x96, 0x61, 0x8d, 0x45, 0x4b, 0x97, 0x85, 0xff, 0xb0, 0xe3, 0xbb, 0xb5,
+    0xd7, 0x7e, 0xfb, 0xd2, 0xfc, 0xec, 0xfe, 0x42, 0x9f, 0x4e, 0x7b, 0xbf,
+    0x97, 0xbb, 0xb4, 0x3a, 0x93, 0x0b, 0x13, 0x61, 0x90, 0x0c, 0x3a, 0xce,
+    0xf7, 0x8e, 0xef, 0x80, 0xf5, 0x4a, 0x92, 0xc5, 0xa5, 0x03, 0x78, 0xc2,
+    0xee, 0xb8, 0x66, 0x60, 0x6b, 0x76, 0x4f, 0x32, 0x5a, 0x1a, 0xa2, 0x4b,
+    0x7e, 0x2b, 0xa6, 0x1a, 0x89, 0x01, 0xe3, 0xbb, 0x55, 0x13, 0x7c, 0x4c,
+    0xf4, 0x6a, 0x99, 0x94, 0xd1, 0xa0, 0x84, 0x1c, 0x1a, 0xc2, 0x7b, 0xb4,
+    0xa0, 0xb0, 0x3b, 0xdc, 0x5a, 0x7b, 0xc7, 0xe0, 0x44, 0xb2, 0x1f, 0x46,
+    0xd5, 0x8b, 0x39, 0x8b, 0xdc, 0x9e, 0xce, 0xa8, 0x7f, 0x85, 0x1d, 0x4b,
+    0x63, 0x06, 0x1e, 0x8e, 0xe5, 0xe5, 0x99, 0xd9, 0xf7, 0x4d, 0x89, 0x0b,
+    0x1d, 0x5c, 0x27, 0x33, 0x66, 0x21, 0xcf, 0x9a, 0xbd, 0x98, 0x68, 0x23,
+    0x3a, 0x66, 0x9d, 0xd4, 0x46, 0xed, 0x63, 0x58, 0xf3, 0x42, 0xe4, 0x1d,
+    0xe2, 0x47, 0x65, 0x13, 0x8d, 0xd4, 0x1f, 0x4b, 0x7e, 0xde, 0x11, 0x56,
+    0xf8, 0x6d, 0x01, 0x0c, 0x99, 0xbd, 0x8d, 0xca, 0x8a, 0x2e, 0xe3, 0x8a,
+    0x9c, 0x3d, 0x83, 0x8d, 0x69, 0x62, 0x8d, 0x05, 0xea, 0xb7, 0xf5, 0xa3,
+    0x4b, 0xfc, 0x96, 0xcf, 0x18, 0x21, 0x0a, 0xc7, 0xf3, 0x23, 0x7e, 0x1c,
+    0xab, 0xe2, 0xa2, 0xd1, 0x83, 0xc4, 0x25, 0x93, 0x37, 0x80, 0xca, 0xda,
+    0xf0, 0xef, 0x7d, 0x94, 0xb5};
+
+// The P256 intermediate certificate that issued the EE cert used in the
+// signatures above. The certificate was generated with pycert.py
+const uint8_t P256_INT[] = {
+    0x30, 0x82, 0x01, 0x48, 0x30, 0x81, 0xf0, 0xa0, 0x03, 0x02, 0x01, 0x02,
+    0x02, 0x14, 0x43, 0x63, 0x59, 0xad, 0x04, 0x34, 0x56, 0x80, 0x43, 0xec,
+    0x90, 0x6a, 0xd4, 0x10, 0x64, 0x7c, 0x7f, 0x38, 0x32, 0xe2, 0x30, 0x0a,
+    0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x14,
+    0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72,
+    0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f,
+    0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30,
+    0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33,
+    0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x13, 0x31, 0x11,
+    0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x69, 0x6e, 0x74,
+    0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a,
+    0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,
+    0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, 0xbb,
+    0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04, 0xe2,
+    0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c, 0x4f,
+    0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36, 0xc4,
+    0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90, 0xd7,
+    0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6, 0xc0,
+    0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04,
+    0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d,
+    0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08, 0x2a,
+    0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30, 0x44,
+    0x02, 0x20, 0x63, 0x59, 0x02, 0x01, 0x89, 0xd7, 0x3e, 0x5b, 0xff, 0xd1,
+    0x16, 0x4e, 0xe3, 0xe2, 0x0a, 0xe0, 0x4a, 0xd8, 0x75, 0xaf, 0x77, 0x5c,
+    0x93, 0x60, 0xba, 0x10, 0x1f, 0x97, 0xdd, 0x27, 0x2d, 0x24, 0x02, 0x20,
+    0x3d, 0x87, 0x0f, 0xac, 0x22, 0x4d, 0x16, 0xd9, 0xa1, 0x95, 0xbb, 0x56,
+    0xe0, 0x21, 0x05, 0x93, 0xd1, 0x07, 0xb5, 0x25, 0x3b, 0xf4, 0x57, 0x20,
+    0x87, 0x13, 0xa2, 0xf7, 0x78, 0x15, 0x30, 0xa7};
+
+// The P256 root certificate that issued the P256 intermediate certificate
+// above. The certificate was generated with pycert.py
+const uint8_t P256_ROOT[] = {
+    0x30, 0x82, 0x01, 0x4a, 0x30, 0x81, 0xf1, 0xa0, 0x03, 0x02, 0x01, 0x02,
+    0x02, 0x14, 0x5f, 0x3f, 0xae, 0x90, 0x49, 0x30, 0x2f, 0x33, 0x6e, 0x95,
+    0x23, 0xa7, 0xcb, 0x23, 0xd7, 0x65, 0x4f, 0xea, 0x3c, 0xf7, 0x30, 0x0a,
+    0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x14,
+    0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72,
+    0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f,
+    0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30,
+    0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33,
+    0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x14, 0x31, 0x12,
+    0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, 0x6f, 0x6f,
+    0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07,
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48,
+    0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb,
+    0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04,
+    0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c,
+    0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36,
+    0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90,
+    0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6,
+    0xc0, 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13,
+    0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55,
+    0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08,
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30,
+    0x45, 0x02, 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13, 0x11, 0x50, 0xcd, 0x5d,
+    0x8a, 0xde, 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91, 0xff, 0xb2, 0x73, 0x75,
+    0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, 0x70, 0xe6, 0x02,
+    0x21, 0x00, 0xc2, 0xe4, 0xc1, 0xa8, 0xe2, 0x89, 0xdc, 0xa1, 0xbb, 0xe7,
+    0xd5, 0x4f, 0x5c, 0x88, 0xad, 0xeb, 0xa4, 0x78, 0xa1, 0x19, 0xbe, 0x22,
+    0x54, 0xc8, 0x9f, 0xef, 0xb8, 0x5d, 0xa2, 0x40, 0xd9, 0x8b};
+
+void check_hard_coded_certs(const uint8_t** cert_chain, size_t cert_chain_len,
+                            const size_t* certs_len) {
+  // Very hacky and fragile check that the intermediate certs are correct.
+  switch (cert_chain_len) {
+    case 2: {
+      const uint8_t* cert = cert_chain[0];
+      size_t cert_len = certs_len[0];
+      ASSERT_EQ(cert_len, sizeof(P256_ROOT));
+      ASSERT_EQ(0, memcmp(cert, P256_ROOT, cert_len));
+      cert = cert_chain[1];
+      cert_len = certs_len[1];
+      ASSERT_EQ(cert_len, sizeof(P256_INT));
+      ASSERT_EQ(0, memcmp(cert, P256_INT, cert_len));
+      break;
+    }
+    case 4: {
+      const uint8_t* cert = cert_chain[0];
+      size_t cert_len = certs_len[0];
+      ASSERT_EQ(cert_len, sizeof(P256_ROOT));
+      ASSERT_EQ(0, memcmp(cert, P256_ROOT, cert_len));
+      cert = cert_chain[1];
+      cert_len = certs_len[1];
+      ASSERT_EQ(cert_len, sizeof(P256_INT));
+      ASSERT_EQ(0, memcmp(cert, P256_INT, cert_len));
+      cert = cert_chain[2];
+      cert_len = certs_len[2];
+      ASSERT_EQ(cert_len, sizeof(RSA_ROOT));
+      ASSERT_EQ(0, memcmp(cert, RSA_ROOT, cert_len));
+      cert = cert_chain[3];
+      cert_len = certs_len[3];
+      ASSERT_EQ(cert_len, sizeof(RSA_INT));
+      ASSERT_EQ(0, memcmp(cert, RSA_INT, cert_len));
+      break;
+    }
+    default:
+      // In this case something went wrong.
+      ASSERT_EQ(true, false);
+  }
+}
+
+/* Verification function called from cose-rust.
+ * Returns true if everything goes well and the signature is good, false in any
+ * other case. */
+bool verify_callback(const uint8_t* payload, size_t payload_len,
+                     const uint8_t** cert_chain, size_t cert_chain_len,
+                     const size_t* certs_len, const uint8_t* ee_cert,
+                     size_t ee_cert_len, const uint8_t* signature,
+                     size_t signature_len, uint8_t signature_algorithm,
+                     void* ctx) {
+  UniquePK11SlotInfo slot(PK11_GetInternalSlot());
+  if (!slot) {
+    return false;
+  }
+
+  CK_MECHANISM_TYPE mechanism;
+  SECOidTag oid;
+  uint32_t hash_length;
+  SECItem param = {siBuffer, nullptr, 0};
+  CK_RSA_PKCS_PSS_PARAMS rsa_pss_params = {CKM_SHA256, CKG_MGF1_SHA256,
+                                           SHA256_LENGTH};
+  switch (signature_algorithm) {
+    case (ES256):
+      mechanism = CKM_ECDSA;
+      oid = SEC_OID_SHA256;
+      hash_length = SHA256_LENGTH;
+      break;
+    case (PS256):
+      mechanism = CKM_RSA_PKCS_PSS;
+      oid = SEC_OID_SHA256;
+      hash_length = SHA256_LENGTH;
+      param = {siBuffer, reinterpret_cast<unsigned char*>(&rsa_pss_params),
+               sizeof(rsa_pss_params)};
+      break;
+    default:
+      return false;
+  }
+  check_hard_coded_certs(cert_chain, cert_chain_len, certs_len);
+
+  uint8_t hash_buf[HASH_LENGTH_MAX];
+  SECStatus rv = PK11_HashBuf(oid, hash_buf, payload, payload_len);
+  if (rv != SECSuccess) {
+    return false;
+  }
+  SECItem hash_item = {siBuffer, hash_buf, hash_length};
+  CERTCertDBHandle* db_handle = CERT_GetDefaultCertDB();
+  if (!db_handle) {
+    return false;
+  }
+  SECItem der_cert = {siBuffer, const_cast<uint8_t*>(ee_cert),
+                      static_cast<unsigned int>(ee_cert_len)};
+  UniqueCERTCertificate cert(
+      CERT_NewTempCertificate(db_handle, &der_cert, nullptr, false, true));
+  if (!cert) {
+    return false;
+  }
+  UniqueSECKEYPublicKey key(CERT_ExtractPublicKey(cert.get()));
+  if (!key) {
+    return false;
+  }
+  SECItem signature_item = {siBuffer, const_cast<uint8_t*>(signature),
+                            static_cast<unsigned int>(signature_len)};
+  rv = PK11_VerifyWithMechanism(key.get(), mechanism, &param, &signature_item,
+                                &hash_item, nullptr);
+  if (rv != SECSuccess) {
+    return false;
+  }
+
+  return true;
+}
+
+class psm_COSE : public ::testing::Test {};
+
+TEST_F(psm_COSE, CoseTestingSingleSignature) {
+  SECStatus rv = NSS_NoDB_Init(nullptr);
+  ASSERT_EQ(SECSuccess, rv);
+  bool result =
+      verify_cose_signature_ffi(PAYLOAD, sizeof(PAYLOAD), SIGNATURE,
+                                sizeof(SIGNATURE), nullptr, verify_callback);
+  ASSERT_TRUE(result);
+}
+
+TEST_F(psm_COSE, CoseTestingTwoSignatures) {
+  SECStatus rv = NSS_NoDB_Init(nullptr);
+  ASSERT_EQ(SECSuccess, rv);
+  bool result = verify_cose_signature_ffi(
+      PAYLOAD, sizeof(PAYLOAD), SIGNATURE_ES256_PS256,
+      sizeof(SIGNATURE_ES256_PS256), nullptr, verify_callback);
+  ASSERT_TRUE(result);
+}
+
+TEST_F(psm_COSE, CoseTestingAlteredPayload) {
+  SECStatus rv = NSS_NoDB_Init(nullptr);
+  ASSERT_EQ(SECSuccess, rv);
+  uint8_t altered_payload[20] = {84,  104, 105, 115, 32,  104, 115,
+                                 32,  116, 104, 101, 32,  99,  111,
+                                 110, 116, 101, 110, 116, 46};
+  bool result = verify_cose_signature_ffi(
+      altered_payload, sizeof(altered_payload), SIGNATURE_ES256_PS256,
+      sizeof(SIGNATURE_ES256_PS256), nullptr, verify_callback);
+  ASSERT_FALSE(result);
+}
+
+}  // namespace mozilla
diff --git a/security/manager/ssl/tests/gtest/DataStorageTest.cpp b/security/manager/ssl/tests/gtest/DataStorageTest.cpp
new file mode 100644
index 0000000000..c288aeb3db
--- /dev/null
+++ b/security/manager/ssl/tests/gtest/DataStorageTest.cpp
@@ -0,0 +1,201 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "gtest/gtest.h"
+
+#include "mozilla/DataStorage.h"
+#include "nsAppDirectoryServiceDefs.h"
+#include "nsDirectoryServiceUtils.h"
+#include "nsNetUtil.h"
+#include "nsPrintfCString.h"
+#include "nsStreamUtils.h"
+#include "prtime.h"
+
+using namespace mozilla;
+
+class psm_DataStorageTest : public ::testing::Test {
+ protected:
+  void SetUp() override {
+    const ::testing::TestInfo* const testInfo =
+        ::testing::UnitTest::GetInstance()->current_test_info();
+    NS_ConvertUTF8toUTF16 testName(testInfo->name());
+    storage = DataStorage::GetFromRawFileName(testName);
+    storage->Init();
+  }
+
+  RefPtr<DataStorage> storage;
+};
+
+constexpr auto testKey = "test"_ns;
+constexpr auto testValue = "value"_ns;
+constexpr auto privateTestValue = "private"_ns;
+
+TEST_F(psm_DataStorageTest, GetPutRemove) {
+  // Test Put/Get on Persistent data
+  EXPECT_EQ(NS_OK, storage->Put(testKey, testValue, DataStorage_Persistent));
+  // Don't re-use testKey / testValue here, to make sure that this works as
+  // expected with objects that have the same semantic value but are not
+  // literally the same object.
+  nsCString result = storage->Get("test"_ns, DataStorage_Persistent);
+  EXPECT_STREQ("value", result.get());
+
+  // Get on Temporary/Private data with the same key should give nothing
+  result = storage->Get(testKey, DataStorage_Temporary);
+  EXPECT_TRUE(result.IsEmpty());
+  result = storage->Get(testKey, DataStorage_Private);
+  EXPECT_TRUE(result.IsEmpty());
+
+  // Put with Temporary/Private data shouldn't affect Persistent data
+  constexpr auto temporaryTestValue = "temporary"_ns;
+  EXPECT_EQ(NS_OK,
+            storage->Put(testKey, temporaryTestValue, DataStorage_Temporary));
+  EXPECT_EQ(NS_OK,
+            storage->Put(testKey, privateTestValue, DataStorage_Private));
+  result = storage->Get(testKey, DataStorage_Temporary);
+  EXPECT_STREQ("temporary", result.get());
+  result = storage->Get(testKey, DataStorage_Private);
+  EXPECT_STREQ("private", result.get());
+  result = storage->Get(testKey, DataStorage_Persistent);
+  EXPECT_STREQ("value", result.get());
+
+  // Put of a previously-present key overwrites it (if of the same type)
+  constexpr auto newValue = "new"_ns;
+  EXPECT_EQ(NS_OK, storage->Put(testKey, newValue, DataStorage_Persistent));
+  result = storage->Get(testKey, DataStorage_Persistent);
+  EXPECT_STREQ("new", result.get());
+
+  // Removal should work
+  storage->Remove(testKey, DataStorage_Temporary);
+  result = storage->Get(testKey, DataStorage_Temporary);
+  EXPECT_TRUE(result.IsEmpty());
+  // But removing one type shouldn't affect the others
+  result = storage->Get(testKey, DataStorage_Private);
+  EXPECT_STREQ("private", result.get());
+  result = storage->Get(testKey, DataStorage_Persistent);
+  EXPECT_STREQ("new", result.get());
+  // Test removing the other types as well
+  storage->Remove(testKey, DataStorage_Private);
+  result = storage->Get(testKey, DataStorage_Private);
+  EXPECT_TRUE(result.IsEmpty());
+  storage->Remove(testKey, DataStorage_Persistent);
+  result = storage->Get(testKey, DataStorage_Persistent);
+  EXPECT_TRUE(result.IsEmpty());
+}
+
+TEST_F(psm_DataStorageTest, InputValidation) {
+  // Keys may not have tabs or newlines
+  EXPECT_EQ(NS_ERROR_INVALID_ARG,
+            storage->Put("key\thas tab"_ns, testValue, DataStorage_Persistent));
+  nsCString result = storage->Get("key\thas tab"_ns, DataStorage_Persistent);
+  EXPECT_TRUE(result.IsEmpty());
+  EXPECT_EQ(NS_ERROR_INVALID_ARG, storage->Put("key has\nnewline"_ns, testValue,
+                                               DataStorage_Persistent));
+  result = storage->Get("keyhas\nnewline"_ns, DataStorage_Persistent);
+  EXPECT_TRUE(result.IsEmpty());
+  // Values may not have newlines
+  EXPECT_EQ(NS_ERROR_INVALID_ARG, storage->Put(testKey, "value\nhas newline"_ns,
+                                               DataStorage_Persistent));
+  result = storage->Get(testKey, DataStorage_Persistent);
+  // Values may have tabs
+  EXPECT_TRUE(result.IsEmpty());
+  EXPECT_EQ(NS_OK, storage->Put(testKey, "val\thas tab; this is ok"_ns,
+                                DataStorage_Persistent));
+  result = storage->Get(testKey, DataStorage_Persistent);
+  EXPECT_STREQ("val\thas tab; this is ok", result.get());
+
+  nsCString longKey("a");
+  for (int i = 0; i < 8; i++) {
+    longKey.Append(longKey);
+  }
+  // A key of length 256 will work
+  EXPECT_EQ(NS_OK, storage->Put(longKey, testValue, DataStorage_Persistent));
+  result = storage->Get(longKey, DataStorage_Persistent);
+  EXPECT_STREQ("value", result.get());
+  longKey.AppendLiteral("a");
+  // A key longer than that will not work
+  EXPECT_EQ(NS_ERROR_INVALID_ARG,
+            storage->Put(longKey, testValue, DataStorage_Persistent));
+  result = storage->Get(longKey, DataStorage_Persistent);
+  EXPECT_TRUE(result.IsEmpty());
+
+  nsCString longValue("a");
+  for (int i = 0; i < 10; i++) {
+    longValue.Append(longValue);
+  }
+  // A value of length 1024 will work
+  EXPECT_EQ(NS_OK, storage->Put(testKey, longValue, DataStorage_Persistent));
+  result = storage->Get(testKey, DataStorage_Persistent);
+  EXPECT_STREQ(longValue.get(), result.get());
+  longValue.AppendLiteral("a");
+  // A value longer than that will not work
+  storage->Remove(testKey, DataStorage_Persistent);
+  EXPECT_EQ(NS_ERROR_INVALID_ARG,
+            storage->Put(testKey, longValue, DataStorage_Persistent));
+  result = storage->Get(testKey, DataStorage_Persistent);
+  EXPECT_TRUE(result.IsEmpty());
+}
+
+TEST_F(psm_DataStorageTest, Eviction) {
+  // Eviction is on a per-table basis. Tables shouldn't affect each other.
+  EXPECT_EQ(NS_OK, storage->Put(testKey, testValue, DataStorage_Persistent));
+  for (int i = 0; i < 1025; i++) {
+    EXPECT_EQ(NS_OK,
+              storage->Put(nsPrintfCString("%d", i), nsPrintfCString("%d", i),
+                           DataStorage_Temporary));
+    nsCString result =
+        storage->Get(nsPrintfCString("%d", i), DataStorage_Temporary);
+    EXPECT_STREQ(nsPrintfCString("%d", i).get(), result.get());
+  }
+  // We don't know which entry got evicted, but we can count them.
+  int entries = 0;
+  for (int i = 0; i < 1025; i++) {
+    nsCString result =
+        storage->Get(nsPrintfCString("%d", i), DataStorage_Temporary);
+    if (!result.IsEmpty()) {
+      entries++;
+    }
+  }
+  EXPECT_EQ(entries, 1024);
+  nsCString result = storage->Get(testKey, DataStorage_Persistent);
+  EXPECT_STREQ("value", result.get());
+}
+
+TEST_F(psm_DataStorageTest, ClearPrivateData) {
+  EXPECT_EQ(NS_OK,
+            storage->Put(testKey, privateTestValue, DataStorage_Private));
+  nsCString result = storage->Get(testKey, DataStorage_Private);
+  EXPECT_STREQ("private", result.get());
+  storage->Observe(nullptr, "last-pb-context-exited", nullptr);
+  result = storage->Get(testKey, DataStorage_Private);
+  EXPECT_TRUE(result.IsEmpty());
+}
+
+TEST_F(psm_DataStorageTest, Shutdown) {
+  EXPECT_EQ(NS_OK, storage->Put(testKey, testValue, DataStorage_Persistent));
+  nsCString result = storage->Get(testKey, DataStorage_Persistent);
+  EXPECT_STREQ("value", result.get());
+  // Get "now" (in days) close to when the data was last touched, so we won't
+  // get intermittent failures with the day not matching.
+  int64_t microsecondsPerDay = 24 * 60 * 60 * int64_t(PR_USEC_PER_SEC);
+  int32_t nowInDays = int32_t(PR_Now() / microsecondsPerDay);
+  // Simulate shutdown.
+  storage->Observe(nullptr, "profile-before-change", nullptr);
+  nsCOMPtr<nsIFile> backingFile;
+  EXPECT_EQ(NS_OK, NS_GetSpecialDirectory(NS_APP_USER_PROFILE_50_DIR,
+                                          getter_AddRefs(backingFile)));
+  const ::testing::TestInfo* const testInfo =
+      ::testing::UnitTest::GetInstance()->current_test_info();
+  NS_ConvertUTF8toUTF16 testName(testInfo->name());
+  EXPECT_EQ(NS_OK, backingFile->Append(testName));
+  nsCOMPtr<nsIInputStream> fileInputStream;
+  EXPECT_EQ(NS_OK, NS_NewLocalFileInputStream(getter_AddRefs(fileInputStream),
+                                              backingFile));
+  nsCString data;
+  EXPECT_EQ(NS_OK, NS_ConsumeStream(fileInputStream, UINT32_MAX, data));
+  // The data will be of the form 'test\t0\t<days since the epoch>\tvalue'
+  EXPECT_STREQ(nsPrintfCString("test\t0\t%d\tvalue\n", nowInDays).get(),
+               data.get());
+}
diff --git a/security/manager/ssl/tests/gtest/DeserializeCertTest.cpp b/security/manager/ssl/tests/gtest/DeserializeCertTest.cpp
new file mode 100644
index 0000000000..acad30e2ae
--- /dev/null
+++ b/security/manager/ssl/tests/gtest/DeserializeCertTest.cpp
@@ -0,0 +1,507 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "gtest/gtest.h"
+
+#include "TransportSecurityInfo.h"
+#include "nsCOMPtr.h"
+#include "nsITransportSecurityInfo.h"
+#include "nsIX509Cert.h"
+#include "nsString.h"
+#include "mozilla/Maybe.h"
+
+using namespace mozilla;
+using namespace mozilla::psm;
+
+// nsITransportSecurityInfo de-serializatin tests
+//
+// These tests verify that we can still deserialize old binary strings
+// generated for security info.  This is necessary because service workers
+// stores these strings on disk.
+//
+// If you make a change and start breaking these tests, you will need to
+// add a compat fix for loading the old versions.  For things that affect
+// the UUID, but do not break the rest of the format you can simply add
+// another hack condition in nsBinaryInputStream::ReadObject().  If you
+// change the overall format of the serialization then we will need more
+// complex handling in the security info concrete classes.
+//
+// We would like to move away from this binary compatibility requirement
+// in service workers.  See bug 1248628.
+void deserializeAndVerify(const nsCString& serializedSecInfo,
+                          Maybe<size_t> failedCertChainLength = Nothing(),
+                          Maybe<size_t> succeededCertChainLength = Nothing()) {
+  nsCOMPtr<nsITransportSecurityInfo> securityInfo;
+  nsresult rv = TransportSecurityInfo::Read(serializedSecInfo,
+                                            getter_AddRefs(securityInfo));
+  ASSERT_EQ(NS_OK, rv);
+  ASSERT_TRUE(securityInfo);
+
+  nsCOMPtr<nsIX509Cert> cert;
+  rv = securityInfo->GetServerCert(getter_AddRefs(cert));
+  ASSERT_EQ(NS_OK, rv);
+  ASSERT_TRUE(cert);
+
+  nsTArray<RefPtr<nsIX509Cert>> failedCertArray;
+  rv = securityInfo->GetFailedCertChain(failedCertArray);
+  ASSERT_EQ(NS_OK, rv);
+
+  if (failedCertChainLength) {
+    ASSERT_FALSE(failedCertArray.IsEmpty());
+    for (const auto& cert : failedCertArray) {
+      ASSERT_TRUE(cert);
+    }
+    ASSERT_EQ(*failedCertChainLength, failedCertArray.Length());
+  } else {
+    ASSERT_TRUE(failedCertArray.IsEmpty());
+  }
+
+  nsTArray<RefPtr<nsIX509Cert>> succeededCertArray;
+  rv = securityInfo->GetSucceededCertChain(succeededCertArray);
+  ASSERT_EQ(NS_OK, rv);
+
+  if (succeededCertChainLength) {
+    ASSERT_FALSE(succeededCertArray.IsEmpty());
+    for (const auto& cert : succeededCertArray) {
+      ASSERT_TRUE(cert);
+    }
+    ASSERT_EQ(*succeededCertChainLength, succeededCertArray.Length());
+  } else {
+    ASSERT_TRUE(succeededCertArray.IsEmpty());
+  }
+}
+
+TEST(psm_DeserializeCert, gecko33)
+{
+  // clang-format off
+  // Gecko 33+ vintage Security info serialized with UUIDs:
+  //  - nsISupports  00000000-0000-0000-c000-000000000046
+  //  - nsISSLStatus fa9ba95b-ca3b-498a-b889-7c79cf28fee8
+  //  - nsIX509Cert  f8ed8364-ced9-4c6e-86ba-48af53c393e6
+  nsCString base64Serialization(
+  "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAQAAgAAAAAAAAAAAAAAAAAAAAA"
+  "B4vFIJp5wRkeyPxAQ9RJGKPqbqVvKO0mKuIl8ec8o/uhmCjImkVxP+7sgiYWmMt8F+O2DZM7ZTG6GukivU8OT5gAAAAIAAAWpMII"
+  "FpTCCBI2gAwIBAgIQD4svsaKEC+QtqtsU2TF8ITANBgkqhkiG9w0BAQsFADBwMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUN"
+  "lcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNzdXJhbmNlIFN"
+  "lcnZlciBDQTAeFw0xNTAyMjMwMDAwMDBaFw0xNjAzMDIxMjAwMDBaMGoxCzAJBgNVBAYTAlVTMRYwFAYDVQQHEw1TYW4gRnJhbmN"
+  "pc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRUwEwYDVQQKEwxGYXN0bHksIEluYy4xFzAVBgNVBAMTDnd3dy5naXRodWIuY29tMII"
+  "BIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+9WUCgrgUNwP/JC3cUefLAXeDpq8Ko/U8p8IRvny0Ri0I6Uq0t+RP/nF0LJ"
+  "Avda8QHYujdgeDTePepBX7+OiwBFhA0YO+rM3C2Z8IRaN/i9eLln+Yyc68+1z+E10s1EXdZrtDGvN6MHqygGsdfkXKfBLUJ1BZEh"
+  "s9sBnfcjq3kh5gZdBArdG9l5NpdmQhtceaFGsPiWuJxGxRzS4i95veUHWkhMpEYDEEBdcDGxqArvQCvzSlngdttQCfx8OUkBTb3B"
+  "A2okpTwwJfqPsxVetA6qR7UNc+fVb6KHwvm0bzi2rQ3xw3D/syRHwdMkpoVDQPCk43H9WufgfBKRen87dFwIDAQABo4ICPzCCAjs"
+  "wHwYDVR0jBBgwFoAUUWj/kK8CB3U8zNllZGKiErhZcjswHQYDVR0OBBYEFGS/RLNGCZvPWh1xSaIEcouINIQjMHsGA1UdEQR0MHK"
+  "CDnd3dy5naXRodWIuY29tggpnaXRodWIuY29tggwqLmdpdGh1Yi5jb22CCyouZ2l0aHViLmlvgglnaXRodWIuaW+CFyouZ2l0aHV"
+  "idXNlcmNvbnRlbnQuY29tghVnaXRodWJ1c2VyY29udGVudC5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwM"
+  "BBggrBgEFBQcDAjB1BgNVHR8EbjBsMDSgMqAwhi5odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzMuY3J"
+  "sMDSgMqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzMuY3JsMEIGA1UdIAQ7MDkwNwYJYIZIAYb"
+  "9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwgYMGCCsGAQUFBwEBBHcwdTAkBggrBgEFBQc"
+  "wAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tME0GCCsGAQUFBzAChkFodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUN"
+  "lcnRTSEEySGlnaEFzc3VyYW5jZVNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAc4dbVmuKvyI7"
+  "KZ4Txk+ZqcAYToJGKUIVaPL94e5SZGweUisjaCbplAOihnf6Mxt8n6vnuH2IsCaz2NRHqhdcosjT3CwAiJpJNkXPKWVL/txgdSTV"
+  "2cqB1GG4esFOalvI52dzn+J4fTIYZvNF+AtGyHSLm2XRXYZCw455laUKf6Sk9RDShDgUvzhOKL4GXfTwKXv12MyMknJybH8UCpjC"
+  "HZmFBVHMcUN/87HsQo20PdOekeEvkjrrMIxW+gxw22Yb67yF/qKgwrWr+43bLN709iyw+LWiU7sQcHL2xk9SYiWQDj2tYz2soObV"
+  "QYTJm0VUZMEVFhtALq46cx92Zu4vFwC8AAwAAAAABAQAA");
+  // clang-format on
+
+  deserializeAndVerify(base64Serialization);
+}
+
+TEST(psm_DeserializeCert, gecko46)
+{
+  // clang-format off
+  // Gecko 46+ vintage Security info serialized with UUIDs:
+  //  - nsISupports  00000000-0000-0000-c000-000000000046
+  //  - nsISSLStatus fa9ba95b-ca3b-498a-b889-7c79cf28fee8
+  //  - nsIX509Cert  bdc3979a-5422-4cd5-8589-696b6e96ea83
+  nsCString base64Serialization(
+  "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAQAAgAAAAAAAAAAAAAAAAAAAAA"
+  "B4vFIJp5wRkeyPxAQ9RJGKPqbqVvKO0mKuIl8ec8o/uhmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAAIAAAWzMII"
+  "FrzCCBJegAwIBAgIQB3pdwzYjAfmJ/lT3+G8+ZDANBgkqhkiG9w0BAQsFADBwMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUN"
+  "lcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNzdXJhbmNlIFN"
+  "lcnZlciBDQTAeFw0xNjAxMjAwMDAwMDBaFw0xNzA0MDYxMjAwMDBaMGoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybml"
+  "hMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRUwEwYDVQQKEwxGYXN0bHksIEluYy4xFzAVBgNVBAMTDnd3dy5naXRodWIuY29tMII"
+  "BIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+9WUCgrgUNwP/JC3cUefLAXeDpq8Ko/U8p8IRvny0Ri0I6Uq0t+RP/nF0LJ"
+  "Avda8QHYujdgeDTePepBX7+OiwBFhA0YO+rM3C2Z8IRaN/i9eLln+Yyc68+1z+E10s1EXdZrtDGvN6MHqygGsdfkXKfBLUJ1BZEh"
+  "s9sBnfcjq3kh5gZdBArdG9l5NpdmQhtceaFGsPiWuJxGxRzS4i95veUHWkhMpEYDEEBdcDGxqArvQCvzSlngdttQCfx8OUkBTb3B"
+  "A2okpTwwJfqPsxVetA6qR7UNc+fVb6KHwvm0bzi2rQ3xw3D/syRHwdMkpoVDQPCk43H9WufgfBKRen87dFwIDAQABo4ICSTCCAkU"
+  "wHwYDVR0jBBgwFoAUUWj/kK8CB3U8zNllZGKiErhZcjswHQYDVR0OBBYEFGS/RLNGCZvPWh1xSaIEcouINIQjMHsGA1UdEQR0MHK"
+  "CDnd3dy5naXRodWIuY29tggwqLmdpdGh1Yi5jb22CCmdpdGh1Yi5jb22CCyouZ2l0aHViLmlvgglnaXRodWIuaW+CFyouZ2l0aHV"
+  "idXNlcmNvbnRlbnQuY29tghVnaXRodWJ1c2VyY29udGVudC5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwM"
+  "BBggrBgEFBQcDAjB1BgNVHR8EbjBsMDSgMqAwhi5odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzUuY3J"
+  "sMDSgMqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzUuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb"
+  "9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMIGDBggrBgEFBQcBAQR3MHU"
+  "wJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBNBggrBgEFBQcwAoZBaHR0cDovL2NhY2VydHMuZGlnaWNlcnQ"
+  "uY29tL0RpZ2lDZXJ0U0hBMkhpZ2hBc3N1cmFuY2VTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQE"
+  "ATxbRdPg+o49+96/P+rbdp4ie+CGtfCgUubT/Z9C54k+BfQO0nbxVgCSM5WZQuLgo2Q+0lcxisod8zxZeU0j5wviQINwOln/iN89"
+  "Bx3VmDRynTe4CqhsAwOoO1ERmCAmsAJBwY/rNr4mK22p8erBrqMW0nYXYU5NFynI+pNTjojhKD4II8PNV8G2yMWwYOb/u4+WPzUA"
+  "HC9DpZdrWTEH/W69Cr/KxRqGsWPwpgMv2Wqav8jaT35JxqTXjOlhQqzo6fNn3eYOeCf4PkCxZKwckWjy10qDaRbjhwAMHAGj2TPr"
+  "idlvOj/7QyyX5m8up/1US8z1fRW4yoCSOt6V2bwuH6cAvAAMAAAAAAQEAAA==");
+  // clang-format on
+
+  deserializeAndVerify(base64Serialization);
+}
+
+TEST(psm_DeserializeCert, preSSLStatusConsolidation)
+{
+  // clang-format off
+  // Generated using serialized output of test "good.include-subdomains.pinning.example.com"
+  // in security/manager/ssl/tests/unit/test_cert_chains.js
+  nsCString base64Serialization(
+  "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAgAAgAAAAAAAAAAAAAAAAAAAAAB4vFIJp5w"
+  "RkeyPxAQ9RJGKPqbqVvKO0mKuIl8ec8o/uhmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAAAAAAONMIIDiTCCAnGg"
+  "AwIBAgIUWbWLTwLBvfwcoiU7I8lDz9snfUgwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE2MTEyNzAw"
+  "MDAwMFoYDzIwMTkwMjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw"
+  "ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV"
+  "JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o"
+  "N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd"
+  "q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcowgccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0"
+  "gg0qLmV4YW1wbGUuY29tghUqLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs"
+  "ZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAB"
+  "hhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBE+6IPJK5OeonoQPC4CCWMd69SjhwS7X6TNgxDJzW7"
+  "qpVm4SFyYZ2xqzr2zib5LsYek6/jok5LPSpJVeFuSeiesvGMxk0O4ZEihPxSM4uR4xpCnPzz7LoFIzMELJv5i+cgLw4+6cINPkLj"
+  "oCUdb+AXSTur7THJaO75B44I2JjJfMfzgW1FwoWgXL/PQWRw+VY6OY1glqZOXzP+vfSja1SoggpiCzdPx7h1/SEEZov7zhCZXv1C"
+  "enx1njlpcj9wWEJMsyZczMNtiz5GkRrLaqCz9F8ah3NvkvPAZ0oOqtxuQgMXK/c0OXJVKi0SCJsWqZDoZhCrS/dE9guxlseZqhSI"
+  "wC8DAwAAAAABAQAAAAAAAAZ4MjU1MTkAAAAOUlNBLVBTUy1TSEEyNTYBlZ+xZWUXSH+rm9iRO+Uxl650zaXNL0c/lvXwt//2LGgA"
+  "AAACZgoyJpFcT/u7IImFpjLfBb3Dl5pUIkzVhYlpa26W6oMAAAAAAAADjTCCA4kwggJxoAMCAQICFFm1i08Cwb38HKIlOyPJQ8/b"
+  "J31IMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwIhgPMjAxNjExMjcwMDAwMDBaGA8yMDE5MDIwNTAwMDAwMFow"
+  "GjEYMBYGA1UEAwwPVGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2"
+  "ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC"
+  "a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk"
+  "zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+"
+  "SSP6clHEMdUDrNoYCjXtjQIDAQABo4HKMIHHMIGQBgNVHREEgYgwgYWCCWxvY2FsaG9zdIINKi5leGFtcGxlLmNvbYIVKi5waW5u"
+  "aW5nLmV4YW1wbGUuY29tgigqLmluY2x1ZGUtc3ViZG9tYWlucy5waW5uaW5nLmV4YW1wbGUuY29tgigqLmV4Y2x1ZGUtc3ViZG9t"
+  "YWlucy5waW5uaW5nLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4"
+  "LzANBgkqhkiG9w0BAQsFAAOCAQEARPuiDySuTnqJ6EDwuAgljHevUo4cEu1+kzYMQyc1u6qVZuEhcmGdsas69s4m+S7GHpOv46JO"
+  "Sz0qSVXhbknonrLxjMZNDuGRIoT8UjOLkeMaQpz88+y6BSMzBCyb+YvnIC8OPunCDT5C46AlHW/gF0k7q+0xyWju+QeOCNiYyXzH"
+  "84FtRcKFoFy/z0FkcPlWOjmNYJamTl8z/r30o2tUqIIKYgs3T8e4df0hBGaL+84QmV79Qnp8dZ45aXI/cFhCTLMmXMzDbYs+RpEa"
+  "y2qgs/RfGodzb5LzwGdKDqrcbkIDFyv3NDlyVSotEgibFqmQ6GYQq0v3RPYLsZbHmaoUiGYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM"
+  "1YWJaWtuluqDAAAAAAAAAtcwggLTMIIBu6ADAgECAhRdBTvvC7swO3cbVWIGn/56DrQ+cjANBgkqhkiG9w0BAQsFADASMRAwDgYD"
+  "VQQDDAdUZXN0IENBMCIYDzIwMTYxMTI3MDAwMDAwWhgPMjAxOTAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0G"
+  "CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr"
+  "4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk"
+  "fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo"
+  "4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQF"
+  "MAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCDjewR53YLc3HzZKugRDbQVxjJNILW6fSIyW9dSglYcWh6aiOK"
+  "9cZFVtzRWYEYkIlicAyTiPw34bXzxU1cK6sCSmBR+UTXbRPGb4OOy3MRaoF1m3jxwnPkQwxezDiqJTydCbYcBu0sKwURAZOd5QK9"
+  "22MsOsnrLjNlpRDmuH0VFhb5uN2I5mM3NvMnP2Or19O1Bk//iGD6AyJfiZFcii+FsDrJhbzw6lakEV7O/EnD0kk2l7I0VMtg1xZB"
+  "bEw7P6+V9zz5cAzaaq7EB0mCE+jJckSzSETBN+7lyVD8gwmHYxxZfPnUM/yvPbMU9L3xWD/z6HHwO6r+9m7BT+2pHjBCAAA=");
+  // clang-format on
+
+  deserializeAndVerify(base64Serialization, Nothing(), Some(2));
+}
+
+TEST(psm_DeserializeCert, preSSLStatusConsolidationFailedCertChain)
+{
+  // clang-format off
+  // Generated using serialized output of test "expired.example.com"
+  // in security/manager/ssl/tests/unit/test_cert_chains.js
+  nsCString base64Serialization(
+  "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAABAAAAAAAAAAA///gCwAAAAAB4vFIJp5w"
+  "RkeyPxAQ9RJGKPqbqVvKO0mKuIl8ec8o/uhmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAAAAAAMgMIIDHDCCAgSg"
+  "AwIBAgIUY9ERAIKj0js/YbhJoMrcLnj++uowDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAw"
+  "MDAwMFoYDzIwMTQwMTAxMDAwMDAwWjAiMSAwHgYDVQQDDBdFeHBpcmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvcNAQEB"
+  "BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6"
+  "pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9"
+  "0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK"
+  "lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNWMFQwHgYDVR0RBBcwFYITZXhwaXJl"
+  "ZC5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcN"
+  "AQELBQADggEBAImiFuy275T6b+Ud6gl/El6qpgWHUXeYiv2sp7d+HVzfT+ow5WVsxI/GMKhdA43JaKT9gfMsbnP1qiI2zel3U+F7"
+  "IAMO1CEr5FVdCOVTma5hmu/81rkJLmZ8RQDWWOhZKyn/7aD7TH1C1e768yCt5E2DDl8mHil9zR8BPsoXwuS3L9zJ2JqNc60+hB8l"
+  "297ZaSl0nbKffb47ukvn5kSJ7tI9n/fSXdj1JrukwjZP+74VkQyNobaFzDZ+Zr3QmfbejEsY2EYnq8XuENgIO4DuYrm80/p6bMO6"
+  "laB0Uv5W6uXZgBZdRTe1WMdYWGhmvnFFQmf+naeOOl6ryFwWwtnoK7IAAAMAAAEAAAEAAQAAAAAAAAAAAAAAAZWfsWVlF0h/q5vY"
+  "kTvlMZeudM2lzS9HP5b18Lf/9ixoAAAAAmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAyAwggMcMIICBKAD"
+  "AgECAhRj0REAgqPSOz9huEmgytwueP766jANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzIwMTMwMTAxMDAw"
+  "MDAwWhgPMjAxNDAxMDEwMDAwMDBaMCIxIDAeBgNVBAMMF0V4cGlyZWQgVGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEF"
+  "AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql"
+  "WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S"
+  "O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV"
+  "YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1YwVDAeBgNVHREEFzAVghNleHBpcmVk"
+  "LmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0B"
+  "AQsFAAOCAQEAiaIW7LbvlPpv5R3qCX8SXqqmBYdRd5iK/aynt34dXN9P6jDlZWzEj8YwqF0DjclopP2B8yxuc/WqIjbN6XdT4Xsg"
+  "Aw7UISvkVV0I5VOZrmGa7/zWuQkuZnxFANZY6FkrKf/toPtMfULV7vrzIK3kTYMOXyYeKX3NHwE+yhfC5Lcv3MnYmo1zrT6EHyXb"
+  "3tlpKXSdsp99vju6S+fmRInu0j2f99Jd2PUmu6TCNk/7vhWRDI2htoXMNn5mvdCZ9t6MSxjYRierxe4Q2Ag7gO5iubzT+npsw7qV"
+  "oHRS/lbq5dmAFl1FN7VYx1hYaGa+cUVCZ/6dp446XqvIXBbC2egrsmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAA"
+  "AAAAAtcwggLTMIIBu6ADAgECAhRdBTvvC7swO3cbVWIGn/56DrQ+cjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENB"
+  "MCIYDzIwMTYxMTI3MDAwMDAwWhgPMjAxOTAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUA"
+  "A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa"
+  "p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7"
+  "xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVh"
+  "He4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0P"
+  "BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCDjewR53YLc3HzZKugRDbQVxjJNILW6fSIyW9dSglYcWh6aiOK9cZFVtzRWYEYkIli"
+  "cAyTiPw34bXzxU1cK6sCSmBR+UTXbRPGb4OOy3MRaoF1m3jxwnPkQwxezDiqJTydCbYcBu0sKwURAZOd5QK922MsOsnrLjNlpRDm"
+  "uH0VFhb5uN2I5mM3NvMnP2Or19O1Bk//iGD6AyJfiZFcii+FsDrJhbzw6lakEV7O/EnD0kk2l7I0VMtg1xZBbEw7P6+V9zz5cAza"
+  "aq7EB0mCE+jJckSzSETBN+7lyVD8gwmHYxxZfPnUM/yvPbMU9L3xWD/z6HHwO6r+9m7BT+2pHjBCAZWfsWVlF0h/q5vYkTvlMZeu"
+  "dM2lzS9HP5b18Lf/9ixoAAAAAmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAyAwggMcMIICBKADAgECAhRj"
+  "0REAgqPSOz9huEmgytwueP766jANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzIwMTMwMTAxMDAwMDAwWhgP"
+  "MjAxNDAxMDEwMDAwMDBaMCIxIDAeBgNVBAMMF0V4cGlyZWQgVGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
+  "MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc"
+  "1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf"
+  "qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl"
+  "nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1YwVDAeBgNVHREEFzAVghNleHBpcmVkLmV4YW1w"
+  "bGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOC"
+  "AQEAiaIW7LbvlPpv5R3qCX8SXqqmBYdRd5iK/aynt34dXN9P6jDlZWzEj8YwqF0DjclopP2B8yxuc/WqIjbN6XdT4XsgAw7UISvk"
+  "VV0I5VOZrmGa7/zWuQkuZnxFANZY6FkrKf/toPtMfULV7vrzIK3kTYMOXyYeKX3NHwE+yhfC5Lcv3MnYmo1zrT6EHyXb3tlpKXSd"
+  "sp99vju6S+fmRInu0j2f99Jd2PUmu6TCNk/7vhWRDI2htoXMNn5mvdCZ9t6MSxjYRierxe4Q2Ag7gO5iubzT+npsw7qVoHRS/lbq"
+  "5dmAFl1FN7VYx1hYaGa+cUVCZ/6dp446XqvIXBbC2egrsmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAtcw"
+  "ggLTMIIBu6ADAgECAhRdBTvvC7swO3cbVWIGn/56DrQ+cjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzIw"
+  "MTYxMTI3MDAwMDAwWhgPMjAxOTAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw"
+  "ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV"
+  "JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o"
+  "N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd"
+  "q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEG"
+  "MA0GCSqGSIb3DQEBCwUAA4IBAQCDjewR53YLc3HzZKugRDbQVxjJNILW6fSIyW9dSglYcWh6aiOK9cZFVtzRWYEYkIlicAyTiPw3"
+  "4bXzxU1cK6sCSmBR+UTXbRPGb4OOy3MRaoF1m3jxwnPkQwxezDiqJTydCbYcBu0sKwURAZOd5QK922MsOsnrLjNlpRDmuH0VFhb5"
+  "uN2I5mM3NvMnP2Or19O1Bk//iGD6AyJfiZFcii+FsDrJhbzw6lakEV7O/EnD0kk2l7I0VMtg1xZBbEw7P6+V9zz5cAzaaq7EB0mC"
+  "E+jJckSzSETBN+7lyVD8gwmHYxxZfPnUM/yvPbMU9L3xWD/z6HHwO6r+9m7BT+2pHjBC");
+  // clang-format on
+
+  deserializeAndVerify(base64Serialization, Some(2));
+}
+
+TEST(psm_DeserializeCert, preNsIX509CertListReplacement)
+{
+  // This was the serialized output of test
+  // "good.include-subdomains.pinning.example.com" // in
+  // security/manager/ssl/tests/unit/test_cert_chains.js The serialized output
+  // was generated before we replace nsIX509CertList with Array<nsIX509Cert>, so
+  // it had the old version of transportSecurityInfo.
+  nsCString base64Serialization(
+      "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAAAgA"
+      "AAAAAAAAAAAAAAAAAAAEAMQFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAA"
+      "AAAAONMIIDiTCCAnGgAwIBAgIUDUo/9G0rz7fJiWTw0hY6TIyPRSIwDQYJKoZIhvcNAQELB"
+      "QAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAwMDAwMFoYDzIwMjAwMjA1MDAw"
+      "MDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4I"
+      "BDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZ"
+      "wGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tF"
+      "YIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n"
+      "FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN"
+      "7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe"
+      "2NAgMBAAGjgcowgccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tg"
+      "hUqLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu"
+      "ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb20"
+      "wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA"
+      "0GCSqGSIb3DQEBCwUAA4IBAQCkguNhMyVCYhyYXfE22wNvlaobK2YRb4OGMxySIKuQ80N0X"
+      "lO+xpLJTs9YzFVY1+JTHNez1QfwP9KJeZznTzVzLh4sv0swx/+oUxCfLb0VIl/kdUqLkbGY"
+      "rAmtjeOKZLaqVtRH0BnmbPowLak1pi6nQYOU+aL9QOuvT/j3rXoimcdo6X3TK1SN2/64fGM"
+      "yG/pwas+JXehbReUf4n1ewk84ADtb+ew8tRAKf/uxzKUj5t/UgqDsnTWq5wUc5IJKwoHT41"
+      "sQnNqPg12x4+WGWiAsWCpR/hKYHFGr7rb4JTGEPAJpWcv9WtZYAvwT78a2xpHp5XNglj16I"
+      "jWEukvJuU1WwC8AAwAAAAABAQAAAAAAAAZ4MjU1MTkAAAAOUlNBLVBTUy1TSEEyNTYBlZ+x"
+      "ZWUXSH+rm9iRO+Uxl650zaXNL0c/lvXwt//2LGgAAAACZgoyJpFcT/u7IImFpjLfBb3Dl5p"
+      "UIkzVhYlpa26W6oMAAAAAAAADjTCCA4kwggJxoAMCAQICFA1KP/RtK8+3yYlk8NIWOkyMj0"
+      "UiMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwIhgPMjAxNzExMjcwMDAwM"
+      "DBaGA8yMDIwMDIwNTAwMDAwMFowGjEYMBYGA1UEAwwPVGVzdCBFbmQtZW50aXR5MIIBIjAN"
+      "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz"
+      "1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4IC"
+      "mTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXk"
+      "D3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK"
+      "9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP"
+      "+SSP6clHEMdUDrNoYCjXtjQIDAQABo4HKMIHHMIGQBgNVHREEgYgwgYWCCWxvY2FsaG9zdI"
+      "INKi5leGFtcGxlLmNvbYIVKi5waW5uaW5nLmV4YW1wbGUuY29tgigqLmluY2x1ZGUtc3ViZ"
+      "G9tYWlucy5waW5uaW5nLmV4YW1wbGUuY29tgigqLmV4Y2x1ZGUtc3ViZG9tYWlucy5waW5u"
+      "aW5nLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2x"
+      "vY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEApILjYTMlQmIcmF3xNtsDb5WqGy"
+      "tmEW+DhjMckiCrkPNDdF5TvsaSyU7PWMxVWNfiUxzXs9UH8D/SiXmc5081cy4eLL9LMMf/q"
+      "FMQny29FSJf5HVKi5GxmKwJrY3jimS2qlbUR9AZ5mz6MC2pNaYup0GDlPmi/UDrr0/49616"
+      "IpnHaOl90ytUjdv+uHxjMhv6cGrPiV3oW0XlH+J9XsJPOAA7W/nsPLUQCn/7scylI+bf1IK"
+      "g7J01qucFHOSCSsKB0+NbEJzaj4NdsePlhlogLFgqUf4SmBxRq+62+CUxhDwCaVnL/VrWWA"
+      "L8E+/GtsaR6eVzYJY9eiI1hLpLyblNVmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtul"
+      "uqDAAAAAAAAAtcwggLTMIIBu6ADAgECAhQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG"
+      "9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDA"
+      "yMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDw"
+      "AwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm"
+      "24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP"
+      "8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFth"
+      "Vt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7Ly"
+      "JvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NA"
+      "gMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IB"
+      "AQAgyCfLAcVs/MkERxunH9pZA4ja1QWWjsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR"
+      "3/94IJeD45C3h/Y3+1HDyC6ZuzdgMXv63dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmL"
+      "NeAhL7QA+Vf5fJmTsxEJwFaHo9JpKoQ469RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8Oal"
+      "QICt0M0wx29B6HNof3px2NxKyC6qlf01wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+S"
+      "Xo8SmD4YO6Wr4Q9drI3cCwVeQXwxoUuB96muQQ2M3WDiMz5ZLI3oMLu8KSPsAA==");
+
+  deserializeAndVerify(base64Serialization, Nothing(), Some(2));
+}
+
+TEST(psm_DeserializeCert, preNsIX509CertListReplacementV2)
+{
+  // Same as the above test, however, this is the v2 version of the
+  // serialization.
+  nsCString base64Serialization(
+      "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAAAgA"
+      "AAAAAAAAAAAAAAAAAAAEAMgFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAA"
+      "AAAAONMIIDiTCCAnGgAwIBAgIUDUo/9G0rz7fJiWTw0hY6TIyPRSIwDQYJKoZIhvcNAQELB"
+      "QAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAwMDAwMFoYDzIwMjAwMjA1MDAw"
+      "MDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4I"
+      "BDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZ"
+      "wGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tF"
+      "YIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n"
+      "FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN"
+      "7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe"
+      "2NAgMBAAGjgcowgccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tg"
+      "hUqLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu"
+      "ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb20"
+      "wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA"
+      "0GCSqGSIb3DQEBCwUAA4IBAQCkguNhMyVCYhyYXfE22wNvlaobK2YRb4OGMxySIKuQ80N0X"
+      "lO+xpLJTs9YzFVY1+JTHNez1QfwP9KJeZznTzVzLh4sv0swx/+oUxCfLb0VIl/kdUqLkbGY"
+      "rAmtjeOKZLaqVtRH0BnmbPowLak1pi6nQYOU+aL9QOuvT/j3rXoimcdo6X3TK1SN2/64fGM"
+      "yG/pwas+JXehbReUf4n1ewk84ADtb+ew8tRAKf/uxzKUj5t/UgqDsnTWq5wUc5IJKwoHT41"
+      "sQnNqPg12x4+WGWiAsWCpR/hKYHFGr7rb4JTGEPAJpWcv9WtZYAvwT78a2xpHp5XNglj16I"
+      "jWEukvJuU1WEwEABAAAAAABAQAAAAAAAAZ4MjU1MTkAAAAOUlNBLVBTUy1TSEEyNTYBlZ+x"
+      "ZWUXSH+rm9iRO+Uxl650zaXNL0c/lvXwt//2LGgAAAACZgoyJpFcT/u7IImFpjLfBb3Dl5p"
+      "UIkzVhYlpa26W6oMAAAAAAAADjTCCA4kwggJxoAMCAQICFA1KP/RtK8+3yYlk8NIWOkyMj0"
+      "UiMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwIhgPMjAxNzExMjcwMDAwM"
+      "DBaGA8yMDIwMDIwNTAwMDAwMFowGjEYMBYGA1UEAwwPVGVzdCBFbmQtZW50aXR5MIIBIjAN"
+      "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz"
+      "1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4IC"
+      "mTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXk"
+      "D3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK"
+      "9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP"
+      "+SSP6clHEMdUDrNoYCjXtjQIDAQABo4HKMIHHMIGQBgNVHREEgYgwgYWCCWxvY2FsaG9zdI"
+      "INKi5leGFtcGxlLmNvbYIVKi5waW5uaW5nLmV4YW1wbGUuY29tgigqLmluY2x1ZGUtc3ViZ"
+      "G9tYWlucy5waW5uaW5nLmV4YW1wbGUuY29tgigqLmV4Y2x1ZGUtc3ViZG9tYWlucy5waW5u"
+      "aW5nLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2x"
+      "vY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEApILjYTMlQmIcmF3xNtsDb5WqGy"
+      "tmEW+DhjMckiCrkPNDdF5TvsaSyU7PWMxVWNfiUxzXs9UH8D/SiXmc5081cy4eLL9LMMf/q"
+      "FMQny29FSJf5HVKi5GxmKwJrY3jimS2qlbUR9AZ5mz6MC2pNaYup0GDlPmi/UDrr0/49616"
+      "IpnHaOl90ytUjdv+uHxjMhv6cGrPiV3oW0XlH+J9XsJPOAA7W/nsPLUQCn/7scylI+bf1IK"
+      "g7J01qucFHOSCSsKB0+NbEJzaj4NdsePlhlogLFgqUf4SmBxRq+62+CUxhDwCaVnL/VrWWA"
+      "L8E+/GtsaR6eVzYJY9eiI1hLpLyblNVmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtul"
+      "uqDAAAAAAAAAtcwggLTMIIBu6ADAgECAhQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG"
+      "9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDA"
+      "yMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDw"
+      "AwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm"
+      "24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP"
+      "8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFth"
+      "Vt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7Ly"
+      "JvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NA"
+      "gMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IB"
+      "AQAgyCfLAcVs/MkERxunH9pZA4ja1QWWjsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR"
+      "3/94IJeD45C3h/Y3+1HDyC6ZuzdgMXv63dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmL"
+      "NeAhL7QA+Vf5fJmTsxEJwFaHo9JpKoQ469RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8Oal"
+      "QICt0M0wx29B6HNof3px2NxKyC6qlf01wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+S"
+      "Xo8SmD4YO6Wr4Q9drI3cCwVeQXwxoUuB96muQQ2M3WDiMz5ZLI3oMLu8KSPsAAA=");
+
+  deserializeAndVerify(base64Serialization, Nothing(), Some(2));
+}
+
+TEST(psm_DeserializeCert, preNsIX509CertListReplacementWithFailedChain)
+{
+  // This was the serialized output of test "expired.example.com"
+  // in security/manager/ssl/tests/unit/test_cert_chains.js
+  // The serialized output was generated before we replace nsIX509CertList with
+  // Array<nsIX509Cert>, so it had the old version of transportSecurityInfo.
+  nsCString base64Serialization(
+      "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAABAA"
+      "AAAAAAAAA///gCwAAAAEAMQFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAA"
+      "AAAAMgMIIDHDCCAgSgAwIBAgIUY9ERAIKj0js/YbhJoMrcLnj++uowDQYJKoZIhvcNAQELB"
+      "QAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAwMDAwMFoYDzIwMTQwMTAxMDAw"
+      "MDAwWjAiMSAwHgYDVQQDDBdFeHBpcmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvc"
+      "NAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wc"
+      "clqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk2"
+      "7lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI"
+      "H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wn"
+      "vuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxD"
+      "HVA6zaGAo17Y0CAwEAAaNWMFQwHgYDVR0RBBcwFYITZXhwaXJlZC5leGFtcGxlLmNvbTAyB"
+      "ggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJ"
+      "KoZIhvcNAQELBQADggEBAImiFuy275T6b+Ud6gl/El6qpgWHUXeYiv2sp7d+HVzfT+ow5WV"
+      "sxI/GMKhdA43JaKT9gfMsbnP1qiI2zel3U+F7IAMO1CEr5FVdCOVTma5hmu/81rkJLmZ8RQ"
+      "DWWOhZKyn/7aD7TH1C1e768yCt5E2DDl8mHil9zR8BPsoXwuS3L9zJ2JqNc60+hB8l297Za"
+      "Sl0nbKffb47ukvn5kSJ7tI9n/fSXdj1JrukwjZP+74VkQyNobaFzDZ+Zr3QmfbejEsY2EYn"
+      "q8XuENgIO4DuYrm80/p6bMO6laB0Uv5W6uXZgBZdRTe1WMdYWGhmvnFFQmf+naeOOl6ryFw"
+      "WwtnoK7IAAAAAAAEAAAEAAQAAAAAAAAAAAAAAAZWfsWVlF0h/q5vYkTvlMZeudM2lzS9HP5"
+      "b18Lf/9ixoAAAAAmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAyAwg"
+      "gMcMIICBKADAgECAhRj0REAgqPSOz9huEmgytwueP766jANBgkqhkiG9w0BAQsFADASMRAw"
+      "DgYDVQQDDAdUZXN0IENBMCIYDzIwMTMwMTAxMDAwMDAwWhgPMjAxNDAxMDEwMDAwMDBaMCI"
+      "xIDAeBgNVBAMMF0V4cGlyZWQgVGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAA"
+      "OCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngfv"
+      "bGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO"
+      "7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEP"
+      "vJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naO"
+      "Gzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYC"
+      "jXtjQIDAQABo1YwVDAeBgNVHREEFzAVghNleHBpcmVkLmV4YW1wbGUuY29tMDIGCCsGAQUF"
+      "BwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0"
+      "BAQsFAAOCAQEAiaIW7LbvlPpv5R3qCX8SXqqmBYdRd5iK/aynt34dXN9P6jDlZWzEj8YwqF"
+      "0DjclopP2B8yxuc/WqIjbN6XdT4XsgAw7UISvkVV0I5VOZrmGa7/zWuQkuZnxFANZY6FkrK"
+      "f/toPtMfULV7vrzIK3kTYMOXyYeKX3NHwE+yhfC5Lcv3MnYmo1zrT6EHyXb3tlpKXSdsp99"
+      "vju6S+fmRInu0j2f99Jd2PUmu6TCNk/7vhWRDI2htoXMNn5mvdCZ9t6MSxjYRierxe4Q2Ag"
+      "7gO5iubzT+npsw7qVoHRS/lbq5dmAFl1FN7VYx1hYaGa+cUVCZ/6dp446XqvIXBbC2egrsm"
+      "YKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAtcwggLTMIIBu6ADAgECA"
+      "hQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0"
+      "IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1R"
+      "lc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBj"
+      "YQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJ"
+      "JwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw"
+      "JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7f"
+      "ilhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL"
+      "8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wC"
+      "wYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAgyCfLAcVs/MkERxunH9pZA4ja1QWW"
+      "jsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR3/94IJeD45C3h/Y3+1HDyC6ZuzdgMXv6"
+      "3dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmLNeAhL7QA+Vf5fJmTsxEJwFaHo9JpKoQ4"
+      "69RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8OalQICt0M0wx29B6HNof3px2NxKyC6qlf01"
+      "wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+SXo8SmD4YO6Wr4Q9drI3cCwVeQXwxoUuB"
+      "96muQQ2M3WDiMz5ZLI3oMLu8KSPs");
+
+  deserializeAndVerify(base64Serialization, Some(2));
+}
+
+TEST(psm_DeserializeCert, preNsIX509CertListReplacementWithFailedChainV2)
+{
+  // Same as the above test, however, this is the v2 version of the
+  // serialization.
+  nsCString base64Serialization(
+      "FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjojH6pBabDSgSnsfLHeAAAABAA"
+      "AAAAAAAAA///gCwAAAAEAMgFmCjImkVxP+7sgiYWmMt8FvcOXmlQiTNWFiWlrbpbqgwAAAA"
+      "AAAAMgMIIDHDCCAgSgAwIBAgIUY9ERAIKj0js/YbhJoMrcLnj++uowDQYJKoZIhvcNAQELB"
+      "QAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAwMDAwMFoYDzIwMTQwMTAxMDAw"
+      "MDAwWjAiMSAwHgYDVQQDDBdFeHBpcmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvc"
+      "NAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wc"
+      "clqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk2"
+      "7lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI"
+      "H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wn"
+      "vuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxD"
+      "HVA6zaGAo17Y0CAwEAAaNWMFQwHgYDVR0RBBcwFYITZXhwaXJlZC5leGFtcGxlLmNvbTAyB"
+      "ggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJ"
+      "KoZIhvcNAQELBQADggEBAImiFuy275T6b+Ud6gl/El6qpgWHUXeYiv2sp7d+HVzfT+ow5WV"
+      "sxI/GMKhdA43JaKT9gfMsbnP1qiI2zel3U+F7IAMO1CEr5FVdCOVTma5hmu/81rkJLmZ8RQ"
+      "DWWOhZKyn/7aD7TH1C1e768yCt5E2DDl8mHil9zR8BPsoXwuS3L9zJ2JqNc60+hB8l297Za"
+      "Sl0nbKffb47ukvn5kSJ7tI9n/fSXdj1JrukwjZP+74VkQyNobaFzDZ+Zr3QmfbejEsY2EYn"
+      "q8XuENgIO4DuYrm80/p6bMO6laB0Uv5W6uXZgBZdRTe1WMdYWGhmvnFFQmf+naeOOl6ryFw"
+      "WwtnoK7IAAAAAAAEAAAEAAQAAAAAAAAAAAAAAAZWfsWVlF0h/q5vYkTvlMZeudM2lzS9HP5"
+      "b18Lf/9ixoAAAAAmYKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAyAwg"
+      "gMcMIICBKADAgECAhRj0REAgqPSOz9huEmgytwueP766jANBgkqhkiG9w0BAQsFADASMRAw"
+      "DgYDVQQDDAdUZXN0IENBMCIYDzIwMTMwMTAxMDAwMDAwWhgPMjAxNDAxMDEwMDAwMDBaMCI"
+      "xIDAeBgNVBAMMF0V4cGlyZWQgVGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAA"
+      "OCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngfv"
+      "bGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO"
+      "7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEP"
+      "vJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naO"
+      "Gzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYC"
+      "jXtjQIDAQABo1YwVDAeBgNVHREEFzAVghNleHBpcmVkLmV4YW1wbGUuY29tMDIGCCsGAQUF"
+      "BwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0"
+      "BAQsFAAOCAQEAiaIW7LbvlPpv5R3qCX8SXqqmBYdRd5iK/aynt34dXN9P6jDlZWzEj8YwqF"
+      "0DjclopP2B8yxuc/WqIjbN6XdT4XsgAw7UISvkVV0I5VOZrmGa7/zWuQkuZnxFANZY6FkrK"
+      "f/toPtMfULV7vrzIK3kTYMOXyYeKX3NHwE+yhfC5Lcv3MnYmo1zrT6EHyXb3tlpKXSdsp99"
+      "vju6S+fmRInu0j2f99Jd2PUmu6TCNk/7vhWRDI2htoXMNn5mvdCZ9t6MSxjYRierxe4Q2Ag"
+      "7gO5iubzT+npsw7qVoHRS/lbq5dmAFl1FN7VYx1hYaGa+cUVCZ/6dp446XqvIXBbC2egrsm"
+      "YKMiaRXE/7uyCJhaYy3wW9w5eaVCJM1YWJaWtuluqDAAAAAAAAAtcwggLTMIIBu6ADAgECA"
+      "hQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0"
+      "IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB1R"
+      "lc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBj"
+      "YQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJ"
+      "JwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw"
+      "JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7f"
+      "ilhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL"
+      "8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wC"
+      "wYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAgyCfLAcVs/MkERxunH9pZA4ja1QWW"
+      "jsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR3/94IJeD45C3h/Y3+1HDyC6ZuzdgMXv6"
+      "3dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmLNeAhL7QA+Vf5fJmTsxEJwFaHo9JpKoQ4"
+      "69RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8OalQICt0M0wx29B6HNof3px2NxKyC6qlf01"
+      "wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+SXo8SmD4YO6Wr4Q9drI3cCwVeQXwxoUuB"
+      "96muQQ2M3WDiMz5ZLI3oMLu8KSPsAA==");
+
+  deserializeAndVerify(base64Serialization, Some(2));
+}
diff --git a/security/manager/ssl/tests/gtest/HMACTest.cpp b/security/manager/ssl/tests/gtest/HMACTest.cpp
new file mode 100644
index 0000000000..679c101124
--- /dev/null
+++ b/security/manager/ssl/tests/gtest/HMACTest.cpp
@@ -0,0 +1,64 @@
+#include <string>
+#include "gtest/gtest.h"
+
+#include "ScopedNSSTypes.h"
+#include "mozilla/gtest/MozAssertions.h"
+#include "mozilla/Span.h"
+#include "nss.h"
+#include "secoidt.h"
+
+// From RFC 2202
+const unsigned char kTestKey[] = "Jefe";
+const unsigned char kTestInput[] = "what do ya want for nothing?";
+
+struct HMACTestCase {
+  SECOidTag hashAlg;
+  std::basic_string<uint8_t> expectedOutput;
+};
+
+#define EXPECTED_RESULT(val)                                        \
+  std::basic_string<uint8_t>(reinterpret_cast<const uint8_t*>(val), \
+                             sizeof(val) - 1)
+
+static const HMACTestCase HMACTestCases[] = {
+    {
+        SEC_OID_MD5,
+        EXPECTED_RESULT(
+            "\x75\x0c\x78\x3e\x6a\xb0\xb5\x03\xea\xa8\x6e\x31\x0a\x5d\xb7\x38"),
+    },
+    {
+        SEC_OID_SHA256,
+        EXPECTED_RESULT(
+            "\x5b\xdc\xc1\x46\xbf\x60\x75\x4e\x6a\x04\x24\x26\x08\x95\x75\xc7"
+            "\x5a\x00\x3f\x08\x9d\x27\x39\x83\x9d\xec\x58\xb9\x64\xec\x38\x43"),
+    },
+};
+
+#undef EXPECTED_RESULT
+
+class psm_HMAC : public ::testing::Test,
+                 public ::testing::WithParamInterface<HMACTestCase> {
+ public:
+  void SetUp() override { NSS_NoDB_Init(nullptr); }
+};
+
+TEST_P(psm_HMAC, Test) {
+  mozilla::HMAC hmac;
+  const HMACTestCase& testCase(GetParam());
+  nsresult rv = hmac.Begin(testCase.hashAlg,
+                           mozilla::Span(kTestKey, sizeof(kTestKey) - 1));
+  ASSERT_NS_SUCCEEDED(rv);
+  rv = hmac.Update(reinterpret_cast<const unsigned char*>(kTestInput),
+                   sizeof(kTestInput) - 1);
+  ASSERT_NS_SUCCEEDED(rv);
+  nsTArray<uint8_t> output;
+  rv = hmac.End(output);
+  ASSERT_NS_SUCCEEDED(rv);
+  EXPECT_EQ(output.Length(), testCase.expectedOutput.length());
+  for (size_t i = 0; i < output.Length(); i++) {
+    EXPECT_EQ(output[i], testCase.expectedOutput[i]);
+  }
+}
+
+INSTANTIATE_TEST_SUITE_P(psm_HMAC, psm_HMAC,
+                         ::testing::ValuesIn(HMACTestCases));
diff --git a/security/manager/ssl/tests/gtest/MD4Test.cpp b/security/manager/ssl/tests/gtest/MD4Test.cpp
new file mode 100644
index 0000000000..0dfc938358
--- /dev/null
+++ b/security/manager/ssl/tests/gtest/MD4Test.cpp
@@ -0,0 +1,62 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This file tests the md4.c implementation.
+
+#include "gtest/gtest.h"
+#include "md4.h"
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/Casting.h"
+
+struct RFC1320TestParams {
+  const char* data;
+  const uint8_t expectedHash[16];
+};
+
+static const RFC1320TestParams RFC1320_TEST_PARAMS[] = {
+    {"",
+     {0x31, 0xd6, 0xcf, 0xe0, 0xd1, 0x6a, 0xe9, 0x31, 0xb7, 0x3c, 0x59, 0xd7,
+      0xe0, 0xc0, 0x89, 0xc0}},
+    {"a",
+     {0xbd, 0xe5, 0x2c, 0xb3, 0x1d, 0xe3, 0x3e, 0x46, 0x24, 0x5e, 0x05, 0xfb,
+      0xdb, 0xd6, 0xfb, 0x24}},
+    {"abc",
+     {0xa4, 0x48, 0x01, 0x7a, 0xaf, 0x21, 0xd8, 0x52, 0x5f, 0xc1, 0x0a, 0xe8,
+      0x7a, 0xa6, 0x72, 0x9d}},
+    {"message digest",
+     {0xd9, 0x13, 0x0a, 0x81, 0x64, 0x54, 0x9f, 0xe8, 0x18, 0x87, 0x48, 0x06,
+      0xe1, 0xc7, 0x01, 0x4b}},
+    {
+        "abcdefghijklmnopqrstuvwxyz",
+        {0xd7, 0x9e, 0x1c, 0x30, 0x8a, 0xa5, 0xbb, 0xcd, 0xee, 0xa8, 0xed, 0x63,
+         0xdf, 0x41, 0x2d, 0xa9},
+    },
+    {
+        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
+        {0x04, 0x3f, 0x85, 0x82, 0xf2, 0x41, 0xdb, 0x35, 0x1c, 0xe6, 0x27, 0xe1,
+         0x53, 0xe7, 0xf0, 0xe4},
+    },
+    {
+        "1234567890123456789012345678901234567890123456789012345678901234567890"
+        "1234567890",
+        {0xe3, 0x3b, 0x4d, 0xdc, 0x9c, 0x38, 0xf2, 0x19, 0x9c, 0x3e, 0x7b, 0x16,
+         0x4f, 0xcc, 0x05, 0x36},
+    }};
+
+class psm_MD4 : public ::testing::Test,
+                public ::testing::WithParamInterface<RFC1320TestParams> {};
+
+TEST_P(psm_MD4, RFC1320TestValues) {
+  const RFC1320TestParams& params(GetParam());
+  uint8_t actualHash[16];
+  md4sum(mozilla::BitwiseCast<const uint8_t*, const char*>(params.data),
+         strlen(params.data), actualHash);
+  EXPECT_TRUE(mozilla::ArrayEqual(actualHash, params.expectedHash))
+      << "MD4 hashes aren't equal for input: '" << params.data << "'";
+}
+
+INSTANTIATE_TEST_SUITE_P(psm_MD4, psm_MD4,
+                         testing::ValuesIn(RFC1320_TEST_PARAMS));
diff --git a/security/manager/ssl/tests/gtest/OCSPCacheTest.cpp b/security/manager/ssl/tests/gtest/OCSPCacheTest.cpp
new file mode 100644
index 0000000000..23d0cefc2b
--- /dev/null
+++ b/security/manager/ssl/tests/gtest/OCSPCacheTest.cpp
@@ -0,0 +1,357 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "CertVerifier.h"
+#include "OCSPCache.h"
+#include "gtest/gtest.h"
+#include "mozilla/BasePrincipal.h"
+#include "mozilla/Casting.h"
+#include "mozilla/Preferences.h"
+#include "mozilla/Sprintf.h"
+#include "nss.h"
+#include "mozpkix/pkixtypes.h"
+#include "mozpkix/test/pkixtestutil.h"
+#include "prerr.h"
+#include "secerr.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+using mozilla::OriginAttributes;
+
+template <size_t N>
+inline Input LiteralInput(const char (&valueString)[N]) {
+  // Ideally we would use mozilla::BitwiseCast() here rather than
+  // reinterpret_cast for better type checking, but the |N - 1| part trips
+  // static asserts.
+  return Input(reinterpret_cast<const uint8_t(&)[N - 1]>(valueString));
+}
+
+const int MaxCacheEntries = 1024;
+
+class psm_OCSPCacheTest : public ::testing::Test {
+ protected:
+  psm_OCSPCacheTest() : now(Now()) {}
+
+  static void SetUpTestCase() { NSS_NoDB_Init(nullptr); }
+
+  const Time now;
+  mozilla::psm::OCSPCache cache;
+};
+
+static void PutAndGet(
+    mozilla::psm::OCSPCache& cache, const CertID& certID, Result result,
+    Time time, const OriginAttributes& originAttributes = OriginAttributes()) {
+  // The first time is thisUpdate. The second is validUntil.
+  // The caller is expecting the validUntil returned with Get
+  // to be equal to the passed-in time. Since these values will
+  // be different in practice, make thisUpdate less than validUntil.
+  Time thisUpdate(time);
+  ASSERT_EQ(Success, thisUpdate.SubtractSeconds(10));
+  Result rv = cache.Put(certID, originAttributes, result, thisUpdate, time);
+  ASSERT_TRUE(rv == Success);
+  Result resultOut;
+  Time timeOut(Time::uninitialized);
+  ASSERT_TRUE(cache.Get(certID, originAttributes, resultOut, timeOut));
+  ASSERT_EQ(result, resultOut);
+  ASSERT_EQ(time, timeOut);
+}
+
+Input fakeIssuer1(LiteralInput("CN=issuer1"));
+Input fakeKey000(LiteralInput("key000"));
+Input fakeKey001(LiteralInput("key001"));
+Input fakeSerial0000(LiteralInput("0000"));
+
+TEST_F(psm_OCSPCacheTest, TestPutAndGet) {
+  Input fakeSerial000(LiteralInput("000"));
+  Input fakeSerial001(LiteralInput("001"));
+
+  SCOPED_TRACE("");
+  PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial001), Success,
+            now);
+  Result resultOut;
+  Time timeOut(Time::uninitialized);
+  ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey001, fakeSerial000),
+                         OriginAttributes(), resultOut, timeOut));
+}
+
+TEST_F(psm_OCSPCacheTest, TestVariousGets) {
+  SCOPED_TRACE("");
+  for (int i = 0; i < MaxCacheEntries; i++) {
+    uint8_t serialBuf[8];
+    snprintf(mozilla::BitwiseCast<char*, uint8_t*>(serialBuf),
+             sizeof(serialBuf), "%04d", i);
+    Input fakeSerial;
+    ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
+    Time timeIn(now);
+    ASSERT_EQ(Success, timeIn.AddSeconds(i));
+    PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial), Success,
+              timeIn);
+  }
+
+  Time timeIn(now);
+  Result resultOut;
+  Time timeOut(Time::uninitialized);
+
+  // This will be at the end of the list in the cache
+  CertID cert0000(fakeIssuer1, fakeKey000, fakeSerial0000);
+  ASSERT_TRUE(cache.Get(cert0000, OriginAttributes(), resultOut, timeOut));
+  ASSERT_EQ(Success, resultOut);
+  ASSERT_EQ(timeIn, timeOut);
+  // Once we access it, it goes to the front
+  ASSERT_TRUE(cache.Get(cert0000, OriginAttributes(), resultOut, timeOut));
+  ASSERT_EQ(Success, resultOut);
+  ASSERT_EQ(timeIn, timeOut);
+
+  // This will be in the middle
+  Time timeInPlus512(now);
+  ASSERT_EQ(Success, timeInPlus512.AddSeconds(512));
+
+  static const Input fakeSerial0512(LiteralInput("0512"));
+  CertID cert0512(fakeIssuer1, fakeKey000, fakeSerial0512);
+  ASSERT_TRUE(cache.Get(cert0512, OriginAttributes(), resultOut, timeOut));
+  ASSERT_EQ(Success, resultOut);
+  ASSERT_EQ(timeInPlus512, timeOut);
+  ASSERT_TRUE(cache.Get(cert0512, OriginAttributes(), resultOut, timeOut));
+  ASSERT_EQ(Success, resultOut);
+  ASSERT_EQ(timeInPlus512, timeOut);
+
+  // We've never seen this certificate
+  static const Input fakeSerial1111(LiteralInput("1111"));
+  ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey000, fakeSerial1111),
+                         OriginAttributes(), resultOut, timeOut));
+}
+
+TEST_F(psm_OCSPCacheTest, TestEviction) {
+  SCOPED_TRACE("");
+  // By putting more distinct entries in the cache than it can hold,
+  // we cause the least recently used entry to be evicted.
+  for (int i = 0; i < MaxCacheEntries + 1; i++) {
+    uint8_t serialBuf[8];
+    snprintf(mozilla::BitwiseCast<char*, uint8_t*>(serialBuf),
+             sizeof(serialBuf), "%04d", i);
+    Input fakeSerial;
+    ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
+    Time timeIn(now);
+    ASSERT_EQ(Success, timeIn.AddSeconds(i));
+    PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial), Success,
+              timeIn);
+  }
+
+  Result resultOut;
+  Time timeOut(Time::uninitialized);
+  ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey001, fakeSerial0000),
+                         OriginAttributes(), resultOut, timeOut));
+}
+
+TEST_F(psm_OCSPCacheTest, TestNoEvictionForRevokedResponses) {
+  SCOPED_TRACE("");
+  CertID notEvicted(fakeIssuer1, fakeKey000, fakeSerial0000);
+  Time timeIn(now);
+  PutAndGet(cache, notEvicted, Result::ERROR_REVOKED_CERTIFICATE, timeIn);
+  // By putting more distinct entries in the cache than it can hold,
+  // we cause the least recently used entry that isn't revoked to be evicted.
+  for (int i = 1; i < MaxCacheEntries + 1; i++) {
+    uint8_t serialBuf[8];
+    snprintf(mozilla::BitwiseCast<char*, uint8_t*>(serialBuf),
+             sizeof(serialBuf), "%04d", i);
+    Input fakeSerial;
+    ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
+    Time timeIn(now);
+    ASSERT_EQ(Success, timeIn.AddSeconds(i));
+    PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial), Success,
+              timeIn);
+  }
+  Result resultOut;
+  Time timeOut(Time::uninitialized);
+  ASSERT_TRUE(cache.Get(notEvicted, OriginAttributes(), resultOut, timeOut));
+  ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE, resultOut);
+  ASSERT_EQ(timeIn, timeOut);
+
+  Input fakeSerial0001(LiteralInput("0001"));
+  CertID evicted(fakeIssuer1, fakeKey000, fakeSerial0001);
+  ASSERT_FALSE(cache.Get(evicted, OriginAttributes(), resultOut, timeOut));
+}
+
+TEST_F(psm_OCSPCacheTest, TestEverythingIsRevoked) {
+  SCOPED_TRACE("");
+  Time timeIn(now);
+  // Fill up the cache with revoked responses.
+  for (int i = 0; i < MaxCacheEntries; i++) {
+    uint8_t serialBuf[8];
+    snprintf(mozilla::BitwiseCast<char*, uint8_t*>(serialBuf),
+             sizeof(serialBuf), "%04d", i);
+    Input fakeSerial;
+    ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
+    Time timeIn(now);
+    ASSERT_EQ(Success, timeIn.AddSeconds(i));
+    PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial),
+              Result::ERROR_REVOKED_CERTIFICATE, timeIn);
+  }
+  static const Input fakeSerial1025(LiteralInput("1025"));
+  CertID good(fakeIssuer1, fakeKey000, fakeSerial1025);
+  // This will "succeed", allowing verification to continue. However,
+  // nothing was actually put in the cache.
+  Time timeInPlus1025(timeIn);
+  ASSERT_EQ(Success, timeInPlus1025.AddSeconds(1025));
+  Time timeInPlus1025Minus50(timeInPlus1025);
+  ASSERT_EQ(Success, timeInPlus1025Minus50.SubtractSeconds(50));
+  Result result = cache.Put(good, OriginAttributes(), Success,
+                            timeInPlus1025Minus50, timeInPlus1025);
+  ASSERT_EQ(Success, result);
+  Result resultOut;
+  Time timeOut(Time::uninitialized);
+  ASSERT_FALSE(cache.Get(good, OriginAttributes(), resultOut, timeOut));
+
+  static const Input fakeSerial1026(LiteralInput("1026"));
+  CertID revoked(fakeIssuer1, fakeKey000, fakeSerial1026);
+  // This will fail, causing verification to fail.
+  Time timeInPlus1026(timeIn);
+  ASSERT_EQ(Success, timeInPlus1026.AddSeconds(1026));
+  Time timeInPlus1026Minus50(timeInPlus1026);
+  ASSERT_EQ(Success, timeInPlus1026Minus50.SubtractSeconds(50));
+  result =
+      cache.Put(revoked, OriginAttributes(), Result::ERROR_REVOKED_CERTIFICATE,
+                timeInPlus1026Minus50, timeInPlus1026);
+  ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE, result);
+}
+
+TEST_F(psm_OCSPCacheTest, VariousIssuers) {
+  SCOPED_TRACE("");
+  Time timeIn(now);
+  static const Input fakeIssuer2(LiteralInput("CN=issuer2"));
+  static const Input fakeSerial001(LiteralInput("001"));
+  CertID subject(fakeIssuer1, fakeKey000, fakeSerial001);
+  PutAndGet(cache, subject, Success, now);
+  Result resultOut;
+  Time timeOut(Time::uninitialized);
+  ASSERT_TRUE(cache.Get(subject, OriginAttributes(), resultOut, timeOut));
+  ASSERT_EQ(Success, resultOut);
+  ASSERT_EQ(timeIn, timeOut);
+  // Test that we don't match a different issuer DN
+  ASSERT_FALSE(cache.Get(CertID(fakeIssuer2, fakeKey000, fakeSerial001),
+                         OriginAttributes(), resultOut, timeOut));
+  // Test that we don't match a different issuer key
+  ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey001, fakeSerial001),
+                         OriginAttributes(), resultOut, timeOut));
+}
+
+TEST_F(psm_OCSPCacheTest, Times) {
+  SCOPED_TRACE("");
+  CertID certID(fakeIssuer1, fakeKey000, fakeSerial0000);
+  PutAndGet(cache, certID, Result::ERROR_OCSP_UNKNOWN_CERT,
+            TimeFromElapsedSecondsAD(100));
+  PutAndGet(cache, certID, Success, TimeFromElapsedSecondsAD(200));
+  // This should not override the more recent entry.
+  ASSERT_EQ(
+      Success,
+      cache.Put(certID, OriginAttributes(), Result::ERROR_OCSP_UNKNOWN_CERT,
+                TimeFromElapsedSecondsAD(100), TimeFromElapsedSecondsAD(100)));
+  Result resultOut;
+  Time timeOut(Time::uninitialized);
+  ASSERT_TRUE(cache.Get(certID, OriginAttributes(), resultOut, timeOut));
+  // Here we see the more recent time.
+  ASSERT_EQ(Success, resultOut);
+  ASSERT_EQ(TimeFromElapsedSecondsAD(200), timeOut);
+
+  // Result::ERROR_REVOKED_CERTIFICATE overrides everything
+  PutAndGet(cache, certID, Result::ERROR_REVOKED_CERTIFICATE,
+            TimeFromElapsedSecondsAD(50));
+}
+
+TEST_F(psm_OCSPCacheTest, NetworkFailure) {
+  SCOPED_TRACE("");
+  CertID certID(fakeIssuer1, fakeKey000, fakeSerial0000);
+  PutAndGet(cache, certID, Result::ERROR_CONNECT_REFUSED,
+            TimeFromElapsedSecondsAD(100));
+  PutAndGet(cache, certID, Success, TimeFromElapsedSecondsAD(200));
+  // This should not override the already present entry.
+  ASSERT_EQ(
+      Success,
+      cache.Put(certID, OriginAttributes(), Result::ERROR_CONNECT_REFUSED,
+                TimeFromElapsedSecondsAD(300), TimeFromElapsedSecondsAD(350)));
+  Result resultOut;
+  Time timeOut(Time::uninitialized);
+  ASSERT_TRUE(cache.Get(certID, OriginAttributes(), resultOut, timeOut));
+  ASSERT_EQ(Success, resultOut);
+  ASSERT_EQ(TimeFromElapsedSecondsAD(200), timeOut);
+
+  PutAndGet(cache, certID, Result::ERROR_OCSP_UNKNOWN_CERT,
+            TimeFromElapsedSecondsAD(400));
+  // This should not override the already present entry.
+  ASSERT_EQ(
+      Success,
+      cache.Put(certID, OriginAttributes(), Result::ERROR_CONNECT_REFUSED,
+                TimeFromElapsedSecondsAD(500), TimeFromElapsedSecondsAD(550)));
+  ASSERT_TRUE(cache.Get(certID, OriginAttributes(), resultOut, timeOut));
+  ASSERT_EQ(Result::ERROR_OCSP_UNKNOWN_CERT, resultOut);
+  ASSERT_EQ(TimeFromElapsedSecondsAD(400), timeOut);
+
+  PutAndGet(cache, certID, Result::ERROR_REVOKED_CERTIFICATE,
+            TimeFromElapsedSecondsAD(600));
+  // This should not override the already present entry.
+  ASSERT_EQ(
+      Success,
+      cache.Put(certID, OriginAttributes(), Result::ERROR_CONNECT_REFUSED,
+                TimeFromElapsedSecondsAD(700), TimeFromElapsedSecondsAD(750)));
+  ASSERT_TRUE(cache.Get(certID, OriginAttributes(), resultOut, timeOut));
+  ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE, resultOut);
+  ASSERT_EQ(TimeFromElapsedSecondsAD(600), timeOut);
+}
+
+TEST_F(psm_OCSPCacheTest, TestOriginAttributes) {
+  CertID certID(fakeIssuer1, fakeKey000, fakeSerial0000);
+
+  // We test two attributes, firstPartyDomain and partitionKey, respectively
+  // because we don't have entries that have both attributes set because the two
+  // features that use these attributes are mutually exclusive.
+
+  // Set pref for OCSP cache network partitioning.
+  mozilla::Preferences::SetBool("privacy.partition.network_state.ocsp_cache",
+                                true);
+
+  SCOPED_TRACE("");
+  OriginAttributes attrs;
+  attrs.mFirstPartyDomain.AssignLiteral("foo.com");
+  PutAndGet(cache, certID, Success, now, attrs);
+
+  Result resultOut;
+  Time timeOut(Time::uninitialized);
+  attrs.mFirstPartyDomain.AssignLiteral("bar.com");
+  ASSERT_FALSE(cache.Get(certID, attrs, resultOut, timeOut));
+
+  // OCSP cache should not be isolated by containers for firstPartyDomain.
+  attrs.mUserContextId = 1;
+  attrs.mFirstPartyDomain.AssignLiteral("foo.com");
+  ASSERT_TRUE(cache.Get(certID, attrs, resultOut, timeOut));
+
+  // Clear originAttributes.
+  attrs.mUserContextId = 0;
+  attrs.mFirstPartyDomain.Truncate();
+
+  // Add OCSP cache for the partitionKey.
+  attrs.mPartitionKey.AssignLiteral("(https,foo.com)");
+  PutAndGet(cache, certID, Success, now, attrs);
+
+  // Check cache entry for the partitionKey.
+  attrs.mPartitionKey.AssignLiteral("(https,foo.com)");
+  ASSERT_TRUE(cache.Get(certID, attrs, resultOut, timeOut));
+
+  // OCSP cache entry should not exist for the other partitionKey.
+  attrs.mPartitionKey.AssignLiteral("(https,bar.com)");
+  ASSERT_FALSE(cache.Get(certID, attrs, resultOut, timeOut));
+
+  // OCSP cache should not be isolated by containers for partitonKey.
+  attrs.mUserContextId = 1;
+  attrs.mPartitionKey.AssignLiteral("(https,foo.com)");
+  ASSERT_TRUE(cache.Get(certID, attrs, resultOut, timeOut));
+
+  // OCSP cache should not exist for the OAs which has both attributes set.
+  attrs.mUserContextId = 0;
+  attrs.mFirstPartyDomain.AssignLiteral("foo.com");
+  attrs.mPartitionKey.AssignLiteral("(https,foo.com)");
+  ASSERT_FALSE(cache.Get(certID, attrs, resultOut, timeOut));
+}
diff --git a/security/manager/ssl/tests/gtest/README.txt b/security/manager/ssl/tests/gtest/README.txt
new file mode 100644
index 0000000000..0e51322690
--- /dev/null
+++ b/security/manager/ssl/tests/gtest/README.txt
@@ -0,0 +1,2 @@
+Please name all test cases in this directory with the prefix "psm". This makes
+it easier to run all PSM related GTests at once.
diff --git a/security/manager/ssl/tests/gtest/TLSIntoleranceTest.cpp b/security/manager/ssl/tests/gtest/TLSIntoleranceTest.cpp
new file mode 100644
index 0000000000..0c9d3ef60d
--- /dev/null
+++ b/security/manager/ssl/tests/gtest/TLSIntoleranceTest.cpp
@@ -0,0 +1,383 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsNSSIOLayer.h"
+#include "sslproto.h"
+#include "sslerr.h"
+
+#include "gtest/gtest.h"
+
+constexpr auto HOST = "example.org"_ns;
+const int16_t PORT = 443;
+
+class psm_TLSIntoleranceTest : public ::testing::Test {
+ protected:
+  nsSSLIOLayerHelpers helpers;
+};
+
+TEST_F(psm_TLSIntoleranceTest, FullFallbackProcess) {
+  ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, helpers.mVersionFallbackLimit);
+
+  // No adjustment made when there is no entry for the site.
+  {
+    SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+                             SSL_LIBRARY_VERSION_TLS_1_2};
+    helpers.adjustForTLSIntolerance(HOST, PORT, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+  }
+
+  {
+    SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+                             SSL_LIBRARY_VERSION_TLS_1_2};
+    helpers.adjustForTLSIntolerance(HOST, PORT, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+
+    ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT, range.min,
+                                                    range.max, 0));
+  }
+
+  {
+    SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+                             SSL_LIBRARY_VERSION_TLS_1_2};
+    helpers.adjustForTLSIntolerance(HOST, PORT, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
+
+    ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT, range.min,
+                                                    range.max, 0));
+  }
+
+  {
+    SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+                             SSL_LIBRARY_VERSION_TLS_1_2};
+    helpers.adjustForTLSIntolerance(HOST, PORT, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.max);
+
+    ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT, range.min,
+                                                     range.max, 0));
+  }
+
+  {
+    SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+                             SSL_LIBRARY_VERSION_TLS_1_2};
+    helpers.adjustForTLSIntolerance(HOST, PORT, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+    // When rememberIntolerantAtVersion returns false, it also resets the
+    // intolerance information for the server.
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+  }
+}
+
+TEST_F(psm_TLSIntoleranceTest, DisableFallbackWithHighLimit) {
+  // this value disables version fallback entirely: with this value, all efforts
+  // to mark an origin as version intolerant fail
+  helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_TLS_1_2;
+  ASSERT_FALSE(helpers.rememberIntolerantAtVersion(
+      HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2, 0));
+  ASSERT_FALSE(helpers.rememberIntolerantAtVersion(
+      HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_1, 0));
+  ASSERT_FALSE(helpers.rememberIntolerantAtVersion(
+      HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_0, 0));
+}
+
+TEST_F(psm_TLSIntoleranceTest, FallbackLimitBelowMin) {
+  // check that we still respect the minimum version,
+  // when it is higher than the fallback limit
+  ASSERT_TRUE(helpers.rememberIntolerantAtVersion(
+      HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1, SSL_LIBRARY_VERSION_TLS_1_2, 0));
+  {
+    SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+                             SSL_LIBRARY_VERSION_TLS_1_2};
+    helpers.adjustForTLSIntolerance(HOST, PORT, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
+  }
+
+  ASSERT_FALSE(helpers.rememberIntolerantAtVersion(
+      HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1, SSL_LIBRARY_VERSION_TLS_1_1, 0));
+}
+
+TEST_F(psm_TLSIntoleranceTest, TolerantOverridesIntolerant1) {
+  ASSERT_TRUE(helpers.rememberIntolerantAtVersion(
+      HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_1, 0));
+  helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1);
+  SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+                           SSL_LIBRARY_VERSION_TLS_1_2};
+  helpers.adjustForTLSIntolerance(HOST, PORT, range);
+  ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+  ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
+}
+
+TEST_F(psm_TLSIntoleranceTest, TolerantOverridesIntolerant2) {
+  ASSERT_TRUE(helpers.rememberIntolerantAtVersion(
+      HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_1, 0));
+  helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_2);
+  SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+                           SSL_LIBRARY_VERSION_TLS_1_2};
+  helpers.adjustForTLSIntolerance(HOST, PORT, range);
+  ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+  ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+}
+
+TEST_F(psm_TLSIntoleranceTest, IntolerantDoesNotOverrideTolerant) {
+  // No adjustment made when there is no entry for the site.
+  helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1);
+  // false because we reached the floor set by rememberTolerantAtVersion.
+  ASSERT_FALSE(helpers.rememberIntolerantAtVersion(
+      HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_1, 0));
+  SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+                           SSL_LIBRARY_VERSION_TLS_1_2};
+  helpers.adjustForTLSIntolerance(HOST, PORT, range);
+  ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+  ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+}
+
+TEST_F(psm_TLSIntoleranceTest, PortIsRelevant) {
+  helpers.rememberTolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_2);
+  ASSERT_FALSE(helpers.rememberIntolerantAtVersion(
+      HOST, 1, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2, 0));
+  ASSERT_TRUE(helpers.rememberIntolerantAtVersion(
+      HOST, 2, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2, 0));
+
+  {
+    SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+                             SSL_LIBRARY_VERSION_TLS_1_2};
+    helpers.adjustForTLSIntolerance(HOST, 1, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+  }
+
+  {
+    SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+                             SSL_LIBRARY_VERSION_TLS_1_2};
+    helpers.adjustForTLSIntolerance(HOST, 2, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
+  }
+}
+
+TEST_F(psm_TLSIntoleranceTest, IntoleranceReasonInitial) {
+  ASSERT_EQ(0, helpers.getIntoleranceReason(HOST, 1));
+
+  helpers.rememberTolerantAtVersion(HOST, 2, SSL_LIBRARY_VERSION_TLS_1_2);
+  ASSERT_EQ(0, helpers.getIntoleranceReason(HOST, 2));
+}
+
+TEST_F(psm_TLSIntoleranceTest, IntoleranceReasonStored) {
+  helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_0,
+                                      SSL_LIBRARY_VERSION_TLS_1_2,
+                                      SSL_ERROR_BAD_SERVER);
+  ASSERT_EQ(SSL_ERROR_BAD_SERVER, helpers.getIntoleranceReason(HOST, 1));
+
+  helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_0,
+                                      SSL_LIBRARY_VERSION_TLS_1_1,
+                                      SSL_ERROR_BAD_MAC_READ);
+  ASSERT_EQ(SSL_ERROR_BAD_MAC_READ, helpers.getIntoleranceReason(HOST, 1));
+}
+
+TEST_F(psm_TLSIntoleranceTest, IntoleranceReasonCleared) {
+  ASSERT_EQ(0, helpers.getIntoleranceReason(HOST, 1));
+
+  helpers.rememberIntolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_0,
+                                      SSL_LIBRARY_VERSION_TLS_1_2,
+                                      SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
+  ASSERT_EQ(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT,
+            helpers.getIntoleranceReason(HOST, 1));
+
+  helpers.rememberTolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_2);
+  ASSERT_EQ(0, helpers.getIntoleranceReason(HOST, 1));
+}
+
+TEST_F(psm_TLSIntoleranceTest, TLSForgetIntolerance) {
+  {
+    ASSERT_TRUE(helpers.rememberIntolerantAtVersion(
+        HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2,
+        0));
+
+    SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+                             SSL_LIBRARY_VERSION_TLS_1_2};
+    helpers.adjustForTLSIntolerance(HOST, PORT, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
+  }
+
+  {
+    helpers.forgetIntolerance(HOST, PORT);
+
+    SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+                             SSL_LIBRARY_VERSION_TLS_1_2};
+    helpers.adjustForTLSIntolerance(HOST, PORT, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+  }
+}
+
+TEST_F(psm_TLSIntoleranceTest, TLSDontForgetTolerance) {
+  {
+    helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1);
+
+    SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+                             SSL_LIBRARY_VERSION_TLS_1_2};
+    helpers.adjustForTLSIntolerance(HOST, PORT, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+  }
+
+  {
+    ASSERT_TRUE(helpers.rememberIntolerantAtVersion(
+        HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2,
+        0));
+
+    SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+                             SSL_LIBRARY_VERSION_TLS_1_2};
+    helpers.adjustForTLSIntolerance(HOST, PORT, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
+  }
+
+  {
+    helpers.forgetIntolerance(HOST, PORT);
+
+    SSLVersionRange range = {SSL_LIBRARY_VERSION_TLS_1_0,
+                             SSL_LIBRARY_VERSION_TLS_1_2};
+    helpers.adjustForTLSIntolerance(HOST, PORT, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+  }
+}
+
+TEST_F(psm_TLSIntoleranceTest, TLSPerSiteFallbackLimit) {
+  constexpr auto example_com = "example.com"_ns;
+  constexpr auto example_net = "example.net"_ns;
+  constexpr auto example_org = "example.org"_ns;
+
+  helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_TLS_1_0;
+
+  ASSERT_FALSE(
+      helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_2));
+  ASSERT_FALSE(
+      helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_1));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_0));
+  ASSERT_FALSE(
+      helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_2));
+  ASSERT_FALSE(
+      helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_1));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_0));
+  ASSERT_FALSE(
+      helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_2));
+  ASSERT_FALSE(
+      helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_1));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_0));
+
+  helpers.mVersionFallbackLimit = SSL_LIBRARY_VERSION_TLS_1_2;
+
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_2));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_1));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_0));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_2));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_1));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_0));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_2));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_1));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_0));
+
+  helpers.setInsecureFallbackSites(example_com);
+
+  ASSERT_FALSE(
+      helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_2));
+  ASSERT_FALSE(
+      helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_1));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_0));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_2));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_1));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_0));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_2));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_1));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_0));
+
+  helpers.setInsecureFallbackSites("example.com,example.net"_ns);
+
+  ASSERT_FALSE(
+      helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_2));
+  ASSERT_FALSE(
+      helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_1));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_0));
+  ASSERT_FALSE(
+      helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_2));
+  ASSERT_FALSE(
+      helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_1));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_0));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_2));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_1));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_0));
+
+  helpers.setInsecureFallbackSites(example_net);
+
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_2));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_1));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_0));
+  ASSERT_FALSE(
+      helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_2));
+  ASSERT_FALSE(
+      helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_1));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_0));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_2));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_1));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_0));
+
+  helpers.setInsecureFallbackSites(""_ns);
+
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_2));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_1));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_com, SSL_LIBRARY_VERSION_TLS_1_0));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_2));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_1));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_net, SSL_LIBRARY_VERSION_TLS_1_0));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_2));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_1));
+  ASSERT_TRUE(
+      helpers.fallbackLimitReached(example_org, SSL_LIBRARY_VERSION_TLS_1_0));
+}
diff --git a/security/manager/ssl/tests/gtest/moz.build b/security/manager/ssl/tests/gtest/moz.build
new file mode 100644
index 0000000000..9f793fd7cb
--- /dev/null
+++ b/security/manager/ssl/tests/gtest/moz.build
@@ -0,0 +1,26 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+SOURCES += [
+    "CertDBTest.cpp",
+    "CoseTest.cpp",
+    "DataStorageTest.cpp",
+    "DeserializeCertTest.cpp",
+    "HMACTest.cpp",
+    "MD4Test.cpp",
+    "OCSPCacheTest.cpp",
+    "TLSIntoleranceTest.cpp",
+]
+
+LOCAL_INCLUDES += [
+    "/security/certverifier",
+    "/security/manager/ssl",
+    "/third_party/rust/cose-c/include",
+]
+
+include("/ipc/chromium/chromium-config.mozbuild")
+
+FINAL_LIBRARY = "xul-gtest"
diff --git a/security/manager/ssl/tests/mochitest/browser/browser.ini b/security/manager/ssl/tests/mochitest/browser/browser.ini
new file mode 100644
index 0000000000..8ca1cb1d0d
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser.ini
@@ -0,0 +1,40 @@
+[DEFAULT]
+tags = psm
+support-files =
+  *.pem
+  head.js
+  hsts_headers.sjs
+  hsts_headers_framed.html
+  some_content.html
+  some_content_framed.html
+  browser_clientAuth_speculative_connection.html
+
+[browser_HSTS.js]
+https_first_disabled = true
+[browser_add_exception_dialog.js]
+[browser_bug627234_perwindowpb.js]
+[browser_certViewer.js]
+skip-if = verify
+[browser_certificateManager.js]
+[browser_clientAuthRememberService.js]
+skip-if =
+  os == "win" && os_version == "6.1" # Skip on Azure - frequent failure
+[browser_clientAuth_connection.js]
+# Any test that has to delete certificates (e.g. as part of cleanup) is
+# fundamentally incompatible with verify due to how NSS handles deleting
+# certificates.
+skip-if =
+  verify
+  socketprocess_networking
+  os == "win" && os_version == "6.1" # Skip on Azure - frequent failure
+[browser_clientAuth_speculative_connection.js]
+skip-if = socketprocess_networking
+[browser_clientAuth_ui.js]
+[browser_deleteCert_ui.js]
+[browser_downloadCert_ui.js]
+[browser_editCACertTrust.js]
+# An earlier attempt at landing this test resulted in frequent intermittent
+# failures, almost entirely on Linux. See Bug 1309519.
+skip-if = os == "linux"
+[browser_exportP12_passwordUI.js]
+[browser_loadPKCS11Module_ui.js]
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_HSTS.js b/security/manager/ssl/tests/mochitest/browser/browser_HSTS.js
new file mode 100644
index 0000000000..f578ac7c4f
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_HSTS.js
@@ -0,0 +1,277 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+// Tests that HTTP Strict Transport Security (HSTS) headers are noted as appropriate.
+
+// Register a cleanup function to clear all accumulated HSTS state when this
+// test is done.
+add_task(async function register_cleanup() {
+  registerCleanupFunction(() => {
+    let sss = Cc["@mozilla.org/ssservice;1"].getService(
+      Ci.nsISiteSecurityService
+    );
+    sss.clearAll();
+  });
+});
+
+// In the absense of HSTS information, no upgrade should happen.
+add_task(async function test_no_hsts_information_no_upgrade() {
+  let httpUrl =
+    getRootDirectory(gTestPath).replace(
+      "chrome://mochitests/content",
+      "http://example.com"
+    ) + "some_content.html";
+  await BrowserTestUtils.openNewForegroundTab(gBrowser, httpUrl);
+  Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "http");
+  gBrowser.removeCurrentTab();
+});
+
+// Visit a secure site that sends an HSTS header to set up the rest of the
+// test.
+add_task(async function see_hsts_header() {
+  let setHstsUrl =
+    getRootDirectory(gTestPath).replace(
+      "chrome://mochitests/content",
+      "https://example.com"
+    ) + "hsts_headers.sjs";
+  await BrowserTestUtils.openNewForegroundTab(gBrowser, setHstsUrl);
+  gBrowser.removeCurrentTab();
+});
+
+// Given a known HSTS host, future http navigations to that domain will be
+// upgraded.
+add_task(async function test_http_upgrade() {
+  let httpUrl =
+    getRootDirectory(gTestPath).replace(
+      "chrome://mochitests/content",
+      "http://example.com"
+    ) + "some_content.html";
+  await BrowserTestUtils.openNewForegroundTab(gBrowser, httpUrl);
+  Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "https");
+  gBrowser.removeCurrentTab();
+});
+
+// http navigations to unrelated hosts should not be upgraded.
+add_task(async function test_unrelated_domain_no_upgrade() {
+  let differentHttpUrl =
+    getRootDirectory(gTestPath).replace(
+      "chrome://mochitests/content",
+      "http://example.org"
+    ) + "some_content.html";
+  await BrowserTestUtils.openNewForegroundTab(gBrowser, differentHttpUrl);
+  Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "http");
+  gBrowser.removeCurrentTab();
+});
+
+// http navigations in private contexts shouldn't use information from
+// non-private contexts, so no upgrade should occur.
+add_task(async function test_private_window_no_upgrade() {
+  await SpecialPowers.pushPrefEnv({
+    set: [["dom.security.https_first_pbm", false]],
+  });
+  let privateWindow = OpenBrowserWindow({ private: true });
+  await BrowserTestUtils.firstBrowserLoaded(privateWindow, false);
+  let url =
+    getRootDirectory(gTestPath).replace(
+      "chrome://mochitests/content",
+      "http://example.com"
+    ) + "some_content.html";
+  await BrowserTestUtils.openNewForegroundTab(privateWindow.gBrowser, url);
+  Assert.equal(
+    privateWindow.gBrowser.selectedBrowser.currentURI.scheme,
+    "http"
+  );
+  privateWindow.gBrowser.removeCurrentTab();
+  privateWindow.close();
+});
+
+// Since the header didn't specify "includeSubdomains", visiting a subdomain
+// should not result in an upgrade.
+add_task(async function test_subdomain_no_upgrade() {
+  let subdomainHttpUrl =
+    getRootDirectory(gTestPath).replace(
+      "chrome://mochitests/content",
+      "http://test1.example.com"
+    ) + "some_content.html";
+  await BrowserTestUtils.openNewForegroundTab(gBrowser, subdomainHttpUrl);
+  Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "http");
+  gBrowser.removeCurrentTab();
+});
+
+// Now visit a secure site that sends an HSTS header that also includes subdomains.
+add_task(async function see_hsts_header_include_subdomains() {
+  let setHstsUrl =
+    getRootDirectory(gTestPath).replace(
+      "chrome://mochitests/content",
+      "https://example.com"
+    ) + "hsts_headers.sjs?includeSubdomains";
+  await BrowserTestUtils.openNewForegroundTab(gBrowser, setHstsUrl);
+  gBrowser.removeCurrentTab();
+});
+
+// Now visiting a subdomain should result in an upgrade.
+add_task(async function test_subdomain_upgrade() {
+  let subdomainHttpUrl =
+    getRootDirectory(gTestPath).replace(
+      "chrome://mochitests/content",
+      "http://test1.example.com"
+    ) + "some_content.html";
+  await BrowserTestUtils.openNewForegroundTab(gBrowser, subdomainHttpUrl);
+  Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "https");
+  gBrowser.removeCurrentTab();
+});
+
+// Visiting a subdomain with https should result in an https URL (this isn't an
+// upgrade - this test is essentially a consistency check).
+add_task(async function test_already_https() {
+  let subdomainHttpsUrl =
+    getRootDirectory(gTestPath).replace(
+      "chrome://mochitests/content",
+      "https://test2.example.com"
+    ) + "some_content.html";
+  await BrowserTestUtils.openNewForegroundTab(gBrowser, subdomainHttpsUrl);
+  Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "https");
+  gBrowser.removeCurrentTab();
+});
+
+// Test that subresources are upgraded.
+add_task(async function test_iframe_upgrade() {
+  let framedUrl =
+    getRootDirectory(gTestPath).replace(
+      "chrome://mochitests/content",
+      "https://example.com"
+    ) + "some_content_framed.html";
+  await BrowserTestUtils.openNewForegroundTab(gBrowser, framedUrl);
+  await SpecialPowers.spawn(gBrowser.selectedBrowser, [], async function () {
+    await ContentTaskUtils.waitForCondition(() => {
+      let frame = content.document.getElementById("frame");
+      if (frame) {
+        return frame.baseURI.startsWith("https://");
+      }
+      return false;
+    });
+  });
+  gBrowser.removeCurrentTab();
+});
+
+// Clear state.
+add_task(async function clear_hsts_state() {
+  let sss = Cc["@mozilla.org/ssservice;1"].getService(
+    Ci.nsISiteSecurityService
+  );
+  sss.clearAll();
+});
+
+// Make sure this test is valid.
+add_task(async function test_no_hsts_information_no_upgrade_again() {
+  let httpUrl =
+    getRootDirectory(gTestPath).replace(
+      "chrome://mochitests/content",
+      "http://example.com"
+    ) + "some_content.html";
+  await BrowserTestUtils.openNewForegroundTab(gBrowser, httpUrl);
+  Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "http");
+  gBrowser.removeCurrentTab();
+});
+
+// Visit a site with an iframe that loads first-party content that sends an
+// HSTS header. The header should be heeded because it's first-party.
+add_task(async function see_hsts_header_in_framed_first_party_context() {
+  let framedUrl =
+    getRootDirectory(gTestPath).replace(
+      "chrome://mochitests/content",
+      "https://example.com"
+    ) + "hsts_headers_framed.html";
+  await BrowserTestUtils.openNewForegroundTab(gBrowser, framedUrl);
+  await SpecialPowers.spawn(gBrowser.selectedBrowser, [], async function () {
+    await ContentTaskUtils.waitForCondition(() => {
+      return content.document.getElementById("done");
+    });
+  });
+  gBrowser.removeCurrentTab();
+});
+
+// Check that the framed, first-party header was heeded.
+add_task(async function test_http_upgrade_after_framed_first_party_header() {
+  let httpUrl =
+    getRootDirectory(gTestPath).replace(
+      "chrome://mochitests/content",
+      "http://example.com"
+    ) + "some_content.html";
+  await BrowserTestUtils.openNewForegroundTab(gBrowser, httpUrl);
+  Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "https");
+  gBrowser.removeCurrentTab();
+});
+
+// Visit a site with an iframe that loads third-party content that sends an
+// HSTS header. The header should be ignored because it's third-party.
+add_task(async function see_hsts_header_in_third_party_context() {
+  let framedUrl =
+    getRootDirectory(gTestPath).replace(
+      "chrome://mochitests/content",
+      "https://example.com"
+    ) + "hsts_headers_framed.html?third-party";
+  await BrowserTestUtils.openNewForegroundTab(gBrowser, framedUrl);
+  await SpecialPowers.spawn(gBrowser.selectedBrowser, [], async function () {
+    await ContentTaskUtils.waitForCondition(() => {
+      return content.document.getElementById("done");
+    });
+  });
+  gBrowser.removeCurrentTab();
+});
+
+// Since the HSTS header was not received in a first-party context, no upgrade
+// should occur.
+add_task(async function test_no_upgrade_for_third_party_header() {
+  let url =
+    getRootDirectory(gTestPath).replace(
+      "chrome://mochitests/content",
+      "http://example.org"
+    ) + "some_content.html";
+  await BrowserTestUtils.openNewForegroundTab(gBrowser, url);
+  Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "http");
+  gBrowser.removeCurrentTab();
+});
+
+// Clear state again.
+add_task(async function clear_hsts_state_again() {
+  let sss = Cc["@mozilla.org/ssservice;1"].getService(
+    Ci.nsISiteSecurityService
+  );
+  sss.clearAll();
+});
+
+// HSTS information encountered in private contexts should not be used in
+// non-private contexts.
+add_task(
+  async function test_no_upgrade_for_HSTS_information_from_private_window() {
+    await SpecialPowers.pushPrefEnv({
+      set: [["dom.security.https_first_pbm", false]],
+    });
+    let privateWindow = OpenBrowserWindow({ private: true });
+    await BrowserTestUtils.firstBrowserLoaded(privateWindow, false);
+    let setHstsUrl =
+      getRootDirectory(gTestPath).replace(
+        "chrome://mochitests/content",
+        "https://example.com"
+      ) + "hsts_headers.sjs";
+    await BrowserTestUtils.openNewForegroundTab(
+      privateWindow.gBrowser,
+      setHstsUrl
+    );
+    privateWindow.gBrowser.removeCurrentTab();
+
+    let httpUrl =
+      getRootDirectory(gTestPath).replace(
+        "chrome://mochitests/content",
+        "http://example.com"
+      ) + "some_content.html";
+    await BrowserTestUtils.openNewForegroundTab(gBrowser, httpUrl);
+    Assert.equal(gBrowser.selectedBrowser.currentURI.scheme, "http");
+    gBrowser.removeCurrentTab();
+
+    privateWindow.close();
+  }
+);
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_add_exception_dialog.js b/security/manager/ssl/tests/mochitest/browser/browser_add_exception_dialog.js
new file mode 100644
index 0000000000..d04af61036
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_add_exception_dialog.js
@@ -0,0 +1,69 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+// This test makes sure that adding certificate exceptions behaves correctly
+// when done from the prefs window
+
+XPCOMUtils.defineLazyModuleGetters(this, {
+  BrowserWindowTracker: "resource:///modules/BrowserWindowTracker.jsm",
+});
+
+function test() {
+  const EXCEPTIONS_DLG_URL = "chrome://pippki/content/exceptionDialog.xhtml";
+  const EXCEPTIONS_DLG_FEATURES = "chrome,centerscreen";
+  const INVALID_CERT_DOMAIN = "self-signed.example.com";
+  const INVALID_CERT_LOCATION = "https://" + INVALID_CERT_DOMAIN + "/";
+  waitForExplicitFinish();
+
+  function testAddCertificate() {
+    win.removeEventListener("load", testAddCertificate);
+    Services.obs.addObserver(async function onCertUI(aSubject, aTopic, aData) {
+      Services.obs.removeObserver(onCertUI, "cert-exception-ui-ready");
+      ok(win.gCert, "The certificate information should be available now");
+
+      let dialog = win.document.getElementById("exceptiondialog");
+      let confirmButton = dialog.getButton("extra1");
+      confirmButton.click();
+      ok(
+        params.exceptionAdded,
+        "The certificate exception should have been added"
+      );
+
+      registerCleanupFunction(() => {
+        let certOverrideService = Cc[
+          "@mozilla.org/security/certoverride;1"
+        ].getService(Ci.nsICertOverrideService);
+        certOverrideService.clearValidityOverride(INVALID_CERT_DOMAIN, -1, {});
+      });
+
+      BrowserTestUtils.loadURIString(gBrowser, INVALID_CERT_LOCATION);
+      let loaded = await BrowserTestUtils.browserLoaded(
+        gBrowser,
+        false,
+        INVALID_CERT_LOCATION,
+        true
+      );
+      ok(loaded, "The certificate exception should allow the page to load");
+
+      finish();
+    }, "cert-exception-ui-ready");
+  }
+
+  let bWin = BrowserWindowTracker.getTopWindow();
+  let params = {
+    exceptionAdded: false,
+    location: INVALID_CERT_LOCATION,
+    prefetchCert: true,
+  };
+
+  let win = bWin.openDialog(
+    EXCEPTIONS_DLG_URL,
+    "",
+    EXCEPTIONS_DLG_FEATURES,
+    params
+  );
+  win.addEventListener("load", testAddCertificate);
+}
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_bug627234_perwindowpb.js b/security/manager/ssl/tests/mochitest/browser/browser_bug627234_perwindowpb.js
new file mode 100644
index 0000000000..564aca088d
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_bug627234_perwindowpb.js
@@ -0,0 +1,91 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+function whenNewWindowLoaded(aOptions, aCallback) {
+  let win = OpenBrowserWindow(aOptions);
+  win.addEventListener(
+    "load",
+    function () {
+      aCallback(win);
+    },
+    { once: true }
+  );
+}
+
+// This is a template to help porting global private browsing tests
+// to per-window private browsing tests
+function test() {
+  // initialization
+  waitForExplicitFinish();
+  let windowsToClose = [];
+  let testURI = "about:blank";
+  let uri;
+  let gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+    Ci.nsISiteSecurityService
+  );
+
+  function originAttributes(aIsPrivateMode) {
+    return aIsPrivateMode ? { privateBrowsingId: 1 } : {};
+  }
+
+  function doTest(aIsPrivateMode, aWindow, aCallback) {
+    BrowserTestUtils.browserLoaded(aWindow.gBrowser.selectedBrowser).then(
+      () => {
+        uri = aWindow.Services.io.newURI("https://localhost/img.png");
+        gSSService.processHeader(
+          uri,
+          "max-age=1000",
+          originAttributes(aIsPrivateMode)
+        );
+        ok(
+          gSSService.isSecureURI(uri, originAttributes(aIsPrivateMode)),
+          "checking sts host"
+        );
+
+        aCallback();
+      }
+    );
+
+    BrowserTestUtils.loadURIString(aWindow.gBrowser.selectedBrowser, testURI);
+  }
+
+  function testOnWindow(aOptions, aCallback) {
+    whenNewWindowLoaded(aOptions, function (aWin) {
+      windowsToClose.push(aWin);
+      // execute should only be called when need, like when you are opening
+      // web pages on the test. If calling executeSoon() is not necesary, then
+      // call whenNewWindowLoaded() instead of testOnWindow() on your test.
+      executeSoon(function () {
+        aCallback(aWin);
+      });
+    });
+  }
+
+  // this function is called after calling finish() on the test.
+  registerCleanupFunction(function () {
+    windowsToClose.forEach(function (aWin) {
+      aWin.close();
+    });
+    uri = Services.io.newURI("http://localhost");
+    gSSService.resetState(uri);
+  });
+
+  // test first when on private mode
+  testOnWindow({ private: true }, function (aWin) {
+    doTest(true, aWin, function () {
+      // test when not on private mode
+      testOnWindow({}, function (aWin) {
+        doTest(false, aWin, function () {
+          // test again when on private mode
+          testOnWindow({ private: true }, function (aWin) {
+            doTest(true, aWin, function () {
+              finish();
+            });
+          });
+        });
+      });
+    });
+  });
+}
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_certViewer.js b/security/manager/ssl/tests/mochitest/browser/browser_certViewer.js
new file mode 100644
index 0000000000..7f0b8888c1
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_certViewer.js
@@ -0,0 +1,112 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Repeatedly opens the certificate viewer dialog with various certificates and
+// determines that the viewer correctly identifies either what usages those
+// certificates are valid for or what errors prevented the certificates from
+// being verified.
+
+add_task(async function testCAandTitle() {
+  let cert = await readCertificate("ca.pem", "CTu,CTu,CTu");
+  let url = getURL(cert);
+  await openCertViewerAndCheckTabName(url, "ca");
+});
+
+add_task(async function testSSLEndEntity() {
+  let cert = await readCertificate("ssl-ee.pem", ",,");
+  let url = getURL(cert);
+  await openCertViewerAndCheckTabName(url, "ssl-ee");
+});
+
+add_task(async function testEmailEndEntity() {
+  let cert = await readCertificate("email-ee.pem", ",,");
+  let url = getURL(cert);
+  await openCertViewerAndCheckTabName(url, "email-ee");
+});
+
+add_task(async function testCodeSignEndEntity() {
+  let cert = await readCertificate("code-ee.pem", ",,");
+  let url = getURL(cert);
+  await openCertViewerAndCheckTabName(url, "code-ee");
+});
+
+add_task(async function testExpired() {
+  let cert = await readCertificate("expired-ca.pem", ",,");
+  let url = getURL(cert);
+  await openCertViewerAndCheckTabName(url, "expired-ca");
+});
+
+add_task(async function testUntrusted() {
+  let cert = await readCertificate("untrusted-ca.pem", "p,p,p");
+  let url = getURL(cert);
+  await openCertViewerAndCheckTabName(url, "untrusted-ca");
+});
+
+add_task(async function testInvalid() {
+  // This certificate has a keyUsage extension asserting cRLSign and
+  // keyCertSign, but it doesn't have a basicConstraints extension. This
+  // shouldn't be valid for any usage. Sadly, we give a pretty bad error
+  // message in this case.
+  let cert = await readCertificate("invalid.pem", ",,");
+  let url = getURL(cert);
+  await openCertViewerAndCheckTabName(url, "invalid");
+});
+
+add_task(async function testLongOID() {
+  // This certificate has a certificatePolicies extension with a policy with a
+  // very long OID. This tests that we don't crash when looking at it.
+  let cert = await readCertificate("longOID.pem", ",,");
+  let url = getURL(cert);
+  await openCertViewerAndCheckTabName(url, "Long OID");
+});
+
+/**
+ * Given a certificate, returns its PEMs (each one of the certificate chain) string in a url.
+ *
+ * @param {object} cert
+ *      A certificate object
+ * @returns {string} an URL for opening the certificate viewer
+ */
+function getURL(cert) {
+  // Note that we don't get the certificate chain as in e.g browser/base/content/browser.js,
+  // because all the .pem files when opened with CS (https://github.com/april/certainly-something)
+  // shows only one certificate
+  let derb64 = encodeURIComponent(cert.getBase64DERString());
+  return `about:certificate?cert=${derb64}`;
+}
+
+/**
+ * Given an certificate URL, opens the new certificate viewer and check
+ * if a certain element exists, with its expected result.
+ *
+ * @param {string} url
+ *        The URL with the certificate info
+ * @param {string} expectedTabName
+ *        The expected name of the tab in the certificate viewer
+ */
+async function openCertViewerAndCheckTabName(url, expectedTabName) {
+  await BrowserTestUtils.withNewTab(
+    { gBrowser, url },
+    async function (browser) {
+      await SpecialPowers.spawn(
+        browser,
+        [expectedTabName],
+        async function (expectedTabName) {
+          let certificateSection = await ContentTaskUtils.waitForCondition(
+            () => {
+              return content.document.querySelector("certificate-section");
+            },
+            "Certificate section found"
+          );
+          let tabName =
+            certificateSection.shadowRoot.querySelector(
+              ".tab[idnumber='0']"
+            ).textContent;
+          Assert.equal(tabName, expectedTabName);
+        }
+      );
+    }
+  );
+}
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_certificateManager.js b/security/manager/ssl/tests/mochitest/browser/browser_certificateManager.js
new file mode 100644
index 0000000000..c6619909d0
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_certificateManager.js
@@ -0,0 +1,105 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+async function checkServerCertificates(win, expectedValues = []) {
+  await TestUtils.waitForCondition(() => {
+    return (
+      win.document.getElementById("serverList").itemChildren.length ==
+      expectedValues.length
+    );
+  }, `Expected to have ${expectedValues.length} but got ${win.document.getElementById("serverList").itemChildren.length}`);
+  await new Promise(win.requestAnimationFrame);
+
+  let labels = win.document
+    .getElementById("serverList")
+    .querySelectorAll("label");
+
+  // The strings we will get from the DOM are localized with Fluent.
+  // This will wait until the translation is applied.
+  if (expectedValues.length) {
+    await BrowserTestUtils.waitForCondition(
+      () => labels[1].value || !!labels[1].textContent.length,
+      "At least one label is populated"
+    );
+  }
+
+  expectedValues.forEach((item, i) => {
+    let hostPort = labels[i * 3].value;
+    let fingerprint = labels[i * 3 + 1].value || labels[i * 3 + 1].textContent;
+
+    Assert.equal(
+      hostPort,
+      item.hostPort,
+      `Expected override to be ${item.hostPort} but got ${hostPort}`
+    );
+
+    Assert.equal(
+      fingerprint,
+      item.fingerprint,
+      `Expected override to have field ${item.fingerprint}`
+    );
+  });
+}
+
+async function deleteOverride(win, expectedLength) {
+  win.document.getElementById("serverList").selectedIndex = 0;
+  await TestUtils.waitForCondition(() => {
+    return (
+      win.document.getElementById("serverList").itemChildren.length ==
+      expectedLength
+    );
+  });
+  let newWinPromise = BrowserTestUtils.domWindowOpenedAndLoaded();
+  // Since the .click() blocks we need to dispatch it to the main thread avoid that.
+  Services.tm.dispatchToMainThread(() =>
+    win.document.getElementById("websites_deleteButton").click()
+  );
+  let newWin = await newWinPromise;
+  newWin.document.getElementById("deleteCertificate").acceptDialog();
+  Assert.equal(
+    win.document.getElementById("serverList").selectedIndex,
+    0,
+    "After deletion we expect the selectedItem to be reset."
+  );
+}
+
+add_task(async function test_cert_manager_server_tab() {
+  let win = await openCertManager();
+
+  await checkServerCertificates(win);
+
+  win.document.getElementById("certmanager").acceptDialog();
+  await BrowserTestUtils.windowClosed(win);
+
+  let cert = await readCertificate("md5-ee.pem", ",,");
+  let certOverrideService = Cc[
+    "@mozilla.org/security/certoverride;1"
+  ].getService(Ci.nsICertOverrideService);
+  certOverrideService.rememberValidityOverride(
+    "example.com",
+    443,
+    {},
+    cert,
+    false
+  );
+
+  win = await openCertManager();
+
+  await checkServerCertificates(win, [
+    {
+      hostPort: "example.com:443",
+      fingerprint: cert.sha256Fingerprint,
+    },
+  ]);
+
+  await deleteOverride(win, 1);
+
+  await checkServerCertificates(win, []);
+
+  win.document.getElementById("certmanager").acceptDialog();
+  await BrowserTestUtils.windowClosed(win);
+
+  certOverrideService.clearAllOverrides();
+});
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_clientAuthRememberService.js b/security/manager/ssl/tests/mochitest/browser/browser_clientAuthRememberService.js
new file mode 100644
index 0000000000..460379e688
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuthRememberService.js
@@ -0,0 +1,297 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+/**
+ * Test certificate (i.e. build/pgo/certs/mochitest.client).
+ *
+ * @type {nsIX509Cert}
+ */
+var cert;
+var cert2;
+var cert3;
+
+var sdr = Cc["@mozilla.org/security/sdr;1"].getService(Ci.nsISecretDecoderRing);
+var certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+var deleted = false;
+
+const { MockRegistrar } = ChromeUtils.importESModule(
+  "resource://testing-common/MockRegistrar.sys.mjs"
+);
+
+function findCertByCommonName(commonName) {
+  for (let cert of certDB.getCerts()) {
+    if (cert.commonName == commonName) {
+      return cert;
+    }
+  }
+  return null;
+}
+
+async function testHelper(connectURL, expectedURL) {
+  let win = await BrowserTestUtils.openNewBrowserWindow();
+
+  await SpecialPowers.pushPrefEnv({
+    set: [["security.default_personal_cert", "Ask Every Time"]],
+  });
+
+  BrowserTestUtils.loadURIString(win.gBrowser.selectedBrowser, connectURL);
+
+  await BrowserTestUtils.browserLoaded(
+    win.gBrowser.selectedBrowser,
+    false,
+    expectedURL,
+    true
+  );
+  let loadedURL = win.gBrowser.selectedBrowser.documentURI.spec;
+  Assert.ok(
+    loadedURL.startsWith(expectedURL),
+    `Expected and actual URLs should match (got '${loadedURL}', expected '${expectedURL}')`
+  );
+
+  await win.close();
+
+  // This clears the TLS session cache so we don't use a previously-established
+  // ticket to connect and bypass selecting a client auth certificate in
+  // subsequent tests.
+  sdr.logout();
+}
+
+async function openRequireClientCert() {
+  gClientAuthDialogs.chooseCertificateCalled = false;
+  await testHelper(
+    "https://requireclientcert.example.com:443",
+    "https://requireclientcert.example.com/"
+  );
+}
+
+async function openRequireClientCert2() {
+  gClientAuthDialogs.chooseCertificateCalled = false;
+  await testHelper(
+    "https://requireclientcert-2.example.com:443",
+    "https://requireclientcert-2.example.com/"
+  );
+}
+
+// Mock implementation of nsIClientAuthRememberService
+const gClientAuthRememberService = {
+  forgetRememberedDecision(key) {
+    deleted = true;
+    Assert.equal(
+      key,
+      "exampleKey2",
+      "Expected to get the same key that was passed in getDecisions()"
+    );
+  },
+
+  getDecisions() {
+    return [
+      {
+        asciiHost: "example.com",
+        dbKey: cert.dbKey,
+        entryKey: "exampleKey1",
+      },
+      {
+        asciiHost: "example.org",
+        dbKey: cert2.dbKey,
+        entryKey: "exampleKey2",
+      },
+      {
+        asciiHost: "example.test",
+        dbKey: cert3.dbKey,
+        entryKey: "exampleKey3",
+      },
+      {
+        asciiHost: "unavailable.example.com",
+        // This dbKey should not correspond to any real certificate. The first
+        // 8 bytes have to be 0, followed by the lengths of the serial number
+        // and issuer distinguished name, respectively, and then followed by
+        // the bytes of the serial number and finally the encoded issuer
+        // distinguished name. In this case, the serial number is a single 0
+        // byte and the issuer distinguished name is a DER SEQUENCE of length 0
+        // (the bytes 0x30 and 0).
+        // See also the documentation in nsNSSCertificateDB::FindCertByDBKey.
+        dbKey: "AAAAAAAAAAAAAAABAAAAAgAeAA==",
+        entryKey: "exampleKey4",
+      },
+    ];
+  },
+
+  QueryInterface: ChromeUtils.generateQI(["nsIClientAuthRememberService"]),
+};
+
+const gClientAuthDialogs = {
+  _chooseCertificateCalled: false,
+
+  get chooseCertificateCalled() {
+    return this._chooseCertificateCalled;
+  },
+
+  set chooseCertificateCalled(value) {
+    this._chooseCertificateCalled = value;
+  },
+
+  chooseCertificate(
+    hostname,
+    port,
+    organization,
+    issuerOrg,
+    certList,
+    selectedIndex,
+    rememberClientAuthCertificate
+  ) {
+    rememberClientAuthCertificate.value = true;
+    this.chooseCertificateCalled = true;
+    selectedIndex.value = 0;
+    return true;
+  },
+
+  QueryInterface: ChromeUtils.generateQI([Ci.nsIClientAuthDialogs]),
+};
+
+add_task(async function testRememberedDecisionsUI() {
+  cert = findCertByCommonName("Mochitest client");
+  cert2 = await readCertificate("pgo-ca-all-usages.pem", ",,");
+  cert3 = await readCertificate("client-cert-via-intermediate.pem", ",,");
+  isnot(cert, null, "Should be able to find the test client cert");
+  isnot(cert2, null, "Should be able to find pgo-ca-all-usages.pem");
+  isnot(cert3, null, "Should be able to find client-cert-via-intermediate.pem");
+
+  let clientAuthRememberServiceCID = MockRegistrar.register(
+    "@mozilla.org/security/clientAuthRememberService;1",
+    gClientAuthRememberService
+  );
+
+  let win = await openCertManager();
+
+  let listItems = win.document
+    .getElementById("rememberedList")
+    .querySelectorAll("richlistitem");
+
+  Assert.equal(
+    listItems.length,
+    4,
+    "rememberedList has expected number of items"
+  );
+
+  let labels = win.document
+    .getElementById("rememberedList")
+    .querySelectorAll("label");
+
+  Assert.equal(
+    labels.length,
+    12,
+    "rememberedList has expected number of labels"
+  );
+
+  await BrowserTestUtils.waitForCondition(
+    () => !!labels[10].textContent.length,
+    "Localized label is populated"
+  );
+
+  let expectedHosts = [
+    "example.com",
+    "example.org",
+    "example.test",
+    "unavailable.example.com",
+  ];
+  let hosts = [
+    labels[0].value,
+    labels[3].value,
+    labels[6].value,
+    labels[9].value,
+  ];
+  let expectedNames = [
+    cert.commonName,
+    cert2.commonName,
+    cert3.commonName,
+    "(Unavailable)",
+  ];
+  let names = [
+    labels[1].value,
+    labels[4].value,
+    labels[7].value,
+    labels[10].textContent,
+  ];
+  let expectedSerialNumbers = [
+    cert.serialNumber,
+    cert2.serialNumber,
+    cert3.serialNumber,
+    "(Unavailable)",
+  ];
+  let serialNumbers = [
+    labels[2].value,
+    labels[5].value,
+    labels[8].value,
+    labels[11].textContent,
+  ];
+
+  for (let i = 0; i < listItems.length; i++) {
+    Assert.equal(hosts[i], expectedHosts[i], "got expected asciiHost");
+    Assert.equal(names[i], expectedNames[i], "got expected commonName");
+    Assert.equal(
+      serialNumbers[i],
+      expectedSerialNumbers[i],
+      "got expected serialNumber"
+    );
+  }
+
+  win.document.getElementById("rememberedList").selectedIndex = 1;
+  win.document.getElementById("remembered_deleteButton").click();
+
+  Assert.ok(deleted, "Expected forgetRememberedDecision() to get called");
+
+  win.document.getElementById("certmanager").acceptDialog();
+  await BrowserTestUtils.windowClosed(win);
+
+  MockRegistrar.unregister(clientAuthRememberServiceCID);
+});
+
+add_task(async function testDeletingRememberedDecisions() {
+  let clientAuthDialogsCID = MockRegistrar.register(
+    "@mozilla.org/nsClientAuthDialogs;1",
+    gClientAuthDialogs
+  );
+  let cars = Cc["@mozilla.org/security/clientAuthRememberService;1"].getService(
+    Ci.nsIClientAuthRememberService
+  );
+
+  await openRequireClientCert();
+  Assert.ok(
+    gClientAuthDialogs.chooseCertificateCalled,
+    "chooseCertificate should have been called if visiting 'requireclientcert.example.com' for the first time"
+  );
+
+  await openRequireClientCert();
+  Assert.ok(
+    !gClientAuthDialogs.chooseCertificateCalled,
+    "chooseCertificate should not have been called if visiting 'requireclientcert.example.com' for the second time"
+  );
+
+  await openRequireClientCert2();
+  Assert.ok(
+    gClientAuthDialogs.chooseCertificateCalled,
+    "chooseCertificate should have been called if visiting 'requireclientcert-2.example.com' for the first time"
+  );
+
+  let originAttributes = { privateBrowsingId: 0 };
+  cars.deleteDecisionsByHost("requireclientcert.example.com", originAttributes);
+
+  await openRequireClientCert();
+  Assert.ok(
+    gClientAuthDialogs.chooseCertificateCalled,
+    "chooseCertificate should have been called after removing all remembered decisions for 'requireclientcert.example.com'"
+  );
+
+  await openRequireClientCert2();
+  Assert.ok(
+    !gClientAuthDialogs.chooseCertificateCalled,
+    "chooseCertificate should not have been called if visiting 'requireclientcert-2.example.com' for the second time"
+  );
+
+  MockRegistrar.unregister(clientAuthDialogsCID);
+});
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_connection.js b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_connection.js
new file mode 100644
index 0000000000..d8f57c3e8b
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_connection.js
@@ -0,0 +1,401 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests various scenarios connecting to a server that requires client cert
+// authentication. Also tests that nsIClientAuthDialogs.chooseCertificate
+// is called at the appropriate times and with the correct arguments.
+
+const { MockRegistrar } = ChromeUtils.importESModule(
+  "resource://testing-common/MockRegistrar.sys.mjs"
+);
+
+const DialogState = {
+  // Assert that chooseCertificate() is never called.
+  ASSERT_NOT_CALLED: "ASSERT_NOT_CALLED",
+  // Return that the user selected the first given cert.
+  RETURN_CERT_SELECTED: "RETURN_CERT_SELECTED",
+  // Return that the user canceled.
+  RETURN_CERT_NOT_SELECTED: "RETURN_CERT_NOT_SELECTED",
+};
+
+var sdr = Cc["@mozilla.org/security/sdr;1"].getService(Ci.nsISecretDecoderRing);
+let cars = Cc["@mozilla.org/security/clientAuthRememberService;1"].getService(
+  Ci.nsIClientAuthRememberService
+);
+
+var gExpectedClientCertificateChoices;
+
+// Mock implementation of nsIClientAuthDialogs.
+const gClientAuthDialogs = {
+  _state: DialogState.ASSERT_NOT_CALLED,
+  _rememberClientAuthCertificate: false,
+  _chooseCertificateCalled: false,
+
+  set state(newState) {
+    info(`old state: ${this._state}`);
+    this._state = newState;
+    info(`new state: ${this._state}`);
+  },
+
+  get state() {
+    return this._state;
+  },
+
+  set rememberClientAuthCertificate(value) {
+    this._rememberClientAuthCertificate = value;
+  },
+
+  get rememberClientAuthCertificate() {
+    return this._rememberClientAuthCertificate;
+  },
+
+  get chooseCertificateCalled() {
+    return this._chooseCertificateCalled;
+  },
+
+  set chooseCertificateCalled(value) {
+    this._chooseCertificateCalled = value;
+  },
+
+  chooseCertificate(
+    hostname,
+    port,
+    organization,
+    issuerOrg,
+    certList,
+    selectedIndex,
+    rememberClientAuthCertificate
+  ) {
+    this.chooseCertificateCalled = true;
+    Assert.notEqual(
+      this.state,
+      DialogState.ASSERT_NOT_CALLED,
+      "chooseCertificate() should be called only when expected"
+    );
+
+    rememberClientAuthCertificate.value = this.rememberClientAuthCertificate;
+
+    Assert.equal(
+      hostname,
+      "requireclientcert.example.com",
+      "Hostname should be 'requireclientcert.example.com'"
+    );
+    Assert.equal(port, 443, "Port should be 443");
+    Assert.equal(
+      organization,
+      "",
+      "Server cert Organization should be empty/not present"
+    );
+    Assert.equal(
+      issuerOrg,
+      "Mozilla Testing",
+      "Server cert issuer Organization should be 'Mozilla Testing'"
+    );
+
+    // For mochitests, the cert at build/pgo/certs/mochitest.client should be
+    // selectable as well as one of the PGO certs we loaded in `setup`, so we do
+    // some brief checks to confirm this.
+    Assert.notEqual(certList, null, "Cert list should not be null");
+    Assert.equal(
+      certList.length,
+      gExpectedClientCertificateChoices,
+      `${gExpectedClientCertificateChoices} certificates should be available`
+    );
+
+    for (let cert of certList.enumerate(Ci.nsIX509Cert)) {
+      Assert.notEqual(cert, null, "Cert list should contain nsIX509Certs");
+      Assert.equal(
+        cert.issuerCommonName,
+        "Temporary Certificate Authority",
+        "cert should have expected issuer CN"
+      );
+    }
+
+    if (this.state == DialogState.RETURN_CERT_SELECTED) {
+      selectedIndex.value = 0;
+      return true;
+    }
+    return false;
+  },
+
+  QueryInterface: ChromeUtils.generateQI(["nsIClientAuthDialogs"]),
+};
+
+add_setup(async function () {
+  let clientAuthDialogsCID = MockRegistrar.register(
+    "@mozilla.org/nsClientAuthDialogs;1",
+    gClientAuthDialogs
+  );
+  registerCleanupFunction(() => {
+    MockRegistrar.unregister(clientAuthDialogsCID);
+  });
+
+  // This CA has the expected keyCertSign and cRLSign usages. It should not be
+  // presented for use as a client certificate.
+  await readCertificate("pgo-ca-regular-usages.pem", "CTu,CTu,CTu");
+  // This CA has all keyUsages. For compatibility with preexisting behavior, it
+  // will be presented for use as a client certificate.
+  await readCertificate("pgo-ca-all-usages.pem", "CTu,CTu,CTu");
+  // This client certificate was issued by an intermediate that was issued by
+  // the test CA. The server only lists the test CA's subject distinguished name
+  // as an acceptible issuer name for client certificates. If the implementation
+  // can determine that the test CA is a root CA for the client certificate and
+  // thus is acceptible to use, it should be included in the chooseCertificate
+  // callback. At the beginning of this test (speaking of this file as a whole),
+  // the client is not aware of the intermediate, and so it is not available in
+  // the callback.
+  await readCertificate("client-cert-via-intermediate.pem", ",,");
+  // This certificate has an id-kp-OCSPSigning EKU. Client certificates
+  // shouldn't have this EKU, but there is at least one private PKI where they
+  // do. For interoperability, such certificates will be presented for use.
+  await readCertificate("client-cert-with-ocsp-signing.pem", ",,");
+  gExpectedClientCertificateChoices = 3;
+});
+
+/**
+ * Test helper for the tests below.
+ *
+ * @param {string} prefValue
+ *        Value to set the "security.default_personal_cert" pref to.
+ * @param {string} urlToNavigate
+ *        The URL to navigate to.
+ * @param {string} expectedURL
+ *        If the connection is expected to load successfully, the URL that
+ *        should load. If the connection is expected to fail and result in an
+ *        error page, |undefined|.
+ * @param {boolean} expectCallingChooseCertificate
+ *        Determines whether we expect chooseCertificate to be called.
+ * @param {object} options
+ *        Optional options object to pass on to the window that gets opened.
+ * @param {string} expectStringInPage
+ *        Optional string that is expected to be in the content of the page
+ *        once it loads.
+ */
+async function testHelper(
+  prefValue,
+  urlToNavigate,
+  expectedURL,
+  expectCallingChooseCertificate,
+  options = undefined,
+  expectStringInPage = undefined
+) {
+  gClientAuthDialogs.chooseCertificateCalled = false;
+  await SpecialPowers.pushPrefEnv({
+    set: [["security.default_personal_cert", prefValue]],
+  });
+
+  let win = await BrowserTestUtils.openNewBrowserWindow(options);
+
+  BrowserTestUtils.loadURIString(win.gBrowser.selectedBrowser, urlToNavigate);
+  if (expectedURL) {
+    await BrowserTestUtils.browserLoaded(
+      win.gBrowser.selectedBrowser,
+      false,
+      "https://requireclientcert.example.com/",
+      true
+    );
+    let loadedURL = win.gBrowser.selectedBrowser.documentURI.spec;
+    Assert.ok(
+      loadedURL.startsWith(expectedURL),
+      `Expected and actual URLs should match (got '${loadedURL}', expected '${expectedURL}')`
+    );
+  } else {
+    await new Promise(resolve => {
+      let removeEventListener = BrowserTestUtils.addContentEventListener(
+        win.gBrowser.selectedBrowser,
+        "AboutNetErrorLoad",
+        () => {
+          removeEventListener();
+          resolve();
+        },
+        { capture: false, wantUntrusted: true }
+      );
+    });
+  }
+
+  Assert.equal(
+    gClientAuthDialogs.chooseCertificateCalled,
+    expectCallingChooseCertificate,
+    "chooseCertificate should have been called if we were expecting it to be called"
+  );
+
+  if (expectStringInPage) {
+    let pageContent = await SpecialPowers.spawn(
+      win.gBrowser.selectedBrowser,
+      [],
+      async function () {
+        return content.document.body.textContent;
+      }
+    );
+    Assert.ok(
+      pageContent.includes(expectStringInPage),
+      `page should contain the string '${expectStringInPage}' (was '${pageContent}')`
+    );
+  }
+
+  await win.close();
+
+  // This clears the TLS session cache so we don't use a previously-established
+  // ticket to connect and bypass selecting a client auth certificate in
+  // subsequent tests.
+  sdr.logout();
+}
+
+// Test that if a certificate is chosen automatically the connection succeeds,
+// and that nsIClientAuthDialogs.chooseCertificate() is never called.
+add_task(async function testCertChosenAutomatically() {
+  gClientAuthDialogs.state = DialogState.ASSERT_NOT_CALLED;
+  await testHelper(
+    "Select Automatically",
+    "https://requireclientcert.example.com/",
+    "https://requireclientcert.example.com/",
+    false
+  );
+  // This clears all saved client auth certificate state so we don't influence
+  // subsequent tests.
+  cars.clearRememberedDecisions();
+});
+
+// Test that if the user doesn't choose a certificate, the connection fails and
+// an error page is displayed.
+add_task(async function testCertNotChosenByUser() {
+  gClientAuthDialogs.state = DialogState.RETURN_CERT_NOT_SELECTED;
+  await testHelper(
+    "Ask Every Time",
+    "https://requireclientcert.example.com/",
+    undefined,
+    true,
+    undefined,
+    // bug 1818556: ssltunnel doesn't behave as expected here on Windows
+    AppConstants.platform != "win"
+      ? "SSL_ERROR_RX_CERTIFICATE_REQUIRED_ALERT"
+      : undefined
+  );
+  cars.clearRememberedDecisions();
+});
+
+// Test that if the user chooses a certificate the connection suceeeds.
+add_task(async function testCertChosenByUser() {
+  gClientAuthDialogs.state = DialogState.RETURN_CERT_SELECTED;
+  await testHelper(
+    "Ask Every Time",
+    "https://requireclientcert.example.com/",
+    "https://requireclientcert.example.com/",
+    true
+  );
+  cars.clearRememberedDecisions();
+});
+
+// Test that the cancel decision is remembered correctly
+add_task(async function testEmptyCertChosenByUser() {
+  gClientAuthDialogs.state = DialogState.RETURN_CERT_NOT_SELECTED;
+  gClientAuthDialogs.rememberClientAuthCertificate = true;
+  await testHelper(
+    "Ask Every Time",
+    "https://requireclientcert.example.com/",
+    undefined,
+    true
+  );
+  await testHelper(
+    "Ask Every Time",
+    "https://requireclientcert.example.com/",
+    undefined,
+    false
+  );
+  cars.clearRememberedDecisions();
+});
+
+// Test that if the user chooses a certificate in a private browsing window,
+// configures Firefox to remember this certificate for the duration of the
+// session, closes that window (and thus all private windows), reopens a private
+// window, and visits that site again, they are re-asked for a certificate (i.e.
+// any state from the previous private session should be gone). Similarly, after
+// closing that private window, if the user opens a non-private window, they
+// again should be asked to choose a certificate (i.e. private state should not
+// be remembered/used in non-private contexts).
+add_task(async function testClearPrivateBrowsingState() {
+  gClientAuthDialogs.rememberClientAuthCertificate = true;
+  gClientAuthDialogs.state = DialogState.RETURN_CERT_SELECTED;
+  await testHelper(
+    "Ask Every Time",
+    "https://requireclientcert.example.com/",
+    "https://requireclientcert.example.com/",
+    true,
+    {
+      private: true,
+    }
+  );
+  await testHelper(
+    "Ask Every Time",
+    "https://requireclientcert.example.com/",
+    "https://requireclientcert.example.com/",
+    true,
+    {
+      private: true,
+    }
+  );
+  await testHelper(
+    "Ask Every Time",
+    "https://requireclientcert.example.com/",
+    "https://requireclientcert.example.com/",
+    true
+  );
+  // NB: we don't `cars.clearRememberedDecisions()` in between the two calls to
+  // `testHelper` because that would clear all client auth certificate state and
+  // obscure what we're testing (that Firefox properly clears the relevant state
+  // when the last private window closes).
+  cars.clearRememberedDecisions();
+});
+
+// Test that 3rd party certificates are taken into account when filtering client
+// certificates based on the acceptible CA list sent by the server.
+add_task(async function testCertFilteringWithIntermediate() {
+  let intermediateBytes = await IOUtils.readUTF8(
+    getTestFilePath("intermediate.pem")
+  ).then(
+    pem => {
+      let base64 = pemToBase64(pem);
+      let bin = atob(base64);
+      let bytes = [];
+      for (let i = 0; i < bin.length; i++) {
+        bytes.push(bin.charCodeAt(i));
+      }
+      return bytes;
+    },
+    error => {
+      throw error;
+    }
+  );
+  let nssComponent = Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent);
+  nssComponent.addEnterpriseIntermediate(intermediateBytes);
+  gExpectedClientCertificateChoices = 4;
+  gClientAuthDialogs.state = DialogState.RETURN_CERT_SELECTED;
+  await testHelper(
+    "Ask Every Time",
+    "https://requireclientcert.example.com/",
+    "https://requireclientcert.example.com/",
+    true
+  );
+  cars.clearRememberedDecisions();
+  // This will reset the added intermediate.
+  await SpecialPowers.pushPrefEnv({
+    set: [["security.enterprise_roots.enabled", true]],
+  });
+});
+
+// Test that if the server certificate does not validate successfully,
+// nsIClientAuthDialogs.chooseCertificate() is never called.
+add_task(async function testNoDialogForUntrustedServerCertificate() {
+  gClientAuthDialogs.state = DialogState.ASSERT_NOT_CALLED;
+  await testHelper(
+    "Ask Every Time",
+    "https://requireclientcert-untrusted.example.com/",
+    undefined,
+    false
+  );
+  // This clears all saved client auth certificate state so we don't influence
+  // subsequent tests.
+  cars.clearRememberedDecisions();
+});
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.html b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.html
new file mode 100644
index 0000000000..82aac47b2a
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.html
@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<html>
+<body>
+<a href="https://requireclientcert.example.com" id="link">Click Me</a>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.js b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.js
new file mode 100644
index 0000000000..aec0ec45aa
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.js
@@ -0,0 +1,90 @@
+/* eslint-disable mozilla/no-arbitrary-setTimeout */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+// Tests that with speculative connections enabled, connections to servers that
+// request a client authentication certificate succeed (the specific bug that
+// was addressed with this patch involved navigation hanging because the
+// connection to the server couldn't make progress without asking for a client
+// authentication certificate, but it also wouldn't ask for a client
+// authentication certificate until the connection had been claimed, which
+// required that it make progress first).
+
+const { MockRegistrar } = ChromeUtils.importESModule(
+  "resource://testing-common/MockRegistrar.sys.mjs"
+);
+
+const TEST_PATH = getRootDirectory(gTestPath).replace(
+  "chrome://mochitests/content",
+  "https://example.com"
+);
+
+let chooseCertificateCalled = false;
+
+const clientAuthDialogs = {
+  chooseCertificate(
+    hostname,
+    port,
+    organization,
+    issuerOrg,
+    certList,
+    selectedIndex,
+    rememberClientAuthCertificate
+  ) {
+    is(certList.length, 1, "should have only one client certificate available");
+    selectedIndex.value = 0;
+    rememberClientAuthCertificate.value = false;
+    ok(
+      !chooseCertificateCalled,
+      "chooseCertificate should only be called once"
+    );
+    chooseCertificateCalled = true;
+    return true;
+  },
+
+  QueryInterface: ChromeUtils.generateQI(["nsIClientAuthDialogs"]),
+};
+
+add_setup(async function () {
+  await SpecialPowers.pushPrefEnv({
+    set: [
+      // Enable speculative connections.
+      ["network.http.speculative-parallel-limit", 6],
+      // Always ask to select a client authentication certificate.
+      ["security.default_personal_cert", "Ask Every Time"],
+    ],
+  });
+  let clientAuthDialogsCID = MockRegistrar.register(
+    "@mozilla.org/nsClientAuthDialogs;1",
+    clientAuthDialogs
+  );
+  registerCleanupFunction(async function () {
+    MockRegistrar.unregister(clientAuthDialogsCID);
+  });
+});
+
+add_task(
+  async function test_no_client_auth_selection_dialog_for_speculative_connections() {
+    await BrowserTestUtils.withNewTab(
+      `${TEST_PATH}browser_clientAuth_speculative_connection.html`,
+      async browser => {
+        // Click the link to navigate to a page that requests a client
+        // authentication certificate. Necko will make a speculative
+        // connection, but unfortunately there's no event or notification to
+        // observe. This test ensures that the navigation succeeds and that a
+        // client authentication certificate was requested.
+        let loaded = BrowserTestUtils.browserLoaded(
+          browser,
+          false,
+          "https://requireclientcert.example.com/"
+        );
+        await BrowserTestUtils.synthesizeMouseAtCenter("#link", {}, browser);
+        await loaded;
+        ok(chooseCertificateCalled, "chooseCertificate must have been called");
+      }
+    );
+  }
+);
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js
new file mode 100644
index 0000000000..516ba701ce
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js
@@ -0,0 +1,195 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that the client authentication certificate chooser correctly displays
+// provided information and correctly returns user input.
+
+const TEST_HOSTNAME = "Test Hostname";
+const TEST_ORG = "Test Org";
+const TEST_ISSUER_ORG = "Test Issuer Org";
+const TEST_PORT = 123;
+
+var certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+/**
+ * Test certificate (i.e. build/pgo/certs/mochitest.client).
+ *
+ * @type {nsIX509Cert}
+ */
+var cert;
+
+/**
+ * Opens the client auth cert chooser dialog.
+ *
+ * @param {nsIX509Cert} cert The cert to pass to the dialog for display.
+ * @returns {Promise}
+ *          A promise that resolves when the dialog has finished loading, with
+ *          an array consisting of:
+ *            1. The window of the opened dialog.
+ *            2. The return value nsIWritablePropertyBag2 passed to the dialog.
+ */
+function openClientAuthDialog(cert) {
+  let certList = Cc["@mozilla.org/array;1"].createInstance(Ci.nsIMutableArray);
+  certList.appendElement(cert);
+
+  let returnVals = Cc["@mozilla.org/hash-property-bag;1"].createInstance(
+    Ci.nsIWritablePropertyBag2
+  );
+  let win = window.openDialog(
+    "chrome://pippki/content/clientauthask.xhtml",
+    "",
+    "",
+    TEST_HOSTNAME,
+    TEST_ORG,
+    TEST_ISSUER_ORG,
+    TEST_PORT,
+    certList,
+    returnVals
+  );
+  return TestUtils.topicObserved("cert-dialog-loaded").then(() => [
+    win,
+    returnVals,
+  ]);
+}
+
+/**
+ * Checks that the contents of the given cert chooser dialog match the details
+ * of build/pgo/certs/mochitest.client.
+ *
+ * @param {window} win The cert chooser window.
+ * @param {string} notBefore
+ *        The formatted notBefore date of mochitest.client.
+ * @param {string} notAfter
+ *        The formatted notAfter date of mochitest.client.
+ */
+function checkDialogContents(win, notBefore, notAfter) {
+  is(
+    win.document.getElementById("hostname").textContent,
+    `${TEST_HOSTNAME}:${TEST_PORT}`,
+    "Actual and expected hostname and port should be equal"
+  );
+  is(
+    win.document.getElementById("organization").textContent,
+    `Organization: “${TEST_ORG}�`,
+    "Actual and expected organization should be equal"
+  );
+  is(
+    win.document.getElementById("issuer").textContent,
+    `Issued Under: “${TEST_ISSUER_ORG}�`,
+    "Actual and expected issuer organization should be equal"
+  );
+
+  is(
+    win.document.getElementById("nicknames").label,
+    "Mochitest client [03]",
+    "Actual and expected selected cert nickname and serial should be equal"
+  );
+  is(
+    win.document.getElementById("nicknames").itemCount,
+    1,
+    "correct number of items"
+  );
+
+  let [subject, serialNum, validity, issuer, tokenName] = win.document
+    .getElementById("details")
+    .value.split("\n");
+  is(
+    subject,
+    "Issued to: CN=Mochitest client",
+    "Actual and expected subject should be equal"
+  );
+  is(
+    serialNum,
+    "Serial number: 03",
+    "Actual and expected serial number should be equal"
+  );
+  is(
+    validity,
+    `Valid from ${notBefore} to ${notAfter}`,
+    "Actual and expected validity should be equal"
+  );
+  is(
+    issuer,
+    "Issued by: OU=Profile Guided Optimization,O=Mozilla Testing,CN=Temporary Certificate Authority",
+    "Actual and expected issuer should be equal"
+  );
+  is(
+    tokenName,
+    "Stored on: Software Security Device",
+    "Actual and expected token name should be equal"
+  );
+}
+
+function findCertByCommonName(commonName) {
+  for (let cert of certDB.getCerts()) {
+    if (cert.commonName == commonName) {
+      return cert;
+    }
+  }
+  return null;
+}
+
+add_setup(async function () {
+  cert = findCertByCommonName("Mochitest client");
+  isnot(cert, null, "Should be able to find the test client cert");
+});
+
+// Test that the contents of the dialog correspond to the details of the
+// provided cert.
+add_task(async function testContents() {
+  const formatter = new Intl.DateTimeFormat(undefined, {
+    dateStyle: "medium",
+    timeStyle: "long",
+  });
+  let [win] = await openClientAuthDialog(cert);
+  checkDialogContents(
+    win,
+    formatter.format(new Date(cert.validity.notBefore / 1000)),
+    formatter.format(new Date(cert.validity.notAfter / 1000))
+  );
+  await BrowserTestUtils.closeWindow(win);
+});
+
+// Test that the right values are returned when the dialog is accepted.
+add_task(async function testAcceptDialogReturnValues() {
+  let [win, retVals] = await openClientAuthDialog(cert);
+  win.document.getElementById("rememberBox").checked = true;
+  info("Accepting dialog");
+  win.document.getElementById("certAuthAsk").acceptDialog();
+  await BrowserTestUtils.windowClosed(win);
+
+  ok(
+    retVals.get("certChosen"),
+    "Return value should signal user chose a certificate"
+  );
+  is(
+    retVals.get("selectedIndex"),
+    0,
+    "0 should be returned as the selected index"
+  );
+  ok(
+    retVals.get("rememberSelection"),
+    "Return value should signal 'Remember this decision' checkbox was checked"
+  );
+});
+
+// Test that the right values are returned when the dialog is canceled.
+add_task(async function testCancelDialogReturnValues() {
+  let [win, retVals] = await openClientAuthDialog(cert);
+  win.document.getElementById("rememberBox").checked = false;
+  info("Canceling dialog");
+  win.document.getElementById("certAuthAsk").cancelDialog();
+  await BrowserTestUtils.windowClosed(win);
+
+  ok(
+    !retVals.get("certChosen"),
+    "Return value should signal user did not choose a certificate"
+  );
+  ok(
+    !retVals.get("rememberSelection"),
+    "Return value should signal 'Remember this decision' checkbox was unchecked"
+  );
+});
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_deleteCert_ui.js b/security/manager/ssl/tests/mochitest/browser/browser_deleteCert_ui.js
new file mode 100644
index 0000000000..a8ff7cc8fb
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_deleteCert_ui.js
@@ -0,0 +1,259 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests various aspects of the cert delete confirmation dialog.
+// Among other things, tests that for each type of cert that can be deleted:
+// 1. The various lines of explanation text are correctly set.
+// 2. The implementation correctly falls back through multiple cert attributes
+//    to determine what to display to represent a cert.
+
+/**
+ * An array of tree items corresponding to TEST_CASES.
+ *
+ * @type {nsICertTreeItem[]}
+ */
+var gCertArray = [];
+
+const FAKE_HOST_PORT = "Fake host and port";
+
+/**
+ * @typedef TestCase
+ * @type {object}
+ * @property {string} certFilename
+ *           Filename of the cert, or null if we don't want to import a cert for
+ *           this test case (i.e. we expect the hostPort attribute of
+ *           nsICertTreeItem to be used).
+ * @property {string} expectedDisplayString
+ *           The string we expect the UI to display to represent the given cert.
+ * @property {string} expectedSerialNumber
+ *           The serial number we expect the UI to display if it exists.
+ */
+
+/**
+ * A list of test cases representing certs that get "deleted".
+ *
+ * @type {TestCase[]}
+ */
+const TEST_CASES = [
+  {
+    certFilename: null,
+    expectedDisplayString: FAKE_HOST_PORT,
+    expectedSerialNumber: null,
+  },
+  {
+    certFilename: "has-cn.pem",
+    expectedDisplayString: "Foo",
+    expectedSerialNumber: null,
+  },
+  {
+    certFilename: "has-ou.pem",
+    expectedDisplayString: "Bar",
+    expectedSerialNumber: null,
+  },
+  {
+    certFilename: "has-o.pem",
+    expectedDisplayString: "Baz",
+    expectedSerialNumber: null,
+  },
+  {
+    certFilename: "has-non-empty-subject.pem",
+    expectedDisplayString: "C=US",
+    expectedSerialNumber: null,
+  },
+  {
+    certFilename: "has-empty-subject.pem",
+    expectedDisplayString: "Certificate with serial number: 0A",
+    expectedSerialNumber: "0A",
+  },
+];
+
+/**
+ * Opens the cert delete confirmation dialog.
+ *
+ * @param {string} tabID
+ *        The ID of the cert category tab the certs to delete belong to.
+ * @returns {Promise}
+ *          A promise that resolves when the dialog has finished loading, with
+ *          an array consisting of:
+ *            1. The window of the opened dialog.
+ *            2. The return value object passed to the dialog.
+ */
+function openDeleteCertConfirmDialog(tabID) {
+  let retVals = {
+    deleteConfirmed: false,
+  };
+  let win = window.openDialog(
+    "chrome://pippki/content/deletecert.xhtml",
+    "",
+    "",
+    tabID,
+    gCertArray,
+    retVals
+  );
+  return new Promise((resolve, reject) => {
+    win.addEventListener(
+      "load",
+      function () {
+        executeSoon(() => resolve([win, retVals]));
+      },
+      { once: true }
+    );
+  });
+}
+
+add_setup(async function () {
+  for (let testCase of TEST_CASES) {
+    let cert = null;
+    if (testCase.certFilename) {
+      cert = await readCertificate(testCase.certFilename, ",,");
+    }
+    let certTreeItem = {
+      hostPort: FAKE_HOST_PORT,
+      cert,
+      QueryInterface: ChromeUtils.generateQI(["nsICertTreeItem"]),
+    };
+    gCertArray.push(certTreeItem);
+  }
+});
+
+/**
+ * Test helper for the below test cases.
+ *
+ * @param {string} tabID
+ *        ID of the cert category tab the certs to delete belong to.
+ * @param {string} expectedTitleL10nId
+ *        The L10nId of title the dialog is expected to have.
+ * @param {string} expectedConfirmL10nId
+ *        The l10n id of confirmation message the dialog expected to show.
+ * @param {string} expectedImpactL10nId
+ *        The l10n id of impact the dialog expected to show.
+ */
+async function testHelper(
+  tabID,
+  expectedTitleL10nId,
+  expectedConfirmL10nId,
+  expectedImpactL10nId
+) {
+  let [win] = await openDeleteCertConfirmDialog(tabID);
+  let certList = win.document.getElementById("certlist");
+
+  Assert.deepEqual(
+    win.document.l10n.getAttributes(win.document.documentElement),
+    expectedTitleL10nId,
+    `Actual and expected titles should match for ${tabID}`
+  );
+  let confirm = win.document.getElementById("confirm");
+  Assert.deepEqual(
+    win.document.l10n.getAttributes(confirm),
+    expectedConfirmL10nId,
+    `Actual and expected confirm message should match for ${tabID}`
+  );
+  let impact = win.document.getElementById("impact");
+  Assert.deepEqual(
+    win.document.l10n.getAttributes(impact),
+    expectedImpactL10nId,
+    `Actual and expected impact should match for ${tabID}`
+  );
+
+  Assert.equal(
+    certList.itemCount,
+    TEST_CASES.length,
+    `No. of certs displayed should match for ${tabID}`
+  );
+  for (let i = 0; i < certList.itemCount; i++) {
+    let item = certList.getItemAtIndex(i);
+    if (TEST_CASES[i].expectedSerialNumber == null) {
+      Assert.equal(
+        item.label,
+        TEST_CASES[i].expectedDisplayString,
+        "Actual and expected display string should match for " +
+          `index ${i} for ${tabID}`
+      );
+    } else {
+      Assert.deepEqual(
+        win.document.l10n.getAttributes(item.children[0]),
+        {
+          id: "cert-with-serial",
+          args: { serialNumber: TEST_CASES[i].expectedSerialNumber },
+        },
+        "Actual and expected display string should match for " +
+          `index ${i} for ${tabID}`
+      );
+    }
+  }
+
+  await BrowserTestUtils.closeWindow(win);
+}
+
+// Test deleting certs from the "Your Certificates" tab.
+add_task(async function testDeletePersonalCerts() {
+  const expectedTitleL10nId = { id: "delete-user-cert-title", args: null };
+  const expectedConfirmL10nId = { id: "delete-user-cert-confirm", args: null };
+  const expectedImpactL10nId = { id: "delete-user-cert-impact", args: null };
+  await testHelper(
+    "mine_tab",
+    expectedTitleL10nId,
+    expectedConfirmL10nId,
+    expectedImpactL10nId
+  );
+});
+
+// Test deleting certs from the "People" tab.
+add_task(async function testDeleteOtherPeopleCerts() {
+  const expectedTitleL10nId = { id: "delete-email-cert-title", args: null };
+  // ’ doesn't seem to work when embedded in the following literals, which is
+  // why escape codes are used instead.
+  const expectedConfirmL10nId = { id: "delete-email-cert-confirm", args: null };
+  const expectedImpactL10nId = { id: "delete-email-cert-impact", args: null };
+  await testHelper(
+    "others_tab",
+    expectedTitleL10nId,
+    expectedConfirmL10nId,
+    expectedImpactL10nId
+  );
+});
+
+// Test deleting certs from the "Authorities" tab.
+add_task(async function testDeleteCACerts() {
+  const expectedTitleL10nId = { id: "delete-ca-cert-title", args: null };
+  const expectedConfirmL10nId = { id: "delete-ca-cert-confirm", args: null };
+  const expectedImpactL10nId = { id: "delete-ca-cert-impact", args: null };
+  await testHelper(
+    "ca_tab",
+    expectedTitleL10nId,
+    expectedConfirmL10nId,
+    expectedImpactL10nId
+  );
+});
+
+// Test that the right values are returned when the dialog is accepted.
+add_task(async function testAcceptDialogReturnValues() {
+  let [win, retVals] = await openDeleteCertConfirmDialog(
+    "ca_tab" /* arbitrary */
+  );
+  info("Accepting dialog");
+  win.document.getElementById("deleteCertificate").acceptDialog();
+  await BrowserTestUtils.windowClosed(win);
+
+  Assert.ok(
+    retVals.deleteConfirmed,
+    "Return value should signal user accepted"
+  );
+});
+
+// Test that the right values are returned when the dialog is canceled.
+add_task(async function testCancelDialogReturnValues() {
+  let [win, retVals] = await openDeleteCertConfirmDialog(
+    "ca_tab" /* arbitrary */
+  );
+  info("Canceling dialog");
+  win.document.getElementById("deleteCertificate").cancelDialog();
+  await BrowserTestUtils.windowClosed(win);
+
+  Assert.ok(
+    !retVals.deleteConfirmed,
+    "Return value should signal user did not accept"
+  );
+});
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_downloadCert_ui.js b/security/manager/ssl/tests/mochitest/browser/browser_downloadCert_ui.js
new file mode 100644
index 0000000000..51715b1352
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_downloadCert_ui.js
@@ -0,0 +1,134 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that the cert download/import UI correctly identifies the cert being
+// downloaded, and allows the trust of the cert to be specified.
+
+const { MockRegistrar } = ChromeUtils.importESModule(
+  "resource://testing-common/MockRegistrar.sys.mjs"
+);
+
+/**
+ * @typedef TestCase
+ * @type {object}
+ * @property {string} certFilename
+ *           Filename of the cert for this test case.
+ * @property {string} expectedDisplayString
+ *           The string we expect the UI to display to represent the given cert.
+ * @property {nsIX509Cert} cert
+ *           Handle to the cert once read in setup().
+ */
+
+/**
+ * A list of test cases representing certs that get "downloaded".
+ *
+ * @type {TestCase[]}
+ */
+const TEST_CASES = [
+  { certFilename: "has-cn.pem", expectedDisplayString: "Foo", cert: null },
+  {
+    certFilename: "has-empty-subject.pem",
+    expectedDisplayString: "Certificate Authority (unnamed)",
+    cert: null,
+  },
+];
+
+/**
+ * Opens the cert download dialog.
+ *
+ * @param {nsIX509Cert} cert
+ *        The cert to pass to the dialog for display.
+ * @returns {Promise}
+ *          A promise that resolves when the dialog has finished loading, with
+ *          an array consisting of:
+ *            1. The window of the opened dialog.
+ *            2. The return value nsIWritablePropertyBag2 passed to the dialog.
+ */
+function openCertDownloadDialog(cert) {
+  let returnVals = Cc["@mozilla.org/hash-property-bag;1"].createInstance(
+    Ci.nsIWritablePropertyBag2
+  );
+  let win = window.openDialog(
+    "chrome://pippki/content/downloadcert.xhtml",
+    "",
+    "",
+    cert,
+    returnVals
+  );
+  return new Promise((resolve, reject) => {
+    win.addEventListener(
+      "load",
+      function () {
+        executeSoon(() => resolve([win, returnVals]));
+      },
+      { once: true }
+    );
+  });
+}
+
+add_setup(async function () {
+  for (let testCase of TEST_CASES) {
+    testCase.cert = await readCertificate(testCase.certFilename, ",,");
+    Assert.notEqual(
+      testCase.cert,
+      null,
+      `'${testCase.certFilename}' should have been read`
+    );
+  }
+});
+
+// Test that the trust header message corresponds to the provided cert, and that
+// the View Cert button launches the cert viewer for the provided cert.
+add_task(async function testTrustHeaderAndViewCertButton() {
+  for (let testCase of TEST_CASES) {
+    let [win] = await openCertDownloadDialog(testCase.cert);
+    let expectedTrustHeaderString =
+      `Do you want to trust \u201C${testCase.expectedDisplayString}\u201D ` +
+      "for the following purposes?";
+    Assert.equal(
+      win.document.getElementById("trustHeader").textContent,
+      expectedTrustHeaderString,
+      "Actual and expected trust header text should match for " +
+        `${testCase.certFilename}`
+    );
+
+    await BrowserTestUtils.closeWindow(win);
+  }
+});
+
+// Test that the right values are returned when the dialog is accepted.
+add_task(async function testAcceptDialogReturnValues() {
+  let [win, retVals] = await openCertDownloadDialog(TEST_CASES[0].cert);
+  win.document.getElementById("trustSSL").checked = true;
+  win.document.getElementById("trustEmail").checked = false;
+  info("Accepting dialog");
+  win.document.getElementById("download_cert").acceptDialog();
+  await BrowserTestUtils.windowClosed(win);
+
+  Assert.ok(
+    retVals.get("importConfirmed"),
+    "Return value should signal user chose to import the cert"
+  );
+  Assert.ok(
+    retVals.get("trustForSSL"),
+    "Return value should signal SSL trust checkbox was checked"
+  );
+  Assert.ok(
+    !retVals.get("trustForEmail"),
+    "Return value should signal E-mail trust checkbox was unchecked"
+  );
+});
+
+// Test that the right values are returned when the dialog is canceled.
+add_task(async function testCancelDialogReturnValues() {
+  let [win, retVals] = await openCertDownloadDialog(TEST_CASES[0].cert);
+  info("Canceling dialog");
+  win.document.getElementById("download_cert").cancelDialog();
+  await BrowserTestUtils.windowClosed(win);
+
+  Assert.ok(
+    !retVals.get("importConfirmed"),
+    "Return value should signal user chose not to import the cert"
+  );
+});
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_editCACertTrust.js b/security/manager/ssl/tests/mochitest/browser/browser_editCACertTrust.js
new file mode 100644
index 0000000000..9a36eca7bf
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_editCACertTrust.js
@@ -0,0 +1,141 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that the UI for editing the trust of a CA certificate correctly
+// reflects trust in the cert DB, and correctly updates trust in the cert DB
+// when requested.
+
+var gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+/**
+ * The cert we're editing the trust of.
+ *
+ * @type {nsIX509Cert}
+ */
+var gCert;
+
+/**
+ * Opens the cert trust editing dialog.
+ *
+ * @returns {Promise}
+ *          A promise that resolves when the dialog has finished loading with
+ *          the window of the opened dialog.
+ */
+function openEditCertTrustDialog() {
+  let win = window.openDialog(
+    "chrome://pippki/content/editcacert.xhtml",
+    "",
+    "",
+    gCert
+  );
+  return new Promise((resolve, reject) => {
+    win.addEventListener(
+      "load",
+      function () {
+        executeSoon(() => resolve(win));
+      },
+      { once: true }
+    );
+  });
+}
+
+add_setup(async function () {
+  // Initially trust ca.pem for SSL but not e-mail.
+  gCert = await readCertificate("ca.pem", "CT,,");
+  Assert.ok(
+    gCertDB.isCertTrusted(
+      gCert,
+      Ci.nsIX509Cert.CA_CERT,
+      Ci.nsIX509CertDB.TRUSTED_SSL
+    ),
+    "Sanity check: ca.pem should be trusted for SSL"
+  );
+  Assert.ok(
+    !gCertDB.isCertTrusted(
+      gCert,
+      Ci.nsIX509Cert.CA_CERT,
+      Ci.nsIX509CertDB.TRUSTED_EMAIL
+    ),
+    "Sanity check: ca.pem should not be trusted for e-mail"
+  );
+});
+
+// Tests the following:
+// 1. The checkboxes correctly reflect the trust set in setup().
+// 2. Accepting the dialog after flipping some of the checkboxes results in the
+//    correct trust being set in the cert DB.
+add_task(async function testAcceptDialog() {
+  let win = await openEditCertTrustDialog();
+
+  let sslCheckbox = win.document.getElementById("trustSSL");
+  let emailCheckbox = win.document.getElementById("trustEmail");
+  Assert.ok(sslCheckbox.checked, "Cert should be trusted for SSL in UI");
+  Assert.ok(
+    !emailCheckbox.checked,
+    "Cert should not be trusted for e-mail in UI"
+  );
+
+  sslCheckbox.checked = false;
+  emailCheckbox.checked = true;
+
+  info("Accepting dialog");
+  win.document.getElementById("editCaCert").acceptDialog();
+  await BrowserTestUtils.windowClosed(win);
+
+  Assert.ok(
+    !gCertDB.isCertTrusted(
+      gCert,
+      Ci.nsIX509Cert.CA_CERT,
+      Ci.nsIX509CertDB.TRUSTED_SSL
+    ),
+    "Cert should no longer be trusted for SSL"
+  );
+  Assert.ok(
+    gCertDB.isCertTrusted(
+      gCert,
+      Ci.nsIX509Cert.CA_CERT,
+      Ci.nsIX509CertDB.TRUSTED_EMAIL
+    ),
+    "Cert should now be trusted for e-mail"
+  );
+});
+
+// Tests the following:
+// 1. The checkboxes correctly reflect the trust set in testAcceptDialog().
+// 2. Canceling the dialog even after flipping the checkboxes doesn't result in
+//    a change of trust in the cert DB.
+add_task(async function testCancelDialog() {
+  let win = await openEditCertTrustDialog();
+
+  let sslCheckbox = win.document.getElementById("trustSSL");
+  let emailCheckbox = win.document.getElementById("trustEmail");
+  Assert.ok(!sslCheckbox.checked, "Cert should not be trusted for SSL in UI");
+  Assert.ok(emailCheckbox.checked, "Cert should be trusted for e-mail in UI");
+
+  sslCheckbox.checked = true;
+  emailCheckbox.checked = false;
+
+  info("Canceling dialog");
+  win.document.getElementById("editCaCert").cancelDialog();
+  await BrowserTestUtils.windowClosed(win);
+
+  Assert.ok(
+    !gCertDB.isCertTrusted(
+      gCert,
+      Ci.nsIX509Cert.CA_CERT,
+      Ci.nsIX509CertDB.TRUSTED_SSL
+    ),
+    "Cert should still not be trusted for SSL"
+  );
+  Assert.ok(
+    gCertDB.isCertTrusted(
+      gCert,
+      Ci.nsIX509Cert.CA_CERT,
+      Ci.nsIX509CertDB.TRUSTED_EMAIL
+    ),
+    "Cert should still be trusted for e-mail"
+  );
+});
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_exportP12_passwordUI.js b/security/manager/ssl/tests/mochitest/browser/browser_exportP12_passwordUI.js
new file mode 100644
index 0000000000..8e6af27cbb
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_exportP12_passwordUI.js
@@ -0,0 +1,164 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that the UI for setting the password on a to be exported PKCS #12 file:
+//   1. Correctly requires the password to be typed in twice as confirmation.
+//   2. Calculates and displays the strength of said password.
+
+/**
+ * @typedef TestCase
+ * @type {object}
+ * @property {string} name
+ *           The name of the test case for display purposes.
+ * @property {string} password1
+ *           The password to enter into the first password textbox.
+ * @property {string} password2
+ *           The password to enter into the second password textbox.
+ * @property {string} strength
+ *           The expected strength of the password in the range [0, 100].
+ */
+
+/**
+ * A list of test cases representing various inputs to the password textboxes.
+ *
+ * @type {TestCase[]}
+ */
+const TEST_CASES = [
+  { name: "empty", password1: "", password2: "", strength: "0" },
+  { name: "match-weak", password1: "foo", password2: "foo", strength: "10" },
+  {
+    name: "match-medium",
+    password1: "foo123",
+    password2: "foo123",
+    strength: "60",
+  },
+  {
+    name: "match-strong",
+    password1: "fooBARBAZ 1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?一二三",
+    password2: "fooBARBAZ 1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?一二三",
+    strength: "100",
+  },
+  { name: "mismatch-weak", password1: "foo", password2: "bar", strength: "10" },
+  {
+    name: "mismatch-medium",
+    password1: "foo123",
+    password2: "bar",
+    strength: "60",
+  },
+  {
+    name: "mismatch-strong",
+    password1: "fooBARBAZ 1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?一二三",
+    password2: "bar",
+    strength: "100",
+  },
+];
+
+/**
+ * Opens the dialog shown to set the password on a PKCS #12 file being exported.
+ *
+ * @returns {Promise}
+ *          A promise that resolves when the dialog has finished loading, with
+ *          an array consisting of:
+ *            1. The window of the opened dialog.
+ *            2. The return value nsIWritablePropertyBag2 passed to the dialog.
+ */
+function openSetP12PasswordDialog() {
+  let returnVals = Cc["@mozilla.org/hash-property-bag;1"].createInstance(
+    Ci.nsIWritablePropertyBag2
+  );
+  let win = window.openDialog(
+    "chrome://pippki/content/setp12password.xhtml",
+    "",
+    "",
+    returnVals
+  );
+  return new Promise((resolve, reject) => {
+    win.addEventListener(
+      "load",
+      function () {
+        executeSoon(() => resolve([win, returnVals]));
+      },
+      { once: true }
+    );
+  });
+}
+
+// Tests that the first password textbox is the element that is initially
+// focused.
+add_task(async function testFocus() {
+  let [win] = await openSetP12PasswordDialog();
+  Assert.equal(
+    win.document.activeElement,
+    win.document.getElementById("pw1"),
+    "First password textbox should have focus"
+  );
+  await BrowserTestUtils.closeWindow(win);
+});
+
+// Tests that the password strength algorithm used is reasonable, and that the
+// Accept button is only enabled if the two passwords match.
+add_task(async function testPasswordStrengthAndEquality() {
+  let [win] = await openSetP12PasswordDialog();
+  let password1Textbox = win.document.getElementById("pw1");
+  let password2Textbox = win.document.getElementById("pw2");
+  let strengthProgressBar = win.document.getElementById("pwmeter");
+
+  for (let testCase of TEST_CASES) {
+    password1Textbox.value = testCase.password1;
+    password2Textbox.value = testCase.password2;
+    // Setting the value of the password textboxes via |.value| apparently
+    // doesn't cause the oninput handlers to be called, so we do it here.
+    password1Textbox.oninput();
+    password2Textbox.oninput();
+
+    Assert.equal(
+      win.document.getElementById("setp12password").getButton("accept")
+        .disabled,
+      password1Textbox.value != password2Textbox.value,
+      "Actual and expected accept button disable state should " +
+        `match for ${testCase.name}`
+    );
+    Assert.equal(
+      strengthProgressBar.value,
+      testCase.strength,
+      `Actual and expected strength value should match for ${testCase.name}`
+    );
+  }
+
+  await BrowserTestUtils.closeWindow(win);
+});
+
+// Test that the right values are returned when the dialog is accepted.
+add_task(async function testAcceptDialogReturnValues() {
+  let [win, retVals] = await openSetP12PasswordDialog();
+  const password = "fooBAR 1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?一二三";
+  win.document.getElementById("pw1").value = password;
+  win.document.getElementById("pw2").value = password;
+  info("Accepting dialog");
+  win.document.getElementById("setp12password").acceptDialog();
+  await BrowserTestUtils.windowClosed(win);
+
+  Assert.ok(
+    retVals.get("confirmedPassword"),
+    "Return value should signal user confirmed a password"
+  );
+  Assert.equal(
+    retVals.get("password"),
+    password,
+    "Actual and expected password should match"
+  );
+});
+
+// Test that the right values are returned when the dialog is canceled.
+add_task(async function testCancelDialogReturnValues() {
+  let [win, retVals] = await openSetP12PasswordDialog();
+  info("Canceling dialog");
+  win.document.getElementById("setp12password").cancelDialog();
+  await BrowserTestUtils.windowClosed(win);
+
+  Assert.ok(
+    !retVals.get("confirmedPassword"),
+    "Return value should signal user didn't confirm a password"
+  );
+});
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_loadPKCS11Module_ui.js b/security/manager/ssl/tests/mochitest/browser/browser_loadPKCS11Module_ui.js
new file mode 100644
index 0000000000..9e4e244123
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_loadPKCS11Module_ui.js
@@ -0,0 +1,312 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the dialog used for loading PKCS #11 modules.
+
+const { MockRegistrar } = ChromeUtils.importESModule(
+  "resource://testing-common/MockRegistrar.sys.mjs"
+);
+
+const gMockPKCS11ModuleDB = {
+  addModuleCallCount: 0,
+  expectedLibPath: "",
+  expectedModuleName: "",
+  throwOnAddModule: false,
+
+  addModule(moduleName, libraryFullPath, cryptoMechanismFlags, cipherFlags) {
+    this.addModuleCallCount++;
+    Assert.equal(
+      moduleName,
+      this.expectedModuleName,
+      "addModule: Name given should be what's in the name textbox"
+    );
+    Assert.equal(
+      libraryFullPath,
+      this.expectedLibPath,
+      "addModule: Path given should be what's in the path textbox"
+    );
+    Assert.equal(
+      cryptoMechanismFlags,
+      0,
+      "addModule: No crypto mechanism flags should be passed"
+    );
+    Assert.equal(cipherFlags, 0, "addModule: No cipher flags should be passed");
+
+    if (this.throwOnAddModule) {
+      throw new Error(`addModule: Throwing exception`);
+    }
+  },
+
+  deleteModule(moduleName) {
+    Assert.ok(false, `deleteModule: should not be called`);
+  },
+
+  getInternal() {
+    throw new Error("not expecting getInternal() to be called");
+  },
+
+  getInternalFIPS() {
+    throw new Error("not expecting getInternalFIPS() to be called");
+  },
+
+  listModules() {
+    throw new Error("not expecting listModules() to be called");
+  },
+
+  get canToggleFIPS() {
+    throw new Error("not expecting get canToggleFIPS() to be called");
+  },
+
+  toggleFIPSMode() {
+    throw new Error("not expecting toggleFIPSMode() to be called");
+  },
+
+  get isFIPSEnabled() {
+    throw new Error("not expecting get isFIPSEnabled() to be called");
+  },
+
+  QueryInterface: ChromeUtils.generateQI(["nsIPKCS11ModuleDB"]),
+};
+
+const gMockPromptService = {
+  alertCallCount: 0,
+  expectedText: "",
+  expectedWindow: null,
+
+  alert(parent, dialogTitle, text) {
+    this.alertCallCount++;
+    Assert.equal(
+      parent,
+      this.expectedWindow,
+      "alert: Parent should be expected window"
+    );
+    Assert.equal(dialogTitle, null, "alert: Title should be null");
+    Assert.equal(
+      text,
+      this.expectedText,
+      "alert: Actual and expected text should match"
+    );
+  },
+
+  QueryInterface: ChromeUtils.generateQI(["nsIPromptService"]),
+};
+
+var gMockPKCS11CID = MockRegistrar.register(
+  "@mozilla.org/security/pkcs11moduledb;1",
+  gMockPKCS11ModuleDB
+);
+var gMockPromptServiceCID = MockRegistrar.register(
+  "@mozilla.org/prompter;1",
+  gMockPromptService
+);
+
+var gMockFilePicker = SpecialPowers.MockFilePicker;
+gMockFilePicker.init(window);
+
+var gTempFile = Services.dirsvc.get("TmpD", Ci.nsIFile);
+gTempFile.append("browser_loadPKCS11Module_ui-fakeModule");
+
+registerCleanupFunction(() => {
+  gMockFilePicker.cleanup();
+  MockRegistrar.unregister(gMockPKCS11CID);
+  MockRegistrar.unregister(gMockPromptServiceCID);
+});
+
+function resetCallCounts() {
+  gMockPKCS11ModuleDB.addModuleCallCount = 0;
+  gMockPromptService.alertCallCount = 0;
+}
+
+/**
+ * Opens the dialog shown to load a PKCS #11 module.
+ *
+ * @returns {Promise}
+ *          A promise that resolves when the dialog has finished loading, with
+ *          the window of the opened dialog.
+ */
+function openLoadModuleDialog() {
+  let win = window.openDialog(
+    "chrome://pippki/content/load_device.xhtml",
+    "",
+    ""
+  );
+  return new Promise(resolve => {
+    win.addEventListener(
+      "load",
+      function () {
+        executeSoon(() => resolve(win));
+      },
+      { once: true }
+    );
+  });
+}
+
+/**
+ * Presses the browse button and simulates interacting with the file picker that
+ * should be triggered.
+ *
+ * @param {window} win
+ *        The dialog window.
+ * @param {boolean} cancel
+ *        If true, the file picker is canceled. If false, gTempFile is chosen in
+ *        the file picker and the file picker is accepted.
+ */
+async function browseToTempFile(win, cancel) {
+  gMockFilePicker.showCallback = () => {
+    gMockFilePicker.setFiles([gTempFile]);
+
+    if (cancel) {
+      info("MockFilePicker returning cancel");
+      return Ci.nsIFilePicker.returnCancel;
+    }
+
+    info("MockFilePicker returning OK");
+    return Ci.nsIFilePicker.returnOK;
+  };
+
+  info("Pressing browse button");
+  win.document.getElementById("browse").doCommand();
+  await TestUtils.topicObserved("LoadPKCS11Module:FilePickHandled");
+}
+
+add_task(async function testBrowseButton() {
+  let win = await openLoadModuleDialog();
+  let pathBox = win.document.getElementById("device_path");
+  let originalPathBoxValue = "expected path if picker is canceled";
+  pathBox.value = originalPathBoxValue;
+
+  // Test what happens if the file picker is canceled.
+  await browseToTempFile(win, true);
+  Assert.equal(
+    pathBox.value,
+    originalPathBoxValue,
+    "Path shown should be unchanged due to canceled picker"
+  );
+
+  // Test what happens if the file picker is not canceled.
+  await browseToTempFile(win, false);
+  Assert.equal(
+    pathBox.value,
+    gTempFile.path,
+    "Path shown should be same as the one chosen in the file picker"
+  );
+
+  await BrowserTestUtils.closeWindow(win);
+});
+
+function testAddModuleHelper(win, throwOnAddModule) {
+  resetCallCounts();
+  gMockPKCS11ModuleDB.expectedLibPath = gTempFile.path;
+  gMockPKCS11ModuleDB.expectedModuleName = "test module";
+  gMockPKCS11ModuleDB.throwOnAddModule = throwOnAddModule;
+
+  win.document.getElementById("device_name").value =
+    gMockPKCS11ModuleDB.expectedModuleName;
+  win.document.getElementById("device_path").value =
+    gMockPKCS11ModuleDB.expectedLibPath;
+
+  info("Accepting dialog");
+  win.document.getElementById("loaddevice").acceptDialog();
+}
+
+add_task(async function testAddModuleSuccess() {
+  let win = await openLoadModuleDialog();
+
+  testAddModuleHelper(win, false);
+  await BrowserTestUtils.windowClosed(win);
+
+  Assert.equal(
+    gMockPKCS11ModuleDB.addModuleCallCount,
+    1,
+    "addModule() should have been called once"
+  );
+  Assert.equal(
+    gMockPromptService.alertCallCount,
+    0,
+    "alert() should never have been called"
+  );
+});
+
+add_task(async function testAddModuleFailure() {
+  let win = await openLoadModuleDialog();
+  gMockPromptService.expectedText = "Unable to add module";
+  gMockPromptService.expectedWindow = win;
+
+  // The exception we throw in addModule is first reported as an uncaught
+  // exception by XPConnect before an exception is propagated to the actual
+  // caller.
+  expectUncaughtException(true);
+
+  testAddModuleHelper(win, true);
+  expectUncaughtException(false);
+  // If adding a module fails, the dialog will not close. As such, we have to
+  // close the window ourselves.
+  await BrowserTestUtils.closeWindow(win);
+
+  Assert.equal(
+    gMockPKCS11ModuleDB.addModuleCallCount,
+    1,
+    "addModule() should have been called once"
+  );
+  Assert.equal(
+    gMockPromptService.alertCallCount,
+    1,
+    "alert() should have been called once"
+  );
+});
+
+add_task(async function testCancel() {
+  let win = await openLoadModuleDialog();
+  resetCallCounts();
+
+  info("Canceling dialog");
+  win.document.getElementById("loaddevice").cancelDialog();
+
+  Assert.equal(
+    gMockPKCS11ModuleDB.addModuleCallCount,
+    0,
+    "addModule() should never have been called"
+  );
+  Assert.equal(
+    gMockPromptService.alertCallCount,
+    0,
+    "alert() should never have been called"
+  );
+
+  await BrowserTestUtils.windowClosed(win);
+});
+
+async function testModuleNameHelper(moduleName, acceptButtonShouldBeDisabled) {
+  let win = await openLoadModuleDialog();
+  resetCallCounts();
+
+  info(`Setting Module Name to '${moduleName}'`);
+  let moduleNameBox = win.document.getElementById("device_name");
+  moduleNameBox.value = moduleName;
+  // this makes this not a great test, but it's the easiest way to simulate this
+  moduleNameBox.onchange();
+
+  let dialogNode = win.document.querySelector("dialog");
+  Assert.equal(
+    dialogNode.getAttribute("buttondisabledaccept"),
+    acceptButtonShouldBeDisabled ? "true" : "", // it's a string
+    `dialog accept button should ${
+      acceptButtonShouldBeDisabled ? "" : "not "
+    }be disabled`
+  );
+
+  return BrowserTestUtils.closeWindow(win);
+}
+
+add_task(async function testEmptyModuleName() {
+  await testModuleNameHelper("", true);
+});
+
+add_task(async function testReservedModuleName() {
+  await testModuleNameHelper("Root Certs", true);
+});
+
+add_task(async function testAcceptableModuleName() {
+  await testModuleNameHelper("Some Module Name", false);
+});
diff --git a/security/manager/ssl/tests/mochitest/browser/ca.pem b/security/manager/ssl/tests/mochitest/browser/ca.pem
new file mode 100644
index 0000000000..91233a79dd
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUW0tAkXslaf5AkE2ROwvnEvMo79MwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
+VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQA/1uiRtJJ6gASZfaGdmjTgHNnG
+OX3VBb8CGbu7yrmlUU0/oiH9BHb9/gq+Gwwcjg++2AEmUWd4damMXKUtRzouP6dV
+Z02jnExdXqq3xLDP71/bY3eneqg/KVIv3wDaHhatmVqWB4oy4itNmvVbbtCjUOyX
+DF3RM5HPQEDjMJO0TjKZMXp5HbyggAvGTbyw6kz+6EVuxxhFqVq1bti1CU4tGBdk
+b6ZOVQhxgJljogn70syXX+CUuUtu9+ufklWQjMtITjBKTSP5cg/NMnKrAL7dF30n
+aUcXz8fpmzjseQjk6uzkDYSFW2HiQtMHKhpCOXAoZ0hGtQ4BXhyhScK2sSB8
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/ca.pem.certspec b/security/manager/ssl/tests/mochitest/browser/ca.pem.certspec
new file mode 100644
index 0000000000..6660f5d478
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem b/security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem
new file mode 100644
index 0000000000..d5a039da41
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDETCCAfmgAwIBAgIUAee5xOtLu81Y/SiLJ0STt50RMT8wDQYJKoZIhvcNAQEL
+BQAwQTEoMCYGA1UEAwwfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEV
+MBMGA1UECwwMSW50ZXJtZWRpYXRlMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMCcxJTAjBgNVBAMMHGNsaWVudCBjZXJ0IHZpYSBpbnRlcm1lZGlh
+dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI
+BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa
+p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB
+7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C
+kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv
+aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK
+Ne2NAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUA
+A4IBAQCE6MA6Fdz6xzNIKqV043/urSVLkVeUAwcSeezuQ3/mTOxP1tj5wtNj+Uso
+hS30XJT3geaVlNnr64+tHthJ0MC23lwEwVNPr6xGXfaFPeaw/ummrTPjhZYXWNKm
+oTmavnj5izA/czrwE0drzPSEKM36yX9xwf8iGAiKFpzYZkjX/0+KuG0rPm7Qgvcg
+fWY17qK3aQKJea/J+i1S4pKjiMxqigXdskTcyvwruagfSRXPbVjVhsmdObWFCcsE
+ry7PbOg9yMkjX4UkUOs2PqYjvRD9MqEIMJelBhi1wdi/TKVCAcvHb7MxYH+LP1Qw
+Pi1oYACb5mW9qKKClpSHxNr04NWA
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem.certspec b/security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem.certspec
new file mode 100644
index 0000000000..cab2448889
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/CN=Temporary Certificate Authority/OU=Intermediate
+subject:client cert via intermediate
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem b/security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem
new file mode 100644
index 0000000000..78286e0d36
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSDCCAjCgAwIBAgIUU6sY262PVGY54q2FxUD1ZqmwIiMwDQYJKoZIhvcNAQEL
+BQAwajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY
+MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl
+ZCBPcHRpbWl6YXRpb24wIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAw
+MFowKzEpMCcGA1UEAwwgY2xpZW50IGNlcnQgd2l0aCBPQ1NQU2lnbmluZyBla3Uw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
+PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
+9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
+4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
+exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
+ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
+AgMBAAGjITAfMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDCTANBgkqhkiG
+9w0BAQsFAAOCAQEAE6gT6G/Ib4Pw2nTE++I4CpRBEkkAct39JNzsyBvT2ShM29V8
+iQkqQDszpvwc3ftnVwF4FI/darsiE1uaLs2POr2MuJjXKMkxfnlCCEaKMvOMBekK
+Ybm5zo01YYoybiPgPWX3p19nkNcHBSCmWWHt1t96JNtFJobBU0gszx5x1l7FFYOZ
+xq5F9nbczqeFhKU9YSYwk0wOpALCRy9VLiuWQtoqMFa8gfSbfpAPn2avIy989/dS
+Zn8joPmWmCNsplAwXlzHffZZgg1EcnajsjxMjSjDMIt3IbTM+uWA8qfTKdu4vDdc
+541L1ma1kZAe97/gRaNzpCZGaGGSJz9TfhHlaQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem.certspec b/security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem.certspec
new file mode 100644
index 0000000000..5cbd5af8f0
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem.certspec
@@ -0,0 +1,3 @@
+issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+subject:client cert with OCSPSigning eku
+extension:extKeyUsage:clientAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/mochitest/browser/code-ee.pem b/security/manager/ssl/tests/mochitest/browser/code-ee.pem
new file mode 100644
index 0000000000..cf541b540b
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/code-ee.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAbCgAwIBAgIUH6zK9zay4frBqO9qURd3GUeWak8wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowEjEQMA4GA1UEAwwHY29kZS1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY
+H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk
+27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9
+0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM
+kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL
+L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMXMBUwEwYDVR0lBAwwCgYI
+KwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEBABr4gvRF8SN/dO2YGh6DchN50cLl
+Om6d82KA3LgBcLgFOcDMldtUf1maAJxh+Me1mipsJ3RlnWXoummcol61G+xO2Hjb
+uruw6+ttoNwOX80QvOYwRX5NABpGOxb7pReUFCiWO63Hve/pSjN+EP/2OGF5ndQb
+Qlo81qFePb1ylr0Ebmz6C1zasWiciS7+NPuyCxDu1UHdbBmeqrFJxi7hTvmYuLYB
+HRFJqQy4sogCOBHiBiH5iclkUmM/+c9CuyiCuqLFCLiay6qgBvYCn3hLPJVMIrl6
+/Y5Y+XEAOevaKjXsSCcyu4r89mChPYFKAhucqFN6QrNxHm9vIyfaL5E0dEg=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/code-ee.pem.certspec b/security/manager/ssl/tests/mochitest/browser/code-ee.pem.certspec
new file mode 100644
index 0000000000..93f9a84265
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/code-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:code-ee
+extension:extKeyUsage:codeSigning
diff --git a/security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem b/security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem
new file mode 100644
index 0000000000..326888f61d
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwjCCAaqgAwIBAgIUZ0P6GYwMhwdeVdDdwsrrm9WDMpIwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKZXhwaXJlZC1jYTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIw
+MjQwMjA1MDAwMDAwWjAdMRswGQYDVQQDDBJlZS1mcm9tLWV4cGlyZWQtY2EwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT
+2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV
+JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8N
+jf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCA
+BiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVh
+He4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMB
+AAEwDQYJKoZIhvcNAQELBQADggEBAGdIC3QGmFDHvbj90BWGTwtmOncA6bThMES6
+OPyPTSWcoDa5hnvqi3UsX3O6c+cA2FB80Bop479wgtcGKZq9p7zzXtZRdqHW6xQa
+BMO7I04hU0rJXgqRnbjgpf4v5JIoLWLDdzqOs+51VGANSBAuKMg39mXifskKTjcf
+E3wGCikRxKN7Z1NyB6roRBTIdMwG6tTbJ/ZyqZNkt6aqw8kEXZNqm5unzD8PyMmm
+AUiaXMZrplfWAO8RKnmWyYJzAFp1oVZHf3dTrQ8GUVbSBaKlI9+p1jdVmDkzgUNo
+Y/OOflG7uWEsdKUq3gbooFMusQpyjMZtKxe1HutK12jPnK9DEy0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem.certspec b/security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem.certspec
new file mode 100644
index 0000000000..3e280fc4fc
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem.certspec
@@ -0,0 +1,2 @@
+issuer:expired-ca
+subject:ee-from-expired-ca
diff --git a/security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem b/security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem
new file mode 100644
index 0000000000..0eda6fea83
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAgIUReDMx4rhamCnCZ1c4abV5C8OwPIwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMdW50cnVzdGVkLWNhMCIYDzIwMjExMTI3MDAwMDAwWhgP
+MjAyNDAyMDUwMDAwMDBaMB8xHTAbBgNVBAMMFGVlLWZyb20tdW50cnVzdGVkLWNh
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA8nC2eyCl4TwO6oKmyBGxZ/nkin+RW
+aSa/iHz1qov/nfHisxzTeKCUPvRBfTWR1jCLvnii89CjcQCoTfM+P/lrmGe0VffJ
+/Czmi6nkV5IaK2l0lXnpjSuIwpreqTziC4U3VA1TYCF8afN5y66r87X3t8YEjvGD
+Ypn6pTYApHLKt7qJ+lfMkdSlgDvbgMgdBHRSayF0Be8icuoC0pQFZXHlA81Wvao9
+vDskHxrla2QEUJ3GnxYG2oaQTsNIVW5SjgqRpFJAYWTXjJpUKI8VR3U0h3vLbcXr
+esF+fzYlIKJFE13WCo6Tf1cvPU2wWZeB6hi3iC3VniEUtp+T94VhVLAG
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem.certspec b/security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem.certspec
new file mode 100644
index 0000000000..833e1a23a6
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem.certspec
@@ -0,0 +1,2 @@
+issuer:untrusted-ca
+subject:ee-from-untrusted-ca
diff --git a/security/manager/ssl/tests/mochitest/browser/email-ee.pem b/security/manager/ssl/tests/mochitest/browser/email-ee.pem
new file mode 100644
index 0000000000..8b9448c6a7
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/email-ee.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUYa+qat2+K6UrReFkeL4gpZvziCkwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowEzERMA8GA1UEAwwIZW1haWwtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg
+2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ
+5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ
+PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj
+DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W
+iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjFzAVMBMGA1UdJQQMMAoG
+CCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4IBAQChV2j3U91RsK4oxoBwFf562R9g
+CARt6olvETxlle+NMeN7JqiWOKo9ReTgPpwu1f6Eg4t1L8QljHXBAcv4rbtFa+Nt
+h2UjxEklRqp/A3FnIB5SMeU0PE5WyKVLe5k3+I4b1+k9J2HxOEUBdDLYjRQ5KWh5
+iDbOhlGacLnElGyzntmIy6asH9wLYmrF2ZvYcvIrvX/o/+MkTGMRwDsA/eeaQbK5
+sNwkAxfvMiSkXZlGdfDPeMNYTP0SwsTwJKtlLKBxmHkF+tzjZqWYBr+vM2eWiIRl
+WYWzVJWmvTlWI04Lpd+R6Oc9vvxFhxXO5VzXzJpAllmbA2FVs+x3sRRakGWd
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/email-ee.pem.certspec b/security/manager/ssl/tests/mochitest/browser/email-ee.pem.certspec
new file mode 100644
index 0000000000..82e3296706
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/email-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:email-ee
+extension:extKeyUsage:emailProtection
diff --git a/security/manager/ssl/tests/mochitest/browser/expired-ca.pem b/security/manager/ssl/tests/mochitest/browser/expired-ca.pem
new file mode 100644
index 0000000000..e019b37127
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/expired-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUS6xUkMzG2REizII2g+VecO/KqX8wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDExMDEwMTAw
+MDAwMFowFTETMBEGA1UEAwwKZXhwaXJlZC1jYTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABJdjrt25wocw4aP
+eR1kZuu3WS0bKfuvhQQPFkAG+HYSC5eu0OriQCRlxn+qHY7du9dePcD6DTMDIVDW
+r+oBJ9BwCEREyTcV8AEaHdcTAakXOMhq6OOltl6HUu3lSlqRslzAhtl1chM0P8m1
+Aj+ceOkCFHvnsDd+zcSP75u8zzJKypSWQwAg/i5S0BNLOWYarPiczuYi4HAOpwtX
+QqlmDNMYySqPFfH72BuQdCLuviBXmMP8/kOouBNP4ti06RR88XgqfoL/jV4gkIM7
+92hXt0WpS/QffjWzLaej39YhW4pMZ+hF4bk9nUCtN/MHtg8WDj1CgfSJZegrl28W
+3riMotA=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/expired-ca.pem.certspec b/security/manager/ssl/tests/mochitest/browser/expired-ca.pem.certspec
new file mode 100644
index 0000000000..15bdcd7d73
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/expired-ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:expired-ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+validity:20100101-20110101
diff --git a/security/manager/ssl/tests/mochitest/browser/has-cn.pem b/security/manager/ssl/tests/mochitest/browser/has-cn.pem
new file mode 100644
index 0000000000..cccd8f92cc
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-cn.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1DCCAbygAwIBAgIUNYIXTgcbtso82Swb2ciZEygN0ScwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowNzEMMAoGA1UEAwwDRm9vMQwwCgYDVQQLDANCYXIxDDAKBgNVBAoMA0Jh
+ejELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
+iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
+4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
+8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
+Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
+77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
+I/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFqub/ejjAfj
+tWZuXDCKchVrxiN2PljQe5uKepmkFFvlOt3nkTTvZdvvUd5QTwRdrg6HcPx075SZ
+uj0SzzuBSJrz99zbbkspHnT2l2R47kYx8P3FNodUCYcnnpAJlPIaVOxGR1ul9ZZb
++qz1OMaysszwOPCRwx2OKi+cj3SuVvGFwzDBaLkJkljQyWyuOihJJXKoc/D1MUIc
+nyakQkwEawb63cYE5OfaBQe+hL2Inm2a5CmXR+N8+/Sac85Azd1I3TisYnfiaHZD
+j0yGMhIQ1d3qV8jZQDTgg1qImG35/paBDCZOlvuz+IlwpGmE/Cvvj2ujmpPP8mh/
+kDAob3uIchA=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/has-cn.pem.certspec b/security/manager/ssl/tests/mochitest/browser/has-cn.pem.certspec
new file mode 100644
index 0000000000..a4a0fcb5fa
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-cn.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca
+subject:/CN=Foo/OU=Bar/O=Baz/C=US
diff --git a/security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem b/security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem
new file mode 100644
index 0000000000..de3a247a5c
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICijCCAXKgAwIBAgIBCjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJjYTAi
+GA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAAMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1
+aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we
+adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS
+pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W
+YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR
+CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqG
+SIb3DQEBCwUAA4IBAQBxrxn5lQCA9h/kx9uR5rX0DtEpdOHyHHMQlJu33NZjC3mc
+PStwcsTDPCM6TCgu4rqmPrYQuw/YN6sUoSiD8jD5ywz/8UEeAlHpi7j/3zLL2mhw
+8f+gu96NSAMmbSg8gBXPMca7uZ4FbDP8h5Aa6d+cT0xSlbhyD5OXIdVN1ju4daR/
+Qab/ksmLvVH6l2yWN72ZaEUpn1bCbpW1CWCJMuGzFExQxP4HO7SO0yOCw+1DRfzU
+oRjXYlj51CTEWqUNa5lqLnRjIiyP+ahH73nbLCubggPQhrI6iMhB8IaWjew3SIgM
+UCaTOOQmM6tpObDSVyHtuiEDWPasyC8yVvMy5LRI
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem.certspec b/security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem.certspec
new file mode 100644
index 0000000000..6346f7b83a
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:
+serialNumber:10
diff --git a/security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem b/security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem
new file mode 100644
index 0000000000..af8b89c4b9
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICqjCCAZKgAwIBAgIUJ9bwAWFp2jt506L4XfpDxTkpK/swDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowDTELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGmf
+8XVFVrwdXfdlJsMkFh7dvT3I2Eh4MFFeETf8rKe9lVIFv0B3IjJzXE+wjc/BpEPY
+Yhh/1Bhi+SBSMUuxUwwmOmLhcUQNMVbWhy3n5JoOyt0tq9KsgjrUEFVcmz0eoWbd
+/NkiaDsKp7d8Nvuz1JEX0JLZf+JpyoMG8gT2Qxl2QZeY2z0BsnHnfTzsoARm9nZP
+cMhH9scqoVbPEEST5PlgB0Z8T2974fH9VHNFdbaml37p7aQMnt+g/NusKEXZlcTJ
+bIN7pQyp9rkCQV9Tiw5EvnZK0AWQF6ymL9WD7O5reyPzQ6kvRNJrmxKzs9mocj9J
+Y4fc7KGQ3CBwfGEHLdg=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem.certspec b/security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem.certspec
new file mode 100644
index 0000000000..cc1b668a63
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca
+subject:/C=US
diff --git a/security/manager/ssl/tests/mochitest/browser/has-o.pem b/security/manager/ssl/tests/mochitest/browser/has-o.pem
new file mode 100644
index 0000000000..55353b8eb7
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-o.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuDCCAaCgAwIBAgIUaRRl+1wXs1a/UB82ZaCqoPtH0NswDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowGzEMMAoGA1UECgwDQmF6MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG
+9w0BAQsFAAOCAQEAoZ6x5m03rOaM4Z2H1ZCu0gLLdoPgYvbTYvDQBMzea84mT8Zz
+D7UKQGIA2o72dhQY7xzs1rhNZJlog/hP/Xtve9vN/do2QPOlTuK/bKV92CdW3B+J
+D0xn8FM8qoMkFnwAIojhuRHJ5/CrnSrbBj5DPTBOktYW2mLGvFvMvGkZe0IMcSKO
+LhOrP1ZBn0jWGGmuGdtFnyiV2IGZMoXIYHGYWLLvzMbesNY3P90tWnzc1m8TTWZg
++KTj479e2DvWsxvVu5rG+oMLI65m+YbMmz93R7BYfO3exkzVK6ZDmZvxr5ggivCw
+HsselmxKcSpJbJuY6DvRtu9TwS3NJwCQJMJwPQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/has-o.pem.certspec b/security/manager/ssl/tests/mochitest/browser/has-o.pem.certspec
new file mode 100644
index 0000000000..f7cc3ffc73
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-o.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca
+subject:/O=Baz/C=US
diff --git a/security/manager/ssl/tests/mochitest/browser/has-ou.pem b/security/manager/ssl/tests/mochitest/browser/has-ou.pem
new file mode 100644
index 0000000000..7fc4dc3a64
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-ou.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAgIUU4uHxO/2rTwK9zo7UktMNOPJfP0wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowKTEMMAoGA1UECwwDQmFyMQwwCgYDVQQKDANCYXoxCzAJBgNVBAYTAlVT
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAv92wXP+0GoQ1xAUFK2uijpyx+3dwb
+EaNQ10Ny8PQ7u/Vu7xPq3seYp4eVmJphQGzfS2oPMyqKrLI3E++2ohThqdE5NJQd
+voXGTrAvNgAVlW1l3E/KIUs/CChG9gO+iPBbWUJ7oklajESuJmHFefP7pFsmrkRI
+7yaB04F63ymPJIwBboVPFks0HPmf1veTXzi85Lm2rr8Y6+yk4REIkvF2RdWYhAmZ
+PoXSmfcBxuZlG0+tRu7ZzfyhLCQIeunJjyXeJiVEpd2/ISlP+tQUs9RNEc6eQnUO
+Uszfc7n1zKcWnykyEDaa9P8DW0RIUjqy6cfVaFDI4I5Vv8S5f/fU/HVM
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/has-ou.pem.certspec b/security/manager/ssl/tests/mochitest/browser/has-ou.pem.certspec
new file mode 100644
index 0000000000..8879dabf51
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/has-ou.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca
+subject:/OU=Bar/O=Baz/C=US
diff --git a/security/manager/ssl/tests/mochitest/browser/head.js b/security/manager/ssl/tests/mochitest/browser/head.js
new file mode 100644
index 0000000000..1ae951d7a5
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/head.js
@@ -0,0 +1,82 @@
+/* Any copyright is dedicated to the Public Domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+"use strict";
+
+var gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+/**
+ * List of certs imported via readCertificate(). Certs in this list are
+ * automatically deleted from the cert DB when a test including this head file
+ * finishes.
+ *
+ * @type {nsIX509Cert[]}
+ */
+var gImportedCerts = [];
+
+registerCleanupFunction(() => {
+  for (let cert of gImportedCerts) {
+    gCertDB.deleteCertificate(cert);
+  }
+});
+
+// This function serves the same purpose as the one defined in head_psm.js.
+function pemToBase64(pem) {
+  return pem
+    .replace(/-----BEGIN CERTIFICATE-----/, "")
+    .replace(/-----END CERTIFICATE-----/, "")
+    .replace(/[\r\n]/g, "");
+}
+
+/**
+ * Given the filename of a certificate, returns a promise that will resolve with
+ * a handle to the certificate when that certificate has been read and imported
+ * with the given trust settings.
+ *
+ * Certs imported via this function will automatically be deleted from the cert
+ * DB once the calling test finishes.
+ *
+ * @param {string} filename
+ *        The filename of the certificate (assumed to be in the same directory).
+ * @param {string} trustString
+ *        A string describing how the certificate should be trusted (see
+ *        `certutil -A --help`).
+ * @returns {Promise}
+ *         A promise that will resolve with a handle to the certificate.
+ */
+function readCertificate(filename, trustString) {
+  return IOUtils.readUTF8(getTestFilePath(filename)).then(
+    pem => {
+      let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+        Ci.nsIX509CertDB
+      );
+      let base64 = pemToBase64(pem);
+      certdb.addCertFromBase64(base64, trustString);
+      let cert = certdb.constructX509FromBase64(base64);
+      gImportedCerts.push(cert);
+      return cert;
+    },
+    error => {
+      throw error;
+    }
+  );
+}
+
+/**
+ * Asynchronously opens the certificate manager.
+ *
+ * @returns {Window} a handle on the opened certificate manager window
+ */
+async function openCertManager() {
+  let win = window.openDialog("chrome://pippki/content/certManager.xhtml");
+  return new Promise((resolve, reject) => {
+    win.addEventListener(
+      "load",
+      function () {
+        executeSoon(() => resolve(win));
+      },
+      { once: true }
+    );
+  });
+}
diff --git a/security/manager/ssl/tests/mochitest/browser/hsts_headers.sjs b/security/manager/ssl/tests/mochitest/browser/hsts_headers.sjs
new file mode 100644
index 0000000000..95eede25f0
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/hsts_headers.sjs
@@ -0,0 +1,16 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+"use strict";
+
+function handleRequest(request, response) {
+  let hstsHeader = "max-age=300";
+  if (request.queryString == "includeSubdomains") {
+    hstsHeader += "; includeSubdomains";
+  }
+  response.setHeader("Strict-Transport-Security", hstsHeader);
+  response.setHeader("Pragma", "no-cache");
+  response.setHeader("Cache-Control", "no-cache", false);
+  response.setHeader("Content-Type", "text/html", false);
+  response.setStatusLine(request.httpVersion, 200);
+  response.write("<!DOCTYPE html><html><body><h1>Ok!</h1></body></html>");
+}
diff --git a/security/manager/ssl/tests/mochitest/browser/hsts_headers_framed.html b/security/manager/ssl/tests/mochitest/browser/hsts_headers_framed.html
new file mode 100644
index 0000000000..5a0791557b
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/hsts_headers_framed.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+  "use strict";
+
+  let src = document.location.href.replace("hsts_headers_framed.html", "hsts_headers.sjs");
+  if (document.location.search == "?third-party") {
+    src = src.replace("example.com", "example.org");
+  }
+  let frame = document.createElement("iframe");
+  frame.setAttribute("src", src);
+  frame.onload = () => {
+    let done = document.createElement("h1");
+    done.textContent = "done";
+    done.setAttribute("id", "done");
+    document.body.appendChild(done);
+  };
+  document.body.appendChild(frame);
+</script>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/browser/intermediate.pem b/security/manager/ssl/tests/mochitest/browser/intermediate.pem
new file mode 100644
index 0000000000..08d8d31c9f
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/intermediate.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWjCCAkKgAwIBAgIUFfVirSKu6HtZb2LYCmJb2aHMq0wwDQYJKoZIhvcNAQEL
+BQAwajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY
+MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl
+ZCBPcHRpbWl6YXRpb24wIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAw
+MFowQTEoMCYGA1UEAwwfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEV
+MBMGA1UECwwMSW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsG
+A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAdKOLt5qF0rjrdg+yVRYeeFQM
+wF2w3aYSqjFLC0pxjYxta3TZVYA8JsErqIefsaU+lvURUFpAZxBhocySXOOkjhdo
+BtJDa5XpPmcRbLpj3YmL1TxBsgkyVJyWHg8RczxE2RckROAIrk/EoQU7yi4kjXxr
+g/uaxekzGYq2dysPR4+Pm1HfnpBRXVQ20P77AJmYrB6HFGHTXR7FsU2CdXQU5D4K
+UfmyBbJA2jfZZLl05rPkJNHCoI3WWdMDyGEMo+cuYJ3/lfPE7k7LGANrn1fUkC8u
+RgXoGKW/UBpLGsluYwMDiSGrsUe2G3Iv63K0Z+HYEMs/Ez03ueph5R2aanVeHQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec b/security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec
new file mode 100644
index 0000000000..a562814041
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+subject:/CN=Temporary Certificate Authority/OU=Intermediate
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/mochitest/browser/invalid.pem b/security/manager/ssl/tests/mochitest/browser/invalid.pem
new file mode 100644
index 0000000000..0fabf3e81c
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/invalid.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwDCCAaigAwIBAgIUTcJUGOsO/pcSk2CcjS3L0FXun4swDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowEjEQMA4GA1UEAwwHaW52YWxpZDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY
+H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk
+27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9
+0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM
+kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL
+L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMPMA0wCwYDVR0PBAQDAgEG
+MA0GCSqGSIb3DQEBCwUAA4IBAQAHRQ4x0bpexE1zpa7fbvNqxmhR8ybYTMVEHveL
+NxAhaxpvN2wjIRbB5VsAk38UunB3J3RvqkmOHYvGwCJZNQhe0RUsg+yCh+yK3bSe
+30Q0uKXdqqtAsCyBhTBxp3hqFzaJgz9hzUUAqSHHCO8jZUugu+RNq2uv6bMYBY1S
+YW2QiJG1yur2PLtQsG+NCd+S/4KDi+7N1w+5rD/CtDD0H0vAVvXXNuIjUjFuADlV
+hghm2rF5N7i5T1mroDeQT2l89XEQghB+cGtdgbzOBucAI8v3rOV/Qg8xk1l61nYz
+8xh7zBXdrByqd1mtTnyOBtzNIjLLveqgQxo1QIKh19vYrW3k
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/invalid.pem.certspec b/security/manager/ssl/tests/mochitest/browser/invalid.pem.certspec
new file mode 100644
index 0000000000..71a1707c35
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/invalid.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:invalid
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/mochitest/browser/longOID.pem b/security/manager/ssl/tests/mochitest/browser/longOID.pem
new file mode 100644
index 0000000000..d199f88a01
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/longOID.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIESjCCAzKgAwIBAgIUbSwzdRwYtipF7m7s7eZIseaX64wwDQYJKoZIhvcNAQEL
+BQAwEzERMA8GA1UEAwwITG9uZyBPSUQwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0
+MDIwNTAwMDAwMFowEzERMA8GA1UEAwwITG9uZyBPSUQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk
+e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg
+KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI
+YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi
+lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL
+HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjggGQMIIBjDAM
+BgNVHRMEBTADAQH/MIIBegYDVR0gBIIBcTCCAW0wggFpBoIBZSqD3OuTf4Pc65N/
+g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zr
+k3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D
+3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuT
+f4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc
+65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/
+g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zr
+k3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D
+3OuTf4Pc65N/ATANBgkqhkiG9w0BAQsFAAOCAQEAbq2wf1RHXZAU9iD60DX8B52M
+zz0n2Bv3R4rmqJeoFlvgRhnInb0c5N5ceqbjzGE2QTEmjgDhyy5wiU70yLblkyNz
+IWxYxg3Qzjfcibt9AQYYoHXS8rEAKJ5oTWrVExPLCsSnmzL8TDwEb9v/noOwdilU
+98BD3H+5hQMiYZIVo66Jq5uexLV69DH0+pI1n68pKtFtABpX1grjhEVC670mb5uO
+YoMl4GGqFhkmFwpiOcFKcvESfHZdUhzTiPa86rU8LGfA5YyaQMStUWb6jFaCt+LK
+bKyf4De9/3XZpsRoPX7VscBtBLhhnvZERkITAt1ovbZmX4IY9Yh6Jo7Z9urzqg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/longOID.pem.certspec b/security/manager/ssl/tests/mochitest/browser/longOID.pem.certspec
new file mode 100644
index 0000000000..c3c08ac84b
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/longOID.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Long OID
+subject:Long OID
+extension:basicConstraints:cA,
+extension:certificatePolicies:1.2.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.1
diff --git a/security/manager/ssl/tests/mochitest/browser/md5-ee.pem b/security/manager/ssl/tests/mochitest/browser/md5-ee.pem
new file mode 100644
index 0000000000..b65bd1a9e9
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/md5-ee.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrjCCAZagAwIBAgIUU6LuY45SDmIYSOVybKlfPm4PkDMwDQYJKoZIhvcNAQEE
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowETEPMA0GA1UEAwwGbWQ1LWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEBBAUAA4IB
+AQCmzCGveXJAR75YgRtydRG1y2yxonzm5bKb1sdk4y0Oma7cMeibR7QAz8kCxu3J
+jqc7B1f7G2RD0uWe7Am8diTfPiuDhTJY9kSFqiigrdFB7tpvWUYbfo+jSnfXK8+o
+jhaNGAqz42yrcwxyUHTzUG1jSe6bQYoQu3evJTb31g6VYCHG+QcF5BUMKu3MkCQ6
+L5dK4+4m6ocLycTBGXkcjf0PEhYkyUN2rSYPykNMkEdYx3VVNLbnMqVkC1ozqA4U
+AZuTAZmDeGPzOPtEm85x730nO1DH2MJClZcNHc5iEUiTD3B78EJAtPdgBRfvf6K/
+BCCj6SSNUceqcvU1DkB9tj4U
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/md5-ee.pem.certspec b/security/manager/ssl/tests/mochitest/browser/md5-ee.pem.certspec
new file mode 100644
index 0000000000..279c158026
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/md5-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:md5-ee
+signature:md5WithRSAEncryption
diff --git a/security/manager/ssl/tests/mochitest/browser/moz.build b/security/manager/ssl/tests/mochitest/browser/moz.build
new file mode 100644
index 0000000000..67b1ac4bbb
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/moz.build
@@ -0,0 +1,7 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+BROWSER_CHROME_MANIFESTS += ["browser.ini"]
diff --git a/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem b/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem
new file mode 100644
index 0000000000..8017659689
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgzCCAmugAwIBAgIUIVidj/ZVgLtZWGWK7cZ8hRvkLCIwDQYJKoZIhvcNAQEL
+BQAwajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY
+MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl
+ZCBPcHRpbWl6YXRpb24wIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAw
+MFowajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY
+MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl
+ZCBPcHRpbWl6YXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
+iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
+4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
+8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
+Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
+77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
+I/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQD
+AgH+MA0GCSqGSIb3DQEBCwUAA4IBAQBbElkqm+Dtof/toa8F2jT0n4u+MSeVCV8v
+uGzZb34g8j/VPNKqaX3KYFqKhRjQvG/ScFn2xQRVEaX402qCPZkrSFNI0+sGERBo
+MydN0awvZEWn3AEMccbXH7ZzBXNAqu7iNtkUns0Gde9S362ejlEXhlEewFQhhlEs
+LBzUrjiW8AiKG8keFiajEgO8yDbtEjy8z9MPkK23oLBgtVQtg1GO3X2rUxHGZwkE
+Ck8ikXVoaw7olYchAhwFTYtbK7+Pwq1U6Rs/1CWSla++6SAh/uasDnnDziLJj3z+
+MBv2WVFfBpRTCr0IdF/fOqsC5utncdXZe8qwViS5/JzZbySctrbO
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem.certspec b/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem.certspec
new file mode 100644
index 0000000000..4def496f67
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+subject:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+extension:basicConstraints:cA,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem b/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem
new file mode 100644
index 0000000000..502632f5a3
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgzCCAmugAwIBAgIUU34Ahx5Y3OrxTZ8Zij+34BQHt4AwDQYJKoZIhvcNAQEL
+BQAwajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY
+MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl
+ZCBPcHRpbWl6YXRpb24wIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAw
+MFowajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY
+MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl
+ZCBPcHRpbWl6YXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
+iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
+4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
+8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
+Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
+77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
+I/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQD
+AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCqS4h6tvzNQUKlLt3gdUuOjviVTfOhc2qA
+w0TmWZUY2DDfIo1jggqH2yIikPGByOfkEJ3VICRk0N6Ivk6Nh3EZyp/mmebpGOIV
+Qz9itOzknvny33LwVFovwer4hnHXGKIrcGDIORNWt6BGJ0oREji6bZ8Py12ZuMJ3
+stXdKN3bOrVqrDbCBAmaXuqtngpob5TRCP5/6WJDaFE3JjKOpY+JIwXFSotA+/PO
+aNRF5kGRyBsuESb3l5UNMckwMZedxYCndT4ntGxoA/YJ/lo0boqaP4lVqpbabIqp
+G42FXocz+dpeWPZYFZEx/hNBQRqXNegIuzv7U4rdeHfbuyxDJhXo
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec b/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec
new file mode 100644
index 0000000000..448e167bd0
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+subject:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/mochitest/browser/revoked.pem b/security/manager/ssl/tests/mochitest/browser/revoked.pem
new file mode 100644
index 0000000000..db8fca458a
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/revoked.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrzCCAZegAwIBAgIUOZGi7rHuV7JtJp8SD/Di7lbe3vkwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowEjEQMA4GA1UEAwwHcmV2b2tlZDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY
+H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk
+27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9
+0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM
+kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL
+L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsFAAOC
+AQEAYK8T1YdY7LQ42fkIm48FNnEduEul9ISTjgqpcGscFAEaUtlfb+LoYFXJJh1M
+rcw1WtNaMoA7UMjnj6+18RXi6wTuJiCK9RiLdBFDbZUf8mbavbf69WAwgW1ekT5P
+KNZ+OCQAbw2F41u3MTA4tEybPd9I/fkUiuHwVAFQh4seSOq5WGuu1INgEhHd27R9
+zLRVw37WZIo6DusMt+hmE0KyMNtpoBsGvtMBhnVTA/Hox7DyYoYTh2b8N7zDSda8
+nfon3Zw1ZvoHXw/0p0kfftdrychilcNjequSF1e0PvWC5TnGF7rRck0BHI0Mg00I
+Nej1od23fhK305jDXk6oJ3VqJg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/revoked.pem.certspec b/security/manager/ssl/tests/mochitest/browser/revoked.pem.certspec
new file mode 100644
index 0000000000..daf75c670f
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/revoked.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca
+subject:revoked
diff --git a/security/manager/ssl/tests/mochitest/browser/some_content.html b/security/manager/ssl/tests/mochitest/browser/some_content.html
new file mode 100644
index 0000000000..f591f32d3d
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/some_content.html
@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<html>
+<body>
+<h1>Some Content!</h1>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/browser/some_content_framed.html b/security/manager/ssl/tests/mochitest/browser/some_content_framed.html
new file mode 100644
index 0000000000..8f8194f9e7
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/some_content_framed.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+  "use strict";
+
+  let src = document.location.href.replace("https://", "http://");
+  let frame = document.createElement("iframe");
+  frame.setAttribute("id", "frame");
+  frame.setAttribute("src", src);
+  document.body.appendChild(frame);
+</script>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem b/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem
new file mode 100644
index 0000000000..0ea778c9c3
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUFRaHxC8q2vvr6gyB8AMvtVwPTeYwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowETEPMA0GA1UEAwwGc3NsLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyEwHzAdBgNVHSUEFjAUBggr
+BgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAB0FoJO4EuzTF5o0
+mfFcJV3ORxRDTKUqrcE1cl0S0wcFJ7T8A+XEFnAP/YqxFgFCjbpAtJwxv4P3IOPv
+b6dGhSG9rEHJUnVFoKcHnoajzFnn741J0/i6Lkux2tM/eF0sTnADVxmlklt7848h
+0DWNrRY/NbouJjQy8yxVMIrJLSWR9G0fzXLemieXnVKA7MGXH7cbECC8gWYgsuEP
+pTdJ0r9OsTfgLAoW34RxGFSl/l0gmFuinbbqLVGCUQ6TIeLfn9bmKgMxat+TdT6L
+w5k/S3w1bm69naK1YdTGQVFIO4wrNPHOAUXxrcziMd56oMnXmcuG/Ef9N3zqB5/X
+8Q5H9gE=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem.certspec b/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem.certspec
new file mode 100644
index 0000000000..c4037675f1
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ssl-ee
+extension:extKeyUsage:serverAuth,clientAuth
diff --git a/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem b/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem
new file mode 100644
index 0000000000..5154c97ccd
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuzCCAaOgAwIBAgIUBdsczlklj8pHAhNbKaxiu+leXzMwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHdW5rbm93bjAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAZMRcwFQYDVQQDDA51bmtub3duLWlzc3VlcjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs
+9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8
+HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak
+kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet
+lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r
+kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkq
+hkiG9w0BAQsFAAOCAQEAFUiE73r6gX+NDLhNvEOHBxSFYVCdvMSJ3WSojaF6JKht
+bXdx1/M/TqC0cKi/m4pNEW/2VVjOyibc3qRb/X+TRcHZz3PaSA5cYRfoJVPyH+k6
+LAkGmeGLlCNYFrtcfu9qQ+/ap2z5XzmrJa76KxEXW/RjR16sfCIfRP7HGJZ3fYsB
+JC91LSzGtIMrqA5K97tolp09cC2cIojNXSlaXwQqVn+2uMQdLMcecFcth1P5Sp02
+rBbzlzCZUl0XVhmAOeEefhak2dnwTG6vRZlbim927/8DzPIEgwmZbvjIrpmYQMZx
+GoVdCCgwSbC/uM8tI+LebrJCXqP0VRiZrc3PMbcUUw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem.certspec b/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem.certspec
new file mode 100644
index 0000000000..c76a4e2c7b
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem.certspec
@@ -0,0 +1,2 @@
+issuer:unknown
+subject:unknown-issuer
diff --git a/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem b/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem
new file mode 100644
index 0000000000..4f09a837ae
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUJ52B/yodNzE1jqzgJSkNIQMaj1swDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFzEVMBMGA1UEAwwMdW50cnVzdGVkLWNhMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAoZWuIsn8xdiC
+OyqqSA4hpY0wVq6xutUD2WlV8zDLf4by2C8Tno7NMMC1a/+UuQlmfLs1ztb3RPgj
+hJ/24fGuGnP/E71VwrZ/IR2mQBhRdo1ILZeHSDuTKqXGBds5SBHd77NIIMSmbU7w
+dhy6bh6Qbh9WYIoHA5h/QGn5x7+b90I0yzTLPkpEV7/v++VWt6hIU/Xc+TvJ1g8M
+uR9QKz9EQzbuVytTXGUzFaUattCtaPKxikf8xhHqcZypjU7r1FEa/JAqUlYWiEew
+V+7I4IsgpPbOUZoUKU1R/KzHObVKHcmsxBhQ5FYIW8tiXqkFAxp9I4hgAuu9yOB0
+3EV9PsnIrQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem.certspec b/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem.certspec
new file mode 100644
index 0000000000..04f4430574
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:untrusted-ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/alloworigin.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/alloworigin.sjs
new file mode 100644
index 0000000000..96c14f4e65
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/alloworigin.sjs
@@ -0,0 +1,7 @@
+"use strict";
+
+function handleRequest(request, response) {
+  response.setStatusLine(request.httpVersion, 200, "OK");
+  response.setHeader("Access-Control-Allow-Origin", "*");
+  response.write("<html><body>hello!</body></html>");
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/backward.html b/security/manager/ssl/tests/mochitest/mixedcontent/backward.html
new file mode 100644
index 0000000000..8699a07dda
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/backward.html
@@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <script type="text/javascript">
+  "use strict";
+  window.onload = function()
+  {
+    window.setTimeout(function()
+    {
+      SpecialPowers.wrap(window).docShell
+        .QueryInterface(SpecialPowers.Ci.nsIWebNavigation)
+        .goBack();
+    }, 100);
+  };
+
+  </script>
+</head>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/bug329869.js b/security/manager/ssl/tests/mochitest/mixedcontent/bug329869.js
new file mode 100644
index 0000000000..9d67ba1f92
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/bug329869.js
@@ -0,0 +1,11 @@
+/* import-globals-from mixedContentTest.js */
+"use strict";
+
+document.open();
+// eslint-disable-next-line no-unsanitized/method
+document.write("This is insecure XSS script " + document.cookie);
+isSecurityState(
+  "broken",
+  "security broken after document write from unsecure script"
+);
+finish();
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step2.html b/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step2.html
new file mode 100644
index 0000000000..4bbf9bfe8c
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step2.html
@@ -0,0 +1,28 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 383369 test, step 2</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/does_not_exist.css">
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  window.onload = function runTest() {
+    window.setTimeout(function () {
+      window.location =
+        "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step3.html?runtest";
+    }, 0);
+  };
+
+  async function afterNavigationTest()
+  {
+  }
+
+  </script>
+</head>
+
+<body>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step3.html b/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step3.html
new file mode 100644
index 0000000000..276c2343fd
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step3.html
@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 383369 test, final step</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  async function runTest()
+  {
+    await isSecurityState("secure", "secure page after insecure download and insecure subcontent still secure");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("secure", "still secure after back/forward");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/download.auto b/security/manager/ssl/tests/mochitest/mixedcontent/download.auto
new file mode 100644
index 0000000000..4d2fb7d5ae
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/download.auto
@@ -0,0 +1 @@
+Temporary file for security/mixedconent tests
\ No newline at end of file
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/download.auto^headers^ b/security/manager/ssl/tests/mochitest/mixedcontent/download.auto^headers^
new file mode 100644
index 0000000000..9c3159e153
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/download.auto^headers^
@@ -0,0 +1,2 @@
+Content-disposition: "attachment"
+Content-type: application/x-auto-download
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/emptyimage.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/emptyimage.sjs
new file mode 100644
index 0000000000..9e34227f00
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/emptyimage.sjs
@@ -0,0 +1,6 @@
+"use strict";
+
+function handleRequest(request, response) {
+  response.setStatusLine(request.httpVersion, 200, "OK");
+  //response.setHeader("Content-type", "image/gif");
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs
new file mode 100644
index 0000000000..5f78a806b4
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs
@@ -0,0 +1,17 @@
+"use strict";
+
+function handleRequest(request, response) {
+  response.setStatusLine(request.httpVersion, 200, "OK");
+  response.setHeader("Content-type", "image/bitmap");
+
+  let bmpheader =
+    "\x42\x4D\x36\x10\x0E\x00\x00\x00\x00\x00\x36\x00\x00\x00\x28\x00\x00\x00\x80\x02\x00\x00\xE0\x01\x00\x00\x01\x00\x18\x00\x00\x00\x00\x00\x00\x10\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
+  let bmpdatapiece =
+    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+
+  response.bodyOutputStream.write(bmpheader, 54);
+  // Fill 640*480*3 nulls
+  for (let i = 0; i < (640 * 480 * 3) / 64; ++i) {
+    response.bodyOutputStream.write(bmpdatapiece, 64);
+  }
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html b/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html
new file mode 100644
index 0000000000..064783e0cb
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html
@@ -0,0 +1,14 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+</head>
+
+<body>
+  This is frame 1:
+  <script>
+    "use strict";
+    // eslint-disable-next-line no-unsanitized/method
+    document.write(location.href);
+  </script>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframe2.html b/security/manager/ssl/tests/mochitest/mixedcontent/iframe2.html
new file mode 100644
index 0000000000..37fc604ea6
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframe2.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+</head>
+
+<body>
+  This is frame 2:
+  <script>
+    "use strict";
+    // eslint-disable-next-line no-unsanitized/method
+    document.write(location.href);
+  </script>
+  <iframe src="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html"></iframe>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframeMetaRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/iframeMetaRedirect.html
new file mode 100644
index 0000000000..6c7a5473cb
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframeMetaRedirect.html
@@ -0,0 +1,8 @@
+<!DOCTYPE HTML>
+<META http-equiv="Refresh"
+      Content="0; URL=http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html">
+<html>
+  <body>
+    Redirecting by meta tag...
+  </body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframesecredirect.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/iframesecredirect.sjs
new file mode 100644
index 0000000000..914391e8f5
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframesecredirect.sjs
@@ -0,0 +1,9 @@
+"use strict";
+
+function handleRequest(request, response) {
+  response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+  response.setHeader(
+    "Location",
+    "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html"
+  );
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs
new file mode 100644
index 0000000000..32afc824ea
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs
@@ -0,0 +1,9 @@
+"use strict";
+
+function handleRequest(request, response) {
+  response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+  response.setHeader(
+    "Location",
+    "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html"
+  );
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/imgsecredirect.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/imgsecredirect.sjs
new file mode 100644
index 0000000000..cb966a56d2
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/imgsecredirect.sjs
@@ -0,0 +1,9 @@
+"use strict";
+
+function handleRequest(request, response) {
+  response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+  response.setHeader(
+    "Location",
+    "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg"
+  );
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs
new file mode 100644
index 0000000000..d128ce2238
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs
@@ -0,0 +1,9 @@
+"use strict";
+
+function handleRequest(request, response) {
+  response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+  response.setHeader(
+    "Location",
+    "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg"
+  );
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/mixedContentTest.js b/security/manager/ssl/tests/mochitest/mixedcontent/mixedContentTest.js
new file mode 100644
index 0000000000..6c300b7fc3
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/mixedContentTest.js
@@ -0,0 +1,211 @@
+"use strict";
+
+/**
+ * Helper script for mixed content testing. It opens a new top-level window
+ * from a secure origin and '?runtest' query. That tells us to run the test
+ * body, function runTest(). Then we wait for call of finish(). On its first
+ * call it loads helper page 'backward.html' that immediately navigates
+ * back to the test secure test. This checks the bfcache. We got second call
+ * to onload and this time we call afterNavigationTest() function to let the
+ * test check security state after re-navigation back. Then we again wait for
+ * finish() call, that this time finishes completelly the test.
+ */
+
+// Tells the framework if to load the test in an insecure page (http://)
+var loadAsInsecure = false;
+// Set true to bypass the navigation forward/back test
+var bypassNavigationTest = false;
+// Set true to do forward/back navigation over an http:// page, test state leaks
+var navigateToInsecure = false;
+// Open the test in two separate windows, test requests sharing among windows
+var openTwoWindows = false;
+// Override the name of the test page to load, useful e.g. to prevent load
+// of images or other content before the test starts; this is actually
+// a 'redirect' to a different test page.
+var testPage = "";
+// Assign a function to this variable to have a clean up at the end
+var testCleanUp = null;
+// Contains mixed active content that needs to load to run the test
+var hasMixedActiveContent = false;
+
+// Internal variables
+var _windowCount = 0;
+
+window.onload = async function onLoad() {
+  if (location.search == "?runtest") {
+    try {
+      if (history.length == 1) {
+        // Each test that includes this helper file is supposed to define
+        // runTest(). See the top level comment.
+        await runTest(); // eslint-disable-line no-undef
+      } else {
+        // Each test that includes this helper file is supposed to define
+        // afterNavigationTest(). See the top level comment.
+        await afterNavigationTest(); // eslint-disable-line no-undef
+      }
+    } catch (ex) {
+      ok(false, "Exception thrown during test: " + ex);
+      finish();
+    }
+  } else {
+    window.addEventListener("message", onMessageReceived);
+
+    let secureTestLocation = loadAsInsecure
+      ? "http://example.com"
+      : "https://example.com";
+    secureTestLocation += location.pathname;
+    if (testPage != "") {
+      let array = secureTestLocation.split("/");
+      array.pop();
+      array.push(testPage);
+      secureTestLocation = array.join("/");
+    }
+    secureTestLocation += "?runtest";
+
+    if (hasMixedActiveContent) {
+      SpecialPowers.pushPrefEnv(
+        { set: [["security.mixed_content.block_active_content", false]] },
+        null
+      );
+    }
+    if (openTwoWindows) {
+      _windowCount = 2;
+      window.open(secureTestLocation, "_new1", "");
+      window.open(secureTestLocation, "_new2", "");
+    } else {
+      _windowCount = 1;
+      window.open(secureTestLocation);
+    }
+  }
+};
+
+function onMessageReceived(event) {
+  switch (event.data) {
+    // Indication of all test parts finish (from any of the frames)
+    case "done":
+      if (--_windowCount == 0) {
+        if (testCleanUp) {
+          testCleanUp();
+        }
+        if (hasMixedActiveContent) {
+          SpecialPowers.popPrefEnv(null);
+        }
+
+        SimpleTest.finish();
+      }
+      break;
+
+    // Any other message is an error or success message of a test.
+    default:
+      SimpleTest.ok(!event.data.match(/^FAILURE/), event.data);
+      break;
+  }
+}
+
+function postMsg(message) {
+  opener.postMessage(message, "http://mochi.test:8888");
+}
+
+function finish() {
+  if (history.length == 1 && !bypassNavigationTest) {
+    window.setTimeout(() => {
+      window.location.assign(
+        navigateToInsecure
+          ? "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/backward.html"
+          : "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/backward.html"
+      );
+    }, 0);
+  } else {
+    postMsg("done");
+    window.close();
+  }
+}
+
+function ok(a, message) {
+  if (!a) {
+    postMsg("FAILURE: " + message);
+  } else {
+    postMsg(message);
+  }
+}
+
+function is(a, b, message) {
+  if (a != b) {
+    postMsg(`FAILURE: ${message}, expected ${b} got ${a}`);
+  } else {
+    postMsg(`${message}, expected ${b} got ${a}`);
+  }
+}
+
+async function isSecurityState(expectedState, message, test) {
+  if (!test) {
+    test = ok;
+  }
+
+  let state = await SpecialPowers.getSecurityState(window);
+
+  let isInsecure =
+    state & SpecialPowers.Ci.nsIWebProgressListener.STATE_IS_INSECURE;
+  let isBroken =
+    state & SpecialPowers.Ci.nsIWebProgressListener.STATE_IS_BROKEN;
+  let isEV =
+    state & SpecialPowers.Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL;
+
+  let gotState = "secure";
+  if (isInsecure) {
+    gotState = "insecure";
+  } else if (isBroken) {
+    gotState = "broken";
+  } else if (isEV) {
+    gotState = "EV";
+  }
+
+  test(
+    gotState == expectedState,
+    (message || "") + ", expected " + expectedState + " got " + gotState
+  );
+
+  switch (expectedState) {
+    case "insecure":
+      test(
+        isInsecure && !isBroken && !isEV,
+        "for 'insecure' excpected flags [1,0,0], " + (message || "")
+      );
+      break;
+    case "broken":
+      test(
+        !isInsecure && isBroken && !isEV,
+        "for 'broken' expected  flags [0,1,0], " + (message || "")
+      );
+      break;
+    case "secure":
+      test(
+        !isInsecure && !isBroken && !isEV,
+        "for 'secure' expected flags [0,0,0], " + (message || "")
+      );
+      break;
+    case "EV":
+      test(
+        !isInsecure && !isBroken && isEV,
+        "for 'EV' expected flags [0,0,1], " + (message || "")
+      );
+      break;
+    default:
+      throw new Error("Invalid isSecurityState state");
+  }
+}
+
+function waitForSecurityState(expectedState, callback) {
+  let roundsLeft = 200; // Wait for 20 seconds (=200*100ms)
+  let interval = window.setInterval(async () => {
+    await isSecurityState(expectedState, "", isok => {
+      if (isok) {
+        roundsLeft = 0;
+      }
+    });
+    if (!roundsLeft--) {
+      window.clearInterval(interval);
+      callback();
+    }
+  }, 100);
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/mochitest.ini b/security/manager/ssl/tests/mochitest/mixedcontent/mochitest.ini
new file mode 100644
index 0000000000..ec68371093
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/mochitest.ini
@@ -0,0 +1,70 @@
+[DEFAULT]
+# Disable for Http/3 since Http/3 tests require to run with https.
+skip-if =
+  http3
+prefs =
+  security.mixed_content.upgrade_display_content=false
+  dom.security.https_first=false
+support-files =
+  alloworigin.sjs
+  backward.html
+  bug329869.js
+  bug383369step2.html
+  bug383369step3.html
+  download.auto
+  download.auto^headers^
+  emptyimage.sjs
+  hugebmp.sjs
+  iframe.html
+  iframe2.html
+  iframeMetaRedirect.html
+  iframesecredirect.sjs
+  iframeunsecredirect.sjs
+  imgsecredirect.sjs
+  imgunsecredirect.sjs
+  mixedContentTest.js
+  moonsurface.jpg
+  nocontent.sjs
+  redirecttoemptyimage.sjs
+  somestyle.css
+  unsecureIframe.html
+  unsecurePictureDup.html
+
+[test_bug329869.html]
+[test_bug383369.html]
+skip-if = toolkit == 'android'
+[test_bug455367.html]
+[test_bug472986.html]
+[test_bug477118.html]
+[test_bug521461.html]
+[test_cssBefore1.html]
+[test_cssContent1.html]
+[test_cssContent2.html]
+[test_documentWrite1.html]
+[test_documentWrite2.html]
+[test_dynDelayedUnsecurePicture.html]
+[test_dynDelayedUnsecureXHR.html]
+[test_dynUnsecureBackground.html]
+[test_dynUnsecureIframeRedirect.html]
+[test_dynUnsecurePicture.html]
+[test_dynUnsecurePicturePreload.html]
+[test_dynUnsecureRedirect.html]
+disabled=intermitently fails, quite often, bug 487402
+[test_innerHtmlDelayedUnsecurePicture.html]
+[test_innerHtmlUnsecurePicture.html]
+[test_javascriptPicture.html]
+[test_secureAll.html]
+[test_securePicture.html]
+[test_unsecureBackground.html]
+[test_unsecureCSS.html]
+[test_unsecureIframe.html]
+[test_unsecureIframe2.html]
+skip-if =
+  fission && os == "android" # Bug 1827330
+[test_unsecureIframeMetaRedirect.html]
+disabled=intermittently fails, less often, bug 487632
+[test_unsecureIframeRedirect.html]
+[test_unsecurePicture.html]
+[test_unsecurePictureDup.html]
+[test_unsecurePictureInIframe.html]
+[test_unsecureRedirect.html]
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg b/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg
new file mode 100644
index 0000000000..c0ffca256a
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/moz.build b/security/manager/ssl/tests/mochitest/mixedcontent/moz.build
new file mode 100644
index 0000000000..7c990fbc62
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/moz.build
@@ -0,0 +1,7 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+MOCHITEST_MANIFESTS += ["mochitest.ini"]
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/nocontent.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/nocontent.sjs
new file mode 100644
index 0000000000..d5d65cf8a4
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/nocontent.sjs
@@ -0,0 +1,5 @@
+"use strict";
+
+function handleRequest(request, response) {
+  response.setStatusLine(request.httpVersion, 204, "No Content");
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/redirecttoemptyimage.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/redirecttoemptyimage.sjs
new file mode 100644
index 0000000000..98ed0a2f52
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/redirecttoemptyimage.sjs
@@ -0,0 +1,9 @@
+"use strict";
+
+function handleRequest(request, response) {
+  response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+  response.setHeader(
+    "Location",
+    "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/emptyimage.sjs"
+  );
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css b/security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css
new file mode 100644
index 0000000000..9867e3c41e
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css
@@ -0,0 +1,4 @@
+body
+{
+  background-color: lightBlue;
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug329869.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug329869.html
new file mode 100644
index 0000000000..ccb9a8d9cf
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug329869.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>dymanic script load</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  hasMixedActiveContent = true;
+
+  async function runTest()
+  {
+    await isSecurityState("secure");
+    window.setTimeout(function () {
+      let newElement = document.createElement("script");
+      newElement.src = "http://example.org/tests/security/manager/ssl/tests/" +
+                       "mochitest/mixedcontent/bug329869.js";
+      document.body.appendChild(newElement);
+    }, 0);
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("secure", "when we navigate back, we're loading our secure page again and not loading an insecure script, so our security state is secure");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug383369.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug383369.html
new file mode 100644
index 0000000000..8341f83744
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug383369.html
@@ -0,0 +1,89 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 383369 test</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  // We want to start this test from an insecure context
+  loadAsInsecure = true;
+  // We don't want to go through the navigation back/forward test
+  bypassNavigationTest = true;
+
+  async function runTest() {
+    let script = SpecialPowers.loadChromeScript(function() {
+      /* eslint-env mozilla/chrome-script */
+      // Force download to be w/o user assistance for our testing mime type
+      const mimeSvc = Cc["@mozilla.org/mime;1"].getService(Ci.nsIMIMEService);
+      let handlerInfo =
+        mimeSvc.getFromTypeAndExtension("application/x-auto-download", "auto");
+      handlerInfo.preferredAction = Ci.nsIHandlerInfo.saveToDisk;
+      handlerInfo.alwaysAskBeforeHandling = false;
+      handlerInfo.preferredApplicationHandler = null;
+
+      const handlerSvc = Cc["@mozilla.org/uriloader/handler-service;1"]
+                           .getService(Ci.nsIHandlerService);
+      handlerSvc.store(handlerInfo);
+
+      let profileDir = Services.dirsvc.get("ProfDS", Ci.nsIFile);
+      profileDir.append("downloads");
+
+      let prefBranch = Services.prefs.getBranch("browser.download.");
+
+      prefBranch.setCharPref("dir", profileDir.path);
+      prefBranch.setBoolPref("useDownloadDir", true);
+      prefBranch.setIntPref("folderList", 2);
+
+      const { Downloads } =
+        ChromeUtils.import("resource://gre/modules/Downloads.jsm");
+      Downloads.getList(Downloads.PUBLIC).then(list => {
+        list.addView({
+          onDownloadAdded(aDownload) {
+            list.removeView(this);
+            aDownload.whenSucceeded().then(() => {
+              list.removeFinished();
+              sendAsyncMessage("navigate", "bug383369step2.html");
+            });
+          },
+        });
+        sendAsyncMessage("navigate", "download.auto");
+      }).catch(console.error);
+    });
+    script.addMessageListener("navigate", function(url) {
+      window.location = url;
+    });
+  }
+
+  async function afterNavigationTest() {}
+
+  testCleanUp = function cleanup() {
+    SpecialPowers.loadChromeScript(function() {
+      const mimeSvc = Cc["@mozilla.org/mime;1"].getService(Ci.nsIMIMEService);
+      let handlerInfo =
+        mimeSvc.getFromTypeAndExtension("application/x-auto-download", "auto");
+
+      const handlerSvc = Cc["@mozilla.org/uriloader/handler-service;1"]
+                           .getService(Ci.nsIHandlerService);
+      handlerSvc.remove(handlerInfo);
+
+      let prefBranch = Services.prefs.getBranch("browser.download.");
+
+      const prefKeys = ["dir", "useDownloadDir", "folderList"];
+      for (let prefKey of prefKeys) {
+        if (prefBranch.prefHasUserValue(prefKey)) {
+          prefBranch.clearUserPref(prefKey);
+        }
+      }
+    });
+  };
+
+  </script>
+</head>
+
+<body>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug455367.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug455367.html
new file mode 100644
index 0000000000..d2ad64c454
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug455367.html
@@ -0,0 +1,37 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>No content image doesn't break security</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  async function runTest()
+  {
+    SpecialPowers.pushPrefEnv(
+      {"set": [["security.mixed_content.upgrade_display_content", false]]},
+      null);
+    await isSecurityState("broken", "broken");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("broken", "broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/redirecttoemptyimage.sjs" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug472986.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug472986.html
new file mode 100644
index 0000000000..bd55a600ca
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug472986.html
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>img.src replace</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  SimpleTest.expectAssertions(0, 4);
+
+  // Clear the default onload assigned to test start because we must
+  // wait for replaced image to load and only after that test the security state
+  var onLoadFunction = window.onload;
+  window.onload = function()
+  {
+    let img1 = document.getElementById("img1");
+    img1.addEventListener("load", onLoadFunction);
+    img1.src = "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg";
+  };
+
+  async function runTest()
+  {
+    await isSecurityState("secure", "secure");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("secure", "secure after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img id="img1" src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug477118.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug477118.html
new file mode 100644
index 0000000000..90932790f0
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug477118.html
@@ -0,0 +1,34 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 477118</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  async function runTest()
+  {
+    await isSecurityState("secure", "data <img> doesn't break security");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("secure", "still secure after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAAZiS0dEAP8A/wD/oL2nkwAAAAlwSFlzAAAN1wAADdcBQiibeAAAAAd0SU1FB9kBDxIAOdxBIbcAAAI+SURBVDjLxZO7TxRhFMV/M/PN7EPYhS02yytggo+ERAgxERsNhYnGzsQojaHT3r9F0cTaUjs6NUQLBRKDi4I8FEwkLMgO+5rdeX3XAoVYiZWnP797cu69Bv8gqZ+0QTqIdRpl1VHGvnV884CJwQgwicVtoB/ku/H4ycOnURgP/Q1g21Fw4+r0RjbbNmaq4ayO35UkXp9S2UzHxK2bE4QNl82FVwD0D49jn+hERBCRgwTiIX7pvGUGYF/BlO327d3ENfV7wuL0AyjPICIsfPvAmev3qdVqlMtlCoUCGxurDPT1kEnPomQKkRTFpXOjh4DN4kvGLuSJ/JC38y/ouXyXYrGIiBDHMVtbu1SrvXTlbfp6HcQcoVwp5hRAaWedPXFYfL+E1lAKswSRy+joKEEQICLkcjm01hiGgRcksW0b4SMKYHb+OSt6ma+VffxWRF3S5OeeMX7pHkqpwy5EBK31H90ogFODF1lbm8OtlEhloDORpbdnhDAMaTabhwbbtkkkEkRRhGVZR4BCfojJO4+o1VwQAItEIolpmliWRVtbG7s/dlDKotGo47U8CvkuAEwA3/eJoxhE0WyGuO4+nucRBAHVahXDMKg3agRhQBAGVKsVtNZHCRzHwTAMcrnc0eX9it3e3g7A6cGzhx0AKHWwQOV5jdXXb2ZOaa3BOP5ffF5ZptVqflG+3xpbWv5kh2FolEo7dnmv7Lium6zXG0nf95MiguM4QTqd9jPZTCvX2eF393QHqVRKZ7KZkP+unzPGLX8Jr7F8AAAAAElFTkSuQmCC" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug521461.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug521461.html
new file mode 100644
index 0000000000..59085a5ec4
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug521461.html
@@ -0,0 +1,39 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 521461</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+  SimpleTest.requestFlakyTimeout("Timeout in mixedContentTest");
+
+  loadAsInsecure = true;
+
+  async function runTest()
+  {
+    window.location = "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/nocontent.sjs";
+    window.setTimeout(async () => {
+      await isSecurityState("insecure", "location.href doesn't effect the security state");
+      is(document.body.innerHTML, "This is an unsecure page!\n", "Document has not changed content");
+      finish();
+    }, 1000);
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("insecure", "still not secure after navigation");
+    is(document.body.innerHTML, "This is an unsecure page!\n", "Document has not changed content");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>This is an unsecure page!</body></html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_cssBefore1.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssBefore1.html
new file mode 100644
index 0000000000..98cee1bb53
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssBefore1.html
@@ -0,0 +1,42 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>CSS :before styling 1</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+  <style type="text/css">
+    p:before
+    {
+      content: url(http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg);
+    }
+  </style>
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  async function runTest()
+  {
+    await isSecurityState("broken", "insecure content added by :before styling breaks security");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <p>
+    There is a moon surface left to this text
+  </p>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent1.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent1.html
new file mode 100644
index 0000000000..5c5019ca78
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent1.html
@@ -0,0 +1,41 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>CSS conent styling 1</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <style type="text/css">
+    p
+    {
+      content: url(http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg);
+    }
+  </style>
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  async function runTest()
+  {
+    await isSecurityState("broken", "insecure content added by :before styling breaks security");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <p></p>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent2.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent2.html
new file mode 100644
index 0000000000..19e5784334
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent2.html
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>CSS conent styling 2</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  if (navigator.platform.startsWith("Mac")) {
+    SimpleTest.expectAssertions(0, 1);
+  }
+
+  async function runTest()
+  {
+    await isSecurityState("secure");
+    document.getElementById("para").style.content =
+      "url('http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg')";
+
+    waitForSecurityState("broken", async () =>
+    {
+      await isSecurityState("broken", "insecure content added by styling breaks security");
+      finish();
+    });
+  }
+
+  async function afterNavigationTest()
+  {
+    is(document.getElementById("para").style.content, "");
+    await isSecurityState("secure", "security full after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <p id="para"></p>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite1.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite1.html
new file mode 100644
index 0000000000..90eca5bcdb
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite1.html
@@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>document.write('<img src="http://">')</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  async function runTest()
+  {
+    await isSecurityState("broken", "insecure <img> written dynamically breaks security");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <script class="testbody" type="text/javascript">
+  "use strict";
+  document.write(
+    "<img src='http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg' />");
+  </script>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite2.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite2.html
new file mode 100644
index 0000000000..e009fd4f54
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite2.html
@@ -0,0 +1,40 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>document.write('<iframe src="http://">')</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  hasMixedActiveContent = true;
+
+  async function runTest()
+  {
+    await isSecurityState("broken", "insecure iframe written dynamically breaks security");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <script class="testbody" type="text/javascript">
+  "use strict";
+  document.write(
+    "<iframe src='http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html'></iframe>");
+  </script>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecurePicture.html
new file mode 100644
index 0000000000..514902d047
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecurePicture.html
@@ -0,0 +1,47 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>img.src changes to unsecure test</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  async function runTest()
+  {
+    await isSecurityState("secure");
+    window.setTimeout(function() {
+      // Don't do this synchronously from onload handler
+      document.getElementById("image1").src =
+        "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg";
+    }, 0);
+
+    waitForSecurityState("broken", async () =>
+    {
+      await isSecurityState("broken", "src='http://...' changed to broken");
+      finish();
+    });
+  }
+
+  async function afterNavigationTest()
+  {
+    is(document.getElementById("image1").src,
+      "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg",
+      "img.src secure again");
+    await isSecurityState("secure", "security full after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img id="image1" src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecureXHR.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecureXHR.html
new file mode 100644
index 0000000000..d9a8cc8af7
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecureXHR.html
@@ -0,0 +1,48 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>unsecure XHR test</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  hasMixedActiveContent = true;
+
+  async function runTest()
+  {
+    await isSecurityState("secure");
+    window.setTimeout(async () => {
+      try {
+        let req = new XMLHttpRequest();
+        req.open("GET", "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/alloworigin.sjs", false);
+        req.send(null);
+
+        // Change should be immediate, the request was sent synchronously
+        await isSecurityState("broken", "security broken after insecure XHR");
+      } catch (ex) {
+        ok(false, ex);
+      }
+
+      finish();
+    }, 0);
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("secure", "security full after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureBackground.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureBackground.html
new file mode 100644
index 0000000000..fd66b21a64
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureBackground.html
@@ -0,0 +1,44 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>body.background changes to unsecure test</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  // This test, as is, equals to https://kuix.de/misc/test17/358438.php
+
+  async function runTest()
+  {
+    await isSecurityState("secure");
+    document.body.background =
+      "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg";
+
+    waitForSecurityState("broken", async () => {
+      await isSecurityState("broken", "document.body.background='http://...' changed to broken");
+      finish();
+    });
+  }
+
+  async function afterNavigationTest()
+  {
+    is(document.body.background,
+      "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg",
+      "document backround secure again");
+    await isSecurityState("secure", "secure after re-navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body background="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg">
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureIframeRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureIframeRedirect.html
new file mode 100644
index 0000000000..8934de4b79
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureIframeRedirect.html
@@ -0,0 +1,44 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>iframe.src changes to unsecure redirect test</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  hasMixedActiveContent = true;
+
+  async function runTest()
+  {
+    await isSecurityState("secure");
+    let self = window;
+    let iframe = document.getElementById("iframe1");
+    iframe.onload = async () => {
+      await self.isSecurityState("broken", "src='redirect to unsecure' changed to broken");
+      self.finish();
+    };
+
+    iframe.src =
+      "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs";
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <iframe id="iframe1" src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html"></iframe>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicture.html
new file mode 100644
index 0000000000..5ef5a28b2c
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicture.html
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>img.src changes to unsecure test</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+  SimpleTest.requestFlakyTimeout("Timeout in mixedContentTest");
+
+  // This test, as is, equals to https://kuix.de/misc/test17/358438.php
+
+  async function runTest()
+  {
+    await isSecurityState("secure");
+    document.getElementById("image1").src =
+      "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg";
+
+    window.setTimeout(async () => {
+      await isSecurityState("broken", "src='http://...' changed to broken");
+      finish();
+    }, 500);
+  }
+
+  async function afterNavigationTest()
+  {
+    is(document.getElementById("image1").src,
+      "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg",
+      "img.src secure again");
+    await isSecurityState("secure", "security full after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img id="image1" src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicturePreload.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicturePreload.html
new file mode 100644
index 0000000000..d8506e8cc5
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicturePreload.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>img.src changes to unsecure test</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  (new Image()).src =
+    "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg";
+
+  async function runTest()
+  {
+    await isSecurityState("broken", "(new Image()).src='http://...' changed to broken");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("broken", "security broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureRedirect.html
new file mode 100644
index 0000000000..a73c7f8619
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureRedirect.html
@@ -0,0 +1,39 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>img.src changes to unsecure redirect test</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  async function runTest()
+  {
+    await isSecurityState("secure");
+    document.getElementById("image1").src =
+      "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs";
+
+    window.setTimeout(async () => {
+      await isSecurityState("broken", "src='redirect to unsecure' changed to broken");
+      finish();
+    }, 500);
+  }
+
+  async function afterNavigationTest()
+  {
+    is(document.getElementById("image1").src,
+      "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg",
+      "img.src secure again");
+    await isSecurityState("secure", "security full after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img id="image1" src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlDelayedUnsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlDelayedUnsecurePicture.html
new file mode 100644
index 0000000000..45bf140384
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlDelayedUnsecurePicture.html
@@ -0,0 +1,42 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>innerHTML changes to unsecure test</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+  SimpleTest.requestFlakyTimeout("Timeout in mixedContentTest");
+
+  async function runTest()
+  {
+    await isSecurityState("secure");
+
+    window.setTimeout(function () {
+      document.getElementById("buddy").innerHTML =
+        "<img id='image1' src='http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg' />";
+    }, 1);
+
+    waitForSecurityState("broken", async () => {
+      await isSecurityState("broken", "innerHTML loading insecure changed to broken");
+      finish();
+    });
+  }
+
+  async function afterNavigationTest()
+  {
+    is(document.getElementById("buddy").innerHTML, "\n", "innerHTML back to previous");
+    await isSecurityState("secure");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body id="buddy"></body></html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlUnsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlUnsecurePicture.html
new file mode 100644
index 0000000000..d8b3e5f6e0
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlUnsecurePicture.html
@@ -0,0 +1,40 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>innerHTML changes to unsecure test</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+  SimpleTest.requestFlakyTimeout("Timeout in mixedContentTest");
+
+  async function runTest()
+  {
+    await isSecurityState("secure");
+
+    document.getElementById("buddy").innerHTML =
+      "<img id='image1' src='http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg' />";
+
+    window.setTimeout(async () => {
+      await isSecurityState("broken", "innerHTML loading insecure changed to broken");
+      finish();
+    }, 500);
+  }
+
+  async function afterNavigationTest()
+  {
+    is(document.getElementById("buddy").innerHTML, "\n", "innerHTML back to previous");
+    await isSecurityState("secure");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body id="buddy"></body></html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_javascriptPicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_javascriptPicture.html
new file mode 100644
index 0000000000..66a28ce74e
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_javascriptPicture.html
@@ -0,0 +1,34 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Secure img load</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  async function runTest()
+  {
+    await isSecurityState("secure", "javascript: <img> should not break security");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("secure", "Still secure after renavigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img src="javascript:'Random data'" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_secureAll.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_secureAll.html
new file mode 100644
index 0000000000..efd754dd58
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_secureAll.html
@@ -0,0 +1,42 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>All secure anti-regression check</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <link rel="stylesheet" type="text/css"
+    href="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  // Navigation test goes over an insecure page, test state leak
+  navigateToInsecure = true;
+
+  async function runTest()
+  {
+    await isSecurityState("secure", "insecure <img> load breaks security");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("secure", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" />
+  <img src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/imgsecredirect.sjs" />
+  <iframe src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframesecredirect.sjs" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_securePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_securePicture.html
new file mode 100644
index 0000000000..961713a2da
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_securePicture.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Secure img load</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  loadAsInsecure = true;
+
+  async function runTest()
+  {
+    await isSecurityState("insecure", "left insecure");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("insecure", "left insecure after renavigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureBackground.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureBackground.html
new file mode 100644
index 0000000000..02fdb29d41
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureBackground.html
@@ -0,0 +1,35 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>background unsecure test</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  // This test, as is, equals to https://kuix.de/misc/test17/358438.php
+
+  async function runTest()
+  {
+    await isSecurityState("broken", "security broken");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("broken", "security after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body background="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg">
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureCSS.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureCSS.html
new file mode 100644
index 0000000000..c775347e72
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureCSS.html
@@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Unsecure css load</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <link rel="stylesheet" type="text/css"
+    href="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  hasMixedActiveContent = true;
+
+  async function runTest()
+  {
+    await isSecurityState("broken", "insecure <img> load breaks security");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe.html
new file mode 100644
index 0000000000..291ce3747e
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Unsecure iframe load</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  hasMixedActiveContent = true;
+
+  async function runTest()
+  {
+    await isSecurityState("broken", "insecure <iframe> load breaks security");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <iframe src="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html"></iframe>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe2.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe2.html
new file mode 100644
index 0000000000..8f49ecda51
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe2.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Unsecure iframe load</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  hasMixedActiveContent = true;
+
+  async function runTest()
+  {
+    await isSecurityState("broken", "insecure <iframe> load breaks security");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <iframe src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe2.html"></iframe>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeMetaRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeMetaRedirect.html
new file mode 100644
index 0000000000..4eebbf5b22
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeMetaRedirect.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Unsecure redirect iframe load</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  async function runTest()
+  {
+    window.setTimeout(async () =>
+    {
+      await isSecurityState("broken", "insecure meta-tag <iframe> load breaks security");
+      finish();
+    }, 500);
+  }
+
+  async function afterNavigationTest()
+  {
+    window.setTimeout(async () =>
+    {
+      await isSecurityState("broken", "security still broken after navigation");
+      finish();
+    }, 500);
+  }
+
+  </script>
+</head>
+
+<body>
+  <iframe src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframeMetaRedirect.html"></iframe>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeRedirect.html
new file mode 100644
index 0000000000..12a4233494
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeRedirect.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Unsecure redirect iframe load</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  hasMixedActiveContent = true;
+
+  async function runTest()
+  {
+    await isSecurityState("broken", "insecure <iframe> load breaks security");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <iframe src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs"></iframe>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePicture.html
new file mode 100644
index 0000000000..3c19811db9
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePicture.html
@@ -0,0 +1,34 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Unsecure img load</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  async function runTest()
+  {
+    await isSecurityState("broken", "insecure <img> load breaks security");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img src="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureDup.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureDup.html
new file mode 100644
index 0000000000..81ed58ffde
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureDup.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Unsecure img load in two windows</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  openTwoWindows = true;
+  testPage = "unsecurePictureDup.html";
+
+  </script>
+</head>
+
+<body>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureInIframe.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureInIframe.html
new file mode 100644
index 0000000000..21bcf5f810
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureInIframe.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Unsecure img in iframe load</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  hasMixedActiveContent = true;
+
+  async function runTest()
+  {
+    await isSecurityState("broken", "insecure <img> in an <iframe> load breaks security");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <iframe src="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/unsecureIframe.html"></iframe>
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureRedirect.html
new file mode 100644
index 0000000000..82611ff3fe
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureRedirect.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Redirect from secure to unsecure img</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  hasMixedActiveContent = true;
+
+  async function runTest()
+  {
+    await isSecurityState("broken", "insecure <img> load breaks security");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img src="https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/unsecureIframe.html b/security/manager/ssl/tests/mochitest/mixedcontent/unsecureIframe.html
new file mode 100644
index 0000000000..2282677418
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/unsecureIframe.html
@@ -0,0 +1,9 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+</head>
+
+<body>
+  <img src="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/unsecurePictureDup.html b/security/manager/ssl/tests/mochitest/mixedcontent/unsecurePictureDup.html
new file mode 100644
index 0000000000..7ce3701620
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/unsecurePictureDup.html
@@ -0,0 +1,34 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Unsecure img load in two windows</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  async function runTest()
+  {
+    await isSecurityState("broken", "insecure <img> load breaks security");
+    finish();
+  }
+
+  async function afterNavigationTest()
+  {
+    await isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img src="http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs" />
+</body>
+</html>
diff --git a/security/manager/ssl/tests/mochitest/moz.build b/security/manager/ssl/tests/mochitest/moz.build
new file mode 100644
index 0000000000..ddb344c83c
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/moz.build
@@ -0,0 +1,10 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+TEST_DIRS += [
+    "browser",
+    "mixedcontent",
+]
diff --git a/security/manager/ssl/tests/moz.build b/security/manager/ssl/tests/moz.build
new file mode 100644
index 0000000000..d39ca0ff17
--- /dev/null
+++ b/security/manager/ssl/tests/moz.build
@@ -0,0 +1,17 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+DIRS += ["unit"]
+
+TEST_DIRS += [
+    "gtest",
+    "mochitest",
+]
+
+XPCSHELL_TESTS_MANIFESTS += ["unit/xpcshell.ini"]
+
+if not CONFIG["MOZ_NO_SMART_CARDS"]:
+    XPCSHELL_TESTS_MANIFESTS += ["unit/xpcshell-smartcards.ini"]
diff --git a/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem
new file mode 100644
index 0000000000..0887f60558
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6DCCAdCgAwIBAgIUAyI54Ss40HvhJFymYwne7lBQZJ8wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAmMSQwIgYDVQQDDBtFRSB3aXRoIGJhZCBzdWJqZWN0QWx0TmFt
+ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI
+BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa
+p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB
+7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C
+kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv
+aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK
+Ne2NAgMBAAGjHjAcMBoGA1UdEQQTMBGCDyouKi5leGFtcGxlLmNvbTANBgkqhkiG
+9w0BAQsFAAOCAQEAMOjSTR1Tmp4baReRr6pvdH+HucpdIf5ZtH7Vn3h5e+Iuq9OO
+Ugq9qquo3sR1IAIAsCxWA/HHZMQOU5X1BxmC5+CXMfHmC/+1vLsxjZozhizKzpMh
+vtuJ33lgrwL30aTkF2IAPmqwu4akPFRdFGUtCL2LHeNGrO5UWQLDv7eDI8btkkm7
+AjV4u9y2/1W5um4KTQHWFzyl0iz1P5x/2MymBeiM4khRbQbfl8DmW6COLbhvPDEg
+YPL4ibjmMwOuOUgZ6bCw5Ck/cR7Yz7vVIOMC21d7elqJKfQ5tg62ZGs3r7L+Ir5o
+461gJUgzKhxT4MUQsLSCtKzSab9Rjg3pwfmHvQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem.certspec
new file mode 100644
index 0000000000..1b368c26f1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test CA
+subject:EE with bad subjectAltNames
+extension:subjectAlternativeName:*.*.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem
new file mode 100644
index 0000000000..9faffde6d6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDKzCCAhOgAwIBAgIUPU/rVUoMybyCeEAWx++fMAuZ6k0wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8xOTQ2MDIxNDAwMDAwMFoYDzIwMzEw
+MTAxMDAwMDAwWjAsMSowKAYDVQQDDCFCZWZvcmUgVU5JWCBFcG9jaCBUZXN0IEVu
+ZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W
+1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtq
+ZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx
+0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthV
+t2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo
+4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx
+1QOs2hgKNe2NAgMBAAGjWzBZMCMGA1UdEQQcMBqCGGJlZm9yZS1lcG9jaC5leGFt
+cGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2Nh
+bGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBALocgfctX/9NDtkQ7zAkGl14
+UXkXBCq7vn5fKss2bCG7D6M/+Q4ZJ64/QXGK96tKqdJctiyIN3KArnk4/pWfYCQG
+DgIHXFAgbKUQU0uiGmPwbPQnYq8la6VEarMrzWnGhqVPG1wsqiO1cnecycvm2W7W
+9n7qvw3s2Gf0WZIQKqpNmuhouboeiK1xFxryLWiNaG087WPHb71e1C+1enVb/hJN
+E1KD7dBtBh0sOC6bOFdc4BzhDHnDzPSznSqouotHf5U8YniKoPcDCml544msKwP8
+LCj3tG1VdMxL+p83ETDHG6GLUY20R0E6WJJfvfZ3hdxRUKgaAs+diT3xYXXYqTA=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem.certspec
new file mode 100644
index 0000000000..ac97b2231a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Before UNIX Epoch Test End-entity
+validity:19460214-20310101
+extension:subjectAlternativeName:before-epoch.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem
new file mode 100644
index 0000000000..6cdfa86a25
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIUL5tQyA2FR4V3eMcfGyWTxS4vmp0wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8xOTQ2MDIxNDAwMDAwMFoYDzIwMzEw
+MTAxMDAwMDAwWjAuMSwwKgYDVQQDDCNCZWZvcmUgVU5JWCBFcG9jaCBUZXN0IElu
+dGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYw
+DQYJKoZIhvcNAQELBQADggEBAGDlMbdxc1BHrn6l1svyskkHx68lSeTGVucIpClu
+mJIT3rsTR5swYuyvrWe/gqkVqGRv2gIpMUYAJoHWjF4fRyWkIjJz5JnSP5qxFKKk
+NFrjXFpGSqxJGtuMUNNGk7P30RLje5aE00bqrZHokfrokzChC3G3QJPOwvJtP1Gk
+wldQ8AeoHu/u3oEB3caoC1QpFfgF5kunNETSIxX5bTmsjTSSJnJjnf46FQdbOWUh
+P5Qkr6ZNK4ZAOIm+PRRyJ44JiHab+up/cEs17/T5dNcnHCy4TYXquNKwOe35qakm
+iexwhKycaAEM0TcTI1OA5K4tCwFvaiOr4eTzxN28Cemd89E=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem.certspec
new file mode 100644
index 0000000000..835e63f2b6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Before UNIX Epoch Test Intermediate
+validity:19460214-20310101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem
new file mode 100644
index 0000000000..3c00353a49
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWjCCAkKgAwIBAgIUGeo1nKP85zWT0JhJqZ5K3WQBKx0wDQYJKoZIhvcNAQEL
+BQAwLjEsMCoGA1UEAwwjQmVmb3JlIFVOSVggRXBvY2ggVGVzdCBJbnRlcm1lZGlh
+dGUwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowODE2MDQGA1UE
+AwwtVGVzdCBFbmQtZW50aXR5IHdpdGggQmVmb3JlIFVOSVggRXBvY2ggaXNzdWVy
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABo2IwYDAqBgNVHREEIzAhgh9iZWZvcmUtZXBvY2gtaXNzdWVyLmV4YW1w
+bGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2Fs
+aG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAb3Nv1Hxi4XlvI6yMMgFGEKiU
+gWk9TLQgIkjXbVlyfxhNrJs8WcY1V56sIC8EoBaCsMEgh3htvAhkVJ9v6HEZqgP8
+lwtUpta8sniuMRogVPehIIU53HB0Fp2LzoEQB0UzS7mD0LNCubK0BPMsNdT+LwSQ
+1sA7df8nQVdmLbcoFchQ1CaaSzyf8aFEWNuBiUF46j9BvcQykG8BhpDJ3+lV/Wl7
+wEXaFsW+/cEb0XBLQS/N+2B43+7EZQ9ZVOr1834V+d5jAFOHpyYfjVCySBd+VrRi
+NXq0j86M0RrhKYUzYNQ+bj5NIqHVG+TNYFc7TX6sqGW8S5HJ0v4/bYe33SuTdw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem.certspec
new file mode 100644
index 0000000000..9aabe21628
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Before UNIX Epoch Test Intermediate
+subject:Test End-entity with Before UNIX Epoch issuer
+extension:subjectAlternativeName:before-epoch-issuer.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem
new file mode 100644
index 0000000000..69972591d4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUCfV2HIsCkOeqHcXdhZf6ejBahIswDQYJKoZIhvcNAQEL
+BQAwODE2MDQGA1UEAwwtU2VsZi1TaWduZWQgQmVmb3JlIFVOSVggRXBvY2ggVGVz
+dCBFbmQtRW50aXR5MCIYDzE5NDYwMjE0MDAwMDAwWhgPMjAzMTAxMDEwMDAwMDBa
+MDgxNjA0BgNVBAMMLVNlbGYtU2lnbmVkIEJlZm9yZSBVTklYIEVwb2NoIFRlc3Qg
+RW5kLUVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaMzMDEwLwYDVR0RBCgwJoIkYmVmb3JlLWVwb2NoLXNl
+bGYtc2lnbmVkLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBCrP9yopCm
+BJSG6MIq3olV8meoQ2wIrCm2i1Ob2BI3JXW9CSjtnklmQaXzyEY6EnH7K/qzHMbz
+prbtiM+e0GjwwYNDAe3Ad1kUjDUSVnMAYmtTJOYxhmGYztkmM2xkz9Tvn+M4U35A
+GXimG82MDslBvDINDCPvwWsjst8oMwDAezpxZP2zZ/BrXbyUvOfCqyWQrRTNfSmF
+Aub2UQBdjSCgwY5RpzJ2ib5IWmVm3vPQmhM69FwI3WzWsbOb6MYdyPpnVnlN626l
+AwLjoaSP3F/lSgPzDqVKgx6rjqkYANPGaLLXdRH3ynJlxuW9JlamyuEypPIA0+Ml
+rvaprkFh5rXU
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec
new file mode 100644
index 0000000000..579e85e496
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Self-Signed Before UNIX Epoch Test End-Entity
+subject:Self-Signed Before UNIX Epoch Test End-Entity
+validity:19460214-20310101
+extension:subjectAlternativeName:before-epoch-self-signed.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem
new file mode 100644
index 0000000000..354741fc50
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRTCCAi2gAwIBAgIUAywOkzxiH/uWcwxb85Yy3OI46WgwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAvMS0wKwYDVQQDDCRUZXN0IEludGVybWVkaWF0ZSB1c2VkIGFz
+IEVuZC1FbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjcjBwMAwGA1UdEwQFMAMBAf8wMgYIKwYBBQUHAQEE
+JjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMCwGA1UdEQQl
+MCOCIWNhLXVzZWQtYXMtZW5kLWVudGl0eS5leGFtcGxlLmNvbTANBgkqhkiG9w0B
+AQsFAAOCAQEAN+g9N3uhls8y70fGORVEyYVjBmMCFeQz3DQw3u1J7+aHe6efygSP
+OKPXW3SbHSxlPFIsicVSHO3sso3zUGoedMw0KSyni4tR4yQ9jllrqijVCWorqRbU
+tlseF5hfw7DsKcl6jGA5UN0Aiq9SwKArdkRL+0Ykk0a/rxMEiOjf/Ao3ImfJnsCa
+frDKqziMWOmQtxrVTabpgRqCd1gtTg4cCsy7Yto8v4Gn1N/EL8FAXGWOieWDQ2Iv
+UFd9p0eTReBbRNC/QuZa7nEEAh4JO+JCAW4rHI6+beSPCT+lFQbF8sAJYSMGf0lb
+LAwyUGAPPLRx+SweIClb4EO+iVAFuR0Tug==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem.certspec
new file mode 100644
index 0000000000..8e16705b50
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate used as End-Entity
+extension:basicConstraints:cA,
+extension:authorityInformationAccess:http://localhost:8888/
+extension:subjectAlternativeName:ca-used-as-end-entity.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.key b/security/manager/ssl/tests/unit/bad_certs/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.pem b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem
new file mode 100644
index 0000000000..5dc7cf4ef8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDiTCCAnGgAwIBAgIUOYwND1zpte36abEsvdvudfnxjHgwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow
+gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp
+bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu
+ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs
+ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBr5H7lb24bMQYGDFY5qeMDNcti
+AI4rI7Nu0aMvZtDcxqHkIg/a7nr7WeQc3gCg8mUJ6xvreXxRswrudZzjjsGiTbym
+qjEz7HYrbvdWh5bLtdL7aoP1KmFD722guwdXVYQ7tx65oHroH+UCU28VT/+WzsHc
+5OjBqZvR928aWEXwIen9lhdk/5Rq2IrFqCTuUrNR5aiP6gJZoy4nIh3IFIxqWzsm
+lOjqvzSQIuo+gLN7oduafrwetpp8ywSrDVTtp9yckIHuW8css+OZLfqbFPMSFRJo
+Qee+FhxaGgDoRGk8oVGYyTJYUPIReZa5dtNPKs1JQvdqhIeUwA3GnJBTFCan
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec
new file mode 100644
index 0000000000..554339ff52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test End-entity
+extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem
new file mode 100644
index 0000000000..729808a76c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgIUI58z0zygvl7soKf2Z7nS20tb80cwDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUTWlzc2luZyBJbnRlcm1lZGlhdGUwIhgPMjAyMTExMjcw
+MDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowJzElMCMGA1UEAwwcZWUtZnJvbS1taXNz
+aW5nLWludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG
+8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V
+gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3
+04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l
+0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz
+/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMnMCUwIwYDVR0RBBwwGoIJbG9jYWxob3N0
+gg0qLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAIik8evPkL8v8lNHey
+GnsO5D21ZoBASKz5RQSiVrIUznEBnRpWSBUDbgIZWQCiP1TZBBpa9F2B6rA9VLM7
+HyetiyL2vEra2t9jH0zrHp0L+azwy1Keog2vFcuBmLEI9zOKvSyCLCAeQ0OlI6iS
+wlNbbauU+UaPVffNk7g8yjM0SScktdA1Ve4/Dwu8OqJZ2XX+gb9pRlowFz4btCBL
+Fo//5sz9CcagJN7c+Rpk2kOvomHe1pgnioNHYQmj6viGXN8AS7dPDXi8z08uxgJ/
+kCSUZeoZLVwRReEGCjhDOiLgCRx+/2mzs/xjuM+43g1hWfj7cce6iR4nfMRWAhsZ
+3WRx
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem.certspec
new file mode 100644
index 0000000000..48bb1c6e4a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Missing Intermediate
+subject:ee-from-missing-intermediate
+extension:subjectAlternativeName:localhost,*.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem
new file mode 100644
index 0000000000..141c88fe42
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIUDUVlzgTWxF+qWP8tpQ3tfmThWikwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjArMSkwJwYDVQQDEyBJbW1pbmVudGx5IERpc3RydXN0ZWQgRW5k
+IEVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaNvMG0wNwYDVR0RBDAwLoIJbG9jYWxob3N0giFpbW1pbmVu
+dGx5LWRpc3RydXN0ZWQuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsG
+AQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IB
+AQAA9rWfwMwc5IIktzvNVAv67CAKcvNoxxuik5vnQk51qglv/k+buamFEpW5nPxS
+Rp8g6TL6Bqppgk4txyLa6+ffbNYoTrMNs29Tj8TjTohvrahYGN4rusXEAmAz7dNj
+hY3nPDVOXG3u90iYHIJOwr/5xlSfjUFFVRBEO0ypt2qaTtbXBbP8JbNiYDFkRVbc
+QGlnq5QiZCzaAQPDG7bOZp4U2ZObu0Vc2jrKfHL1K4Z1tlZdeYJ5M810dEO9GAyj
+TwSRtbiSosWfRjxTH7AyfMn7OGTjoTPukYilLusCmpXy7NI+DOFLDicrNZP4uZ+B
+pG67V1YevJXG5D0nKoAFKNOX
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem.certspec
new file mode 100644
index 0000000000..dd8c6707ce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:printableString/CN=Imminently Distrusted End Entity
+extension:subjectAlternativeName:localhost,imminently-distrusted.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem
new file mode 100644
index 0000000000..04c4f9f167
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJTCCAg2gAwIBAgIUY+eX/gQmQBSMBZI1NjyBEpmUFYEwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPVGVzdCBFbmQtZW50aXR5MCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMB4xHDAaBgNVBAMME0VFIElzc3VlZCBieSBub24t
+Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI
+BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa
+p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB
+7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C
+kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv
+aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK
+Ne2NAgMBAAGjWzBZMCMGA1UdEQQcMBqCCWxvY2FsaG9zdIINKi5leGFtcGxlLmNv
+bTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6
+ODg4OC8wDQYJKoZIhvcNAQELBQADggEBAGG1ldwhUiaY+jVOyDZyQxN2tFCN3TOh
+14tkKxzbx7o2awiLgNtOHAXMyb/6qwT+ktHwxtdA97wJGTYXMcAqAsD7ZtigINe3
+f63d/7uC7Ns7gnw++IFxGbjX7/cJSZMaqg35xMxcWtgt7pb7epXttz7hi2AD2LWu
+jXwCQEVdoPmdOqMVvE4yg6VweKqepOKUoK4hrv8JUWRVT3mhGU53MZhCKNkQ+MiR
+p/ECWX2XGtDKxp5KPYpmInYS2GN5XOpC/KhRAbssT4az0dgRNk1kFHsHUDd1xzq6
+BYhw+Bz+5poWVcf0IUsqjtYt/lOc+1LxXWF6vg443ARf1FXP6TEvLHs=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem.certspec
new file mode 100644
index 0000000000..63c36d34b3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test End-entity
+subject:EE Issued by non-CA
+extension:subjectAlternativeName:localhost,*.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem
new file mode 100644
index 0000000000..b1eedea530
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6jCCAdKgAwIBAgIUM7VyNhRBbWRLG2FoCiuqSMtzfOowDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVjEgQ2VydDAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAfMR0wGwYDVQQDDBRFRSBJc3N1ZWQgYnkgVjEgQ2VydDCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaMnMCUwIwYDVR0RBBwwGoIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tMA0GCSqG
+SIb3DQEBCwUAA4IBAQAXC7B3o4sVsRB3uopTCMVOxj/Doueqkh0u0QGSzB5JaA1L
+ncJd8RNqfKpkwsSGF10ljmqYVU8yS2qWmswAIVU6tpGLMwqBgjqdpHtVUn/SLA3u
+p67uFwvkj+k0nM9g/y1Uy5P2wnsq0FzAklApWVM2ePsCtDPEQ2M5tVggGYeHicEy
+olOOWo28j1otCzACCJc11kBw80WmfGYl+/WUKWqHF3Mv4cBVJ53BRNm+ZTvzwBmK
+wMulP4DX0NMNeS8vQkL3GBlBpGXDsz5yOkYizib/M+U1zalW7WYoSdmUT477iSFu
+0NmUMXeRal7v+izGEVftwHFIRw2U80y9sCz7855c
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem.certspec
new file mode 100644
index 0000000000..9ed9b33db7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem.certspec
@@ -0,0 +1,3 @@
+issuer:V1 Cert
+subject:EE Issued by V1 Cert
+extension:subjectAlternativeName:localhost,*.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem
new file mode 100644
index 0000000000..da9948c82e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6TCCAdGgAwIBAgIUB4Wp0b3lv9F9ib3AeTvgSe1ehCIwDQYJKoZIhvcNAQEL
+BQAwADAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAtMSswKQYD
+VQQDDCJFbmQgZW50aXR5IHNpZ25lZCBieSBlbXB0eSBuYW1lIENBMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK
+tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N
+Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr
+sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs
+l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl
+nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyow
+KDAmBgNVHREEHzAdghtlbXB0eWlzc3Vlcm5hbWUuZXhhbXBsZS5jb20wDQYJKoZI
+hvcNAQELBQADggEBAG7JkRGPBAyJMbMMYaHXWDUUxiJOc4yIPC7ykNhhHGpjD+Y5
+zTwxsasl1bmwfu7CY0Lv0dAwGLUkZvoEvKV/PH4NtFN8XVauT/Yq0Zc3ZaADUUFV
+w2+HfFDIotGhLY1AFKqf4OCLzam5raYseTk5ogUu68ImPtxCC5HgE+EUpbfQurB7
+GQnxvXgfDPoBVYM8DKGAhkNJrhtO3naOH3181Au8fnYmaqvQeC7uXMPqph4pUZgl
+i2wUpg1z5XeAEAZhs5qBfR7YvKrDh13cud94rSeoEEr7hSIOUfkXuxX4dLMDmjci
+FqXlePARPBXNCbmdivysrKCZXocOS1aQiCOQHBo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem.certspec
new file mode 100644
index 0000000000..a99d84b79e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem.certspec
@@ -0,0 +1,3 @@
+issuer:
+subject:End entity signed by empty name CA
+extension:subjectAlternativeName:emptyissuername.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem
new file mode 100644
index 0000000000..7d4afb1d35
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwTCCAamgAwIBAgIUfQaeKSLdERUr8AYc1REkbyViS6QwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohR
+qESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+Kv
+WnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+
+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPv
+JxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5
+Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6
+clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB
+BjANBgkqhkiG9w0BAQsFAAOCAQEAnOQhNmRo+447vTeC4BzE03fSjmfV7RegozrU
+ZHYOJzetUmNeOYZ2hJfgRA6ZBWbI67iCKfazjVP7aWg0yAOD/0Zua6jkkXB4plAi
+O23XuUj3ZHMIRw//cuol7Aaiv4zkBQYCt6xJqnT/aXby6EANPqbMeO8GpemeZvfv
+Q5VIeDN+1gTiinDQO84HELHqmefZkrSuafNzdWn9AlgciWPviAqhSdTpdjlKAHHJ
+DP7dZ+vr94Z6stGkd74H6OqeGAAu4CXmlC4d2J+mBmbL6uVB4N7IXy4V0FSB9E+g
+DlL4oJVqRs8f797Ks7o+nJHrl3/kkyYKbwL+A/tjke/OV5ST7A==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem.certspec
new file mode 100644
index 0000000000..0a7cfdfd84
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem
new file mode 100644
index 0000000000..b72b8bf238
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDOzCCAiOgAwIBAgIUUTQl0w6xynABX6J3RLxwd5dmb6cwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMB8xHTAbBgNVBAMMFGV2LXRlc3QtaW50ZXJtZWRpYXRlMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+o3kwdzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBHBggrBgEFBQcBAQQ7MDkw
+NwYIKwYBBQUHMAGGK2h0dHA6Ly9sb2NhbGhvc3Q6ODg4OC9ldi10ZXN0LWludGVy
+bWVkaWF0ZS8wEQYDVR0gBAowCDAGBgRVHSAAMA0GCSqGSIb3DQEBCwUAA4IBAQAd
+YtclCaPr3EvDHKCLyZq0UiH8AIOdFC4Ii8t6+N1kn49R/yDVH2vQVzGAUGeZ8wNF
+x6WqNWOhzNuaWx3D+iOcg6wTM8l3HPphsxfltjaTccWCS+VU3DfLWK+BStdf2SwT
+zZYzaOtqphaCjD+zCmpEq/CipM5htDsj+ijfpGMbgm7pQroOj4RfS03Y27uy6bLW
+lNQ/LvmMnN9vOH4ahTdSf4TP6a7Q2rQqgwX4hSjLWqd2OJerVjrGc5xlwmh6FhQn
+ykhoFJsfuz4d/3N5aSugct03S1iLNVeA9RbeVokNfKB5AMJgZwhmCC2GSxhDIHPb
+V6NmrlAx9nedbGwRopc9
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec
new file mode 100644
index 0000000000..d5b5859672
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:ev-test-intermediate
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://localhost:8888/ev-test-intermediate/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test.pem b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem
new file mode 100644
index 0000000000..4bf9681537
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQjCCAiqgAwIBAgIUL2uvkW2WStYLtuliwgT2ffxO85UwDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUZXYtdGVzdC1pbnRlcm1lZGlhdGUwIhgPMjAyMTExMjcw
+MDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowEjEQMA4GA1UEAwwHZXYtdGVzdDCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaN/MH0wOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvZXYtdGVzdC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0
+CQEwHgYDVR0RBBcwFYITZXYtdGVzdC5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsF
+AAOCAQEArR4O8KOT7AloCUSNOW7fCdaXfTOPjnCfXb+lA3UdnMOJYodXRGevmn9D
++A0/M84FzUyc+CqOww7Qv4VG203P1Km6JAajtN5E8WUf67uh0onYdtNquaQsTJ9+
+adib+uYK3b/8XSHk3m6CUz8dbuVAdM/VPv7wnbPk2iQe23CE6BO/vHwV2nBqbIa/
+veucNZF4W5Loelb8wwvx15ozXIWScZHuF9IYjQdXsweZ96h++d3QY+iLp8JGMhKN
+Qtpfwo/XkvVbUeUhCpnUlx/oWzT/RjIRg8NoHUvX5rjQv8utRRTxju/yjnHh1HHM
+NavCexSqWF0hX69JoniwAVZb6sGIHA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec
new file mode 100644
index 0000000000..10f8022585
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ev-test-intermediate
+subject:ev-test
+extension:authorityInformationAccess:http://localhost:8888/ev-test/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.key b/security/manager/ssl/tests/unit/bad_certs/evroot.key
new file mode 100644
index 0000000000..1d88a930d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/evroot.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh
++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU
+dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H
+cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y
+1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t
+oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ
+5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB
+0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+
++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE
+vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9
+HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE
+MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V
+vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV
+7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH
+lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V
+jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv
+nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui
+p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ
+zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v
+4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA
+hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C
+pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV
+bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3
+mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j
+LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf
+UVFRDKpassHG6z7+kpXRbowlyRY=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec
new file mode 100644
index 0000000000..1a3d76a550
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec
@@ -0,0 +1 @@
+ev
diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.pem b/security/manager/ssl/tests/unit/bad_certs/evroot.pem
new file mode 100644
index 0000000000..13c3031905
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/evroot.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx
+MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/
+EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN
+RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s
+33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd
+Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX
++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+
+5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo
+UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf
+cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY
+Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH
+z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH
+HmbOwao=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec
new file mode 100644
index 0000000000..3121f3486e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:evroot
+subjectKey:ev
+issuerKey:ev
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem
new file mode 100644
index 0000000000..a7d657a970
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHDCCAgSgAwIBAgIUY9ERAIKj0js/YbhJoMrcLnj++uowDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAwMDAwMFoYDzIwMTQw
+MTAxMDAwMDAwWjAiMSAwHgYDVQQDDBdFeHBpcmVkIFRlc3QgRW5kLWVudGl0eTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAAaNWMFQwHgYDVR0RBBcwFYITZXhwaXJlZC5leGFtcGxlLmNvbTAyBggrBgEF
+BQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJ
+KoZIhvcNAQELBQADggEBAImiFuy275T6b+Ud6gl/El6qpgWHUXeYiv2sp7d+HVzf
+T+ow5WVsxI/GMKhdA43JaKT9gfMsbnP1qiI2zel3U+F7IAMO1CEr5FVdCOVTma5h
+mu/81rkJLmZ8RQDWWOhZKyn/7aD7TH1C1e768yCt5E2DDl8mHil9zR8BPsoXwuS3
+L9zJ2JqNc60+hB8l297ZaSl0nbKffb47ukvn5kSJ7tI9n/fSXdj1JrukwjZP+74V
+kQyNobaFzDZ+Zr3QmfbejEsY2EYnq8XuENgIO4DuYrm80/p6bMO6laB0Uv5W6uXZ
+gBZdRTe1WMdYWGhmvnFFQmf+naeOOl6ryFwWwtnoK7I=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem.certspec
new file mode 100644
index 0000000000..0a03bc36f4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Expired Test End-entity
+validity:20130101-20140101
+extension:subjectAlternativeName:expired.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem
new file mode 100644
index 0000000000..e03d862761
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIUY9VlD+O8GH3DRfxtYTip4pS6eBYwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoYDzIwMTMw
+MTAxMDAwMDAwWjAkMSIwIAYDVQQDDBlFeHBpcmVkIFRlc3QgSW50ZXJtZWRpYXRl
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B
+AQsFAAOCAQEANf+C+WsnAgYfISDS37prll2DOGYWKajcVZNzkScDzNGkK2s0c/td
+Mb+HXehqvYz20hT4wEwQZnPt9qMWH7bBEWiJfw85OINbKmG/i0gjZZDgbFMMdHvc
+j6BXJoxL0gAy8fOQyTDuMNX0NBJzSmWhzBsL99BHAWdG6XXQTzSyumiekc8ip4GG
+EhJvArbZwgIBigzdpbc/lQI0dR2qER0BUXamWU8fi2RuvQqtEi2ANjJHrWOillXU
+PR3j0F2LyvoiYlhiNhE1g3JH4VYZ+3eboRCrjel4J3rZHksN17r6+Fla1/YZdz2l
+nAGA5McLBKXYBVcARV4adXlBe1z79TiDeQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem.certspec
new file mode 100644
index 0000000000..38a0abd8a4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Expired Test Intermediate
+validity:20110101-20130101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem
new file mode 100644
index 0000000000..b9d08b9795
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQDCCAiigAwIBAgIUI8ozCyw0+PlX8kSh6xCqm1S+kZwwDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZRXhwaXJlZCBUZXN0IEludGVybWVkaWF0ZTAiGA8yMDIx
+MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAuMSwwKgYDVQQDDCNUZXN0IEVu
+ZC1lbnRpdHkgd2l0aCBleHBpcmVkIGlzc3VlcjCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNcMFowJAYDVR0RBB0w
+G4IZZXhwaXJlZGlzc3Vlci5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYI
+KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQAD
+ggEBADc3mhtwi4RO49fA5MWYiSDzLur0n6uvJFvLwrCFan5zb0GWCyJcvawUzxH3
+BpgNK7FmKeGPOE+mcjd35O3AgVeReWxy9RFXRAZsBThHZUGjEKi/D4kenNplg9I/
+x2DIjHlmjG9sDR2ibNo6pEOqWi2z+l3NcPpCvljJwz8FWms13AR4ns8c5mdjvBv2
+I3nvO/pezyaYVaAAV0h5EN/hQcTn1AuG/EAesigPAAg/ngm0QEJMfzvSX5z5M8Hg
+s1wUbkPXIcNCkuQ/tibM4xBeOmd6+pcXyhWywl8Z0SbVHfLlRHb72t8YWgvwZjLY
+YwAw1B7ii5wR+4I3ppmcdiKABok=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem.certspec
new file mode 100644
index 0000000000..855f454221
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Expired Test Intermediate
+subject:Test End-entity with expired issuer
+extension:subjectAlternativeName:expiredissuer.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem
new file mode 100644
index 0000000000..d9af1411c0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/TCCAeWgAwIBAgIUB1U85Lv+0j+a0CDGRThLAhFWSv0wDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOVW5rbm93biBJc3N1ZXIwIhgPMjAyMTExMjcwMDAwMDBa
+GA8yMDI0MDIwNTAwMDAwMFowGjEYMBYGA1UEAwwPSUROIENlcnRpZmljYXRlMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08
+E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc
+1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP
+DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ
+gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV
+YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID
+AQABozgwNjA0BgNVHREELTArgilidWc0MTM5MDkueG4tLWh4YWpiaGVnMmF6M2Fs
+LnhuLS1qeGFscGRscDANBgkqhkiG9w0BAQsFAAOCAQEAM0ukmmrbeVbEPB3KwnP2
+R1jHeTyVbRoQjQubHClDsoTQSD1evz3PWksfUE1D5e+jXC4DkQ8r9bgkYG1Hoy3A
+g7i5hvROwGmp99vYP/xXX8n0EXn2aQXXyGWImAIiGiu9Obn+K86Cc53jGOOQMjIo
+4cwvRdmVfxsPWupsbcW2RrZdyN1m+19SBAcGOH5jCwGfrEklUmmjxoMBYfFgBEiA
+39RJKN/H8mHaaG/pVBObJtgimGMigYJU8E44fY8YloFc6NSfzgwwlVuwfnj9PSFU
+/w2nZHpEwOZBdU4iUPydtAqUSEWZ8/GDzC2xg6SIzmQveFBp6BAQHg6udCTtZdSW
+tQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec
new file mode 100644
index 0000000000..b3d840fbd3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Unknown Issuer
+subject:IDN Certificate
+extension:subjectAlternativeName:bug413909.xn--hxajbheg2az3al.xn--jxalpdlp
diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key
new file mode 100644
index 0000000000..d43495f851
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICcAIBADANBgkqhkiG9w0BAQEFAASCAlowggJWAgEAAoGAANKbsS+4T93NKbOl
+GctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJaj7SBxZVNKqZ
+BX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyvbXvmnZoIMTbh
+WvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAQJ/PEllBwvzkMJR1aLFJ3xbX9C97oXK
+1/4rJ5grsoURSlBwBANq4c+K5Usl5Ns5IVq9fpA/YYwtiy8IzGzRLbzNciBeSUW2
+s984nl5D3goUi7LITiQx/b5ZILBEuycvRez/ByG337YDl/xhOp6jXCIwBTDK6PkV
+nFNN878JEJUZAQJAD58XWXyFuAUbnGmvtV71dsmW29CQR9DM3ludYOpcZ/5PrGe+
+gD9LasWj8FD3a5ZvsU9c8QV2HlrebdlgsYO6VQJADXtjcRLOYaVRaMD5yThvsnmr
+QMug1Ukza7plJ3JjqseCYRosgdm2Nc94xAAYhZ4BjF6QBtEuPS7m80bnn6QzaQJA
+Cf1smj6m6RrjIHD5/BwhD/k1L5e+XR7rlRuzloHp3FtnKlMiIbPYkAyanZm50KTh
+AtxFDKG4ewsTid5lFsCuDQJAAUG4MkkbfdSoMwiSACTHnK5kvUR9+IO7TFZyqWur
+SLcSOzTyYyRFLNzrF/IeVw40fL4v1MLY+ZEOrCy22JW4yQJABFjdau4YyIsvm4Hx
+vDB1riDcH5lz0gck8gsGBD1hR8h4nUoHroi8gshDjIk+AXsTlH9i4LGJWKMetmSx
+nmTT4A==
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key.keyspec
new file mode 100644
index 0000000000..21ed73d60b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key.keyspec
@@ -0,0 +1 @@
+rsa1016
diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem
new file mode 100644
index 0000000000..6725f9e566
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtzCCAZ+gAwIBAgIUIREXOabfdCGvGyDuQgOBkzu20zEwDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowKTEnMCUGA1UEAwweSW5hZGVxdWF0ZSBLZXkg
+U2l6ZSBFbmQtRW50aXR5MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgADSm7Ev
+uE/dzSmzpRnLZsQ7jY+L5UW6eThM5mPtA991mRYA65IHkNJTDOzlRNuZpx8FiWo+
+0gcWVTSqmQV+R8R+O8ga2m+h4S43JotQRqVSaPna18y0hdgaLhnVDU8LaFSsr217
+5p2aCDE24Vr6j1PByMhPxgdyed0OVdc2mlvdAgMBAAGjZTBjMC0GA1UdEQQmMCSC
+ImluYWRlcXVhdGUta2V5LXNpemUtZWUuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEE
+JjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3
+DQEBCwUAA4IBAQA0rIC1XkHz6blfEbgKH79ausj4LhJtZHWVSoV1bAHfeSHoc97S
+Q1UMai44eoJVBNdSpzZKr5yIu4xXFGkHUxG8JQ+TWpfaABs9V3ZpfCNjHkgn9fM1
+aBX0+cnyKE/e9k3FkQaIXBEBzXC/FM+F8eOXCucPWAWJIml31/TIteh3FE0P4zUP
+kK8oqiRdG0flBxXoc4ZL4lekpq6SmZTKSrCxNZbFGUkANgxmtfRMhHZKpA35BqCv
+JhSqU4VuYlBNq6c37yNK/5XD1QV0UpmhofKVRscqBl7bPJP/vqskogU0U1/6EQcf
+MadiPI0GKVvPEwaBKl10jxhFaCtvRSyLTQBB
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem.certspec
new file mode 100644
index 0000000000..02b595dc9a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test Intermediate
+subject:Inadequate Key Size End-Entity
+subjectKey:rsa1016
+extension:subjectAlternativeName:inadequate-key-size-ee.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem
new file mode 100644
index 0000000000..8374c1399b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQTCCAimgAwIBAgIUN1pxcl/u0+W9JsxKsrvr8nDaWdEwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAvMS0wKwYDVQQDDCRJbmFkZXF1YXRlIEtleSBVc2FnZSBUZXN0
+IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjbjBsMAsGA1UdDwQEAwIBAjApBgNVHREEIjAggh5p
+bmFkZXF1YXRla2V5dXNhZ2UuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIG
+CCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUA
+A4IBAQBWJJ77vwC6xBIh2ANYJ+kthp/f4Hz9YxZko5W0TSoeTwNNnQ5SorZ5h8nQ
+9fr471N4RvK1knH2dCR8fqlyJmf3sW8QQuHpKHHq6AaDbxXABRIGKC/k+Ykc5xdG
+G6bI/+AlUmjN6fiRCL5ffL5WNXVq4b3edkOvfeKUxiCwoamOy7F4/fMBf+SB/D0+
+05n9tPJcnhll0ah2J0Cw8jiMOpks7nvzU31biKx06gLFwFwAIKTt/xih/nQZAhbq
+m8UP9q1l3UwGxnHZ2r1K+zpO7sYwXk6TAK+9lKcJTheuy4aK1GE/czU/9BrP9WR+
+N/9WVK3KTS8r4EtrybjHMKUaS00V
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem.certspec
new file mode 100644
index 0000000000..4d553890b9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Inadequate Key Usage Test End-entity
+extension:keyUsage:cRLSign
+extension:subjectAlternativeName:inadequatekeyusage.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem
new file mode 100644
index 0000000000..2269f4676e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0DCCAbigAwIBAgIUPT3TDbFEvyL6hxMsXXAnhbUEvXAwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAUMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk
+e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg
+KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI
+YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi
+lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL
+HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGDAWMBQGA1Ud
+EQQNMAuCCTEyNy4wLjAuMTANBgkqhkiG9w0BAQsFAAOCAQEArvYJZIHcejci3ZW9
+BhYUPn3jv/byMmAvSzPHxy9AJk9ZEITGceiEAB/G5MUaG86/tuSmK2x50kTjezll
++KF4PWKjdzgUHUbQD3tgG4gc74the675k6xWAH9cCn9e1ZYX9vi7zEUPxFlKQnAa
+SsnQQRobrLNoZsqJQ6tqui6lPvZ66jpKFDSFLE7FMfTYKLJJhhTsROCX4OY4YkUb
+zXmozzMk1yK0Gy91x1IoqWl8Eua42TeM5klGrt4r+U6pwA8JsMXMusdmvZXwZYJS
+1LFqRQsSLFxDqFicpJDvXp6TT9Z7TG/z2gdFPH+e+G+pdNQmVnm66SHmfRpf5JiO
+F9rdOA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem.certspec
new file mode 100644
index 0000000000..7662338470
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test CA
+subject:127.0.0.1
+extension:subjectAlternativeName:127.0.0.1
diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem
new file mode 100644
index 0000000000..3f373d09f7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNjCCAh6gAwIBAgIUGUp8qIucVUZ0D+cPoEILDVfteu8wDQYJKoZIhvcNAQEE
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoYDzIwMTMw
+MTAxMDAwMDAwWjAvMS0wKwYDVQQDDCRUZXN0IE1ENVNpZ25hdHVyZS1FeHBpcmVk
+IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjYzBhMCsGA1UdEQQkMCKCIG1kNXNpZ25hdHVyZS1l
+eHBpcmVkLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
+aHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQQFAAOCAQEAYMtZZk0A
+c3xvnK0PSwNxsWidAdOEY5uOKJTPT1LZFUQsNHw/2f7csfDneTeLNoCNKH7LPF3t
+J+zwUMzq1Ut0vIRSs5r84P7LK7KaBRrSwWPSnTP90X4VX3IVIQ7dbwTkrlUaRzfs
+B4Pqa/p2GVuvrLmbtmd2SDw+52GubJYVOF6u2s4KKgUGhHWtegzQOsVKTFEOoqBr
+X3yDEJhK7M82NMiGtq3Fr5F0sLD6DuGL0Mm7ei9junSLS4sH0M+Hac2BVmXwYNTS
+ekKzyjmZ1TYRlo2sCgYyYfCLcTOswG7uVHLU+ie0+Dbaik2NcolUgFNnC7Uk3E+t
+DhSRNeOtKglSxw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem.certspec
new file mode 100644
index 0000000000..e4c2b7008d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem.certspec
@@ -0,0 +1,6 @@
+issuer:Test CA
+subject:Test MD5Signature-Expired End-entity
+validity:20110101-20130101
+signature:md5WithRSAEncryption
+extension:subjectAlternativeName:md5signature-expired.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature.pem b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem
new file mode 100644
index 0000000000..c71d1b4c02
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDLDCCAhSgAwIBAgIUF9VdXuc6cyMkwLE5QkiaA5XGPGgwDQYJKoZIhvcNAQEE
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAtMSswKQYDVQQDDCJUZXN0IEVuZC1lbnRpdHkgd2l0aCBNRDUg
+c2lnbmF0dXJlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABo1swWTAjBgNVHREEHDAaghhtZDVzaWduYXR1cmUuZXhh
+bXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9j
+YWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBBAUAA4IBAQAKDmz3Jd/rFPskUruCHHHb
+GnWoyquul7YYH69Mxro9u8kfB0apfPzTUjdaXNVPmJn201NsMZQsooR3w7WvKw+O
+WwZULevf5OBDuUUltHES6YDHZbUSPyzG9TDEruQUtFdhmAe+r0xrdacdkI391Pzv
+ORdY3x2v3esRJY3DwbTdufKcqmQ0cmiMPRLGJsMBFjmvQdBFBB+iRtp9Jf+3shM2
+M2ZgKMw+gepEX23KXpJcdXI/s8SZhpO1xIzxwcH8sXM+JV7OpfecPfmrylTkA7BX
+PgeD0Aj/BEtEQk4K+HgHZvriHNiukhCwGf/Hh7r5b+zothSAqAGD0iIwnXpja25B
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem.certspec
new file mode 100644
index 0000000000..02742d910e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test End-entity with MD5 signature
+signature:md5WithRSAEncryption
+extension:subjectAlternativeName:md5signature.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem
new file mode 100644
index 0000000000..d5782da2cd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDKTCCAhGgAwIBAgIUXWNmi3NOMsq8iBKvohtG0kX2YFIwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAwMDAwMFoYDzIwMTQw
+MTAxMDAwMDAwWjArMSkwJwYDVQQDDCBNaXNtYXRjaC1FeHBpcmVkIFRlc3QgRW5k
+LWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaNaMFgwIgYDVR0RBBswGYIXZG9lc250bWF0Y2guZXhhbXBs
+ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCt7JzZlMgD/ZHZobiGxcfE/EPQ
+/V405Xu7DGdTJh5cTiFF1h3sQl06BfrCEAo0yhOrpPyMtmhTI+rMyF7PvFWZMQ89
+bk9y4cZ7jG1NEd6B+jlYfD4mFbLR3AbMEbf6QVjYDK29+XnjnhvczT5NPPl8g7rF
+6y1FhFcFMTGiGZCOyhCz0nXbG/LpP/alH+WucXRdpMLUQbEXEDzWOq5WJ1ZPS556
+2Ouurfr1mkydAlXCGc5RYPVLRY48CwX2z+kfHRnF4TCb3ck5oOlqabP+bc+HD7EE
+UgEEdnE6zpUs1D7s8C8Mp89LUcXx+s51/ZUQvGE4btBMML0lNImwwbqxbv02
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem.certspec
new file mode 100644
index 0000000000..262f08d6be
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Mismatch-Expired Test End-entity
+validity:20130101-20140101
+extension:subjectAlternativeName:doesntmatch.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem
new file mode 100644
index 0000000000..b70a632693
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDLzCCAhegAwIBAgIUcYUtGOYg2nrx/OAYr+cxTZVbv34wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDMzMDEwMTAwMDAwMFoYDzIwMzQw
+MTAxMDAwMDAwWjAxMS8wLQYDVQQDDCZNaXNtYXRjaC1Ob3QgWWV0IFZhbGlkIFRl
+c3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI
+UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi
+r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x
+fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD
+7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv
+uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj
++nJRxDHVA6zaGAo17Y0CAwEAAaNaMFgwIgYDVR0RBBswGYIXZG9lc250bWF0Y2gu
+ZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8v
+bG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCu5v5Saw0htF59xmKf
+CQJ7YI4M/TvuNJjhVdwq5phvEw3k+qweEdpLHERGu4nrzyDTMKqN8kXO6tXUspnh
+LpXCvmaDLNxx/UyYofWslqYqFwM4vQ4l5QEUriR1ndMN256ELRSx2cEpWCi9xHMb
+1cqB12ulLMCpitmK+NXpflViZy7HliTQOCdwhLPDNWRKsRF85EHOuFzcx4uqfWdw
+5zwA0zVOYG21fyY51bhy4oy7HjTWUOrGi/klwzz2TEDTUX6nRHYagrFxO7C1GMlg
+pe32InUfLU0rR8G9lP/tSug8HawSH/TCE+63jo2BGWaIYGSd+k11QzU+CsT15+A2
+tbAC
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem.certspec
new file mode 100644
index 0000000000..947eb7d678
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Mismatch-Not Yet Valid Test End-entity
+validity:20330101-20340101
+extension:subjectAlternativeName:doesntmatch.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem
new file mode 100644
index 0000000000..4902855da5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDOTCCAiGgAwIBAgIUO1bWrdrsbGfiDSe6i14vOA3vWsIwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoY
+DzIwMTMwMTAxMDAwMDAwWjA1MTMwMQYDVQQDDCpNaXNtYXRjaC1VbnRydXN0ZWQt
+RXhwaXJlZCBUZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9
+sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5
+TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7
+xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd
+tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l
+8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjWjBYMCIGA1UdEQQbMBmCF2Rv
+ZXNudG1hdGNoLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAlTFY
+rHGARngEHz3XEngdY1E3hf2GdITTHssgVRvpW3IvNmUJDhk3zVqvjb2hIVDmxFRv
+ad7yCKK7FQum2A1MKZh/Pl7ylWv6vkdtB8HSg9F5qYifyUD/XEjYp3uSrfAXW7Pp
+XHZHgBR6nlOB1EpAqrLtpEjxMX6F0fcXClOlWf0UsPLv1M6JvPNns/4tbHBnrhfm
+e0DqBMfZIJV7x633eZhpLQmOIA27rZtpElWZsA6Gtenl3szr8mpOgy3hxuEs9oFn
+cigHg2ECzaOKM5ayTP0dc2OVbVgUX/2doF8pGHiIKdsThYNLNEOioBZjJhQlreZE
+K67bzkMDhLQmMBUMtw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem.certspec
new file mode 100644
index 0000000000..adc8ebaf8b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Other test CA
+subject:Mismatch-Untrusted-Expired Test End-entity
+validity:20110101-20130101
+extension:subjectAlternativeName:doesntmatch.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem
new file mode 100644
index 0000000000..bdbd0003c0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMTCCAhmgAwIBAgIUI0pSyZahDeLfI4OrlVIzuliNY6owDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAtMSswKQYDVQQDDCJNaXNtYXRjaC1VbnRydXN0ZWQg
+VGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby
+a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC
+D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT
+iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT
+Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+
+SSP6clHEMdUDrNoYCjXtjQIDAQABo1owWDAiBgNVHREEGzAZghdkb2VzbnRtYXRj
+aC5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6
+Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBABwg1CM4xUgHVS5v
+VuYG6xH6YskAdK2L2G2E+M+4pp1+1vGt377o2B8PIhIpJ2lyf37PMn2DjpsgvB2T
+lsl2IJpCa0WD0c6Wh+PzVF3B0rP7QtSdHGLIVbHYjRS6RtrC0tvleQaJF9KBTV2O
+3mUSs5o4LW9brR2aFnoWBY6iENwdme/bttHZxivMnOXHK8nCC0LUVEO4lEqYPojo
+oqFzGPHIdWNHF82u67zys6uZ4aVDZgPFeiOG/B62rhHivAv5am7FXWWpIJv1SKTR
+SW6LElRNpgMxvjvjOfDfbGIpUw2H1QRIpWvygr7fdEYWr27x21UdaEwlZHE2yBeN
+4OsHD8E=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem.certspec
new file mode 100644
index 0000000000..91c5f548b6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Other test CA
+subject:Mismatch-Untrusted Test End-entity
+extension:subjectAlternativeName:doesntmatch.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem
new file mode 100644
index 0000000000..fe0a029e2b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQDCCAiigAwIBAgIUQ8LmhXEMu/AAMhyTo605M/H4j2YwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAjMSEwHwYDVQQDDBhNaXNtYXRjaCBUZXN0IEVuZC1lbnRpdHkw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
+PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
+9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
+4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
+exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
+ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
+AgMBAAGjeTB3MEEGA1UdEQQ6MDiCF2RvZXNudG1hdGNoLmV4YW1wbGUuY29tgh0q
+LmFsc29kb2VzbnRtYXRjaC5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYI
+KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQAD
+ggEBAEsOUlth9scSnOZ6d4h1kkf4G2bYfkStM+DHB45DYrAYr3a8l1oHfnPcXhvN
+XMnT53sQ+BkTbx18OSlqo4ZSCbPPaJmHGNsqwqMMeCHDtE2do5uwimkT75Pwy9W+
+1LlTYOoRb5Ys4kY8ObpkhG8YM2W/mnQD6A70iusXaMyCiiP1fXdAPW8m2ltEeVne
+mz8PxwI+opq8/9m+IBcX/cXyoec062cUU+FibhpoKXxPtSGSVEbxw2k8gbndHIj5
+DIbcyZwJvzb08dkYWKjwQ0tgGOUzzgvXTa8gEp179LaWQPsyxGRQdSmv/6WVijpR
+7okOenn54XranHx+ObMSdNwKC24=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem.certspec
new file mode 100644
index 0000000000..b93599fc88
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Mismatch Test End-entity
+extension:subjectAlternativeName:doesntmatch.example.com,*.alsodoesntmatch.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem
new file mode 100644
index 0000000000..2be28b8a9f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxDCCAaygAwIBAgIUaRjrHyGMBM67Q2Yf0pUNtNJYgHAwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAiMSAwHgYDVQQDDBdkb2VzbnRtYXRjaC5leGFtcGxlLmNvbTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAd0ZB7G4WhIDaiyYcP2quL3AoqbudHoo8
+0gHA9vAnoGDaOdjlcornKAXyyA0qrUNxmxKS3WavOZnyeCeu+2//nHJOOORRqUC9
+5b+8neKnuRFcTYGW4iS7+cTbHWWYdLH5Mmef/xfcEiGWsV/+pxNdCGVBf4eOK+mk
+0UqqcaOaO4HlC0mUyP39GR/WBYNMbtswAwqryAyXcBuAI5sq9vh4u9n+s+RMWUmD
+3/bBtz9Bff/9ClWTJJMZt8CQoZ4CoA7zowTbqLvf5NpQ96bzbX2Z5qTEh7sCb5zA
+mebrXm/pOBI9zTFYxqUMIwtGAbRZRfwHQBkQhMO3m3gKXu6tbWX2sA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem.certspec
new file mode 100644
index 0000000000..86ef45b7ce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem.certspec
@@ -0,0 +1,2 @@
+issuer:Test CA
+subject:doesntmatch.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/mitm.pem b/security/manager/ssl/tests/unit/bad_certs/mitm.pem
new file mode 100644
index 0000000000..29181ab095
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mitm.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+jCCAeKgAwIBAgIUU4/FdNL/Ag71+mAHWRYV1h6cRF8wDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOVGVzdCBNSVRNIFJvb3QwIhgPMjAyMTExMjcwMDAwMDBa
+GA8yMDI0MDIwNTAwMDAwMFowMDEuMCwGA1UEAwwlVGVzdCBlbmQtZW50aXR5IGlz
+c3VlZCBmcm9tIE1JVE0gUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab
+bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts
+Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI
+H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8
+rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX
+Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMfMB0wGwYDVR0RBBQwEoIQbWl0bS5l
+eGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEABA5ake5/3963f88QiBP87rs/
+2jnsI8uly83Jk7tw9xvAR7H6OAdcj/FCiTvYwlPPUcUKdEZVwrRk4YJnklAqtCiR
+9Li+i1g9ZbP2m+bIjJhg6vxQkKM3UeM17xERM7RdZ9o7axGozAmMl09gBGvSUVbD
+H2DsimUcD3iRjGyA9PH/IAOvCPK2Y5e6KyrrtqDgpgY4uMPMZq7P5spqf7DkLrW3
+TckaoxbyEiTy/EhwVmWS3AWHA7PJmD7BTUs6+m9AXnnHy4NjPQfAMALBhn6lCHe0
+QbxomBFUE/VvCk1mz9aPJvYRIl4zscMgCXTEbVqhnXck8b/GAs1xsrmvSUiVtw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/mitm.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mitm.pem.certspec
new file mode 100644
index 0000000000..1439391f1b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/mitm.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test MITM Root
+subject:Test end-entity issued from MITM Root
+extension:subjectAlternativeName:mitm.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem
new file mode 100644
index 0000000000..daba5ce3c2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAzCCAeugAwIBAgIUe4uQBKpHl7C9PFr1wsXlC3MT1N4wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjApMScwJQYDVQQDDB5FbmQtZW50aXR5IHdpdGggbm8gdmFsaWQg
+bmFtZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAGjNjA0MDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0
+cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAe1q3Kik/TDQW
+xhdRwHXBY+H5vwT6oWRNHj3KPH/fOwjNpSy5yEO0UIKDPzGzwb8yso7HDk+W+SrO
+n4Y+O6nRJbA+qU2ntCyzD5FfAuRqSuT0v6dVnzzgCOFtqwctr3W6CYAxMBm05shl
+kJcvW0mU7sDvVTQLWU41AAHN7UBHHK57rJIqJEvBIJN2hGm3yhEfj/XceAuFx33a
+fiZ4hUtYBlkrrbl/lVw3AwB0DDGIkngOShK+eSRmXtXd8anKtzKkMHAVDhn9/dFh
+FNI0R/FLdKo8Jb7DSXdBCufRwnHeZjeyzm4hWIofI2x+ibByQDYTOphv0YcDDoR5
+zlyArDIhog==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem.certspec
new file mode 100644
index 0000000000..87088e87e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test CA
+subject:End-entity with no valid names
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem
new file mode 100644
index 0000000000..79cc10aa68
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJjCCAg6gAwIBAgIUH+AmYB0Pf6g+gBjtVqu94DStb3UwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDMxMDEwMTAwMDAwMFoYDzIwMzIw
+MTAxMDAwMDAwWjAoMSYwJAYDVQQDDB1Ob3QgWWV0IFZhbGlkIFRlc3QgRW5kLWVu
+dGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u
+togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6
+pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL
+KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq
+fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv
+Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za
+GAo17Y0CAwEAAaNaMFgwIgYDVR0RBBswGYIXbm90eWV0dmFsaWQuZXhhbXBsZS5j
+b20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0
+Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQB1xgChilLhS38NJG3FU3vyD8LN3uGV
+wgzFB33egzO4s4GkPK5zjGpkyQG0ofYFmlbP8NpVrjKykbhbgusdvsZOknuPBBAJ
+jgHDrt5fdT4ah7xlRr+o4KC8RpYOZ8pGy6eoheCZZdNvhV3cDVxYWrkFZbdbtvw9
+YqqgpgiFx/j85ZqFudq/ApdMwcueZWPjmc47Y2fsTtrqO7rVVtX9FrG4O3BWcrVH
+5RJpwN5mBsC//zNhhuvaGNWZB3XGNH0wgxEweI+cpfufWHnshJFKoEESJBrdHywz
++kuH3ha9W3JwyorON9M7uduDBdUBsjwjwLpYLd+Saie6X+XjROrGYe8f
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem.certspec
new file mode 100644
index 0000000000..5b60c29ebe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Not Yet Valid Test End-entity
+validity:20310101-20320101
+extension:subjectAlternativeName:notyetvalid.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem
new file mode 100644
index 0000000000..0a111582bf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6zCCAdOgAwIBAgIUW7kXNYkW5OLObAOtdMQ9uL8FHUkwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDMxMDEwMTAwMDAwMFoYDzIwMzMw
+MTAxMDAwMDAwWjAqMSgwJgYDVQQDDB9Ob3QgWWV0IFZhbGlkIFRlc3QgSW50ZXJt
+ZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB
+/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRx
+CHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMC
+OosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdm
+Wqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGz
+ey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUD
+rNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq
+hkiG9w0BAQsFAAOCAQEAJgm8BvVnIEy9uGjgTxLcNnIoOZeLgQ9CPrNir6RHzGIK
+1hIHcNCDdC2mDc9DvyQ8MQPzJvAiMAOvo1v8yHDijC/mmYi6hTGuC6hDxF2YHKXu
+8VZZOSMdaE9pkKUQ8sckzKMS+Oxw8EJOV7VeW/WZsSLKSpba0qAioae7wEBMg0QS
+0Mp72+l4nMMUG5T/gzea6gy/nGTb0ghV97K1r5jekFNuy1pZZbKun9lLd9KJNmEs
+XiJCn2M7Ce3nEhJfaJcDmz9sde4HOlJ/BVLV9ljkOL2cQ3TxdEkLT9/Unp9dmcLo
+1sdvWkwimWiKT3XAs6Df64uM4GYl3PqPH5tQmUyPFg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem.certspec
new file mode 100644
index 0000000000..8a00f2ee23
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Not Yet Valid Test Intermediate
+validity:20310101-20330101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem
new file mode 100644
index 0000000000..1fb6797b43
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUDCCAjigAwIBAgIUfcJn/g+oQNFi8fCskf4b5iUfOVQwDQYJKoZIhvcNAQEL
+BQAwKjEoMCYGA1UEAwwfTm90IFlldCBWYWxpZCBUZXN0IEludGVybWVkaWF0ZTAi
+GA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjA0MTIwMAYDVQQDDClU
+ZXN0IEVuZC1lbnRpdHkgd2l0aCBub3QgeWV0IHZhbGlkIGlzc3VlcjCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
+SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
+K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
+bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
+JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNg
+MF4wKAYDVR0RBCEwH4Idbm90eWV0dmFsaWRpc3N1ZXIuZXhhbXBsZS5jb20wMgYI
+KwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgv
+MA0GCSqGSIb3DQEBCwUAA4IBAQCBdqR1GuJPvGxqGIJ1LxBnXfO7hd7uwJhPavoD
+8I9x+c7xy3avQat3GgC+IeWUTp7yr5VVNf/XXfi0nDo1RCiD10QsPVJ4FIXJi9VS
+pIorZQBorqAYmpEzV57wTvoIAJGFZLqBrgLZjQQU9x3TmnH0rm30ZMKWNxQTflSt
+PdqIw9twMtJ1SvYEFpaGHakCWng6bdwC31E4b8+6MD90vsA/8/p7T3HQ3CmDRa0c
+3jTKZZ2QF+bqYzSxw3M190UE2hJVj61WHnFodkWUF0Zye/e3EsVlIt9nPmjPQVSS
+BSMXf8JdX88ozxwbgDyzdBpKY+c7IEpow1EOwbTyG907vkFs
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem.certspec
new file mode 100644
index 0000000000..d8420898e7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Not Yet Valid Test Intermediate
+subject:Test End-entity with not yet valid issuer
+extension:subjectAlternativeName:notyetvalidissuer.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem
new file mode 100644
index 0000000000..4f3dba1d61
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgIUX1ns5qA13/2mu4/kkB99AW7E32MwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAeMRwwGgYDVQQDDBNuc0NlcnRUeXBlIENyaXRpY2FsMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+oz0wOzAjBgNVHREEHDAagglsb2NhbGhvc3SCDSouZXhhbXBsZS5jb20wFAYJYIZI
+AYb4QgEBAQH/BAQDAgZAMA0GCSqGSIb3DQEBCwUAA4IBAQAzZtCyx0wSezpVnRYF
+stt0iAJyTPXPQNppz30cACWIEGPf88CvlYN/4LLFVRZ1Q1IuRghChDIYSv66qGt5
+D9RZRPzMhJ9FyQbh7UQ8pgSa6MoyaALLydACO7yZQgl3VCFEOzTsYwgasrJ0xK5I
+670hkVIPEDlfUxs+afvq0uzdJnuFpI3BdlSmAs9+EK4t5Dh+1msuYmdjl2D+7BRS
+SW7UTLB7EskZtWTNBGmhsIC7sUOamDlUYVbjV3Dt3Q/845sl/a9lsNZawzxzEn6X
+oPorbWHwvplhtx8Z4xa/d7PgyN/11x0HB/wT/oNLfWkDuas73ObfiPS3ud0NuyTz
+1VYg
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem.certspec
new file mode 100644
index 0000000000..b236bdea47
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:nsCertType Critical
+extension:subjectAlternativeName:localhost,*.example.com
+extension:nsCertType[critical]:sslServer
diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem
new file mode 100644
index 0000000000..58271b08ee
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMDCCAhigAwIBAgIUd+v+QT/3riqABXPmtHDCRIIxatYwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAvMS0wKwYDVQQDDCRuc0NlcnRUeXBlIENyaXRpY2FsIFdpdGgg
+ZXh0S2V5VXNhZ2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjXTBbMCMGA1UdEQQcMBqCCWxvY2FsaG9zdIINKi5l
+eGFtcGxlLmNvbTAUBglghkgBhvhCAQEBAf8EBAMCBkAwCQYDVR0TBAIwADATBgNV
+HSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAKVajR2vlz1QcIzlK
+B23stAjqBtcf+DJI0bwSNWjfJ02fugSDo2H1tTQlNjzA2ayqkMLKdB7Ku7GFrz3U
+VX2Xx0iMeaCumQdETIdEz2MhtlStPQcTZ22t4Pb9sMFZQmyeTMH6cU831myosyGa
+LvGDYQMHIpml9XIi4gqLzyLQI9rshlsgvKN8vp0nyAERQYjw26x3U9Od6jYZzeOm
+73E8KJ2zLOMRbxzz0HjeEkxCMcSjW+AdXL15w/d0B7+Uw2ZdFRMOGtxnwf6F9bgM
+l5uCj5D3hsdfhoAF6sPHZDKGK+TbO0ZGjpOXRAZsTEN/jsR5evRN0lIE0vJ6dSHA
+N1uLVw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem.certspec
new file mode 100644
index 0000000000..0ae63e20f2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem.certspec
@@ -0,0 +1,6 @@
+issuer:Test CA
+subject:nsCertType Critical With extKeyUsage
+extension:subjectAlternativeName:localhost,*.example.com
+extension:nsCertType[critical]:sslServer
+extension:basicConstraints:,
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem
new file mode 100644
index 0000000000..3aa7d7c6c1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDADCCAeigAwIBAgIUCQTyCes+6a+Y+69OlFxl12IzBpswDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAiMSAwHgYDVQQDDBduc0NlcnRUeXBlIE5vdCBDcml0aWNhbDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAAaM6MDgwIwYDVR0RBBwwGoIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tMBEG
+CWCGSAGG+EIBAQQEAwIGQDANBgkqhkiG9w0BAQsFAAOCAQEAqYcAU8y2+5/Wfl3F
+ERZGxefQeivQXfa4pZg67fiN2Y0rNWodmTmOVlqFyBVwTO3q2Y63SBI/FyIB7dzV
+wUPW0GHk3WaGO7mOXB5H2URqlrdXJh/Tn7hXUHq+85tr3TgysWsJJZ/2CCve2OtX
+Jr1F3XiPvtHnHyKz8vONQrkIx93l+uSh/Jjr1M4Y+96XOgRLe3UBQ0KzWZVjeyP5
+i3yS4bZbNUyjk2uYvniY0nlJo0pSpD9tXLMiTrc0rSAj/0uvxI216YI0CptvypHY
+/G/U2ZTvk96bmL/9zily1tmmjZT+tznnzTnsTSszPBzkU4gpJ3avWnbBxoC76JAN
+bf9Uig==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem.certspec
new file mode 100644
index 0000000000..a44a1feeef
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:nsCertType Not Critical
+extension:subjectAlternativeName:localhost,*.example.com
+extension:nsCertType:sslServer
diff --git a/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem
new file mode 100644
index 0000000000..f4ee143e74
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDfzCCAmegAwIBAgIUUTjaq6eT9McB+Ix6ki/STTQfzwgwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAnMSUwIwYDVQQDDBxXcm9uZyBDQSBQaW4gVGVzdCBF
+bmQtRW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwXXGUmYJ
+n3cIKmeR8bh2w39c5TiwbErNIrHL1G+mWtoq3UHIwkmKxKOzwfYUh/QbaYlBvYCl
+HDwSAkTFhKTESDMF5ROMAQbPCL6ahidguuai6PNvI8XZgxO53683g0XazlHU1tzS
+pss8xwbrzTBw7JjM5AqlkdcpWn9xxb5maR0rLf7ISURZC8Wj6kn9k7HXU0BfF3N2
+mZWGZiVHl+1CaQiICBFCIGmYikP+5Izmh4HdIramnNKDdRMfkysSjOKG+n0lHAYq
+0n7wFvGHzdVOgys1uJMPdLqQqovHYWckKrH9bWIUDRjEwLjGj8N0hFcyStfehuZV
+Lx0eGR1xIWjTuwIDAQABo4GtMIGqMHQGA1UdEQRtMGuCKCouaW5jbHVkZS1zdWJk
+b21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5z
+LnBpbm5pbmcuZXhhbXBsZS5jb22CFSoucGlubmluZy5leGFtcGxlLmNvbTAyBggr
+BgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8w
+DQYJKoZIhvcNAQELBQADggEBACq2BJPXiEEa2S95CPlJuTxEZMyzrrWWhdEHsLHP
+raOfY3Ct/XziwlYO3CJ7NrVGfrHmrBbROLqenbXLD0HwQp/WxY61fOIQeALVZmCU
+sxsDYiLhdFTyT7K/vd33SW+Mq2+L6yWr8B6ElSidNCnQdExcnROkwy8mjPEitq3o
+2iEDBeCfVG3aOo5AxW/JJFeusyRU6+Jo6voM2mpzpTVjEx22SoJBORon4knQsw42
+OjyD8SeU2n7Rwq5biDHQP+y8Gx7bZt5UFIaE/nLP7Hn+8NQau8bJihrK2yCdKJCK
+VKx9rPxi9I6txANEx33WCzlxq5Bi8PZHH6aduLGofTFFNR8=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem.certspec
new file mode 100644
index 0000000000..a905a66ac2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem.certspec
@@ -0,0 +1,6 @@
+issuer:Other test CA
+subject:Wrong CA Pin Test End-Entity
+issuerKey:alternate
+subjectKey:alternate
+extension:subjectAlternativeName:*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com,*.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key
new file mode 100644
index 0000000000..abde350c28
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBdcZSZgmfdwgq
+Z5HxuHbDf1zlOLBsSs0iscvUb6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBIC
+RMWEpMRIMwXlE4wBBs8IvpqGJ2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzH
+BuvNMHDsmMzkCqWR1ylaf3HFvmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZm
+JUeX7UJpCIgIEUIgaZiKQ/7kjOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW
+8YfN1U6DKzW4kw90upCqi8dhZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4Z
+HXEhaNO7AgMBAAECggEAfj9tfLg572auXX3ZL/VBC7NB3BRyjTkDRXDho3B5DzDw
+aBNV//QeKtTpqdn86/vRJ736uMAK/7Hzzqcyfq1HqhYh8qwe4UygLwSzsnhgF5gL
+GBpEnQOwPmnRErg1ceVUNPASBWV10oMu1nMdznmeN8g/bVHFWrcetYAVrwXhrxXH
+R2A+9/J9A6b/BJ2Wu/hUweTlDvWwWND7CBgOCsf3vo8v8Wc9l/yeVduoOAd7v4p8
+/ylihXeFJpzZ1brStXRp5K/NM8TKLS9pnxHnyPvc1ITwjY77ijy4qXLrJL7Zcu+q
+5LtxIJPkj+lKRutimodQeMQCGposk8mnA5Dp0KVEAQKBgQDmP8clprp2klp/+MtZ
+xPVt1+yD/oW/H1PhHKyagSWLz8CugZB3sPLRR3qvho3mqOy+r3uyKxlvKprYLTKG
+8NDMKd5xnl8r6OUJtyhNWWPt02L5J4h6TEqJeZ00DVGzAax2AasnF5Ak/KrdOL9l
+Iq9j6xZGHsAqfyewb+Cd3afAoQKBgQDXGLH+n4+Z8A6DKuH73G/iqyfzTgScSYAQ
++g63CEhSGCNGCDtclsPu5VksAUpBDGuTCxZcE7XCaqMurG58klqFUcJRNPL0pyxk
+IfGacxSKDt+rpdOmiIs1y6GMAP047lqvC1RXMdcgdhu8ze50SlLKQV6Y5N4Bzf52
+TBlns+jK2wKBgAHlrKJmyUqI0i4TwrkuokcRbGV6B2gXvf0w20s6nTCVuaS2dJZH
+4vhOenhPx4OLCMhZcc96A2+jDjuRw8TQ3yePgMG26FnYRWrbE33vqp8fCsW6yakY
+T9TqJ51yLqYm8WDXiq17yDhFzLKd8RXIP2G3YiuZvUOcYJtXkKY8WVGBAoGBAIDM
+RdENJITuDRKX/Ae/gLO+/0Yeon4fOPNxeJw69mtKDt0hksIneR208cd64ka/NC8x
+hWsPVlgbWKlbETHAxTltsqjDxvOeouM2vCBa5qKgs2hp/KmMu6czzwExmm+bsmt8
+oj0wF/xVHNjaiv3Rf2+i4w00hoeYHNYjTVcekLffAoGAb3fAwfKuesFpVhzKSZxS
+vfvgTN3M29wSrsWoVpHoWUt+4pkI8w57lqpiVLgO1K7sm5k3gr38ebadjVjGiHD6
+S+G8DDUnKIxcgrtK668V7f8RBAP8eOas5qgoJ79C8M+nUeUHZRxWONuTk90j3R9r
+KVFR3kS3f+Vaew3yceGaZcA=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key.keyspec
new file mode 100644
index 0000000000..cbd5f309c0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key.keyspec
@@ -0,0 +1 @@
+alternate
diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem
new file mode 100644
index 0000000000..a2e264030a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIURym6o+VN9xgZXT/QLrvN/nv1ZN4wDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoY
+DzIwMjUwMTAxMDAwMDAwWjAYMRYwFAYDVQQDDA1PdGhlciB0ZXN0IENBMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2w39c5Tiw
+bErNIrHL1G+mWtoq3UHIwkmKxKOzwfYUh/QbaYlBvYClHDwSAkTFhKTESDMF5ROM
+AQbPCL6ahidguuai6PNvI8XZgxO53683g0XazlHU1tzSpss8xwbrzTBw7JjM5Aql
+kdcpWn9xxb5maR0rLf7ISURZC8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1CaQiICBFC
+IGmYikP+5Izmh4HdIramnNKDdRMfkysSjOKG+n0lHAYq0n7wFvGHzdVOgys1uJMP
+dLqQqovHYWckKrH9bWIUDRjEwLjGj8N0hFcyStfehuZVLx0eGR1xIWjTuwIDAQAB
+ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC
+AQEAtXplrvls6HSbbibpzfGxOPmSuh2TH05bE4vQk+d7Kz6EOAFvgTiZbLwTxbrQ
+gfrM05t+67C2nAeiwAtW34nUnu6S8MYA6mJjURWICbl7cAvCHuNjg1atVr6f1Y+9
+VFFG6aUibw3bzKneREmDEVcxlEWUaMvv/JjfyMA5veSyX6iTJYkIBrEiVV5Alzg5
+yVHBi6+tpuJDO/YLlG8kmfzkYeJkTyAGx1EJ2yQHim7R232638yb0KrhS4zKsfFU
+egHhM4c+MpiCLc9q2EgblbYGx5GM+2leuzXunj1KPClHFrnmkRRm3rcESG2pK9RN
+/48Nd38VNofRojEbzDSCdOFmow==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem.certspec
new file mode 100644
index 0000000000..3bc975aa22
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem.certspec
@@ -0,0 +1,7 @@
+issuer:Other test CA
+subject:Other test CA
+issuerKey:alternate
+subjectKey:alternate
+validity:20150101-20250101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem
new file mode 100644
index 0000000000..312d57f83f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDeTCCAmGgAwIBAgIUO0qfW1Ku2EK6yQlpOYG16M3C88MwDQYJKoZIhvcNAQEL
+BQAwMzExMC8GA1UEAwwoVGVzdCBTZWxmLXNpZ25lZCBFbmQtZW50aXR5IHdpdGgg
+Q0EgdHJ1ZTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAzMTEw
+LwYDVQQDDChUZXN0IFNlbGYtc2lnbmVkIEVuZC1lbnRpdHkgd2l0aCBDQSB0cnVl
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABo4GAMH4wDAYDVR0TBAUwAwEB/zAyBggrBgEFBQcBAQQmMCQwIgYIKwYB
+BQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wOgYDVR0RBDMwMYIvc2VsZi1z
+aWduZWQtZW5kLWVudGl0eS13aXRoLWNBLXRydWUuZXhhbXBsZS5jb20wDQYJKoZI
+hvcNAQELBQADggEBAKHo7nO705MnFJrD51zJX5feNUmVlItGBRK67CO777vGRqYA
+YxBpKuugPxWvBVI7+P3SRvAQAL6vg9fUlf3OHkT4WISyQ06ru9V3kQXbJhS62fe8
+qKfom/iyDErkLEGojXqCoE13gsuQEXCbEKj1sLdKU1gpKA2iSooMkKvlJbhmlNjF
+Hy77/zZ7AeOmUblRMfhm8wF/AeoXSB+/JonOZ5MBCsKrjjK8vzDWBXICR2t/Uwce
+McvUFs5EiPJlveJ7POdUSQmQxnj0F9jdWF67tMLmktmMynEdSUv+9D++uUSSCbuS
+KU3Y4z6ntndjkhiyTQim9vETxcB92sfkIp4fZC4=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem.certspec
new file mode 100644
index 0000000000..0ca92d7fd1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test Self-signed End-entity with CA true
+subject:Test Self-signed End-entity with CA true
+extension:basicConstraints:cA,
+extension:authorityInformationAccess:http://localhost:8888/
+extension:subjectAlternativeName:self-signed-end-entity-with-cA-true.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem
new file mode 100644
index 0000000000..2ab5904543
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhzCCAm+gAwIBAgIUdTEF+B9EJBrvwu6jqdZB5MXb5ogwDQYJKoZIhvcNAQEL
+BQAwNTEzMDEGA1UEAwwqU2VsZi1zaWduZWQgSW5hZGVxdWF0ZSBFS1UgVGVzdCBF
+bmQtZW50aXR5MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMDUx
+MzAxBgNVBAMMKlNlbGYtc2lnbmVkIEluYWRlcXVhdGUgRUtVIFRlc3QgRW5kLWVu
+dGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u
+togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6
+pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL
+KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq
+fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv
+Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za
+GAo17Y0CAwEAAaOBijCBhzALBgNVHQ8EBAMCBDAwEwYDVR0lBAwwCgYIKwYBBQUH
+AwEwLwYDVR0RBCgwJoIkc2VsZnNpZ25lZC1pbmFkZXF1YXRlRUtVLmV4YW1wbGUu
+Y29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9z
+dDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAats49K5yDWP8zxxbODXI9VItMfOG
+j2E8QdcFPYRVgkIcmM6chajB3IX0K9cua1fIyXaiFK4ZukXY5IClrNa3K4mchyrW
+t/sL0hd1JNcSiFpYRXuKlmmTh/29PUP3sFo29p4fmXTlEGNmZG10r+RMlnh1/iWz
+H0MmLqE7iabjD91IxR79bRNnaewvmB7p4ccVc/Oh2iJSdd1JhrHljYBL4vTBz8Jb
+1+1zHqgCIf0+Bd9sTHnuu6+iB8hAqcoQVs9RqCjdisgx0+hzjGTmPummdF7xxDdt
+meUKn8pbzUadJuna5SyRN0bXIRVicqi4/dw+gYgb80uA7BUYgqiXhzJnmQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem.certspec
new file mode 100644
index 0000000000..477b90ce14
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem.certspec
@@ -0,0 +1,6 @@
+issuer:Self-signed Inadequate EKU Test End-entity
+subject:Self-signed Inadequate EKU Test End-entity
+extension:keyUsage:keyEncipherment,dataEncipherment
+extension:extKeyUsage:serverAuth
+extension:subjectAlternativeName:selfsigned-inadequateEKU.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem
new file mode 100644
index 0000000000..a949efa150
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNzCCAh+gAwIBAgIUQx4TWJqQt0JuIih8qLKCOJxOUMkwDQYJKoZIhvcNAQEL
+BQAwJjEkMCIGA1UEAwwbU2VsZi1zaWduZWQgVGVzdCBFbmQtZW50aXR5MCIYDzIw
+MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCYxJDAiBgNVBAMMG1NlbGYt
+c2lnbmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x
+nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM
+wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF
+4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20
+yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx
+j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNZMFcwIQYDVR0RBBowGIIWc2Vs
+ZnNpZ25lZC5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGG
+Fmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBAA8/4PSt
+7wsHx00uSCMH+mDAwnI6YqmwoWQWg2qq6Ul4mXvupDqaGjXCi3LA+7wP+YXlzXz3
+GJzQopXQ0XObiXNK34GNlTL+8Sk3rvOO88y5hmRpqNxXNCqj0UNaTfqDApYhydET
+/EoowMbObWWKUknQxxH4XxOgXfr11XBLOgmCWUF1ZUZRRxzhDNfeR7GIInw7Z+bP
+a/ghCqgSqaqupQUky21bx6tT6Vte/NEGZSE0NptiatOwkdB3pTaN9ix3firArKhx
+phEkGr2JxWcCAQY14+4Qg/gII2YRY0AMV3ruHjayItpe0SOTxPvJLa//InmUcsof
+eNBIC56EPJcm2U8=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem.certspec
new file mode 100644
index 0000000000..99a814be17
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Self-signed Test End-entity
+subject:Self-signed Test End-entity
+extension:subjectAlternativeName:selfsigned.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/test-ca.pem b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem
new file mode 100644
index 0000000000..67e7ca56e8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUP5NBbozOXrtwcuQwu3pzUXbOl7owDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEABBSMkSBFq/bK
+LpntIx6QJdqPtmnjdjwTpCbQyKKfQjjrazCfru5SheZq7ACtQ0uWFokUOQhB+Xvv
+sqy9HqJhK4UN0zfNPjtkHOSbNefWXOseEzA6XxuaCzQXWOp1WNNPnfdtYZizy6hT
+fKuKjhniKLmIQD61KNl7Ev1hWUhWC7R8U+IFztXusYYFUUmqqaZ/v7lNfY1sHu4k
+zHQFp+xqeaXvkoRpTXhoSdwDQ7ldquwqMM0NIQXlhtcmg7IYwZBGlJgzoejN4k2H
+2WycvxPW70I10NeAAhtie1+K4JHwr6/SLLwCCnJDoRMMpMhM9/853Ye/4PTDGhuK
+fqhEoHH9Ig==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/test-ca.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem.certspec
new file mode 100644
index 0000000000..5d2435d7bb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test CA
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/test-int.pem b/security/manager/ssl/tests/unit/bad_certs/test-int.pem
new file mode 100644
index 0000000000..08249b863e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/test-int.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25iBPOkIMwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMjUw
+MTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
+SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
+K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
+bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
+JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMd
+MBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEB
+AILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC2BQF0kMEEB547p+Ms8zdJY00
+Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77TkfmnSnxvPi+0nlA+eM
+8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22+AIU7w6wyA
+IbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubjiMr3
+B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpyk
+rGFLvocT/kym6r8galxCJUo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/test-int.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/test-int.pem.certspec
new file mode 100644
index 0000000000..33b42c2f41
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/test-int.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate
+validity:20150101-20250101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem
new file mode 100644
index 0000000000..30143bb1ba
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDqTCCApGgAwIBAgIUP5JozopIN1u1syfEtUDb+7eHSs0wDQYJKoZIhvcNAQEL
+BQAwJjEkMCIGA1UEAwwbVGVzdCBJbnRlcm1lZGlhdGUgdG8gZGVsZXRlMCIYDzIw
+MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMC4xLDAqBgNVBAMMI1Rlc3Qg
+RW5kLWVudGl0eSBmcm9tIHVua25vd24gaXNzdWVyMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4HCMIG/MIGIBgNV
+HREEgYAwfoIZdW5rbm93bmlzc3Vlci5leGFtcGxlLmNvbYI0dW5rbm93bmlzc3Vl
+ci5pbmNsdWRlLXN1YmRvbWFpbnMucGlubmluZy5leGFtcGxlLmNvbYIrdW5rbm93
+bmlzc3Vlci50ZXN0LW1vZGUucGlubmluZy5leGFtcGxlLmNvbTAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBAI2lkdtGlY+mEsp+k/1OMPP14sB/Rn3OY6Y0FNKKIrugQXa4
+V53aA0Uiopb5O+dCp9t6O6qX8hmiZkqO/24FnpJyT9HKGZWCA95gBAduVK27+LKz
+9a4HEnj5QuhtZw8oProRIukhgOr6AjJvzg1KNh0oJ67IIoqqwzZFFfOGNjoT3Rgu
+Z8WyMFPMI+ZTP7cHriMSPhAOz7v0d4zfRHmSBS+j3nyOkzFBSrjk8i2ODDXjsxjP
+RyCOAFXJRcoHUhY1E7WJ0qGGT3ckOD4gQ0NSJ8yGDtGqSCmoiQiGts9V7NVmnTfN
+RD9Q8KYGkyiZ6LpnQIN08aNZkkuflirZnl5zP4k=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem.certspec
new file mode 100644
index 0000000000..a735c730ca
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test Intermediate to delete
+subject:Test End-entity from unknown issuer
+extension:subjectAlternativeName:unknownissuer.example.com,unknownissuer.include-subdomains.pinning.example.com,unknownissuer.test-mode.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem
new file mode 100644
index 0000000000..921d14583f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNjCCAh6gAwIBAgIUGTh5myT/JfbNsso9a1ZhGr8B11gwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoY
+DzIwMTMwMTAxMDAwMDAwWjAsMSowKAYDVQQDDCFVbnRydXN0ZWQtRXhwaXJlZCBU
+ZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
+iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
+4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
+8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
+Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
+77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
+I/pyUcQx1QOs2hgKNe2NAgMBAAGjYDBeMCgGA1UdEQQhMB+CHXVudHJ1c3RlZC1l
+eHBpcmVkLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
+aHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAMktkDNyd
+MHFk4K4dcOfi0McOkxvdZW6/Nqts51scx8A3q8sT5pdW3ftBjvN7O+3c1cNGoThG
+9SA6uLDV2NT2EQp65yxMZe8j1OHX3qybqZ/RVY5r7VHF4JDsPHHXsgew5+CRGraj
+MTIFUqmgAYLMcv74vB0OLIt3JL4XnHVP7atULMLJrOP8QUmkUhZ49MDqyslN0i6w
+X7KwhdM00+JKadqUFqOAfhacMHsH5ErsQ3LXrQRMJiFoaVbElMy9e/jJmY7rg4pw
+0EMnkt+Vj650FkWsCnLndBia+6z+81L4EZ7uwBeeks2fYhXt85qqkuzmZq2T2diu
+ArcEblKIbUYlVg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem.certspec
new file mode 100644
index 0000000000..3efd1ce677
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Other test CA
+subject:Untrusted-Expired Test End-entity
+validity:20110101-20130101
+extension:subjectAlternativeName:untrusted-expired.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem
new file mode 100644
index 0000000000..44466870b7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDODCCAiCgAwIBAgIUFTheHxum5x5zarr+9tuaXVyal6kwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAwMS4wLAYDVQQDDCVUZXN0IEVuZC1lbnRpdHkgd2l0
+aCB1bnRydXN0ZWQgaXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu
+Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO
+7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf
+qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt
+HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx
+uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo14wXDAmBgNVHREEHzAdght1bnRydXN0
+ZWRpc3N1ZXIuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAB
+hhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQA4nTja
+7NV7jYhyX3eDGfoWyCHVM2PRIglZrHN1JsmzUOfyrw9T4jF2Jnuvl9lF0SyuBm+N
+X1lXJK4z8VYfM3t1SlGe2qwl+nXiYwoCFl0mfbBuihQNxa3eLWAmjz5ZghStjFwz
+QGwkgrsCaP8gKcU2j94KVhWaAXJJzBe1OPVJUhrjQjG4Q7mhon7qRrRYJaDR4GOe
+bLhJvrZO14Embo81DejBzoIHYeONhz9RqrTjcH15qpxwU8mX/DAZfkPlR85LY3F9
+FTBy7wEGuvoPZbWjtQEZMTeMdyJ1DZyi7TNFkJksf8b5oXtCGzftOv3cJeZIUYQs
+ZmUfzPtaDC9YkAeP
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem.certspec
new file mode 100644
index 0000000000..5ba0bc2535
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Other test CA
+subject:Test End-entity with untrusted issuer
+extension:subjectAlternativeName:untrustedissuer.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem
new file mode 100644
index 0000000000..8c24bc3d0b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrzCCAZcCFE8qjyl3WPAoW1Gpnx3TBAEyJJU6MA0GCSqGSIb3DQEBCwUAMBIx
+EDAOBgNVBAMMB1Rlc3QgQ0EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowEjEQMA4GA1UEAwwHVjEgQ2VydDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY
+H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk
+27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9
+0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM
+kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL
+L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsFAAOC
+AQEAqUwUJ06FNvZWgq5++nr3wKmfEW/hOI2Mr3+xjDbuvYm8/Z+H+TtIDgqJ+Ryf
+pxTL5/tGFmriX20DC9b+ZtZyEYVZFHbM/WmhKZlp6zfzxODErmX1JuPg+Ue0zCoz
+zQXTda4jB1j39LT88Ci5CLSnNrWFcbHxEp5nmikC6N76Whcw/4OflP0ui/MPeAu7
+wH5Ql7PzL3+m4HtCgri9Jgd/6LWkSeK2mN8AmnLUbV2szXi63eTrYxQ0KcxjTcuN
+4M2PuIXiI3c7V0jjfhIHc09lGUnLeh5pIQSQ17EMVMuh6sUjY26Gczj9CuWGZ+gS
+6B5LY90vNcK+MYRMF2jyXEt1Lg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem.certspec
new file mode 100644
index 0000000000..7824630bbc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test CA
+subject:V1 Cert
+version:1
diff --git a/security/manager/ssl/tests/unit/corrupted_crlite_helper.js b/security/manager/ssl/tests/unit/corrupted_crlite_helper.js
new file mode 100644
index 0000000000..2587c5dad9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/corrupted_crlite_helper.js
@@ -0,0 +1,103 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Helper file for tests that initialize CRLite with corrupted `security_state`
+// files.
+//
+// Usage:
+//   Define nsILocalFile variables for the `crlite.filter`, `crlite.coverage`,
+//   and `crlite.enrollment` files that should be copied to the new profile, and
+//   then load this file. The variables should be called `filter`, `coverage`,
+//   and `enrollment`, respectively. To omit a file, leave the corresponding
+//   variable `undefined`.
+//
+// Example:
+//   let filter = do_get_file("some_test_dir/crlite.filter");
+//   let coverage = undefined;
+//   let enrollment = do_get_file("some_test_dir/crlite.enrollment");
+//   load("./corrupted_crlite_helper.js");
+//
+// Note:
+//   The cert_storage library only attempts to read security_state once. So
+//   this task can only be included once per test file.
+
+"use strict";
+
+/* eslint-disable no-undef */
+
+add_task(async function test_crlite_corrupted() {
+  let securityStateDirectory = do_get_profile();
+  securityStateDirectory.append("security_state");
+
+  Services.prefs.setIntPref(
+    "security.pki.crlite_mode",
+    CRLiteModeEnforcePrefValue
+  );
+
+  if (coverage != undefined) {
+    coverage.copyTo(securityStateDirectory, "crlite.coverage");
+  }
+  if (enrollment != undefined) {
+    enrollment.copyTo(securityStateDirectory, "crlite.enrollment");
+  }
+  if (filter != undefined) {
+    filter.copyTo(securityStateDirectory, "crlite.filter");
+  }
+
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+
+  let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+    Ci.nsICertStorage
+  );
+
+  // This certificate is revoked according to `test_crlite_filters/20201017-0-filter`.
+  // Its issuer is enrolled according to `test_crlite_preexisting/crlite.enrollment`,
+  // and it is covered according to `test_crlite_preexisting/crlite.coverage`.
+  let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+
+  // The issuer's certificate needs to be available for path building.
+  let issuerCert = constructCertFromFile("test_crlite_filters/issuer.pem");
+  ok(issuerCert, "issuer certificate should decode successfully");
+
+  // If we copied a corrupted file to security_state, then CRLite should not be
+  // initialized, and we should fall back to OCSP. By setting
+  // Ci.nsIX509CertDB.FLAG_LOCAL_ONLY here we skip the OCSP test, so there's no
+  // revocation checking, and the revoked certificate should pass inspection.
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    undefined,
+    "us-datarecovery.com",
+    Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+  );
+
+  // We should not have a filter or a stash.
+  let hasFilter = await new Promise(resolve => {
+    certStorage.hasPriorData(
+      Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_FULL,
+      (rv, result) => {
+        Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+        resolve(result);
+      }
+    );
+  });
+  Assert.equal(hasFilter, false, "CRLite should not have a filter");
+
+  let hasStash = await new Promise(resolve => {
+    certStorage.hasPriorData(
+      Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL,
+      (rv, result) => {
+        Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+        resolve(result);
+      }
+    );
+  });
+  Assert.equal(hasStash, false, "CRLite should not have a stash");
+});
diff --git a/security/manager/ssl/tests/unit/crlite_enrollment_id.py b/security/manager/ssl/tests/unit/crlite_enrollment_id.py
new file mode 100755
index 0000000000..2deb5ad379
--- /dev/null
+++ b/security/manager/ssl/tests/unit/crlite_enrollment_id.py
@@ -0,0 +1,33 @@
+#!/usr/bin/python
+
+# Given a PEM encoded X.509 certificate, outputs
+#   base64(SHA256(subject || spki))
+# where `subject` is the RFC 5280 RDNSequence encoding
+# the certificate's subject, and `spki` is the RFC 5280
+# SubjectPublicKeyInfo field encoding the certificate's
+# public key.
+
+import sys
+import base64
+
+from cryptography import x509
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives import hashes
+
+if len(sys.argv) != 2:
+    print(f"Usage: {sys.argv[0]} <path to pem cert>")
+    sys.exit(1)
+
+with open(sys.argv[1], "r") as f:
+    cert = x509.load_pem_x509_certificate(f.read().encode("utf-8"), backend=None)
+
+subj = cert.subject.public_bytes()
+spki = cert.public_key().public_bytes(
+    format=serialization.PublicFormat.SubjectPublicKeyInfo,
+    encoding=serialization.Encoding.DER,
+)
+
+digest = hashes.Hash(hashes.SHA256(), backend=None)
+digest.update(subj)
+digest.update(spki)
+print(base64.b64encode(digest.finalize()).decode("utf-8"))
diff --git a/security/manager/ssl/tests/unit/crlite_key.py b/security/manager/ssl/tests/unit/crlite_key.py
new file mode 100755
index 0000000000..53d2b2aeaf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/crlite_key.py
@@ -0,0 +1,58 @@
+#!/usr/bin/python
+
+# Given PEM encoded X.509 certificates Issuer and Subscriber,
+# outputs the urlsafe base64 encoding of the SHA256 hash of
+# the Issuer's SubjectPublicKeyInfo, and the ascii hex encoding
+# of the Subscriber's serial number.
+
+import sys
+import base64
+
+from cryptography import x509
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives import hashes
+
+
+def uint_to_serial_bytes(a):
+    # Encode the non-negative integer |a| as a DER integer without the leading
+    # tag and length prefix. The DER encoding of |a| is the shortest octet
+    # string that encodes |a| in big endian two's complement form.
+    assert a >= 0
+
+    # Since |a| is non-negative, the shortest bit string that encodes it in
+    # big-endian two's complement form has a leading 0 bit. Positive python
+    # integers have a `bit_length` method that gives the index of the leading 1
+    # bit. The minimal two's complement bit length is one more than this.
+    #
+    # NB: Python defines |int(0).bit_length() == 0|. The other cases are more
+    # intuitive; for integers x and k with x >= 0 and k > 0 with 2**k > x we
+    # have |int(2**k + x).bit_length() == k+1|.
+    bit_len = 1 + a.bit_length()
+    byte_len = (bit_len + 7) // 8
+    return a.to_bytes(byte_len, byteorder="big", signed=False)
+
+
+if len(sys.argv) != 3:
+    print(f"Usage: {sys.argv[0]} <path to issuer cert> <path to subscriber cert>")
+    sys.exit(1)
+
+with open(sys.argv[1], "r") as f:
+    issuer = x509.load_pem_x509_certificate(f.read().encode("utf-8"), backend=None)
+
+with open(sys.argv[2], "r") as f:
+    subscriber = x509.load_pem_x509_certificate(f.read().encode("utf-8"), backend=None)
+
+assert issuer.subject.public_bytes() == subscriber.issuer.public_bytes()
+
+issuer_spki = issuer.public_key().public_bytes(
+    format=serialization.PublicFormat.SubjectPublicKeyInfo,
+    encoding=serialization.Encoding.DER,
+)
+hasher = hashes.Hash(hashes.SHA256(), backend=None)
+hasher.update(issuer_spki)
+issuer_spki_hash = hasher.finalize()
+
+subscriber_serial = uint_to_serial_bytes(int(subscriber.serial_number))
+
+print(base64.urlsafe_b64encode(issuer_spki_hash).decode("utf-8"))
+print(subscriber_serial.hex())
diff --git a/security/manager/ssl/tests/unit/head_psm.js b/security/manager/ssl/tests/unit/head_psm.js
new file mode 100644
index 0000000000..bb770a1b63
--- /dev/null
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -0,0 +1,1192 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+"use strict";
+
+const { AppConstants } = ChromeUtils.importESModule(
+  "resource://gre/modules/AppConstants.sys.mjs"
+);
+const { ctypes } = ChromeUtils.importESModule(
+  "resource://gre/modules/ctypes.sys.mjs"
+);
+const { FileUtils } = ChromeUtils.importESModule(
+  "resource://gre/modules/FileUtils.sys.mjs"
+);
+const { HttpServer } = ChromeUtils.import("resource://testing-common/httpd.js");
+const { MockRegistrar } = ChromeUtils.importESModule(
+  "resource://testing-common/MockRegistrar.sys.mjs"
+);
+const { NetUtil } = ChromeUtils.import("resource://gre/modules/NetUtil.jsm");
+const { PromiseUtils } = ChromeUtils.importESModule(
+  "resource://gre/modules/PromiseUtils.sys.mjs"
+);
+const { XPCOMUtils } = ChromeUtils.importESModule(
+  "resource://gre/modules/XPCOMUtils.sys.mjs"
+);
+
+const { X509 } = ChromeUtils.importESModule(
+  "resource://gre/modules/psm/X509.sys.mjs"
+);
+
+const isDebugBuild = Cc["@mozilla.org/xpcom/debug;1"].getService(
+  Ci.nsIDebug2
+).isDebugBuild;
+
+// The test EV roots are only enabled in debug builds as a security measure.
+const gEVExpected = isDebugBuild;
+
+const CLIENT_AUTH_FILE_NAME = "ClientAuthRememberList.txt";
+const SSS_STATE_FILE_NAME = "SiteSecurityServiceState.txt";
+const CERT_OVERRIDE_FILE_NAME = "cert_override.txt";
+
+const SEC_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SEC_ERROR_BASE;
+const SSL_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SSL_ERROR_BASE;
+const MOZILLA_PKIX_ERROR_BASE = Ci.nsINSSErrorsService.MOZILLA_PKIX_ERROR_BASE;
+
+// This isn't really a valid PRErrorCode, but is useful for signalling that
+// a test is expected to succeed.
+const PRErrorCodeSuccess = 0;
+
+// Sort in numerical order
+const SEC_ERROR_INVALID_TIME = SEC_ERROR_BASE + 8;
+const SEC_ERROR_BAD_DER = SEC_ERROR_BASE + 9;
+const SEC_ERROR_BAD_SIGNATURE = SEC_ERROR_BASE + 10;
+const SEC_ERROR_EXPIRED_CERTIFICATE = SEC_ERROR_BASE + 11;
+const SEC_ERROR_REVOKED_CERTIFICATE = SEC_ERROR_BASE + 12;
+const SEC_ERROR_UNKNOWN_ISSUER = SEC_ERROR_BASE + 13;
+const SEC_ERROR_UNTRUSTED_ISSUER = SEC_ERROR_BASE + 20;
+const SEC_ERROR_UNTRUSTED_CERT = SEC_ERROR_BASE + 21;
+const SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE = SEC_ERROR_BASE + 30;
+const SEC_ERROR_CA_CERT_INVALID = SEC_ERROR_BASE + 36;
+const SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION = SEC_ERROR_BASE + 41;
+const SEC_ERROR_PKCS7_BAD_SIGNATURE = SEC_ERROR_BASE + 47;
+const SEC_ERROR_INADEQUATE_KEY_USAGE = SEC_ERROR_BASE + 90;
+const SEC_ERROR_INADEQUATE_CERT_TYPE = SEC_ERROR_BASE + 91;
+const SEC_ERROR_CERT_NOT_IN_NAME_SPACE = SEC_ERROR_BASE + 112;
+const SEC_ERROR_CERT_BAD_ACCESS_LOCATION = SEC_ERROR_BASE + 117;
+const SEC_ERROR_OCSP_MALFORMED_REQUEST = SEC_ERROR_BASE + 120;
+const SEC_ERROR_OCSP_SERVER_ERROR = SEC_ERROR_BASE + 121;
+const SEC_ERROR_OCSP_TRY_SERVER_LATER = SEC_ERROR_BASE + 122;
+const SEC_ERROR_OCSP_REQUEST_NEEDS_SIG = SEC_ERROR_BASE + 123;
+const SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST = SEC_ERROR_BASE + 124;
+const SEC_ERROR_OCSP_UNKNOWN_CERT = SEC_ERROR_BASE + 126;
+const SEC_ERROR_OCSP_MALFORMED_RESPONSE = SEC_ERROR_BASE + 129;
+const SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE = SEC_ERROR_BASE + 130;
+const SEC_ERROR_OCSP_OLD_RESPONSE = SEC_ERROR_BASE + 132;
+const SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE = SEC_ERROR_BASE + 141;
+const SEC_ERROR_OCSP_INVALID_SIGNING_CERT = SEC_ERROR_BASE + 144;
+const SEC_ERROR_POLICY_VALIDATION_FAILED = SEC_ERROR_BASE + 160;
+const SEC_ERROR_OCSP_BAD_SIGNATURE = SEC_ERROR_BASE + 157;
+const SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED = SEC_ERROR_BASE + 176;
+
+const SSL_ERROR_NO_CYPHER_OVERLAP = SSL_ERROR_BASE + 2;
+const SSL_ERROR_BAD_CERT_DOMAIN = SSL_ERROR_BASE + 12;
+const SSL_ERROR_BAD_CERT_ALERT = SSL_ERROR_BASE + 17;
+const SSL_ERROR_WEAK_SERVER_CERT_KEY = SSL_ERROR_BASE + 132;
+const SSL_ERROR_DC_INVALID_KEY_USAGE = SSL_ERROR_BASE + 184;
+
+const SSL_ERROR_ECH_RETRY_WITH_ECH = SSL_ERROR_BASE + 188;
+const SSL_ERROR_ECH_RETRY_WITHOUT_ECH = SSL_ERROR_BASE + 189;
+const SSL_ERROR_ECH_FAILED = SSL_ERROR_BASE + 190;
+const SSL_ERROR_ECH_REQUIRED_ALERT = SSL_ERROR_BASE + 191;
+
+const MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = MOZILLA_PKIX_ERROR_BASE + 0;
+const MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY =
+  MOZILLA_PKIX_ERROR_BASE + 1;
+const MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = MOZILLA_PKIX_ERROR_BASE + 2;
+const MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA = MOZILLA_PKIX_ERROR_BASE + 3;
+const MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE =
+  MOZILLA_PKIX_ERROR_BASE + 5;
+const MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE =
+  MOZILLA_PKIX_ERROR_BASE + 6;
+const MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING =
+  MOZILLA_PKIX_ERROR_BASE + 8;
+const MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING =
+  MOZILLA_PKIX_ERROR_BASE + 10;
+const MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME = MOZILLA_PKIX_ERROR_BASE + 12;
+const MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED =
+  MOZILLA_PKIX_ERROR_BASE + 13;
+const MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT = MOZILLA_PKIX_ERROR_BASE + 14;
+const MOZILLA_PKIX_ERROR_MITM_DETECTED = MOZILLA_PKIX_ERROR_BASE + 15;
+
+// Supported Certificate Usages
+const certificateUsageSSLClient = 0x0001;
+const certificateUsageSSLServer = 0x0002;
+const certificateUsageSSLCA = 0x0008;
+const certificateUsageEmailSigner = 0x0010;
+const certificateUsageEmailRecipient = 0x0020;
+
+// A map from the name of a certificate usage to the value of the usage.
+// Useful for printing debugging information and for enumerating all supported
+// usages.
+const allCertificateUsages = {
+  certificateUsageSSLClient,
+  certificateUsageSSLServer,
+  certificateUsageSSLCA,
+  certificateUsageEmailSigner,
+  certificateUsageEmailRecipient,
+};
+
+const NO_FLAGS = 0;
+
+const CRLiteModeDisabledPrefValue = 0;
+const CRLiteModeTelemetryOnlyPrefValue = 1;
+const CRLiteModeEnforcePrefValue = 2;
+const CRLiteModeConfirmRevocationsValue = 3;
+
+// Convert a string to an array of bytes consisting of the char code at each
+// index.
+function stringToArray(s) {
+  let a = [];
+  for (let i = 0; i < s.length; i++) {
+    a.push(s.charCodeAt(i));
+  }
+  return a;
+}
+
+// Converts an array of bytes to a JS string using fromCharCode on each byte.
+function arrayToString(a) {
+  let s = "";
+  for (let b of a) {
+    s += String.fromCharCode(b);
+  }
+  return s;
+}
+
+// Commonly certificates are represented as PEM. The format is roughly as
+// follows:
+//
+// -----BEGIN CERTIFICATE-----
+// [some lines of base64, each typically 64 characters long]
+// -----END CERTIFICATE-----
+//
+// However, nsIX509CertDB.constructX509FromBase64 and related functions do not
+// handle input of this form. Instead, they require a single string of base64
+// with no newlines or BEGIN/END headers. This is a helper function to convert
+// PEM to the format that nsIX509CertDB requires.
+function pemToBase64(pem) {
+  return pem
+    .replace(/-----BEGIN CERTIFICATE-----/, "")
+    .replace(/-----END CERTIFICATE-----/, "")
+    .replace(/[\r\n]/g, "");
+}
+
+function build_cert_chain(certNames, testDirectory = "bad_certs") {
+  let certList = [];
+  certNames.forEach(function (certName) {
+    let cert = constructCertFromFile(`${testDirectory}/${certName}.pem`);
+    certList.push(cert);
+  });
+  return certList;
+}
+
+function areCertsEqual(certA, certB) {
+  let derA = certA.getRawDER();
+  let derB = certB.getRawDER();
+  if (derA.length != derB.length) {
+    return false;
+  }
+  for (let i = 0; i < derA.length; i++) {
+    if (derA[i] != derB[i]) {
+      return false;
+    }
+  }
+  return true;
+}
+
+function areCertArraysEqual(certArrayA, certArrayB) {
+  if (certArrayA.length != certArrayB.length) {
+    return false;
+  }
+
+  for (let i = 0; i < certArrayA.length; i++) {
+    const certA = certArrayA[i];
+    const certB = certArrayB[i];
+    if (!areCertsEqual(certA, certB)) {
+      return false;
+    }
+  }
+  return true;
+}
+
+function readFile(file) {
+  let fstream = Cc["@mozilla.org/network/file-input-stream;1"].createInstance(
+    Ci.nsIFileInputStream
+  );
+  fstream.init(file, -1, 0, 0);
+  let available = fstream.available();
+  let data =
+    available > 0 ? NetUtil.readInputStreamToString(fstream, available) : "";
+  fstream.close();
+  return data;
+}
+
+function addCertFromFile(certdb, filename, trustString) {
+  let certFile = do_get_file(filename, false);
+  let certBytes = readFile(certFile);
+  try {
+    return certdb.addCert(certBytes, trustString);
+  } catch (e) {}
+  // It might be PEM instead of DER.
+  return certdb.addCertFromBase64(pemToBase64(certBytes), trustString);
+}
+
+function constructCertFromFile(filename) {
+  let certFile = do_get_file(filename, false);
+  let certBytes = readFile(certFile);
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  try {
+    return certdb.constructX509(stringToArray(certBytes));
+  } catch (e) {}
+  // It might be PEM instead of DER.
+  return certdb.constructX509FromBase64(pemToBase64(certBytes));
+}
+
+function setCertTrust(cert, trustString) {
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  certdb.setCertTrustFromString(cert, trustString);
+}
+
+function getXPCOMStatusFromNSS(statusNSS) {
+  let nssErrorsService = Cc["@mozilla.org/nss_errors_service;1"].getService(
+    Ci.nsINSSErrorsService
+  );
+  return nssErrorsService.getXPCOMFromNSSError(statusNSS);
+}
+
+// Helper for checkCertErrorGenericAtTime
+class CertVerificationExpectedErrorResult {
+  constructor(certName, expectedError, expectedEVStatus, resolve) {
+    this.certName = certName;
+    this.expectedError = expectedError;
+    this.expectedEVStatus = expectedEVStatus;
+    this.resolve = resolve;
+  }
+
+  verifyCertFinished(aPRErrorCode, aVerifiedChain, aHasEVPolicy) {
+    equal(
+      aPRErrorCode,
+      this.expectedError,
+      `verifying ${this.certName}: should get error ${this.expectedError}`
+    );
+    if (this.expectedEVStatus != undefined) {
+      equal(
+        aHasEVPolicy,
+        this.expectedEVStatus,
+        `verifying ${this.certName}: ` +
+          `should ${this.expectedEVStatus ? "be" : "not be"} EV`
+      );
+    }
+    this.resolve();
+  }
+}
+
+// certdb implements nsIX509CertDB. See nsIX509CertDB.idl for documentation.
+// In particular, hostname is optional.
+function checkCertErrorGenericAtTime(
+  certdb,
+  cert,
+  expectedError,
+  usage,
+  time,
+  /* optional */ isEVExpected,
+  /* optional */ hostname,
+  /* optional */ flags = NO_FLAGS
+) {
+  return new Promise((resolve, reject) => {
+    let result = new CertVerificationExpectedErrorResult(
+      cert.commonName,
+      expectedError,
+      isEVExpected,
+      resolve
+    );
+    certdb.asyncVerifyCertAtTime(cert, usage, flags, hostname, time, result);
+  });
+}
+
+// certdb implements nsIX509CertDB. See nsIX509CertDB.idl for documentation.
+// In particular, hostname is optional.
+function checkCertErrorGeneric(
+  certdb,
+  cert,
+  expectedError,
+  usage,
+  /* optional */ isEVExpected,
+  /* optional */ hostname
+) {
+  let now = new Date().getTime() / 1000;
+  return checkCertErrorGenericAtTime(
+    certdb,
+    cert,
+    expectedError,
+    usage,
+    now,
+    isEVExpected,
+    hostname
+  );
+}
+
+function checkEVStatus(certDB, cert, usage, isEVExpected) {
+  return checkCertErrorGeneric(
+    certDB,
+    cert,
+    PRErrorCodeSuccess,
+    usage,
+    isEVExpected
+  );
+}
+
+function _getLibraryFunctionWithNoArguments(
+  functionName,
+  libraryName,
+  returnType
+) {
+  // Open the NSS library. copied from services/crypto/modules/WeaveCrypto.js
+  let path = ctypes.libraryName(libraryName);
+
+  // XXX really want to be able to pass specific dlopen flags here.
+  let nsslib;
+  try {
+    nsslib = ctypes.open(path);
+  } catch (e) {
+    // In case opening the library without a full path fails,
+    // try again with a full path.
+    let file = Services.dirsvc.get("GreBinD", Ci.nsIFile);
+    file.append(path);
+    nsslib = ctypes.open(file.path);
+  }
+
+  let SECStatus = ctypes.int;
+  let func = nsslib.declare(
+    functionName,
+    ctypes.default_abi,
+    returnType || SECStatus
+  );
+  return func;
+}
+
+function clearOCSPCache() {
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  certdb.clearOCSPCache();
+}
+
+function clearSessionCache() {
+  let nssComponent = Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent);
+  nssComponent.clearSSLExternalAndInternalSessionCache();
+}
+
+function getSSLStatistics() {
+  let SSL3Statistics = new ctypes.StructType("SSL3Statistics", [
+    { sch_sid_cache_hits: ctypes.long },
+    { sch_sid_cache_misses: ctypes.long },
+    { sch_sid_cache_not_ok: ctypes.long },
+    { hsh_sid_cache_hits: ctypes.long },
+    { hsh_sid_cache_misses: ctypes.long },
+    { hsh_sid_cache_not_ok: ctypes.long },
+    { hch_sid_cache_hits: ctypes.long },
+    { hch_sid_cache_misses: ctypes.long },
+    { hch_sid_cache_not_ok: ctypes.long },
+    { sch_sid_stateless_resumes: ctypes.long },
+    { hsh_sid_stateless_resumes: ctypes.long },
+    { hch_sid_stateless_resumes: ctypes.long },
+    { hch_sid_ticket_parse_failures: ctypes.long },
+  ]);
+  let SSL3StatisticsPtr = new ctypes.PointerType(SSL3Statistics);
+  let SSL_GetStatistics = null;
+  try {
+    SSL_GetStatistics = _getLibraryFunctionWithNoArguments(
+      "SSL_GetStatistics",
+      "ssl3",
+      SSL3StatisticsPtr
+    );
+  } catch (e) {
+    // On Windows, this is actually in the nss3 library.
+    SSL_GetStatistics = _getLibraryFunctionWithNoArguments(
+      "SSL_GetStatistics",
+      "nss3",
+      SSL3StatisticsPtr
+    );
+  }
+  if (!SSL_GetStatistics) {
+    throw new Error("Failed to get SSL statistics");
+  }
+  return SSL_GetStatistics();
+}
+
+// Set up a TLS testing environment that has a TLS server running and
+// ready to accept connections. This async function starts the server and
+// waits for the server to indicate that it is ready.
+//
+// Each test should have its own subdomain of example.com, for example
+// my-first-connection-test.example.com. The server can use the server
+// name (passed through the SNI TLS extension) to determine what behavior
+// the server side of the text should exhibit. See TLSServer.h for more
+// information on how to write the server side of tests.
+//
+// Create a new source file for your new server executable in
+// security/manager/ssl/tests/unit/tlsserver/cmd similar to the other ones in
+// that directory, and add a reference to it to the sources variable in that
+// directory's moz.build.
+//
+// Modify TEST_HARNESS_BINS in
+// testing/mochitest/Makefile.in and NO_PKG_FILES in
+// toolkit/mozapps/installer/packager.mk to make sure the new executable
+// gets included in the packages used for shipping the tests to the test
+// runners in our build/test farm. (Things will work fine locally without
+// these changes but will break on TBPL.)
+//
+// Your test script should look something like this:
+/*
+
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// <documentation on your test>
+
+function run_test() {
+  do_get_profile();
+  add_tls_server_setup("<test-server-name>", "<path-to-certificate-directory>");
+
+  add_connection_test("<test-name-1>.example.com",
+                      SEC_ERROR_xxx,
+                      function() { ... },
+                      function(aTransportSecurityInfo) { ... },
+                      function(aTransport) { ... });
+  [...]
+  add_connection_test("<test-name-n>.example.com", PRErrorCodeSuccess);
+
+  run_next_test();
+}
+*/
+
+function add_tls_server_setup(serverBinName, certsPath, addDefaultRoot = true) {
+  add_test(function () {
+    _setupTLSServerTest(serverBinName, certsPath, addDefaultRoot);
+  });
+}
+
+/**
+ * Add a TLS connection test case.
+ *
+ * @param {string} aHost
+ *   The hostname to pass in the SNI TLS extension; this should unambiguously
+ *   identify which test is being run.
+ * @param {PRErrorCode} aExpectedResult
+ *   The expected result of the connection. If an error is not expected, pass
+ *   in PRErrorCodeSuccess.
+ * @param {Function} aBeforeConnect
+ *   A callback function that takes no arguments that will be called before the
+ *   connection is attempted.
+ * @param {Function} aWithSecurityInfo
+ *   A callback function that takes an nsITransportSecurityInfo, which is called
+ *   after the TLS handshake succeeds.
+ * @param {Function} aAfterStreamOpen
+ *   A callback function that is called with the nsISocketTransport once the
+ *   output stream is ready.
+ * @param {OriginAttributes} aOriginAttributes (optional)
+ *   The origin attributes that the socket transport will have. This parameter
+ *   affects OCSP because OCSP cache is double-keyed by origin attributes' first
+ *   party domain.
+ *
+ * @param {OriginAttributes} aEchConfig (optional)
+ *   A Base64-encoded ECHConfig. If non-empty, it will be configured to the client
+ *   socket resulting in an Encrypted Client Hello extension being sent. The client
+ *   keypair is ephermeral and generated within NSS.
+ */
+function add_connection_test(
+  aHost,
+  aExpectedResult,
+  aBeforeConnect,
+  aWithSecurityInfo,
+  aAfterStreamOpen,
+  /* optional */ aOriginAttributes,
+  /* optional */ aEchConfig
+) {
+  add_test(function () {
+    if (aBeforeConnect) {
+      aBeforeConnect();
+    }
+    asyncConnectTo(
+      aHost,
+      aExpectedResult,
+      aWithSecurityInfo,
+      aAfterStreamOpen,
+      aOriginAttributes,
+      aEchConfig
+    ).then(run_next_test);
+  });
+}
+
+async function asyncConnectTo(
+  aHost,
+  aExpectedResult,
+  /* optional */ aWithSecurityInfo = undefined,
+  /* optional */ aAfterStreamOpen = undefined,
+  /* optional */ aOriginAttributes = undefined,
+  /* optional */ aEchConfig = undefined
+) {
+  const REMOTE_PORT = 8443;
+
+  function Connection(host) {
+    this.host = host;
+    this.thread = Services.tm.currentThread;
+    this.defer = PromiseUtils.defer();
+    let sts = Cc["@mozilla.org/network/socket-transport-service;1"].getService(
+      Ci.nsISocketTransportService
+    );
+    this.transport = sts.createTransport(
+      ["ssl"],
+      host,
+      REMOTE_PORT,
+      null,
+      null
+    );
+    if (aEchConfig) {
+      this.transport.setEchConfig(atob(aEchConfig));
+    }
+    // See bug 1129771 - attempting to connect to [::1] when the server is
+    // listening on 127.0.0.1 causes frequent failures on OS X 10.10.
+    this.transport.connectionFlags |= Ci.nsISocketTransport.DISABLE_IPV6;
+    this.transport.setEventSink(this, this.thread);
+    if (aOriginAttributes) {
+      this.transport.originAttributes = aOriginAttributes;
+    }
+    this.inputStream = null;
+    this.outputStream = null;
+    this.connected = false;
+  }
+
+  Connection.prototype = {
+    // nsITransportEventSink
+    onTransportStatus(aTransport, aStatus, aProgress, aProgressMax) {
+      if (
+        !this.connected &&
+        aStatus == Ci.nsISocketTransport.STATUS_CONNECTED_TO
+      ) {
+        this.connected = true;
+        this.outputStream.asyncWait(this, 0, 0, this.thread);
+      }
+    },
+
+    // nsIInputStreamCallback
+    onInputStreamReady(aStream) {
+      try {
+        // this will throw if the stream has been closed by an error
+        let str = NetUtil.readInputStreamToString(aStream, aStream.available());
+        Assert.equal(str, "0", "Should have received ASCII '0' from server");
+        this.inputStream.close();
+        this.outputStream.close();
+        this.result = Cr.NS_OK;
+      } catch (e) {
+        this.result = e.result;
+      }
+      this.defer.resolve(this);
+    },
+
+    // nsIOutputStreamCallback
+    onOutputStreamReady(aStream) {
+      if (aAfterStreamOpen) {
+        aAfterStreamOpen(this.transport);
+      }
+      this.outputStream.write("0", 1);
+      let inStream = this.transport
+        .openInputStream(0, 0, 0)
+        .QueryInterface(Ci.nsIAsyncInputStream);
+      this.inputStream = inStream;
+      this.inputStream.asyncWait(this, 0, 0, this.thread);
+    },
+
+    go() {
+      this.outputStream = this.transport
+        .openOutputStream(0, 0, 0)
+        .QueryInterface(Ci.nsIAsyncOutputStream);
+      return this.defer.promise;
+    },
+  };
+
+  /* Returns a promise to connect to host that resolves to the result of that
+   * connection */
+  function connectTo(host) {
+    Services.prefs.setCharPref("network.dns.localDomains", host);
+    let connection = new Connection(host);
+    return connection.go();
+  }
+
+  return connectTo(aHost).then(async function (conn) {
+    info("handling " + aHost);
+    let expectedNSResult =
+      aExpectedResult == PRErrorCodeSuccess
+        ? Cr.NS_OK
+        : getXPCOMStatusFromNSS(aExpectedResult);
+    Assert.equal(
+      conn.result,
+      expectedNSResult,
+      "Actual and expected connection result should match"
+    );
+    if (aWithSecurityInfo) {
+      aWithSecurityInfo(
+        await conn.transport.tlsSocketControl.asyncGetSecurityInfo()
+      );
+    }
+  });
+}
+
+function _getBinaryUtil(binaryUtilName) {
+  let utilBin = Services.dirsvc.get("GreD", Ci.nsIFile);
+  // On macOS, GreD is .../Contents/Resources, and most binary utilities
+  // are located there, but certutil is in GreBinD (or .../Contents/MacOS),
+  // so we have to change the path accordingly.
+  if (binaryUtilName === "certutil") {
+    utilBin = Services.dirsvc.get("GreBinD", Ci.nsIFile);
+  }
+  utilBin.append(binaryUtilName + mozinfo.bin_suffix);
+  // If we're testing locally, the above works. If not, the server executable
+  // is in another location.
+  if (!utilBin.exists()) {
+    utilBin = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+    while (utilBin.path.includes("xpcshell")) {
+      utilBin = utilBin.parent;
+    }
+    utilBin.append("bin");
+    utilBin.append(binaryUtilName + mozinfo.bin_suffix);
+  }
+  // But maybe we're on Android, where binaries are in /data/local/xpcb.
+  if (!utilBin.exists()) {
+    utilBin.initWithPath("/data/local/xpcb/");
+    utilBin.append(binaryUtilName);
+  }
+  Assert.ok(utilBin.exists(), `Binary util ${binaryUtilName} should exist`);
+  return utilBin;
+}
+
+// Do not call this directly; use add_tls_server_setup
+function _setupTLSServerTest(serverBinName, certsPath, addDefaultRoot) {
+  asyncStartTLSTestServer(serverBinName, certsPath, addDefaultRoot).then(
+    run_next_test
+  );
+}
+
+async function asyncStartTLSTestServer(
+  serverBinName,
+  certsPath,
+  addDefaultRoot
+) {
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  // The trusted CA that is typically used for "good" certificates.
+  if (addDefaultRoot) {
+    addCertFromFile(certdb, `${certsPath}/test-ca.pem`, "CTu,u,u");
+  }
+
+  const CALLBACK_PORT = 8444;
+
+  let greBinDir = Services.dirsvc.get("GreBinD", Ci.nsIFile);
+  Services.env.set("DYLD_LIBRARY_PATH", greBinDir.path);
+  // TODO(bug 1107794): Android libraries are in /data/local/xpcb, but "GreBinD"
+  // does not return this path on Android, so hard code it here.
+  Services.env.set("LD_LIBRARY_PATH", greBinDir.path + ":/data/local/xpcb");
+  Services.env.set("MOZ_TLS_SERVER_DEBUG_LEVEL", "3");
+  Services.env.set("MOZ_TLS_SERVER_CALLBACK_PORT", CALLBACK_PORT);
+
+  let httpServer = new HttpServer();
+  let serverReady = new Promise(resolve => {
+    httpServer.registerPathHandler(
+      "/",
+      function handleServerCallback(aRequest, aResponse) {
+        aResponse.setStatusLine(aRequest.httpVersion, 200, "OK");
+        aResponse.setHeader("Content-Type", "text/plain");
+        let responseBody = "OK!";
+        aResponse.bodyOutputStream.write(responseBody, responseBody.length);
+        executeSoon(function () {
+          httpServer.stop(resolve);
+        });
+      }
+    );
+    httpServer.start(CALLBACK_PORT);
+  });
+
+  let serverBin = _getBinaryUtil(serverBinName);
+  let process = Cc["@mozilla.org/process/util;1"].createInstance(Ci.nsIProcess);
+  process.init(serverBin);
+  let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+  certDir.append(`${certsPath}`);
+  Assert.ok(certDir.exists(), `certificate folder (${certsPath}) should exist`);
+  // Using "sql:" causes the SQL DB to be used so we can run tests on Android.
+  process.run(false, ["sql:" + certDir.path, Services.appinfo.processID], 2);
+
+  registerCleanupFunction(function () {
+    process.kill();
+  });
+
+  await serverReady;
+}
+
+// Returns an Array of OCSP responses for a given ocspRespArray and a location
+// for a nssDB where the certs and public keys are prepopulated.
+// ocspRespArray is an array of arrays like:
+// [ [typeOfResponse, certnick, extracertnick, thisUpdateSkew]...]
+function generateOCSPResponses(ocspRespArray, nssDBlocation) {
+  let utilBinName = "GenerateOCSPResponse";
+  let ocspGenBin = _getBinaryUtil(utilBinName);
+  let retArray = [];
+
+  for (let i = 0; i < ocspRespArray.length; i++) {
+    let argArray = [];
+    let ocspFilepre = do_get_file(i.toString() + ".ocsp", true);
+    let filename = ocspFilepre.path;
+    // Using "sql:" causes the SQL DB to be used so we can run tests on Android.
+    argArray.push("sql:" + nssDBlocation);
+    argArray.push(ocspRespArray[i][0]); // ocsRespType;
+    argArray.push(ocspRespArray[i][1]); // nick;
+    argArray.push(ocspRespArray[i][2]); // extranickname
+    argArray.push(ocspRespArray[i][3]); // thisUpdate skew
+    argArray.push(filename);
+    info("argArray = " + argArray);
+
+    let process = Cc["@mozilla.org/process/util;1"].createInstance(
+      Ci.nsIProcess
+    );
+    process.init(ocspGenBin);
+    process.run(true, argArray, argArray.length);
+    Assert.equal(0, process.exitValue, "Process exit value should be 0");
+    let ocspFile = do_get_file(i.toString() + ".ocsp", false);
+    retArray.push(readFile(ocspFile));
+    ocspFile.remove(false);
+  }
+  return retArray;
+}
+
+// Starts and returns an http responder that will cause a test failure if it is
+// queried. The server identities are given by a non-empty array
+// serverIdentities.
+function getFailingHttpServer(serverPort, serverIdentities) {
+  let httpServer = new HttpServer();
+  httpServer.registerPrefixHandler("/", function (request, response) {
+    Assert.ok(false, "HTTP responder should not have been queried");
+  });
+  httpServer.identity.setPrimary("http", serverIdentities.shift(), serverPort);
+  serverIdentities.forEach(function (identity) {
+    httpServer.identity.add("http", identity, serverPort);
+  });
+  httpServer.start(serverPort);
+  return httpServer;
+}
+
+// Starts an http OCSP responder that serves good OCSP responses and
+// returns an object with a method stop that should be called to stop
+// the http server.
+// NB: Because generating OCSP responses inside the HTTP request
+// handler can cause timeouts, the expected responses are pre-generated
+// all at once before starting the server. This means that their producedAt
+// times will all be the same. If a test depends on this not being the case,
+// perhaps calling startOCSPResponder twice (at different times) will be
+// necessary.
+//
+// serverPort is the port of the http OCSP responder
+// identity is the http hostname that will answer the OCSP requests
+// nssDBLocation is the location of the NSS database from where the OCSP
+//   responses will be generated (assumes appropiate keys are present)
+// expectedCertNames is an array of nicks of the certs to be responsed
+// expectedBasePaths is an optional array that is used to indicate
+//   what is the expected base path of the OCSP request.
+// expectedMethods is an optional array of methods ("GET" or "POST") indicating
+//   by which HTTP method the server is expected to be queried.
+// expectedResponseTypes is an optional array of OCSP response types to use (see
+//   GenerateOCSPResponse.cpp).
+// responseHeaderPairs is an optional array of HTTP header (name, value) pairs
+//   to set in each response.
+function startOCSPResponder(
+  serverPort,
+  identity,
+  nssDBLocation,
+  expectedCertNames,
+  expectedBasePaths,
+  expectedMethods,
+  expectedResponseTypes,
+  responseHeaderPairs = []
+) {
+  let ocspResponseGenerationArgs = expectedCertNames.map(function (
+    expectedNick
+  ) {
+    let responseType = "good";
+    if (expectedResponseTypes && expectedResponseTypes.length >= 1) {
+      responseType = expectedResponseTypes.shift();
+    }
+    return [responseType, expectedNick, "unused", 0];
+  });
+  let ocspResponses = generateOCSPResponses(
+    ocspResponseGenerationArgs,
+    nssDBLocation
+  );
+  let httpServer = new HttpServer();
+  httpServer.registerPrefixHandler(
+    "/",
+    function handleServerCallback(aRequest, aResponse) {
+      info("got request for: " + aRequest.path);
+      let basePath = aRequest.path.slice(1).split("/")[0];
+      if (expectedBasePaths.length >= 1) {
+        Assert.equal(
+          basePath,
+          expectedBasePaths.shift(),
+          "Actual and expected base path should match"
+        );
+      }
+      Assert.ok(
+        expectedCertNames.length >= 1,
+        "expectedCertNames should contain >= 1 entries"
+      );
+      if (expectedMethods && expectedMethods.length >= 1) {
+        Assert.equal(
+          aRequest.method,
+          expectedMethods.shift(),
+          "Actual and expected fetch method should match"
+        );
+      }
+      aResponse.setStatusLine(aRequest.httpVersion, 200, "OK");
+      aResponse.setHeader("Content-Type", "application/ocsp-response");
+      for (let headerPair of responseHeaderPairs) {
+        aResponse.setHeader(headerPair[0], headerPair[1]);
+      }
+      aResponse.write(ocspResponses.shift());
+    }
+  );
+  httpServer.identity.setPrimary("http", identity, serverPort);
+  httpServer.start(serverPort);
+  return {
+    stop(callback) {
+      // make sure we consumed each expected response
+      Assert.equal(
+        ocspResponses.length,
+        0,
+        "Should have 0 remaining expected OCSP responses"
+      );
+      if (expectedMethods) {
+        Assert.equal(
+          expectedMethods.length,
+          0,
+          "Should have 0 remaining expected fetch methods"
+        );
+      }
+      if (expectedBasePaths) {
+        Assert.equal(
+          expectedBasePaths.length,
+          0,
+          "Should have 0 remaining expected base paths"
+        );
+      }
+      if (expectedResponseTypes) {
+        Assert.equal(
+          expectedResponseTypes.length,
+          0,
+          "Should have 0 remaining expected response types"
+        );
+      }
+      httpServer.stop(callback);
+    },
+  };
+}
+
+// Given an OCSP responder (see startOCSPResponder), returns a promise that
+// resolves when the responder has successfully stopped.
+function stopOCSPResponder(responder) {
+  return new Promise((resolve, reject) => {
+    responder.stop(resolve);
+  });
+}
+
+// Utility functions for adding tests relating to certificate error overrides
+
+// Helper function for add_cert_override_test. Probably doesn't need to be
+// called directly.
+function add_cert_override(aHost, aSecurityInfo) {
+  let cert = aSecurityInfo.serverCert;
+  let certOverrideService = Cc[
+    "@mozilla.org/security/certoverride;1"
+  ].getService(Ci.nsICertOverrideService);
+  certOverrideService.rememberValidityOverride(aHost, 8443, {}, cert, true);
+}
+
+// Given a host and an expected error code, tests that an initial connection to
+// the host fails with the expected error and that adding an override results
+// in a subsequent connection succeeding.
+function add_cert_override_test(aHost, aExpectedError) {
+  add_connection_test(
+    aHost,
+    aExpectedError,
+    null,
+    add_cert_override.bind(this, aHost)
+  );
+  add_connection_test(aHost, PRErrorCodeSuccess, null, aSecurityInfo => {
+    Assert.ok(
+      aSecurityInfo.securityState &
+        Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
+      "Cert override flag should be set on the security state"
+    );
+  });
+}
+
+// Helper function for add_prevented_cert_override_test. This is much like
+// add_cert_override except it may not be the case that the connection has an
+// SecInfo set on it. In this case, the error was not overridable anyway, so
+// we consider it a success.
+function attempt_adding_cert_override(aHost, aSecurityInfo) {
+  if (aSecurityInfo.serverCert) {
+    let cert = aSecurityInfo.serverCert;
+    let certOverrideService = Cc[
+      "@mozilla.org/security/certoverride;1"
+    ].getService(Ci.nsICertOverrideService);
+    certOverrideService.rememberValidityOverride(aHost, 8443, {}, cert, true);
+  }
+}
+
+// Given a host and an expected error code, tests that an initial connection to
+// the host fails with the expected error and that adding an override does not
+// result in a subsequent connection succeeding (i.e. the same error code is
+// encountered).
+// The idea here is that for HSTS hosts or hosts with key pins, no error is
+// overridable, even if an entry is added to the override service.
+function add_prevented_cert_override_test(aHost, aExpectedError) {
+  add_connection_test(
+    aHost,
+    aExpectedError,
+    null,
+    attempt_adding_cert_override.bind(this, aHost)
+  );
+  add_connection_test(aHost, aExpectedError);
+}
+
+// Helper for asyncTestCertificateUsages.
+class CertVerificationResult {
+  constructor(certName, usageString, successExpected, resolve) {
+    this.certName = certName;
+    this.usageString = usageString;
+    this.successExpected = successExpected;
+    this.resolve = resolve;
+  }
+
+  verifyCertFinished(aPRErrorCode, aVerifiedChain, aHasEVPolicy) {
+    if (this.successExpected) {
+      equal(
+        aPRErrorCode,
+        PRErrorCodeSuccess,
+        `verifying ${this.certName} for ${this.usageString} should succeed`
+      );
+    } else {
+      notEqual(
+        aPRErrorCode,
+        PRErrorCodeSuccess,
+        `verifying ${this.certName} for ${this.usageString} should fail`
+      );
+    }
+    this.resolve();
+  }
+}
+
+/**
+ * Asynchronously attempts to verify the given certificate for all supported
+ * usages (see allCertificateUsages). Verifies that the results match the
+ * expected successful usages. Returns a promise that will resolve when all
+ * verifications have been performed.
+ * Verification happens "now" with no specified flags or hostname.
+ *
+ * @param {nsIX509CertDB} certdb
+ *   The certificate database to use to verify the certificate.
+ * @param {nsIX509Cert} cert
+ *   The certificate to be verified.
+ * @param {number[]} expectedUsages
+ *   A list of usages (as their integer values) that are expected to verify
+ *   successfully.
+ * @returns {Promise}
+ *   A promise that will resolve with no value when all asynchronous operations
+ *   have completed.
+ */
+function asyncTestCertificateUsages(certdb, cert, expectedUsages) {
+  let now = new Date().getTime() / 1000;
+  let promises = [];
+  Object.keys(allCertificateUsages).forEach(usageString => {
+    let promise = new Promise((resolve, reject) => {
+      let usage = allCertificateUsages[usageString];
+      let successExpected = expectedUsages.includes(usage);
+      let result = new CertVerificationResult(
+        cert.commonName,
+        usageString,
+        successExpected,
+        resolve
+      );
+      let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY;
+      certdb.asyncVerifyCertAtTime(cert, usage, flags, null, now, result);
+    });
+    promises.push(promise);
+  });
+  return Promise.all(promises);
+}
+
+/**
+ * Loads the pkcs11testmodule.cpp test PKCS #11 module, and registers a cleanup
+ * function that unloads it once the calling test completes.
+ *
+ * @param {nsIFile} libraryFile
+ *                  The dynamic library file that implements the module to
+ *                  load.
+ * @param {string} moduleName
+ *                 What to call the module.
+ * @param {boolean} expectModuleUnloadToFail
+ *                  Should be set to true for tests that manually unload the
+ *                  test module, so the attempt to auto unload the test module
+ *                  doesn't cause a test failure. Should be set to false
+ *                  otherwise, so failure to automatically unload the test
+ *                  module gets reported.
+ */
+function loadPKCS11Module(libraryFile, moduleName, expectModuleUnloadToFail) {
+  ok(libraryFile.exists(), "The PKCS11 module file should exist");
+
+  let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+    Ci.nsIPKCS11ModuleDB
+  );
+  registerCleanupFunction(() => {
+    try {
+      pkcs11ModuleDB.deleteModule(moduleName);
+    } catch (e) {
+      Assert.ok(
+        expectModuleUnloadToFail,
+        `Module unload should suceed only when expected: ${e}`
+      );
+    }
+  });
+  pkcs11ModuleDB.addModule(moduleName, libraryFile.path, 0, 0);
+}
+
+/**
+ * @param {string} data
+ * @returns {string}
+ */
+function hexify(data) {
+  // |slice(-2)| chomps off the last two characters of a string.
+  // Therefore, if the Unicode value is < 0x10, we have a single-character hex
+  // string when we want one that's two characters, and unconditionally
+  // prepending a "0" solves the problem.
+  return Array.from(data, (c, i) =>
+    ("0" + data.charCodeAt(i).toString(16)).slice(-2)
+  ).join("");
+}
+
+/**
+ * @param {string[]} lines
+ *        Lines to write. Each line automatically has "\n" appended to it when
+ *        being written.
+ * @param {nsIFileOutputStream} outputStream
+ */
+function writeLinesAndClose(lines, outputStream) {
+  for (let line of lines) {
+    line += "\n";
+    outputStream.write(line, line.length);
+  }
+  outputStream.close();
+}
+
+/**
+ * @param {string} moduleName
+ *        The name of the module that should not be loaded.
+ * @param {string} libraryName
+ *        A unique substring of name of the dynamic library file of the module
+ *        that should not be loaded.
+ */
+function checkPKCS11ModuleNotPresent(moduleName, libraryName) {
+  let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+    Ci.nsIPKCS11ModuleDB
+  );
+  let modules = moduleDB.listModules();
+  ok(
+    modules.hasMoreElements(),
+    "One or more modules should be present with test module not present"
+  );
+  for (let module of modules) {
+    notEqual(
+      module.name,
+      moduleName,
+      `Non-test module name shouldn't equal '${moduleName}'`
+    );
+    ok(
+      !(module.libName && module.libName.includes(libraryName)),
+      `Non-test module lib name should not include '${libraryName}'`
+    );
+  }
+}
+
+/**
+ * Checks that the test module exists in the module list.
+ * Also checks various attributes of the test module for correctness.
+ *
+ * @param {string} moduleName
+ *                 The name of the module that should be present.
+ * @param {string} libraryName
+ *                 A unique substring of the name of the dynamic library file
+ *                 of the module that should be loaded.
+ * @returns {nsIPKCS11Module}
+ *          The test module.
+ */
+function checkPKCS11ModuleExists(moduleName, libraryName) {
+  let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+    Ci.nsIPKCS11ModuleDB
+  );
+  let modules = moduleDB.listModules();
+  ok(
+    modules.hasMoreElements(),
+    "One or more modules should be present with test module present"
+  );
+  let testModule = null;
+  for (let module of modules) {
+    if (module.name == moduleName) {
+      testModule = module;
+      break;
+    }
+  }
+  notEqual(testModule, null, "Test module should have been found");
+  notEqual(testModule.libName, null, "Test module lib name should not be null");
+  ok(
+    testModule.libName.includes(ctypes.libraryName(libraryName)),
+    `Test module lib name should include lib name of '${libraryName}'`
+  );
+
+  return testModule;
+}
+
+// Given an nsIX509Cert, return the bytes of its subject DN (as a JS string) and
+// the sha-256 hash of its subject public key info, base64-encoded.
+function getSubjectAndSPKIHash(nsCert) {
+  let certBytes = nsCert.getRawDER();
+  let cert = new X509.Certificate();
+  cert.parse(certBytes);
+  let subject = cert.tbsCertificate.subject._der._bytes;
+  let subjectString = arrayToString(subject);
+  let spkiHashString = nsCert.sha256SubjectPublicKeyInfoDigest;
+  return { subjectString, spkiHashString };
+}
+
+function run_certutil_on_directory(directory, args, expectSuccess = true) {
+  let greBinDir = Services.dirsvc.get("GreBinD", Ci.nsIFile);
+  Services.env.set("DYLD_LIBRARY_PATH", greBinDir.path);
+  // TODO(bug 1107794): Android libraries are in /data/local/xpcb, but "GreBinD"
+  // does not return this path on Android, so hard code it here.
+  Services.env.set("LD_LIBRARY_PATH", greBinDir.path + ":/data/local/xpcb");
+  let certutilBin = _getBinaryUtil("certutil");
+  let process = Cc["@mozilla.org/process/util;1"].createInstance(Ci.nsIProcess);
+  process.init(certutilBin);
+  args.push("-d");
+  args.push(`sql:${directory}`);
+  process.run(true, args, args.length);
+  if (expectSuccess) {
+    Assert.equal(process.exitValue, 0, "certutil should succeed");
+  }
+}
diff --git a/security/manager/ssl/tests/unit/moz.build b/security/manager/ssl/tests/unit/moz.build
new file mode 100644
index 0000000000..561502dd51
--- /dev/null
+++ b/security/manager/ssl/tests/unit/moz.build
@@ -0,0 +1,10 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+DIRS += ["tlsserver", "test_signed_apps"]
+
+if not CONFIG["MOZ_NO_SMART_CARDS"]:
+    DIRS += ["pkcs11testmodule"]
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem
new file mode 100644
index 0000000000..354741fc50
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRTCCAi2gAwIBAgIUAywOkzxiH/uWcwxb85Yy3OI46WgwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAvMS0wKwYDVQQDDCRUZXN0IEludGVybWVkaWF0ZSB1c2VkIGFz
+IEVuZC1FbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjcjBwMAwGA1UdEwQFMAMBAf8wMgYIKwYBBQUHAQEE
+JjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMCwGA1UdEQQl
+MCOCIWNhLXVzZWQtYXMtZW5kLWVudGl0eS5leGFtcGxlLmNvbTANBgkqhkiG9w0B
+AQsFAAOCAQEAN+g9N3uhls8y70fGORVEyYVjBmMCFeQz3DQw3u1J7+aHe6efygSP
+OKPXW3SbHSxlPFIsicVSHO3sso3zUGoedMw0KSyni4tR4yQ9jllrqijVCWorqRbU
+tlseF5hfw7DsKcl6jGA5UN0Aiq9SwKArdkRL+0Ykk0a/rxMEiOjf/Ao3ImfJnsCa
+frDKqziMWOmQtxrVTabpgRqCd1gtTg4cCsy7Yto8v4Gn1N/EL8FAXGWOieWDQ2Iv
+UFd9p0eTReBbRNC/QuZa7nEEAh4JO+JCAW4rHI6+beSPCT+lFQbF8sAJYSMGf0lb
+LAwyUGAPPLRx+SweIClb4EO+iVAFuR0Tug==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem.certspec
new file mode 100644
index 0000000000..8e16705b50
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate used as End-Entity
+extension:basicConstraints:cA,
+extension:authorityInformationAccess:http://localhost:8888/
+extension:subjectAlternativeName:ca-used-as-end-entity.example.com
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key.keyspec b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem
new file mode 100644
index 0000000000..5dc7cf4ef8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDiTCCAnGgAwIBAgIUOYwND1zpte36abEsvdvudfnxjHgwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow
+gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp
+bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu
+ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs
+ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBr5H7lb24bMQYGDFY5qeMDNcti
+AI4rI7Nu0aMvZtDcxqHkIg/a7nr7WeQc3gCg8mUJ6xvreXxRswrudZzjjsGiTbym
+qjEz7HYrbvdWh5bLtdL7aoP1KmFD722guwdXVYQ7tx65oHroH+UCU28VT/+WzsHc
+5OjBqZvR928aWEXwIen9lhdk/5Rq2IrFqCTuUrNR5aiP6gJZoy4nIh3IFIxqWzsm
+lOjqvzSQIuo+gLN7oduafrwetpp8ywSrDVTtp9yckIHuW8css+OZLfqbFPMSFRJo
+Qee+FhxaGgDoRGk8oVGYyTJYUPIReZa5dtNPKs1JQvdqhIeUwA3GnJBTFCan
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem.certspec
new file mode 100644
index 0000000000..554339ff52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test End-entity
+extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem
new file mode 100644
index 0000000000..f4fdae14e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4zCCAcugAwIBAgIUKXbCwsfJrBWAUYFNDXaeg/nfIPswDQYJKoZIhvcNAQEF
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAoMSYwJAYDVQQDDB1UZXN0IFNIQTEgRGVsZWdhdGVkIFJlc3Bv
+bmRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpn
+kfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJE
+xYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG
+680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYl
+R5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbx
+h83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkd
+cSFo07sCAwEAAaMXMBUwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcNAQEF
+BQADggEBAJuSur2pt9LuJ+4USQAyLvqDma1oSdkBaXbB/fjkCF/grTsJRZ4ibOaW
+QN06nCHoqhML1Ygdief7unpXtIj9XQS2r7PT08tT3Dxr+2vJdJ4WQV6bb/hAorSp
+K3ow3irQVUmcRFq6ef0SJuluddll4jlxfc0gfd7SLQSFF5QwXEwAeXs3iy0W51Kr
+F47M/VMoTCFSa18x5omLBFx8SyGi4Ufmd+Pk2UW5vTP1S9RydAmZlzNT+v0IaRWD
+SQikynGTO1HA0ev8+RRmjtpZH7S8yJgbbF2BQ0FvDRMvhetn+Au+wn/WAsAf5vBF
+5/QwEp6OjNkmPPqOOyuQwMPrBhetPFM=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem.certspec
new file mode 100644
index 0000000000..bdf3e2ee4d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test SHA1 Delegated Responder
+subjectKey:alternate
+signature:sha1WithRSAEncryption
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem
new file mode 100644
index 0000000000..5be9b76540
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3jCCAcagAwIBAgIUAewwnrqZ1D+uII39v6YmAKyJvBkwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAjMSEwHwYDVQQDDBhUZXN0IERlbGVnYXRlZCBSZXNwb25kZXIw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBdcZSZgmfdwgqZ5HxuHbD
+f1zlOLBsSs0iscvUb6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBICRMWEpMRI
+MwXlE4wBBs8IvpqGJ2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzHBuvNMHDs
+mMzkCqWR1ylaf3HFvmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZmJUeX7UJp
+CIgIEUIgaZiKQ/7kjOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW8YfN1U6D
+KzW4kw90upCqi8dhZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4ZHXEhaNO7
+AgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IB
+AQBXSzxBevwLvKO1eCAbuJrNNXXY4Z816s/+Hlf8Ike2M5Zx9XuGmMRjimDksuip
+Jq/iWpwPOAWtQSzdyHYtQT8eY9KAGxzdZL78P+VTLhQVOVdTxoPd/W3yBoHofnNF
+xmJy2MS/3aRO8s8fIh3B/RwXrh18nFVc9zSwwHOjGeu3r3cbdgr2TuabDaxB7EFu
+e2P6NEiAhbK3GzXrxx2P3SoAf08AznoU1ByQ2FxM9xLdSvvM0zLilDuMu1E/VPcB
+7Qf7yLjlYJ/zj1rXGlJeNpDxUJS1hHUmv3csLPiYVPBIgDlnMPbZbEgZMByCLKvr
+EYnk3LpYcUin64yag3fy8ND5
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem.certspec
new file mode 100644
index 0000000000..19971eeb4d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test Delegated Responder
+subjectKey:alternate
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem
new file mode 100644
index 0000000000..82e866fb1d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAjCCAeqgAwIBAgIUTdVj/pzuxlxEfL7vEQpILaExEJowDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowPTE7MDkGA1UEAwwyVGVzdCBJbnZhbGlkIERl
+bGVnYXRlZCBSZXNwb25kZXIgRnJvbSBJbnRlcm1lZGlhdGUwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDBdcZSZgmfdwgqZ5HxuHbDf1zlOLBsSs0iscvU
+b6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBICRMWEpMRIMwXlE4wBBs8IvpqG
+J2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzHBuvNMHDsmMzkCqWR1ylaf3HF
+vmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZmJUeX7UJpCIgIEUIgaZiKQ/7k
+jOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW8YfN1U6DKzW4kw90upCqi8dh
+ZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4ZHXEhaNO7AgMBAAGjFzAVMBMG
+A1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IBAQBsAeKHkIwoG0QZ
+yLFd+txRTVP7Qetuipuvlk+n1/L1Nf1oGKrW66aJXgtdIerHnvLsODNqHHyhCY8e
+2wI9sMcWQXMi+ceFZc8iqp+qE0GmDs9XLh26tW1GMLWb/BjEzHD+sOGaKNT61fhY
+Y9FD19LU4P3ORbafT97TfkjGH+YublvdGVOtvRETnSrPfJgGeMYACVMFLaFFxzsg
+JX2AH4zUIa4usme2gCOTgs7SjHXCOV/tAmoG672kvsaFswpd+CJUYf84CAqm3gvh
+YWFoBO19lK40Je/eUYU3WvAUTKsnRh2xY29r7Pp91aspZFgTdGRttUl0s7WfutTc
+HQlKG3tJ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem.certspec
new file mode 100644
index 0000000000..be0d3e9e5f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test Intermediate
+subject:Test Invalid Delegated Responder From Intermediate
+subjectKey:alternate
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem
new file mode 100644
index 0000000000..c0356e01ec
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8jCCAdqgAwIBAgIUMy0wGcubgpwZ35tXDgLmzbETHSEwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjA/MT0wOwYDVQQDDDRUZXN0IEludmFsaWQgRGVsZWdhdGVkIFJl
+c3BvbmRlciBrZXlVc2FnZSBjcmxTaWduaW5nMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2w39c5TiwbErNIrHL1G+mWtoq3UHI
+wkmKxKOzwfYUh/QbaYlBvYClHDwSAkTFhKTESDMF5ROMAQbPCL6ahidguuai6PNv
+I8XZgxO53683g0XazlHU1tzSpss8xwbrzTBw7JjM5AqlkdcpWn9xxb5maR0rLf7I
+SURZC8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1CaQiICBFCIGmYikP+5Izmh4HdIram
+nNKDdRMfkysSjOKG+n0lHAYq0n7wFvGHzdVOgys1uJMPdLqQqovHYWckKrH9bWIU
+DRjEwLjGj8N0hFcyStfehuZVLx0eGR1xIWjTuwIDAQABow8wDTALBgNVHQ8EBAMC
+AQIwDQYJKoZIhvcNAQELBQADggEBAA3bDvQitwX8KjvlT11SuggsrbQvwWN4QMFr
+Rqre+0XQexGsVPxBbo44T71AYSYOQHIaOje5yETj23Uw6aiH8eNYdt61mspkRQ68
+v6laay/+txJZFqByGpbK24saFVThj21WIVc9s7HCvVpeSoYWidfWtLIKlmsQ8qLi
+XzBRqsbaRtfxDRrAW2WmmUfX34gL19ztHKOa84hnFyTahMIPFt9XVixWa1Tdg8Ny
+bGGb8SpPNPXuDoBbnHRvlEWjANs5qKPzH2X3HzEkfQIG0o3+WwgXqZ+wzdruO+SP
+LYcNF2gBvXBTfxN25r3G8DfHuaaPxfDLpc0E6+yWQzvIIsFSVqY=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem.certspec
new file mode 100644
index 0000000000..2833ed9b52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test Invalid Delegated Responder keyUsage crlSigning
+subjectKey:alternate
+extension:keyUsage:cRLSign
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem
new file mode 100644
index 0000000000..197aac8ba1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3DCCAcSgAwIBAgIUR5DeATqHByZLzUBs0J6D5tz7veEwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjA6MTgwNgYDVQQDDC9UZXN0IEludmFsaWQgRGVsZWdhdGVkIFJl
+c3BvbmRlciBObyBleHRLZXlVc2FnZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJisSj
+s8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF2YMT
+ud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElEWQvF
+o+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzSg3UT
+H5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0YxMC4
+xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
+XrKScU1DSiU4Wyk+16PPc8LW3nboaHG+GYOY615veGXsKwVx7OV3aaOvscU57Qng
+2HFPJl8J7wX18aYqAwkIcE5yVtlzygGhVQoEZLo5VsTuJI5BNJ2hY0OgOI2J2yHR
+IGgUp3ypjYxl3QvGKJ41l8lCtZbsvm5tc5uyek0hLqi1SNbMBqPMLlUj5jDYVfmw
+CnqI4fGJ/Abhmv5RF9AfQTGSUNcHuHVmOkbJjRLXymdf2ugmxaDc/ub5TzecW0Bk
+QM5tkGp8gylULaBG1arfGYiiBsHyB5g8aXkbPCF3JpdLw77KEaaecAodLADpolFl
+ivwFQr1BpNeNOTML58CAbg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem.certspec
new file mode 100644
index 0000000000..92444c94ad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test CA
+subject:Test Invalid Delegated Responder No extKeyUsage
+subjectKey:alternate
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem
new file mode 100644
index 0000000000..0aeb81e4f7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+DCCAeCgAwIBAgIUTYsUyQ3d/zW8mtQDOm0FSHaNj9owDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjA9MTswOQYDVQQDDDJUZXN0IEludmFsaWQgRGVsZWdhdGVkIFJl
+c3BvbmRlciBXcm9uZyBleHRLZXlVc2FnZTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJ
+isSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF
+2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElE
+WQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzS
+g3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0Y
+xMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMXMBUwEwYDVR0lBAwwCgYI
+KwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEBAHpiUjR7ajUbQR7xFFMgOQ07scjM
+nPo7lDUwtnbM7jFVtEAuSCeSkifDj4/ProqoQSU5fcLfKDScTbD1boxspjnoJXtQ
+tHMwzQB+bldObBAgmolWGqPbTBAhCMajlOZrXBVMVZPRefP8+1OqnNLp9ZZMUyNk
+thRWcRXaGbhJliVaynxxtNE4PBW7PxKgQ/apmXFyuqRPSJZ1E0VOX6z0VgXPdMX9
+BguPjLQP6k3LGZBWKdyHM6PgGcMmplvaE/96KeFat4fZ+75VstEuym1JffQe3iQ6
+uYyilCfdEAKyF87AlmB0EejnxyDNYXLR8QtAoCtdPJptUfbbESKPPnl8H/0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem.certspec
new file mode 100644
index 0000000000..bc704fbd41
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test Invalid Delegated Responder Wrong extKeyUsage
+subjectKey:alternate
+extension:extKeyUsage:codeSigning
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem
new file mode 100644
index 0000000000..4ff3d7f896
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJDCCAgygAwIBAgIUP/7EjIlvsUJM2IjufQuGIZ0rkqUwDQYJKoZIhvcNAQEL
+BQAwNzE1MDMGA1UEAwwsVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdWx0aXBsZSBU
+TFMgRmVhdHVyZXMwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFow
+LDEqMCgGA1UEAwwhTXVsdGkgVExTIEZlYXR1cmUgVGVzdCBFbmQtRW50aXR5MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08
+E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc
+1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP
+DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ
+gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV
+YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID
+AQABoy8wLTAYBgNVHREEETAPgg0qLmV4YW1wbGUuY29tMBEGCCsGAQUFBwEYBAUw
+AwIBBTANBgkqhkiG9w0BAQsFAAOCAQEAt0ShK8cvzeMbCn9QkZMRzjYIWGXDSOr8
+05nKaKmumAGSp3ZYmVa3ux1TkVSJZ2TQuxiomUdv7tQabswMI8tW33QwjUsNv8zD
+/6+3PyLyFJKsStn3wYxoL/3DAimkxGwBoruS1UD89oZrkkFJCk0RQ5cJPh32mgvh
+p9vAB85TC1xRdr/VPkDoTFj1wIZrzwkcx9ReG1engf7fluaKy/duXP4WDDmiGP93
+ulBYr8HbvhAXbnaVSo4FcIe22lIqUoizzL3yoFLLqmu2IaQm9Oxt/+6rcLsOBTwD
+lQtXGg3nayKap5GPXEkhN7PRAqQ5HwKMsdlQ9MEjDvjzvci0pJ2JAg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem.certspec
new file mode 100644
index 0000000000..3fa2793b30
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test Intermediate With Multiple TLS Features
+subject:Multi TLS Feature Test End-Entity
+extension:subjectAlternativeName:*.example.com
+extension:TLSFeature:OCSPMustStaple
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem
new file mode 100644
index 0000000000..470d99a725
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJzCCAg+gAwIBAgIUXSCXXXLmmsba5ku37x7zJJ4isEEwDQYJKoZIhvcNAQEL
+BQAwNzE1MDMGA1UEAwwsVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdWx0aXBsZSBU
+TFMgRmVhdHVyZXMwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFow
+LDEqMCgGA1UEAwwhTXVsdGkgVExTIEZlYXR1cmUgVGVzdCBFbmQtRW50aXR5MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08
+E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc
+1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP
+DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ
+gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV
+YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID
+AQABozIwMDAYBgNVHREEETAPgg0qLmV4YW1wbGUuY29tMBQGCCsGAQUFBwEYBAgw
+BgIBBQIBBjANBgkqhkiG9w0BAQsFAAOCAQEAo5Z4o5AYQSGGGaTVTlbbthu9zFwg
+Zvf9kqcEnq1HjAfs0zaOwX1M4VMbrzzfyiqqKVxTOmtwcW2yKVPE1ik3CKH8BVCj
+o3VwRTrPMkBqBGjrOg15NTSwbNxknYB7HyokfNdH4ANQnCs0DYDZVBAt157rIG3K
+oMYyK3aSlEDG2+GIX/fhDBXmkII2b8t7QS9ZT2lwzLxNXz+bKJ+HpAKYcgs7vMGt
+ykZSsRuPEfq/5WnbKpjIc6E2/l1kkpFsR54582kjYPjSA1Y579IoYgbPsk5VHhSV
+7Qg8SJopYa2yo69dFevXsDU2Tv2n4HcX0Cl3c6yermBS6wQUoN4Ek88IuQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem.certspec
new file mode 100644
index 0000000000..7a8dd223d0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test Intermediate With Multiple TLS Features
+subject:Multi TLS Feature Test End-Entity
+extension:subjectAlternativeName:*.example.com
+extension:TLSFeature:OCSPMustStaple,6
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem
new file mode 100644
index 0000000000..353301df55
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCDCCAfCgAwIBAgIUExI7fUz3GmcjMScLiiOCQIkXurQwDQYJKoZIhvcNAQEL
+BQAwLTErMCkGA1UEAwwiVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdXN0LVN0YXBs
+ZTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAaMRgwFgYDVQQD
+DA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a
+hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t
+FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o
+N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d
+JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4
+s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjLzAtMBgGA1UdEQQRMA+CDSouZXhhbXBs
+ZS5jb20wEQYIKwYBBQUHARgEBTADAgEFMA0GCSqGSIb3DQEBCwUAA4IBAQAZLyDW
+Mx2MhSfaOkL1LUymUrWbyB97LRlg/6gj/V9KX0+lu1uKGCpAVkie70JY1kCmDZGY
+PraE+08mqS2dakJAG8fF3G39nHBKOIHV6pgC1oFwdIQNji6Gfng+bW7wY2V/CvpF
+kxvDti4zNqxWFeulyqVY+9HElVqUHaU6cwU3Jyp6F1JY9IXKmp/Qn9/qpc/jVYtg
+hIzXC0ek4Idoun/g0xyPdvGSqV1xOqNQLln6VrDGVgTHY8MvhERdpobaGeCjcIr4
+dHy2QRXOZ9teBu99hjrUs5orw0cU3VrYqquZmkT5hlHzB88uCzCL9yanRiRu7sT6
+AT1rIoY65dulzXxu
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem.certspec
new file mode 100644
index 0000000000..352a60675d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test Intermediate With Must-Staple
+subject:Test End-entity
+extension:subjectAlternativeName:*.example.com
+extension:TLSFeature:OCSPMustStaple
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem
new file mode 100644
index 0000000000..9ef0a6cd32
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDITCCAgmgAwIBAgIUQTtN9ShJt1pBjl2mkQLi2h6ZarAwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjYzBh
+MBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wEQYIKwYBBQUHARgEBTADAgEFMDIG
+CCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4
+LzANBgkqhkiG9w0BAQsFAAOCAQEAOGWQ8cQnxcL3TyI+iGwT1QaoQKWZ73wNAfKM
+5jOslqRAWYXa5wvSWs4U5EnNhL5BxTGQJodJX9nSTwLnG3UnFAORu/zong8A31tj
+mEuKfsOr2AyLcldaIPGhSSbHkIh3lTOmsGavpBKCiOgTdZDJ0m9XmIWZQquPAUU5
+YrYpdYmE3uyduhz3yRJPpbMGjqUVBJ2JxNlJZKBe6rOksfbDqZOnAeFCDwMPmu5u
+qKGU1ZdPftOd9kUjgDUL8VdfyJYQTalsCEOnwbfeeXVj3uQM+K7GKkIXpM65odyN
+A2ixTwF+4F+O0Ud5gbsv6SRL2NuQ9QS8AWck5sFgNeXCp7lpxQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem.certspec
new file mode 100644
index 0000000000..43edfff0d9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test End-entity
+extension:subjectAlternativeName:*.example.com
+extension:TLSFeature:OCSPMustStaple
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem
new file mode 100644
index 0000000000..5224806264
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9TCCAd2gAwIBAgIUBTqttZK9tUuSoydawQZiIsRJzMgwDQYJKoZIhvcNAQEL
+BQAwLTErMCkGA1UEAwwiVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdXN0LVN0YXBs
+ZTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAaMRgwFgYDVQQD
+DA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a
+hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t
+FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o
+N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d
+JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4
+s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHDAaMBgGA1UdEQQRMA+CDSouZXhhbXBs
+ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAGSfCLtcdh40aAmR7FuDlsEFNB6WCFiA
+KZqgmPKAgwUxz06fzjRD6WKaUIu9EWc2EWOm33mT0ZxDCKveNH7PWaWncqiD+39e
+ufBp/9wchIYRL20RnCjSyWgoY0q2GQcpce4VkKEMsvqVX9PawPHDtDtN83j26Bpt
+ss+WaxmMPMr10M2mXiA4p7YxtyvMUC7mM0uz4oLMVy0zr6u+aYES24wFbMHtDSuv
+luxEdukhgft60ZWRQ87WlLBXthPbF51DOQuMdJkaT9xgWXOQYAHSe9B9mJuHHgne
+ldtJmEHhMY56HZnq5lCfH88HLQ3hjdkvW2C/s/cUTzmOg9K2v9dxehs=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem.certspec
new file mode 100644
index 0000000000..8e4a6ac0c5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test Intermediate With Must-Staple
+subject:Test End-entity
+extension:subjectAlternativeName:*.example.com
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem
new file mode 100644
index 0000000000..eeba74d122
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUa3IIjkCGtQbW1mfI5/tlV15JkwYwDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowLDEqMCgGA1UEAwwhVGVzdCBFbmQtZW50aXR5
+IHdpdGggSW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu
+Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO
+7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf
+qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt
+HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx
+uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1swWTAjBgNVHREEHDAagglsb2NhbGhv
+c3SCDSouZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZo
+dHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBQdbi6gS1G
+Dcd5PlWuNRCK9xO4hKNZWsLVtjomtwkGJ2rLlQzdjyOAOMMLBPAHwXr4/sL4XMfz
+g4yw99gpcHViVXr1LZ/ARsatRU2EiGm9At3c2BeES9dxuY7E8TNOyh/JzD4aeBHB
+IHji5+BfqWBNtX9KiuzKI1/rk9jNkqX43vlH+g0NDgRR+qzFZ7d+4cI9RCAjIn+l
+tDq+SXHeE6qNVhgPVrusCJ2BCUYdTurQJlN6SexScXADVduOH/A6Wgn6wqBk590B
+Pyo2uwGOQqPUdmZjuOZT3uEP3S/HZvU1CWhTolTngRU6hYYRUs/bOfa07YvnWfN+
+/pXB66XSWvAu
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem.certspec
new file mode 100644
index 0000000000..ae3a51565a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test Intermediate
+subject:Test End-entity with Intermediate
+extension:subjectAlternativeName:localhost,*.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem
new file mode 100644
index 0000000000..ecba24b47e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFDCCAfygAwIBAgIUZfBhvLmi3hqAmDxDC+6crWnZTTYwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAVMRMwEQYDVQQDDApPdGhlciBDZXJ0MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1swWTAjBgNV
+HREEHDAagglsb2NhbGhvc3SCDSouZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAk
+MCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEB
+CwUAA4IBAQCLXvngvubhkgVriBewAl1S6mx6VygmmNBglPAXKZMn9z46bmdFmoAZ
+oz6yV3/w0xO07EauQwZCdZesVpkLZYDmIgJdJT0qhXoke6hhBb05Lv9ybqPsNyWA
+1ezX8ZevXX19GOBZCuasCQhLrzn838OIfD9VPPHYhPEjjbuHDzK9vCkJXdRtb8QL
+jJxRQ2zrhyQAW83JdGhKKcERU+lcrwohKxEGnIMbjeaHkBhHAQqeQ/ZXS1ZXQREf
+sU9w5OMAkmcHPbjQqsrBfW4JBZE17oan+dkDlLDD7tpKwDVtnTgcU4bn9l2Tkn8M
+FE8s5Z7aVz2HVz5OeEkSs2tMubzFn8LO
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem.certspec
new file mode 100644
index 0000000000..5756f6ab5f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Other Cert
+extension:subjectAlternativeName:localhost,*.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key
new file mode 100644
index 0000000000..abde350c28
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBdcZSZgmfdwgq
+Z5HxuHbDf1zlOLBsSs0iscvUb6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBIC
+RMWEpMRIMwXlE4wBBs8IvpqGJ2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzH
+BuvNMHDsmMzkCqWR1ylaf3HFvmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZm
+JUeX7UJpCIgIEUIgaZiKQ/7kjOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW
+8YfN1U6DKzW4kw90upCqi8dhZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4Z
+HXEhaNO7AgMBAAECggEAfj9tfLg572auXX3ZL/VBC7NB3BRyjTkDRXDho3B5DzDw
+aBNV//QeKtTpqdn86/vRJ736uMAK/7Hzzqcyfq1HqhYh8qwe4UygLwSzsnhgF5gL
+GBpEnQOwPmnRErg1ceVUNPASBWV10oMu1nMdznmeN8g/bVHFWrcetYAVrwXhrxXH
+R2A+9/J9A6b/BJ2Wu/hUweTlDvWwWND7CBgOCsf3vo8v8Wc9l/yeVduoOAd7v4p8
+/ylihXeFJpzZ1brStXRp5K/NM8TKLS9pnxHnyPvc1ITwjY77ijy4qXLrJL7Zcu+q
+5LtxIJPkj+lKRutimodQeMQCGposk8mnA5Dp0KVEAQKBgQDmP8clprp2klp/+MtZ
+xPVt1+yD/oW/H1PhHKyagSWLz8CugZB3sPLRR3qvho3mqOy+r3uyKxlvKprYLTKG
+8NDMKd5xnl8r6OUJtyhNWWPt02L5J4h6TEqJeZ00DVGzAax2AasnF5Ak/KrdOL9l
+Iq9j6xZGHsAqfyewb+Cd3afAoQKBgQDXGLH+n4+Z8A6DKuH73G/iqyfzTgScSYAQ
++g63CEhSGCNGCDtclsPu5VksAUpBDGuTCxZcE7XCaqMurG58klqFUcJRNPL0pyxk
+IfGacxSKDt+rpdOmiIs1y6GMAP047lqvC1RXMdcgdhu8ze50SlLKQV6Y5N4Bzf52
+TBlns+jK2wKBgAHlrKJmyUqI0i4TwrkuokcRbGV6B2gXvf0w20s6nTCVuaS2dJZH
+4vhOenhPx4OLCMhZcc96A2+jDjuRw8TQ3yePgMG26FnYRWrbE33vqp8fCsW6yakY
+T9TqJ51yLqYm8WDXiq17yDhFzLKd8RXIP2G3YiuZvUOcYJtXkKY8WVGBAoGBAIDM
+RdENJITuDRKX/Ae/gLO+/0Yeon4fOPNxeJw69mtKDt0hksIneR208cd64ka/NC8x
+hWsPVlgbWKlbETHAxTltsqjDxvOeouM2vCBa5qKgs2hp/KmMu6czzwExmm+bsmt8
+oj0wF/xVHNjaiv3Rf2+i4w00hoeYHNYjTVcekLffAoGAb3fAwfKuesFpVhzKSZxS
+vfvgTN3M29wSrsWoVpHoWUt+4pkI8w57lqpiVLgO1K7sm5k3gr38ebadjVjGiHD6
+S+G8DDUnKIxcgrtK668V7f8RBAP8eOas5qgoJ79C8M+nUeUHZRxWONuTk90j3R9r
+KVFR3kS3f+Vaew3yceGaZcA=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key.keyspec b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key.keyspec
new file mode 100644
index 0000000000..cbd5f309c0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key.keyspec
@@ -0,0 +1 @@
+alternate
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem
new file mode 100644
index 0000000000..a2e264030a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIURym6o+VN9xgZXT/QLrvN/nv1ZN4wDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoY
+DzIwMjUwMTAxMDAwMDAwWjAYMRYwFAYDVQQDDA1PdGhlciB0ZXN0IENBMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2w39c5Tiw
+bErNIrHL1G+mWtoq3UHIwkmKxKOzwfYUh/QbaYlBvYClHDwSAkTFhKTESDMF5ROM
+AQbPCL6ahidguuai6PNvI8XZgxO53683g0XazlHU1tzSpss8xwbrzTBw7JjM5Aql
+kdcpWn9xxb5maR0rLf7ISURZC8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1CaQiICBFC
+IGmYikP+5Izmh4HdIramnNKDdRMfkysSjOKG+n0lHAYq0n7wFvGHzdVOgys1uJMP
+dLqQqovHYWckKrH9bWIUDRjEwLjGj8N0hFcyStfehuZVLx0eGR1xIWjTuwIDAQAB
+ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC
+AQEAtXplrvls6HSbbibpzfGxOPmSuh2TH05bE4vQk+d7Kz6EOAFvgTiZbLwTxbrQ
+gfrM05t+67C2nAeiwAtW34nUnu6S8MYA6mJjURWICbl7cAvCHuNjg1atVr6f1Y+9
+VFFG6aUibw3bzKneREmDEVcxlEWUaMvv/JjfyMA5veSyX6iTJYkIBrEiVV5Alzg5
+yVHBi6+tpuJDO/YLlG8kmfzkYeJkTyAGx1EJ2yQHim7R232638yb0KrhS4zKsfFU
+egHhM4c+MpiCLc9q2EgblbYGx5GM+2leuzXunj1KPClHFrnmkRRm3rcESG2pK9RN
+/48Nd38VNofRojEbzDSCdOFmow==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem.certspec
new file mode 100644
index 0000000000..3bc975aa22
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem.certspec
@@ -0,0 +1,7 @@
+issuer:Other test CA
+subject:Other test CA
+issuerKey:alternate
+subjectKey:alternate
+validity:20150101-20250101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key
new file mode 100644
index 0000000000..d43495f851
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICcAIBADANBgkqhkiG9w0BAQEFAASCAlowggJWAgEAAoGAANKbsS+4T93NKbOl
+GctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJaj7SBxZVNKqZ
+BX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyvbXvmnZoIMTbh
+WvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAQJ/PEllBwvzkMJR1aLFJ3xbX9C97oXK
+1/4rJ5grsoURSlBwBANq4c+K5Usl5Ns5IVq9fpA/YYwtiy8IzGzRLbzNciBeSUW2
+s984nl5D3goUi7LITiQx/b5ZILBEuycvRez/ByG337YDl/xhOp6jXCIwBTDK6PkV
+nFNN878JEJUZAQJAD58XWXyFuAUbnGmvtV71dsmW29CQR9DM3ludYOpcZ/5PrGe+
+gD9LasWj8FD3a5ZvsU9c8QV2HlrebdlgsYO6VQJADXtjcRLOYaVRaMD5yThvsnmr
+QMug1Ukza7plJ3JjqseCYRosgdm2Nc94xAAYhZ4BjF6QBtEuPS7m80bnn6QzaQJA
+Cf1smj6m6RrjIHD5/BwhD/k1L5e+XR7rlRuzloHp3FtnKlMiIbPYkAyanZm50KTh
+AtxFDKG4ewsTid5lFsCuDQJAAUG4MkkbfdSoMwiSACTHnK5kvUR9+IO7TFZyqWur
+SLcSOzTyYyRFLNzrF/IeVw40fL4v1MLY+ZEOrCy22JW4yQJABFjdau4YyIsvm4Hx
+vDB1riDcH5lz0gck8gsGBD1hR8h4nUoHroi8gshDjIk+AXsTlH9i4LGJWKMetmSx
+nmTT4A==
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key.keyspec b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key.keyspec
new file mode 100644
index 0000000000..21ed73d60b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key.keyspec
@@ -0,0 +1 @@
+rsa1016
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem
new file mode 100644
index 0000000000..b454679f59
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICazCCAVOgAwIBAgIUeyDBOS9mtFv5N72V2YIHiWmPZdIwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjA1MTMwMQYDVQQDDCpSU0EgMTAxNiBLZXkgU2l6ZSBUZXN0IERl
+bGVnYXRlZCBSZXNwb25kZXIwgZ4wDQYJKoZIhvcNAQEBBQADgYwAMIGIAoGAANKb
+sS+4T93NKbOlGctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJ
+aj7SBxZVNKqZBX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyv
+bXvmnZoIMTbhWvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAaMXMBUwEwYDVR0lBAww
+CgYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggEBAINTMoS5aPwzfldv/8/emhhg
+PWe+KWFgeyO1el82X0EsrazazEKLk1dtARBDYWCL5BnksnLGpWYZgW4/yqf0CUq+
+MQSxid5YA1/wNhleZV4j2zz+ztdjDMzp2bltPBJjczdck5k9BHBcJcYJ/lnysW+b
+6w1ezHDbv2UfdCIch+W+W1NotJDR7DpZ6oXt9+q/sM7pmRPBaAsKWogXYbSPvPca
+fqSgYlgkk3QCm1I4wjlGX4O9mIGwKPkdqpCKyQFkiK2nS1RX2TBzx+iRJhVFUXRF
+OmVG+yNaEYHgD/SJWWmM6aN7sKSn4Ijr5IniPlhJkE2B+wSyikeEMBrRso8eoF0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem.certspec
new file mode 100644
index 0000000000..05f73368a8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:RSA 1016 Key Size Test Delegated Responder
+subjectKey:rsa1016
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem
new file mode 100644
index 0000000000..67e7ca56e8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUP5NBbozOXrtwcuQwu3pzUXbOl7owDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEABBSMkSBFq/bK
+LpntIx6QJdqPtmnjdjwTpCbQyKKfQjjrazCfru5SheZq7ACtQ0uWFokUOQhB+Xvv
+sqy9HqJhK4UN0zfNPjtkHOSbNefWXOseEzA6XxuaCzQXWOp1WNNPnfdtYZizy6hT
+fKuKjhniKLmIQD61KNl7Ev1hWUhWC7R8U+IFztXusYYFUUmqqaZ/v7lNfY1sHu4k
+zHQFp+xqeaXvkoRpTXhoSdwDQ7ldquwqMM0NIQXlhtcmg7IYwZBGlJgzoejN4k2H
+2WycvxPW70I10NeAAhtie1+K4JHwr6/SLLwCCnJDoRMMpMhM9/853Ye/4PTDGhuK
+fqhEoHH9Ig==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem.certspec
new file mode 100644
index 0000000000..5d2435d7bb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test CA
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem
new file mode 100644
index 0000000000..08249b863e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25iBPOkIMwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMjUw
+MTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
+SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
+K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
+bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
+JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMd
+MBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEB
+AILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC2BQF0kMEEB547p+Ms8zdJY00
+Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77TkfmnSnxvPi+0nlA+eM
+8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22+AIU7w6wyA
+IbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubjiMr3
+B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpyk
+rGFLvocT/kym6r8galxCJUo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem.certspec
new file mode 100644
index 0000000000..33b42c2f41
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate
+validity:20150101-20250101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem
new file mode 100644
index 0000000000..1dc63c35df
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDjCCAfagAwIBAgIURRwvssJseXcmi8J+DidsPsKTfhEwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjA3MTUwMwYDVQQDDCxUZXN0IEludGVybWVkaWF0ZSBXaXRoIE11
+bHRpcGxlIFRMUyBGZWF0dXJlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab
+bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts
+Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI
+H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8
+rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX
+Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMzMDEwDAYDVR0TBAUwAwEB/zALBgNV
+HQ8EBAMCAQYwFAYIKwYBBQUHARgECDAGAgEFAgEGMA0GCSqGSIb3DQEBCwUAA4IB
+AQARO+X9UxpurzrcJYzIVlqj5EB2i8Z3NFXat159KiOjX6AK58VtIAAWl8d+q1FU
+s40sJ7wFks7h2f/WW9/Yu51nrrtUPIwy/G/gFU09Y9k4eRKLaE+Mi7pIkmp1txvd
+DoZZ1tnxF48zer8jOWCQkuj3P0G0IGs2brHAapWoGlGvIec0jw864f6rj/5YCioi
+BAAy8uRJUmrIq5F2vxl5DjbOzTvNVuG59vTGzFYVMYOWG4QppJVL2rh7zv4jf0z1
+PQj1yFceL34Xghpq9ZlKI6QuQepJDYZlQTiHHAvBl+cIqr59qXiIL0BV/0f4I3+E
+Y7drz37LNNez8NejKWP0gArr
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem.certspec
new file mode 100644
index 0000000000..3f0e925aae
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate With Multiple TLS Features
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:TLSFeature:OCSPMustStaple,6
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem
new file mode 100644
index 0000000000..38f4fffd53
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDATCCAemgAwIBAgIUG5VJbCoDE3nEodUerxQAr2DeaFswDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAtMSswKQYDVQQDDCJUZXN0IEludGVybWVkaWF0ZSBXaXRoIE11
+c3QtU3RhcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABozAwLjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAR
+BggrBgEFBQcBGAQFMAMCAQUwDQYJKoZIhvcNAQELBQADggEBAAxbb8Gv/Uq2Hz87
+midUQPnDCNSoBdHrZQfKDe9thI3K+U6sRleKFXHr/c3ZMNYIDKAx0viokFzBnGzS
+sAdW+So5bFaL2TZWoW9dfxpKVk0bzesKYlovD+BCbSkIM+YLBSL47yGox2n1dgca
+b293XtdBglEZcMaDhSGLt846OdFG6UdIWvO/VYd8cW+Ozqey/Boq6ZFihQkGKhqv
+ifDOsvsCU1W75lhqz5kcdfB+iS7pwo9S5tXkguYlIKEQe71Wi6YXrux8D75o3Nbi
+xwdp0yyuaKl58iKb3WntO0IquEhQzwpSURXEP+NNE1TacfKwvTSyD95tfFosfp1F
+d6sL4wc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem.certspec
new file mode 100644
index 0000000000..7c29aa0ad1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate With Must-Staple
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:TLSFeature:OCSPMustStaple
diff --git a/security/manager/ssl/tests/unit/pkcs11testmodule/moz.build b/security/manager/ssl/tests/unit/pkcs11testmodule/moz.build
new file mode 100644
index 0000000000..0eef91b076
--- /dev/null
+++ b/security/manager/ssl/tests/unit/pkcs11testmodule/moz.build
@@ -0,0 +1,20 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+FINAL_TARGET = "_tests/xpcshell/security/manager/ssl/tests/unit/pkcs11testmodule"
+
+UNIFIED_SOURCES += [
+    "pkcs11testmodule.cpp",
+]
+
+SharedLibrary("pkcs11testmodule")
+
+# C_GetFunctionList needs to be exported. As it turns out, it's much easier to
+# just export all the symbols.
+NoVisibilityFlags()
+SYMBOLS_FILE = "pkcs11testmodule.symbols"
+
+NO_PGO = True
diff --git a/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.cpp b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.cpp
new file mode 100644
index 0000000000..74c5620eb2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.cpp
@@ -0,0 +1,597 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a testing PKCS #11 module that simulates a token being inserted and
+// removed from a slot every 50ms. This is achieved mainly in
+// Test_C_WaitForSlotEvent. If the application that loaded this module calls
+// C_WaitForSlotEvent, this module waits for 50ms and returns, having changed
+// its internal state to report that the token has either been inserted or
+// removed, as appropriate.
+// This module also provides an alternate token that is always present for tests
+// that don't want the cyclic behavior described above.
+
+#include <assert.h>
+#include <atomic>
+#include <string.h>
+
+#if defined(WIN32)
+#  include <windows.h>  // for Sleep
+#else
+#  include <unistd.h>  // for usleep
+#endif
+
+#include "pkcs11.h"
+
+CK_RV Test_C_Initialize(CK_VOID_PTR) { return CKR_OK; }
+
+CK_RV Test_C_Finalize(CK_VOID_PTR) { return CKR_OK; }
+
+static const CK_VERSION CryptokiVersion = {2, 2};
+static const CK_VERSION TestLibraryVersion = {0, 0};
+static const char TestLibraryDescription[] = "Test PKCS11 Library";
+static const char TestManufacturerID[] = "Test PKCS11 Manufacturer ID";
+
+/* The dest buffer is one in the CK_INFO or CK_TOKEN_INFO structs.
+ * Those buffers are padded with spaces. DestSize corresponds to the declared
+ * size for those buffers (e.g. 32 for `char foo[32]`).
+ * The src buffer is a string literal. SrcSize includes the string
+ * termination character (e.g. 4 for `const char foo[] = "foo"` */
+template <size_t DestSize, size_t SrcSize>
+void CopyString(unsigned char (&dest)[DestSize], const char (&src)[SrcSize]) {
+  static_assert(DestSize >= SrcSize - 1, "DestSize >= SrcSize - 1");
+  memcpy(dest, src, SrcSize - 1);
+  memset(dest + SrcSize - 1, ' ', DestSize - SrcSize + 1);
+}
+
+CK_RV Test_C_GetInfo(CK_INFO_PTR pInfo) {
+  if (!pInfo) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  pInfo->cryptokiVersion = CryptokiVersion;
+  CopyString(pInfo->manufacturerID, TestManufacturerID);
+  pInfo->flags = 0;  // must be 0
+  CopyString(pInfo->libraryDescription, TestLibraryDescription);
+  pInfo->libraryVersion = TestLibraryVersion;
+  return CKR_OK;
+}
+
+CK_RV Test_C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR) { return CKR_OK; }
+
+static int tokenPresent = 0;
+
+CK_RV Test_C_GetSlotList(CK_BBOOL limitToTokensPresent,
+                         CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) {
+  if (!pulCount) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  // We always return slot 2
+  CK_ULONG slotCount = 1;
+  if (!limitToTokensPresent) {
+    // If we want empty slots, we also return slots 1 and 3
+    slotCount += 2;
+  } else if (tokenPresent) {
+    // If we don't want empty slots, but token 1 is present, return that (but
+    // not slot 3)
+    slotCount++;
+  }
+
+  if (pSlotList) {
+    if (*pulCount < slotCount) {
+      return CKR_BUFFER_TOO_SMALL;
+    }
+    // apparently CK_SLOT_IDs are integers [1,N] because
+    // who likes counting from 0 all the time?
+    switch (slotCount) {
+      case 1:
+        pSlotList[0] = 2;
+        break;
+      case 2:
+        if (tokenPresent) {
+          pSlotList[0] = 1;
+          pSlotList[1] = 2;
+        } else {
+          pSlotList[0] = 2;
+          pSlotList[1] = 3;
+        }
+        break;
+      case 3:
+        pSlotList[0] = 1;
+        pSlotList[1] = 2;
+        pSlotList[2] = 3;
+        break;
+      default:
+        assert("Unexpected slot count in Test_C_GetSlotList" == NULL);
+        return CKR_GENERAL_ERROR;
+    }
+  }
+
+  *pulCount = slotCount;
+  return CKR_OK;
+}
+
+static const char TestSlotDescription[] = "Test PKCS11 Slot";
+static const char TestSlot2Description[] = "Test PKCS11 Slot 二";
+static const char TestSlot3Description[] = "Empty PKCS11 Slot";
+
+CK_RV Test_C_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
+  if (!pInfo) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  switch (slotID) {
+    case 1:
+      CopyString(pInfo->slotDescription, TestSlotDescription);
+      pInfo->flags =
+          (tokenPresent ? CKF_TOKEN_PRESENT : 0) | CKF_REMOVABLE_DEVICE;
+      break;
+    case 2:
+      CopyString(pInfo->slotDescription, TestSlot2Description);
+      pInfo->flags = CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE;
+      break;
+    case 3:
+      CopyString(pInfo->slotDescription, TestSlot3Description);
+      pInfo->flags = CKF_REMOVABLE_DEVICE;
+      break;
+    default:
+      return CKR_ARGUMENTS_BAD;
+  }
+
+  CopyString(pInfo->manufacturerID, TestManufacturerID);
+  pInfo->hardwareVersion = TestLibraryVersion;
+  pInfo->firmwareVersion = TestLibraryVersion;
+  return CKR_OK;
+}
+
+// Deliberately include énye to ensure we're handling encoding correctly.
+// The PKCS #11 base specification v2.20 specifies that strings be encoded
+// as UTF-8.
+static const char TestTokenLabel[] = "Test PKCS11 Tokeñ Label";
+static const char TestToken2Label[] = "Test PKCS11 Tokeñ 2 Label";
+static const char TestTokenModel[] = "Test Model";
+
+std::atomic<bool> sLoggedIn = false;
+
+CK_RV Test_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) {
+  if (!pInfo) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  switch (slotID) {
+    case 1:
+      CopyString(pInfo->label, TestTokenLabel);
+      break;
+    case 2:
+      CopyString(pInfo->label, TestToken2Label);
+      break;
+    default:
+      return CKR_ARGUMENTS_BAD;
+  }
+
+  CopyString(pInfo->manufacturerID, TestManufacturerID);
+  CopyString(pInfo->model, TestTokenModel);
+  memset(pInfo->serialNumber, 0, sizeof(pInfo->serialNumber));
+  pInfo->flags = CKF_TOKEN_INITIALIZED;
+  if (slotID == 2) {
+    pInfo->flags |= CKF_PROTECTED_AUTHENTICATION_PATH |
+                    CKF_USER_PIN_INITIALIZED | CKF_LOGIN_REQUIRED;
+  }
+  pInfo->ulMaxSessionCount = 1;
+  pInfo->ulSessionCount = 0;
+  pInfo->ulMaxRwSessionCount = 1;
+  pInfo->ulRwSessionCount = 0;
+  pInfo->ulMaxPinLen = 4;
+  pInfo->ulMinPinLen = 4;
+  pInfo->ulTotalPublicMemory = 1024;
+  pInfo->ulFreePublicMemory = 1024;
+  pInfo->ulTotalPrivateMemory = 1024;
+  pInfo->ulFreePrivateMemory = 1024;
+  pInfo->hardwareVersion = TestLibraryVersion;
+  pInfo->firmwareVersion = TestLibraryVersion;
+  memset(pInfo->utcTime, 0, sizeof(pInfo->utcTime));
+
+  return CKR_OK;
+}
+
+CK_RV Test_C_GetMechanismList(CK_SLOT_ID, CK_MECHANISM_TYPE_PTR,
+                              CK_ULONG_PTR pulCount) {
+  if (!pulCount) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  *pulCount = 0;
+  return CKR_OK;
+}
+
+CK_RV Test_C_GetMechanismInfo(CK_SLOT_ID, CK_MECHANISM_TYPE,
+                              CK_MECHANISM_INFO_PTR) {
+  return CKR_OK;
+}
+
+CK_RV Test_C_InitToken(CK_SLOT_ID, CK_UTF8CHAR_PTR, CK_ULONG, CK_UTF8CHAR_PTR) {
+  return CKR_OK;
+}
+
+CK_RV Test_C_InitPIN(CK_SESSION_HANDLE, CK_UTF8CHAR_PTR, CK_ULONG) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SetPIN(CK_SESSION_HANDLE, CK_UTF8CHAR_PTR, CK_ULONG,
+                    CK_UTF8CHAR_PTR, CK_ULONG) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS, CK_VOID_PTR, CK_NOTIFY,
+                         CK_SESSION_HANDLE_PTR phSession) {
+  switch (slotID) {
+    case 1:
+      *phSession = 1;
+      break;
+    case 2:
+      *phSession = 2;
+      break;
+    default:
+      return CKR_ARGUMENTS_BAD;
+  }
+
+  return CKR_OK;
+}
+
+CK_RV Test_C_CloseSession(CK_SESSION_HANDLE) { return CKR_OK; }
+
+CK_RV Test_C_CloseAllSessions(CK_SLOT_ID) { return CKR_OK; }
+
+CK_RV Test_C_GetSessionInfo(CK_SESSION_HANDLE hSession,
+                            CK_SESSION_INFO_PTR pInfo) {
+  if (!pInfo) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  switch (hSession) {
+    case 1:
+      pInfo->slotID = 1;
+      pInfo->state = CKS_RO_PUBLIC_SESSION;
+      break;
+    case 2:
+      pInfo->slotID = 2;
+      pInfo->state = sLoggedIn ? CKS_RO_USER_FUNCTIONS : CKS_RO_PUBLIC_SESSION;
+      break;
+    default:
+      return CKR_ARGUMENTS_BAD;
+  }
+
+  pInfo->flags = CKF_SERIAL_SESSION;
+
+  return CKR_OK;
+}
+
+CK_RV Test_C_GetOperationState(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SetOperationState(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+                               CK_OBJECT_HANDLE, CK_OBJECT_HANDLE) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_Login(CK_SESSION_HANDLE, CK_USER_TYPE, CK_UTF8CHAR_PTR, CK_ULONG) {
+  // Sleep for 3 seconds to simulate the user using a protected auth path.
+#ifdef WIN32
+  Sleep(3000);  // Sleep takes the duration argument as milliseconds
+#else
+  usleep(3000000);  // usleep takes the duration argument as microseconds
+#endif
+  sLoggedIn = true;
+  return CKR_OK;
+}
+
+CK_RV Test_C_Logout(CK_SESSION_HANDLE) {
+  sLoggedIn = false;
+  return CKR_OK;
+}
+
+CK_RV Test_C_CreateObject(CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG,
+                          CK_OBJECT_HANDLE_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_CopyObject(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ATTRIBUTE_PTR,
+                        CK_ULONG, CK_OBJECT_HANDLE_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DestroyObject(CK_SESSION_HANDLE, CK_OBJECT_HANDLE) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_GetObjectSize(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ULONG_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_GetAttributeValue(CK_SESSION_HANDLE, CK_OBJECT_HANDLE,
+                               CK_ATTRIBUTE_PTR, CK_ULONG) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SetAttributeValue(CK_SESSION_HANDLE, CK_OBJECT_HANDLE,
+                               CK_ATTRIBUTE_PTR, CK_ULONG) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_FindObjectsInit(CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG) {
+  return CKR_OK;
+}
+
+CK_RV Test_C_FindObjects(CK_SESSION_HANDLE, CK_OBJECT_HANDLE_PTR, CK_ULONG,
+                         CK_ULONG_PTR pulObjectCount) {
+  *pulObjectCount = 0;
+  return CKR_OK;
+}
+
+CK_RV Test_C_FindObjectsFinal(CK_SESSION_HANDLE) { return CKR_OK; }
+
+CK_RV Test_C_EncryptInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR,
+                         CK_OBJECT_HANDLE) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_Encrypt(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+                     CK_ULONG_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_EncryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+                           CK_BYTE_PTR, CK_ULONG_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_EncryptFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DecryptInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR,
+                         CK_OBJECT_HANDLE) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_Decrypt(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+                     CK_ULONG_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DecryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+                           CK_BYTE_PTR, CK_ULONG_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DecryptFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DigestInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_Digest(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+                    CK_ULONG_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DigestUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DigestKey(CK_SESSION_HANDLE, CK_OBJECT_HANDLE) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DigestFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SignInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_Sign(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+                  CK_ULONG_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SignUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SignFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SignRecoverInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR,
+                             CK_OBJECT_HANDLE) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SignRecover(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+                         CK_ULONG_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_VerifyInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_Verify(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+                    CK_ULONG) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_VerifyUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_VerifyFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_VerifyRecoverInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR,
+                               CK_OBJECT_HANDLE) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_VerifyRecover(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+                           CK_BYTE_PTR, CK_ULONG_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DigestEncryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+                                 CK_BYTE_PTR, CK_ULONG_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DecryptDigestUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+                                 CK_BYTE_PTR, CK_ULONG_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SignEncryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+                               CK_BYTE_PTR, CK_ULONG_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DecryptVerifyUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+                                 CK_BYTE_PTR, CK_ULONG_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_GenerateKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_ATTRIBUTE_PTR,
+                         CK_ULONG, CK_OBJECT_HANDLE_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_GenerateKeyPair(CK_SESSION_HANDLE, CK_MECHANISM_PTR,
+                             CK_ATTRIBUTE_PTR, CK_ULONG, CK_ATTRIBUTE_PTR,
+                             CK_ULONG, CK_OBJECT_HANDLE_PTR,
+                             CK_OBJECT_HANDLE_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_WrapKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE,
+                     CK_OBJECT_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_UnwrapKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE,
+                       CK_BYTE_PTR, CK_ULONG, CK_ATTRIBUTE_PTR, CK_ULONG,
+                       CK_OBJECT_HANDLE_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_DeriveKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE,
+                       CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_SeedRandom(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_GenerateRandom(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_GetFunctionStatus(CK_SESSION_HANDLE) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_CancelFunction(CK_SESSION_HANDLE) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV Test_C_WaitForSlotEvent(CK_FLAGS, CK_SLOT_ID_PTR pSlot, CK_VOID_PTR) {
+#ifdef WIN32
+  Sleep(50);  // Sleep takes the duration argument as milliseconds
+#else
+  usleep(50000);    // usleep takes the duration argument as microseconds
+#endif
+  *pSlot = 1;
+  tokenPresent = !tokenPresent;
+  return CKR_OK;
+}
+
+static CK_FUNCTION_LIST FunctionList = {{2, 2},
+                                        Test_C_Initialize,
+                                        Test_C_Finalize,
+                                        Test_C_GetInfo,
+                                        Test_C_GetFunctionList,
+                                        Test_C_GetSlotList,
+                                        Test_C_GetSlotInfo,
+                                        Test_C_GetTokenInfo,
+                                        Test_C_GetMechanismList,
+                                        Test_C_GetMechanismInfo,
+                                        Test_C_InitToken,
+                                        Test_C_InitPIN,
+                                        Test_C_SetPIN,
+                                        Test_C_OpenSession,
+                                        Test_C_CloseSession,
+                                        Test_C_CloseAllSessions,
+                                        Test_C_GetSessionInfo,
+                                        Test_C_GetOperationState,
+                                        Test_C_SetOperationState,
+                                        Test_C_Login,
+                                        Test_C_Logout,
+                                        Test_C_CreateObject,
+                                        Test_C_CopyObject,
+                                        Test_C_DestroyObject,
+                                        Test_C_GetObjectSize,
+                                        Test_C_GetAttributeValue,
+                                        Test_C_SetAttributeValue,
+                                        Test_C_FindObjectsInit,
+                                        Test_C_FindObjects,
+                                        Test_C_FindObjectsFinal,
+                                        Test_C_EncryptInit,
+                                        Test_C_Encrypt,
+                                        Test_C_EncryptUpdate,
+                                        Test_C_EncryptFinal,
+                                        Test_C_DecryptInit,
+                                        Test_C_Decrypt,
+                                        Test_C_DecryptUpdate,
+                                        Test_C_DecryptFinal,
+                                        Test_C_DigestInit,
+                                        Test_C_Digest,
+                                        Test_C_DigestUpdate,
+                                        Test_C_DigestKey,
+                                        Test_C_DigestFinal,
+                                        Test_C_SignInit,
+                                        Test_C_Sign,
+                                        Test_C_SignUpdate,
+                                        Test_C_SignFinal,
+                                        Test_C_SignRecoverInit,
+                                        Test_C_SignRecover,
+                                        Test_C_VerifyInit,
+                                        Test_C_Verify,
+                                        Test_C_VerifyUpdate,
+                                        Test_C_VerifyFinal,
+                                        Test_C_VerifyRecoverInit,
+                                        Test_C_VerifyRecover,
+                                        Test_C_DigestEncryptUpdate,
+                                        Test_C_DecryptDigestUpdate,
+                                        Test_C_SignEncryptUpdate,
+                                        Test_C_DecryptVerifyUpdate,
+                                        Test_C_GenerateKey,
+                                        Test_C_GenerateKeyPair,
+                                        Test_C_WrapKey,
+                                        Test_C_UnwrapKey,
+                                        Test_C_DeriveKey,
+                                        Test_C_SeedRandom,
+                                        Test_C_GenerateRandom,
+                                        Test_C_GetFunctionStatus,
+                                        Test_C_CancelFunction,
+                                        Test_C_WaitForSlotEvent};
+
+CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) {
+  *ppFunctionList = &FunctionList;
+  return CKR_OK;
+}
diff --git a/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.symbols b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.symbols
new file mode 100644
index 0000000000..562ecea21d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.symbols
@@ -0,0 +1 @@
+C_GetFunctionList
diff --git a/security/manager/ssl/tests/unit/requirements.txt b/security/manager/ssl/tests/unit/requirements.txt
new file mode 100644
index 0000000000..095fcb04fc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/requirements.txt
@@ -0,0 +1,6 @@
+lxml
+pyasn1 == 0.3.7
+pyasn1_modules == 0.1.5
+ecc
+mock
+rsa
diff --git a/security/manager/ssl/tests/unit/sign_app.py b/security/manager/ssl/tests/unit/sign_app.py
new file mode 100755
index 0000000000..a2767c54eb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/sign_app.py
@@ -0,0 +1,426 @@
+#!/usr/bin/env python3
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"""
+Given a directory of files, packages them up and signs the
+resulting zip file. Mainly for creating test inputs to the
+nsIX509CertDB.openSignedAppFileAsync API.
+"""
+from base64 import b64encode
+from cbor2 import dumps
+from cbor2.types import CBORTag
+from hashlib import sha1, sha256
+import argparse
+from io import StringIO
+import os
+import re
+import six
+import sys
+import zipfile
+
+# These libraries moved to security/manager/tools/ in bug 1699294.
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "tools"))
+import pycert
+import pycms
+import pykey
+
+ES256 = -7
+ES384 = -35
+ES512 = -36
+KID = 4
+ALG = 1
+COSE_Sign = 98
+
+
+def coseAlgorithmToPykeyHash(algorithm):
+    """Helper function that takes one of (ES256, ES384, ES512)
+    and returns the corresponding pykey.HASH_* identifier."""
+    if algorithm == ES256:
+        return pykey.HASH_SHA256
+    if algorithm == ES384:
+        return pykey.HASH_SHA384
+    if algorithm == ES512:
+        return pykey.HASH_SHA512
+    raise UnknownCOSEAlgorithmError(algorithm)
+
+
+# COSE_Signature = [
+#     protected : serialized_map,
+#     unprotected : {},
+#     signature : bstr
+# ]
+
+
+def coseSignature(payload, algorithm, signingKey, signingCertificate, bodyProtected):
+    """Returns a COSE_Signature structure.
+    payload is a string representing the data to be signed
+    algorithm is one of (ES256, ES384, ES512)
+    signingKey is a pykey.ECKey to sign the data with
+    signingCertificate is a byte string
+    bodyProtected is the serialized byte string of the protected body header
+    """
+    protected = {ALG: algorithm, KID: signingCertificate}
+    protectedEncoded = dumps(protected)
+    # Sig_structure = [
+    #     context : "Signature"
+    #     body_protected : bodyProtected
+    #     sign_protected : protectedEncoded
+    #     external_aad : nil
+    #     payload : bstr
+    # ]
+    sigStructure = [u"Signature", bodyProtected, protectedEncoded, None, payload]
+    sigStructureEncoded = dumps(sigStructure)
+    pykeyHash = coseAlgorithmToPykeyHash(algorithm)
+    signature = signingKey.signRaw(sigStructureEncoded, pykeyHash)
+    return [protectedEncoded, {}, signature]
+
+
+# COSE_Sign = [
+#     protected : serialized_map,
+#     unprotected : {},
+#     payload : nil,
+#     signatures : [+ COSE_Signature]
+# ]
+
+
+def coseSig(payload, intermediates, signatures):
+    """Returns the entire (tagged) COSE_Sign structure.
+    payload is a string representing the data to be signed
+    intermediates is an array of byte strings
+    signatures is an array of (algorithm, signingKey,
+               signingCertificate) triplets to be passed to
+               coseSignature
+    """
+    protected = {KID: intermediates}
+    protectedEncoded = dumps(protected)
+    coseSignatures = []
+    for (algorithm, signingKey, signingCertificate) in signatures:
+        coseSignatures.append(
+            coseSignature(
+                payload, algorithm, signingKey, signingCertificate, protectedEncoded
+            )
+        )
+    tagged = CBORTag(COSE_Sign, [protectedEncoded, {}, None, coseSignatures])
+    return dumps(tagged)
+
+
+def walkDirectory(directory):
+    """Given a relative path to a directory, enumerates the
+    files in the tree rooted at that location. Returns a list
+    of pairs of paths to those files. The first in each pair
+    is the full path to the file. The second in each pair is
+    the path to the file relative to the directory itself."""
+    paths = []
+    for path, _dirs, files in os.walk(directory):
+        for f in files:
+            fullPath = os.path.join(path, f)
+            internalPath = re.sub(r"^/", "", fullPath.replace(directory, ""))
+            paths.append((fullPath, internalPath))
+    return paths
+
+
+def addManifestEntry(filename, hashes, contents, entries):
+    """Helper function to fill out a manifest entry.
+    Takes the filename, a list of (hash function, hash function name)
+    pairs to use, the contents of the file, and the current list
+    of manifest entries."""
+    entry = "Name: %s\n" % filename
+    for (hashFunc, name) in hashes:
+        base64hash = b64encode(hashFunc(contents).digest()).decode("ascii")
+        entry += "%s-Digest: %s\n" % (name, base64hash)
+    entries.append(entry)
+
+
+def getCert(subject, keyName, issuerName, ee, issuerKey="", validity=""):
+    """Helper function to create an X509 cert from a specification.
+    Takes the subject, the subject key name to use, the issuer name,
+    a bool whether this is an EE cert or not, and optionally an issuer key
+    name."""
+    certSpecification = (
+        "issuer:%s\n" % issuerName
+        + "subject:"
+        + subject
+        + "\n"
+        + "subjectKey:%s\n" % keyName
+    )
+    if ee:
+        certSpecification += "extension:keyUsage:digitalSignature"
+    else:
+        certSpecification += (
+            "extension:basicConstraints:cA,\n"
+            + "extension:keyUsage:cRLSign,keyCertSign"
+        )
+    if issuerKey:
+        certSpecification += "\nissuerKey:%s" % issuerKey
+    if validity:
+        certSpecification += "\nvalidity:%s" % validity
+    certSpecificationStream = StringIO()
+    print(certSpecification, file=certSpecificationStream)
+    certSpecificationStream.seek(0)
+    return pycert.Certificate(certSpecificationStream)
+
+
+def coseAlgorithmToSignatureParams(coseAlgorithm, issuerName, certValidity):
+    """Given a COSE algorithm ('ES256', 'ES384', 'ES512') and an issuer
+    name, returns a (algorithm id, pykey.ECCKey, encoded certificate)
+    triplet for use with coseSig.
+    """
+    if coseAlgorithm == "ES256":
+        keyName = "secp256r1"
+        algId = ES256
+    elif coseAlgorithm == "ES384":
+        keyName = "secp384r1"
+        algId = ES384
+    elif coseAlgorithm == "ES512":
+        keyName = "secp521r1"  # COSE uses the hash algorithm; this is the curve
+        algId = ES512
+    else:
+        raise UnknownCOSEAlgorithmError(coseAlgorithm)
+    key = pykey.ECCKey(keyName)
+    # The subject must differ to avoid errors when importing into NSS later.
+    ee = getCert(
+        "xpcshell signed app test signer " + keyName,
+        keyName,
+        issuerName,
+        True,
+        "default",
+        certValidity,
+    )
+    return (algId, key, ee.toDER())
+
+
+def signZip(
+    appDirectory,
+    outputFile,
+    issuerName,
+    rootName,
+    certValidity,
+    manifestHashes,
+    signatureHashes,
+    pkcs7Hashes,
+    coseAlgorithms,
+    emptySignerInfos,
+    headerPaddingFactor,
+):
+    """Given a directory containing the files to package up,
+    an output filename to write to, the name of the issuer of
+    the signing certificate, the name of trust anchor, a list of hash algorithms
+    to use in the manifest file, a similar list for the signature file,
+    a similar list for the pkcs#7 signature, a list of COSE signature algorithms
+    to include, whether the pkcs#7 signer info should be kept empty, and how
+    many MB to pad the manifests by (to test handling large manifest files),
+    packages up the files in the directory and creates the output as
+    appropriate."""
+    # The header of each manifest starts with the magic string
+    # 'Manifest-Version: 1.0' and ends with a blank line. There can be
+    # essentially anything after the first line before the blank line.
+    mfEntries = ["Manifest-Version: 1.0"]
+    if headerPaddingFactor > 0:
+        # In this format, each line can only be 72 bytes long. We make
+        # our padding 50 bytes per line (49 of content and one newline)
+        # so the math is easy.
+        singleLinePadding = "a" * 49
+        # 1000000 / 50 = 20000
+        allPadding = [singleLinePadding] * (headerPaddingFactor * 20000)
+        mfEntries.extend(allPadding)
+    # Append the blank line.
+    mfEntries.append("")
+
+    with zipfile.ZipFile(outputFile, "w", zipfile.ZIP_DEFLATED) as outZip:
+        for (fullPath, internalPath) in walkDirectory(appDirectory):
+            with open(fullPath, "rb") as inputFile:
+                contents = inputFile.read()
+            outZip.writestr(internalPath, contents)
+
+            # Add the entry to the manifest we're building
+            addManifestEntry(internalPath, manifestHashes, contents, mfEntries)
+
+        if len(coseAlgorithms) > 0:
+            coseManifest = "\n".join(mfEntries)
+            outZip.writestr("META-INF/cose.manifest", coseManifest)
+            coseManifest = six.ensure_binary(coseManifest)
+            addManifestEntry(
+                "META-INF/cose.manifest", manifestHashes, coseManifest, mfEntries
+            )
+            intermediates = []
+            coseIssuerName = issuerName
+            if rootName:
+                coseIssuerName = "xpcshell signed app test issuer"
+                intermediate = getCert(
+                    coseIssuerName,
+                    "default",
+                    rootName,
+                    False,
+                    "",
+                    certValidity,
+                )
+                intermediate = intermediate.toDER()
+                intermediates.append(intermediate)
+            signatures = [
+                coseAlgorithmToSignatureParams(
+                    coseAlgorithm,
+                    coseIssuerName,
+                    certValidity,
+                )
+                for coseAlgorithm in coseAlgorithms
+            ]
+            coseSignatureBytes = coseSig(coseManifest, intermediates, signatures)
+            outZip.writestr("META-INF/cose.sig", coseSignatureBytes)
+            addManifestEntry(
+                "META-INF/cose.sig", manifestHashes, coseSignatureBytes, mfEntries
+            )
+
+        if len(pkcs7Hashes) != 0 or emptySignerInfos:
+            mfContents = "\n".join(mfEntries)
+            sfContents = "Signature-Version: 1.0\n"
+            for (hashFunc, name) in signatureHashes:
+                hashed = hashFunc(six.ensure_binary(mfContents)).digest()
+                base64hash = b64encode(hashed).decode("ascii")
+                sfContents += "%s-Digest-Manifest: %s\n" % (name, base64hash)
+
+            cmsSpecification = ""
+            for name in pkcs7Hashes:
+                hashFunc, _ = hashNameToFunctionAndIdentifier(name)
+                cmsSpecification += "%s:%s\n" % (
+                    name,
+                    hashFunc(six.ensure_binary(sfContents)).hexdigest(),
+                )
+            cmsSpecification += (
+                "signer:\n"
+                + "issuer:%s\n" % issuerName
+                + "subject:xpcshell signed app test signer\n"
+                + "extension:keyUsage:digitalSignature"
+            )
+            if certValidity:
+                cmsSpecification += "\nvalidity:%s" % certValidity
+            cmsSpecificationStream = StringIO()
+            print(cmsSpecification, file=cmsSpecificationStream)
+            cmsSpecificationStream.seek(0)
+            cms = pycms.CMS(cmsSpecificationStream)
+            p7 = cms.toDER()
+            outZip.writestr("META-INF/A.RSA", p7)
+            outZip.writestr("META-INF/A.SF", sfContents)
+            outZip.writestr("META-INF/MANIFEST.MF", mfContents)
+
+
+class Error(Exception):
+    """Base class for exceptions in this module."""
+
+    pass
+
+
+class UnknownHashAlgorithmError(Error):
+    """Helper exception type to handle unknown hash algorithms."""
+
+    def __init__(self, name):
+        super(UnknownHashAlgorithmError, self).__init__()
+        self.name = name
+
+    def __str__(self):
+        return "Unknown hash algorithm %s" % repr(self.name)
+
+
+class UnknownCOSEAlgorithmError(Error):
+    """Helper exception type to handle unknown COSE algorithms."""
+
+    def __init__(self, name):
+        super(UnknownCOSEAlgorithmError, self).__init__()
+        self.name = name
+
+    def __str__(self):
+        return "Unknown COSE algorithm %s" % repr(self.name)
+
+
+def hashNameToFunctionAndIdentifier(name):
+    if name == "sha1":
+        return (sha1, "SHA1")
+    if name == "sha256":
+        return (sha256, "SHA256")
+    raise UnknownHashAlgorithmError(name)
+
+
+def main(outputFile, appPath, *args):
+    """Main entrypoint. Given an already-opened file-like
+    object, a path to the app directory to sign, and some
+    optional arguments, signs the contents of the directory and
+    writes the resulting package to the 'file'."""
+    parser = argparse.ArgumentParser(description="Sign an app.")
+    parser.add_argument(
+        "-i",
+        "--issuer",
+        action="store",
+        help="Issuer name",
+        default="xpcshell signed apps test root",
+    )
+    parser.add_argument("-r", "--root", action="store", help="Root name", default="")
+    parser.add_argument(
+        "--cert-validity",
+        action="store",
+        help="Certificate validity; YYYYMMDD-YYYYMMDD or duration in days",
+        default="",
+    )
+    parser.add_argument(
+        "-m",
+        "--manifest-hash",
+        action="append",
+        help="Hash algorithms to use in manifest",
+        default=[],
+    )
+    parser.add_argument(
+        "-s",
+        "--signature-hash",
+        action="append",
+        help="Hash algorithms to use in signature file",
+        default=[],
+    )
+    parser.add_argument(
+        "-c",
+        "--cose-sign",
+        action="append",
+        help="Append a COSE signature with the given "
+        + "algorithms (out of ES256, ES384, and ES512)",
+        default=[],
+    )
+    parser.add_argument(
+        "-z",
+        "--pad-headers",
+        action="store",
+        default=0,
+        help="Pad the header sections of the manifests "
+        + "with X MB of repetitive data",
+    )
+    group = parser.add_mutually_exclusive_group()
+    group.add_argument(
+        "-p",
+        "--pkcs7-hash",
+        action="append",
+        help="Hash algorithms to use in PKCS#7 signature",
+        default=[],
+    )
+    group.add_argument(
+        "-e",
+        "--empty-signerInfos",
+        action="store_true",
+        help="Emit pkcs#7 SignedData with empty signerInfos",
+    )
+    parsed = parser.parse_args(args)
+    if len(parsed.manifest_hash) == 0:
+        parsed.manifest_hash.append("sha256")
+    if len(parsed.signature_hash) == 0:
+        parsed.signature_hash.append("sha256")
+    signZip(
+        appPath,
+        outputFile,
+        parsed.issuer,
+        parsed.root,
+        parsed.cert_validity,
+        [hashNameToFunctionAndIdentifier(h) for h in parsed.manifest_hash],
+        [hashNameToFunctionAndIdentifier(h) for h in parsed.signature_hash],
+        parsed.pkcs7_hash,
+        parsed.cose_sign,
+        parsed.empty_signerInfos,
+        int(parsed.pad_headers),
+    )
diff --git a/security/manager/ssl/tests/unit/test_add_preexisting_cert.js b/security/manager/ssl/tests/unit/test_add_preexisting_cert.js
new file mode 100644
index 0000000000..8e165b2b8d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_add_preexisting_cert.js
@@ -0,0 +1,46 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Tests that adding a certificate already present in the certificate database
+// with different trust bits than those stored in the database does not result
+// in the new trust bits being ignored.
+
+do_get_profile();
+var certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+function load_cert(cert, trust) {
+  let file = "test_intermediate_basic_usage_constraints/" + cert + ".pem";
+  return addCertFromFile(certDB, file, trust);
+}
+
+add_task(async function () {
+  load_cert("ca", "CTu,CTu,CTu");
+  let int_cert = load_cert("int-limited-depth", "CTu,CTu,CTu");
+  let file =
+    "test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem";
+  let cert_pem = readFile(do_get_file(file));
+  let ee = certDB.constructX509FromBase64(pemToBase64(cert_pem));
+  await checkCertErrorGeneric(
+    certDB,
+    ee,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer
+  );
+  // Change the already existing intermediate certificate's trust using
+  // addCertFromBase64().
+  notEqual(int_cert, null, "Intermediate cert should be in the cert DB");
+  let base64_cert = int_cert.getBase64DERString();
+  let returnedEE = certDB.addCertFromBase64(base64_cert, "p,p,p");
+  notEqual(returnedEE, null, "addCertFromBase64 should return a certificate");
+  await checkCertErrorGeneric(
+    certDB,
+    ee,
+    SEC_ERROR_UNTRUSTED_ISSUER,
+    certificateUsageSSLServer
+  );
+});
diff --git a/security/manager/ssl/tests/unit/test_allow_all_cert_errors.js b/security/manager/ssl/tests/unit/test_allow_all_cert_errors.js
new file mode 100644
index 0000000000..6bcd71aaf3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_allow_all_cert_errors.js
@@ -0,0 +1,25 @@
+/* -*- tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+"use strict";
+
+function run_test() {
+  do_get_profile();
+  let certOverrideService = Cc[
+    "@mozilla.org/security/certoverride;1"
+  ].getService(Ci.nsICertOverrideService);
+  certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData(
+    true
+  );
+
+  add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+  add_connection_test("expired.example.com", PRErrorCodeSuccess);
+  add_test(function () {
+    certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData(
+      false
+    );
+    run_next_test();
+  });
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem
new file mode 100644
index 0000000000..161ce88377
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUXwklABFZn09Yj1azSdQ4kpuizxYwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDUwMDEwMTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
+VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCdpP06UqpAnAAak/i4+LShrIG/
+DdjHLQ8qLChBdPkT6Gxx1XVoNfG3GJsIGCoOf6isORMfBlBXiR5kmLFTE3kJhA/I
+pDxDGYDqt9DNb0fxeMpOJxwQ+mBMZIKLPu+nk4jTqUrOX8bLwDMiXTbFeY91SUr8
+4b43YzXVorVQSlYOfcsmrnEfmfJNauHBrzak5BQhsEXHqAI7qV9TCQA1+cGwH8jb
+Aw2SyVu1usAyHkM2wCisHXeidf3qR6PxmfLMAgHKXBLz3DsXY30xDI4jJS9MySu9
+lhrs1IJf5PdJk5z5viYqZQemuv0R+R7ItbpCHpreUXh2GutiAY4Xsgrhfcer
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem.certspec
new file mode 100644
index 0000000000..9c21e7adcf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:ca
+validity:20100101-20500101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem
new file mode 100644
index 0000000000..a13b0cbcd1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUS00fexo4Y4FagP1oiKQiGCJKd/swDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAGjMx1NAs2guKp3wRRAWdiAw9NCeX+qCsxxkr4jUdgQ14wZwU2fZ/2rK
+7Z/StpwlWN+G4dWwCRCjibKvjauQs+XLT9wMO3U/1VBcQda36duX70ss2SAF9crs
+dmZdISevFItTn+W6JNyr1Wt2sSiD4buXpW1UzNwuxnWGpo/a++bMEYaM8KDdz73t
+KA9VShYNbcrUZgf70bvCbc8BR3vYUwyIp3fP7TngD/dRLYJyv5ayo9VXVJxOzYU7
+/aRrBvAdAL2w8eQzzYm6uyHlOE+imWYix2QOGNFJIiRXFRTii9Rr0o4geW7x2wZJ
++TzO4XPVlax1h6KDPRLsmwhbJDAMuUU=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem.certspec
new file mode 100644
index 0000000000..7a34d0758f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:example.com
+validity:20160724-20160924
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem
new file mode 100644
index 0000000000..f2bb8c97d9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUZ3gdKZRvWFYArMRStT2zAGE6JDQwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBABERZmWOEZAI2dQHbpXo7BJFw8eigDs8xWGtnu5UbNFs7zGnXzta0L8T
+RBoaWeEbsaVpuGQ648eorgQRGwNdL3JkJb0qHtaSl5/raAOvv+YqmGzZhFWcj3ib
+WUOWODdFlY3oUzpPjA+IeRzULya6//s8DhEKfVi2mJXc/sS6fE9J234IhKBysyr1
+cRIApw6OCr0V78TbHzEPh1z0QuMKY8hH0lz3JvQqGD59oTEdSJ5VVbmDLxqqmVtA
+/i4j2lYkDos2HvHGP7a/LC20FI0lOcSqazSeKc+y2Mand9tDXCU/dEEYMj1IW5rM
+z2+96XzCbJBesYFEEfWXG6XysP3UtE0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem.certspec
new file mode 100644
index 0000000000..aa682a7afd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:example.com
+validity:20150724-20160924
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem
new file mode 100644
index 0000000000..7ac56a0689
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUWxGwhSb8roUQoLNpJajl0X8jk10wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA4MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAKxEoWUrHht8zENUlC/3tj/KbDSeaIy5nVE49aJRqHwuSczG5PTDn7sD
+rjl6Qq2rx3Z3ftZxJNIdpS3BUeUJ+FsQ2fK3ckDyeWkzxADlWp2l2bgKDtnW5Xjw
+lfzFt1Z/4PUmz0JyNGqijvpT/YYM9uM5OOKmKvy6C/6HiIMI2f5pVHM2bFWLuHLI
+p9yqp056EKPWCEQbkqseXLS0O8ZyxAyW4kHezUQzn1KFq9IGZu5sBZ8Imop0xnal
+2wXCuEisuAIOQNb1l9t+hf/P53+oRLjPbJzuzLZGSNA5PzoTbmZOqOdJS+kCNGCX
+IahLlU3dPILDlvl8DLFhk+lz9mA8x90=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem.certspec
new file mode 100644
index 0000000000..e38478165c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:example.com
+validity:20160824-20160924
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem
new file mode 100644
index 0000000000..ba11dcc152
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIUOWkKeR6blD0zzhElEnCm4eSqLTAwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMDAuMCwGA1UdEQQl
+MCOkITAfMR0wGwYDVQQKDBRFeGFtcGxlIE9yZ2FuaXphdGlvbjANBgkqhkiG9w0B
+AQsFAAOCAQEACPZ4Ed3iONrIIKtg3865taT5TUj4Ts3tnYn4riFqojr6h/CHEDPR
+LStAJ4yYGQoTTzQzaxYjEZXHIEI/bCZ1VpGNpZt8DXWsJWwJgt8QUNeYT0eFFE2M
+CjrLJC1OIQRvlR89WEbk/q45KBQC0faeizqkAn+YUSG8mjHHbmSO8PWbh4z0YYlg
+BjwhTRFWUmWfQKC+mHyWblbYyFKlsFWf6cGOd4qE8N/hIz7oPzI4IPN1EQ/IfaQy
+WOOyxPZeu+J5VPlPE10nV5afoRcPLh/6vTwH85tPGzxWU4Jo4NDtFOtZAZR/S7sO
+OB/ST8Dbvs7qQFfRtgCtpEMicG7kxO1F+Q==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem.certspec
new file mode 100644
index 0000000000..41817bde75
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:example.com
+validity:20160724-20160924
+extension:subjectAlternativeName:/O=Example Organization
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem
new file mode 100644
index 0000000000..6882ba0554
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIUG1q3+RCKIizPHadkamCYLL7cp2swDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMDAuMCwGA1UdEQQl
+MCOkITAfMR0wGwYDVQQKDBRFeGFtcGxlIE9yZ2FuaXphdGlvbjANBgkqhkiG9w0B
+AQsFAAOCAQEAqa/ayP8zXODUJJmuZLTJsdT2VaqbOh2WWk2bC2A82feGvCevLuL0
+0gPk+001Zx49Y1erMmt2M1cKtf2Lob8SGLNGUlJf2K7SNJTk7nyog+4UIlK4Hsxo
+CQ9sqKGJjkwHTDK1rB9gSW4e27Taj6tudnsUfgKWVzERxipebtLsCvz8Jfa0YLRI
+bGr6L4LoWiN2RNiK7/IOycfJ8VLDlBRouHD2Xfu0pFcvymMvfOC7GG4oBAacCKGn
+muUfoODgKw2yCIOSe7jsJOQ9yOp03sRipISfO0TALFzJX0V5+7CYDLZYR8vs/F/4
+0cIqkhwyCfUWYsGI4gPPR/nVxNvTRZhiFw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem.certspec
new file mode 100644
index 0000000000..65acf0b024
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:example.com
+validity:20150724-20160924
+extension:subjectAlternativeName:/O=Example Organization
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem
new file mode 100644
index 0000000000..cd87acfe48
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIUD1kNqQ0aKQ2TJjGUYztUh8I7j4AwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA4MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMDAuMCwGA1UdEQQl
+MCOkITAfMR0wGwYDVQQKDBRFeGFtcGxlIE9yZ2FuaXphdGlvbjANBgkqhkiG9w0B
+AQsFAAOCAQEAU9n5I/Hdfod2fPBYWHZA/5/SabHkOBUHfrg6UUQYeHagVbqmoTQD
+M5F/DcDna+w6nHagIC/GRHBHkgY3Syh8QK5LnL3zi5tC0u4dzysDUjWtEAEgIcWA
+/pYtp6qZwJzxvn68PTnYnFDL61+LDLxlUBa2iRieRkCUOokCLL4ce3jsSTuJ+mGk
+XoaRrRREgtG5loYK8hFXM1RDkzyCa82DF/qD+iYgUJS9LMXrsksIRHP7Lqzhnwba
+Q4N8rgsBDFkNTEAmGcnTLMTlfO+SyKdHZI4n9VHdUQ1n38qFn70jj1YjcqEOFKXb
+wldSrYMedEOFVWyXaVWmxMwMTiDIKWMoxg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem.certspec
new file mode 100644
index 0000000000..140c201434
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:example.com
+validity:20160824-20160924
+extension:subjectAlternativeName:/O=Example Organization
diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js b/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js
new file mode 100644
index 0000000000..514964b5fb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js
@@ -0,0 +1,78 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+function certFromFile(certName) {
+  return constructCertFromFile(`test_baseline_requirements/${certName}.pem`);
+}
+
+function loadCertWithTrust(certName, trustString) {
+  addCertFromFile(
+    gCertDB,
+    `test_baseline_requirements/${certName}.pem`,
+    trustString
+  );
+}
+
+function checkCertOn25August2016(cert, expectedResult) {
+  // (new Date("2016-08-25T00:00:00Z")).getTime() / 1000
+  const VALIDATION_TIME = 1472083200;
+  return checkCertErrorGenericAtTime(
+    gCertDB,
+    cert,
+    expectedResult,
+    certificateUsageSSLServer,
+    VALIDATION_TIME,
+    false,
+    "example.com"
+  );
+}
+
+add_task(async function () {
+  registerCleanupFunction(() => {
+    Services.prefs.clearUserPref("privacy.reduceTimerPrecision");
+  });
+
+  Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false);
+
+  loadCertWithTrust("ca", "CTu,,");
+
+  // At one time there was a preference security.pki.name_matching_mode that
+  // controlled whether or not mozilla::pkix would fall back to using a
+  // certificate's subject common name during name matching. This no longer
+  // exists, and certificates that previously required the fallback should fail
+  // to verify.
+
+  await checkCertOn25August2016(
+    certFromFile("no-san-recent"),
+    SSL_ERROR_BAD_CERT_DOMAIN
+  );
+  await checkCertOn25August2016(
+    certFromFile("no-san-old"),
+    SSL_ERROR_BAD_CERT_DOMAIN
+  );
+  await checkCertOn25August2016(
+    certFromFile("no-san-older"),
+    SSL_ERROR_BAD_CERT_DOMAIN
+  );
+  await checkCertOn25August2016(
+    certFromFile("san-contains-no-hostnames-recent"),
+    SSL_ERROR_BAD_CERT_DOMAIN
+  );
+  await checkCertOn25August2016(
+    certFromFile("san-contains-no-hostnames-old"),
+    SSL_ERROR_BAD_CERT_DOMAIN
+  );
+  await checkCertOn25August2016(
+    certFromFile("san-contains-no-hostnames-older"),
+    SSL_ERROR_BAD_CERT_DOMAIN
+  );
+});
diff --git a/security/manager/ssl/tests/unit/test_blocklist_onecrl.js b/security/manager/ssl/tests/unit/test_blocklist_onecrl.js
new file mode 100644
index 0000000000..d82a493f16
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_blocklist_onecrl.js
@@ -0,0 +1,148 @@
+"use strict";
+
+do_get_profile();
+
+const { Utils } = ChromeUtils.importESModule(
+  "resource://services-settings/Utils.sys.mjs"
+);
+const { RemoteSettings } = ChromeUtils.importESModule(
+  "resource://services-settings/remote-settings.sys.mjs"
+);
+const { RemoteSecuritySettings } = ChromeUtils.importESModule(
+  "resource://gre/modules/psm/RemoteSecuritySettings.sys.mjs"
+);
+const { OneCRLBlocklistClient } = RemoteSecuritySettings.init();
+
+add_task(async function test_uses_a_custom_signer() {
+  Assert.notEqual(
+    OneCRLBlocklistClient.signerName,
+    RemoteSettings("not-specified").signerName
+  );
+});
+
+add_task(async function test_has_initial_dump() {
+  Assert.ok(
+    await Utils.hasLocalDump(
+      OneCRLBlocklistClient.bucketName,
+      OneCRLBlocklistClient.collectionName
+    )
+  );
+});
+
+add_task(async function test_default_jexl_filter_is_used() {
+  Assert.deepEqual(
+    OneCRLBlocklistClient.filterFunc,
+    RemoteSettings("not-specified").filterFunc
+  );
+});
+
+add_task(
+  async function test_revocations_are_updated_on_sync_with_cert_storage() {
+    const certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+      Ci.nsICertStorage
+    );
+    const has_revocations = () =>
+      new Promise(resolve => {
+        certStorage.hasPriorData(
+          Ci.nsICertStorage.DATA_TYPE_REVOCATION,
+          (rv, hasPriorData) => {
+            if (rv == Cr.NS_OK) {
+              return resolve(hasPriorData);
+            }
+            return resolve(false);
+          }
+        );
+      });
+
+    Assert.ok(!(await has_revocations()));
+
+    await OneCRLBlocklistClient.emit("sync", {
+      data: {
+        current: [],
+        created: [
+          {
+            issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+            serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=",
+          },
+        ],
+        updated: [],
+        deleted: [],
+      },
+    });
+
+    Assert.ok(await has_revocations());
+  }
+);
+
+add_task(async function test_updated_entry() {
+  // Revoke a particular issuer/serial number.
+  await OneCRLBlocklistClient.emit("sync", {
+    data: {
+      current: [],
+      created: [
+        {
+          issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+          serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=",
+        },
+      ],
+      updated: [],
+      deleted: [],
+    },
+  });
+  const certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+    Ci.nsICertStorage
+  );
+  let issuerArray = [
+    0x30, 0x12, 0x31, 0x10, 0x30, 0xe, 0x6, 0x3, 0x55, 0x4, 0x3, 0xc, 0x7, 0x54,
+    0x65, 0x73, 0x74, 0x20, 0x43, 0x41,
+  ];
+  let serialArray = [
+    0x6b, 0x45, 0xfb, 0xff, 0xb0, 0xe5, 0x4d, 0xa7, 0x9d, 0xa6, 0xa, 0xc8, 0x26,
+    0xd, 0xb9, 0x88, 0x13, 0xce, 0x90, 0x83,
+  ];
+  let revocationState = certStorage.getRevocationState(
+    issuerArray,
+    serialArray,
+    [],
+    []
+  );
+  Assert.equal(revocationState, Ci.nsICertStorage.STATE_ENFORCE);
+
+  // Update the revocation to be a different serial number; the original
+  // (issuer, serial) pair should now not be revoked.
+  await OneCRLBlocklistClient.emit("sync", {
+    data: {
+      current: [],
+      created: [],
+      updated: [
+        {
+          old: {
+            issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+            serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=",
+          },
+          new: {
+            issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+            serialNumber: "ALtF+/+w5U0=",
+          },
+        },
+      ],
+      deleted: [],
+    },
+  });
+  let oldRevocationState = certStorage.getRevocationState(
+    issuerArray,
+    serialArray,
+    [],
+    []
+  );
+  Assert.equal(oldRevocationState, Ci.nsICertStorage.STATE_UNSET);
+
+  let newSerialArray = [0x00, 0xbb, 0x45, 0xfb, 0xff, 0xb0, 0xe5, 0x4d];
+  let newRevocationState = certStorage.getRevocationState(
+    issuerArray,
+    newSerialArray,
+    [],
+    []
+  );
+  Assert.equal(newRevocationState, Ci.nsICertStorage.STATE_ENFORCE);
+});
diff --git a/security/manager/ssl/tests/unit/test_broken_fips.js b/security/manager/ssl/tests/unit/test_broken_fips.js
new file mode 100644
index 0000000000..2aac2496f7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_broken_fips.js
@@ -0,0 +1,61 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that if Firefox attempts and fails to load a PKCS#11 module DB that was
+// in FIPS mode, Firefox can still make use of keys in the key database.
+// secomd.db can be created via `certutil -N -d <dir>`. Putting it in FIPS mode
+// involves running `modutil -fips true -dbdir <dir>`. key4.db is from
+// test_sdr_preexisting/key4.db.
+
+function run_test() {
+  // Append a single quote and non-ASCII characters to the profile path.
+  let profd = Services.env.get("XPCSHELL_TEST_PROFILE_DIR");
+  let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile);
+  file.initWithPath(profd);
+  file.append("'÷1");
+  Services.env.set("XPCSHELL_TEST_PROFILE_DIR", file.path);
+
+  let profile = do_get_profile(); // must be called before getting nsIX509CertDB
+  Assert.ok(
+    /[^\x20-\x7f]/.test(profile.path),
+    "the profile path should contain a non-ASCII character"
+  );
+
+  let keyDBName = "key4.db";
+  let keyDBFile = do_get_file(`test_broken_fips/${keyDBName}`);
+  keyDBFile.copyTo(profile, keyDBName);
+
+  let pkcs11modDBName = "pkcs11.txt";
+  let pkcs11modDBFile = do_get_file(`test_broken_fips/${pkcs11modDBName}`);
+  pkcs11modDBFile.copyTo(profile, pkcs11modDBName);
+
+  let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+    Ci.nsIPKCS11ModuleDB
+  );
+  ok(!moduleDB.isFIPSEnabled, "FIPS should not be enabled");
+
+  let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+    Ci.nsISecretDecoderRing
+  );
+
+  const encrypted =
+    "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGeDHwVfyFqzBBAYvqMq/kDMsrARVNdC1C8d";
+  const expectedResult = "password";
+  let decrypted = sdr.decryptString(encrypted);
+  equal(
+    decrypted,
+    expectedResult,
+    "decrypted ciphertext should match expected plaintext"
+  );
+
+  let pkcs11modDBFileFIPS = do_get_profile();
+  pkcs11modDBFileFIPS.append(`${pkcs11modDBName}.fips`);
+  ok(
+    pkcs11modDBFileFIPS.exists(),
+    "backed-up PKCS#11 module db should now exist"
+  );
+}
diff --git a/security/manager/ssl/tests/unit/test_broken_fips/key4.db b/security/manager/ssl/tests/unit/test_broken_fips/key4.db
new file mode 100644
index 0000000000..8f320dfdbd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_broken_fips/key4.db
diff --git a/security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt b/security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt
new file mode 100644
index 0000000000..78a11f5fa7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal FIPS PKCS #11 Module
+parameters=configdir='.' certPrefix='' keyPrefix='' secmod='' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=slotParams={0x00000003=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,RANDOM ] }  Flags=internal,FIPS,critical
+
diff --git a/security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js
new file mode 100644
index 0000000000..04fa1c655c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js
@@ -0,0 +1,56 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests exporting a certificate and key as a PKCS#12 blob and importing it
+// again with a new password set.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+const PKCS12_FILE = "test_certDB_import/cert_from_windows.pfx";
+const CERT_COMMON_NAME = "test_cert_from_windows";
+const TEST_CERT_PASSWORD = "黒�";
+
+function findCertByCommonName(commonName) {
+  for (let cert of gCertDB.getCerts()) {
+    if (cert.commonName == commonName) {
+      return cert;
+    }
+  }
+  return null;
+}
+
+function run_test() {
+  // Import the certificate and key so we have something to export.
+  let cert = findCertByCommonName(CERT_COMMON_NAME);
+  equal(cert, null, "cert should not be found before import");
+  let certFile = do_get_file(PKCS12_FILE);
+  ok(certFile, `${PKCS12_FILE} should exist`);
+  let errorCode = gCertDB.importPKCS12File(certFile, TEST_CERT_PASSWORD);
+  equal(errorCode, Ci.nsIX509CertDB.Success, "cert should be imported");
+  cert = findCertByCommonName(CERT_COMMON_NAME);
+  notEqual(cert, null, "cert should be found now");
+
+  // Export the certificate and key.
+  let output = do_get_tempdir();
+  output.append("output.p12");
+  ok(!output.exists(), "output shouldn't exist before exporting PKCS12 file");
+  errorCode = gCertDB.exportPKCS12File(output, [cert], TEST_CERT_PASSWORD);
+  equal(errorCode, Ci.nsIX509CertDB.Success, "cert should be exported");
+  ok(output.exists(), "output should exist after exporting PKCS12 file");
+
+  // We should be able to import the exported blob again using the new password.
+  errorCode = gCertDB.importPKCS12File(output, TEST_CERT_PASSWORD);
+  equal(errorCode, Ci.nsIX509CertDB.Success, "cert should be imported");
+  output.remove(false /* not a directory; recursive doesn't apply */);
+
+  // Ideally there would be some way to confirm that this actually did anything.
+  // Unfortunately, since deleting a certificate currently doesn't actually do
+  // anything until the platform is restarted, we can't confirm that we
+  // successfully re-imported the certificate.
+}
diff --git a/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js
new file mode 100644
index 0000000000..25f4ab58bf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js
@@ -0,0 +1,117 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests exporting a certificate and key as a PKCS#12 blob if the user has a
+// primary password set.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+const PKCS12_FILE = "test_certDB_import/cert_from_windows.pfx";
+const CERT_COMMON_NAME = "test_cert_from_windows";
+const TEST_CERT_PASSWORD = "黒�";
+
+var gPrompt = {
+  password: "password",
+  clickOk: true,
+
+  QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+
+  // This intentionally does not use arrow function syntax to avoid an issue
+  // where in the context of the arrow function, |this != gPrompt| due to
+  // how objects get wrapped when going across xpcom boundaries.
+  alert(title, text) {
+    info(`alert('${text}')`);
+    ok(false, "not expecting alert() to be called");
+  },
+
+  promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+    equal(
+      text,
+      "Please enter your Primary Password.",
+      "password prompt text should be as expected"
+    );
+    equal(checkMsg, null, "checkMsg should be null");
+    password.value = this.password;
+    return this.clickOk;
+  },
+};
+
+const gPromptFactory = {
+  QueryInterface: ChromeUtils.generateQI(["nsIPromptFactory"]),
+  getPrompt: (aWindow, aIID) => gPrompt,
+};
+
+function findCertByCommonName(commonName) {
+  for (let cert of gCertDB.getCerts()) {
+    if (cert.commonName == commonName) {
+      return cert;
+    }
+  }
+  return null;
+}
+
+function run_test() {
+  let promptFactoryCID = MockRegistrar.register(
+    "@mozilla.org/prompter;1",
+    gPromptFactory
+  );
+
+  registerCleanupFunction(() => {
+    MockRegistrar.unregister(promptFactoryCID);
+  });
+
+  // Set a primary password.
+  let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+    Ci.nsIPK11TokenDB
+  );
+  let token = tokenDB.getInternalKeyToken();
+  token.initPassword("password");
+  token.logoutSimple();
+
+  // Import the certificate and key so we have something to export.
+  let cert = findCertByCommonName(CERT_COMMON_NAME);
+  equal(cert, null, "cert should not be found before import");
+  let certFile = do_get_file(PKCS12_FILE);
+  ok(certFile, `${PKCS12_FILE} should exist`);
+  let errorCode = gCertDB.importPKCS12File(certFile, TEST_CERT_PASSWORD);
+  equal(errorCode, Ci.nsIX509CertDB.Success, "cert should import");
+  cert = findCertByCommonName(CERT_COMMON_NAME);
+  notEqual(cert, null, "cert should be found now");
+
+  // Log out so we're prompted for the password.
+  token.logoutSimple();
+
+  // Export the certificate and key (and don't cancel the password request
+  // dialog).
+  let output = do_get_tempdir();
+  output.append("output.p12");
+  ok(!output.exists(), "output shouldn't exist before exporting PKCS12 file");
+  errorCode = gCertDB.exportPKCS12File(output, [cert], TEST_CERT_PASSWORD);
+  equal(errorCode, Ci.nsIX509CertDB.Success, "cert should export");
+  ok(output.exists(), "output should exist after exporting PKCS12 file");
+  output.remove(false /* not a directory; recursive doesn't apply */);
+
+  // Log out again so we're prompted for the password.
+  token.logoutSimple();
+
+  // Attempt to export the certificate and key, but this time cancel the
+  // password request dialog. The export operation should also be canceled.
+  gPrompt.clickOk = false;
+  let output2 = do_get_tempdir();
+  output2.append("output2.p12");
+  ok(!output2.exists(), "output2 shouldn't exist before exporting PKCS12 file");
+  errorCode = gCertDB.exportPKCS12File(output, [cert], TEST_CERT_PASSWORD);
+  equal(
+    errorCode,
+    Ci.nsIX509CertDB.ERROR_PKCS12_BACKUP_FAILED,
+    "cert should not export"
+  );
+
+  ok(!output2.exists(), "output2 shouldn't exist after failing to export");
+}
diff --git a/security/manager/ssl/tests/unit/test_certDB_import.js b/security/manager/ssl/tests/unit/test_certDB_import.js
new file mode 100644
index 0000000000..86c66f4989
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import.js
@@ -0,0 +1,187 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the various nsIX509CertDB import methods.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+const CA_CERT_COMMON_NAME = "importedCA";
+const TEST_EMAIL_ADDRESS = "test@example.com";
+
+let gCACertImportDialogCount = 0;
+
+// Mock implementation of nsICertificateDialogs.
+const gCertificateDialogs = {
+  confirmDownloadCACert: (ctx, cert, trust) => {
+    gCACertImportDialogCount++;
+    equal(
+      cert.commonName,
+      CA_CERT_COMMON_NAME,
+      "CA cert to import should have the correct CN"
+    );
+    trust.value = Ci.nsIX509CertDB.TRUSTED_EMAIL;
+    return true;
+  },
+  setPKCS12FilePassword: (ctx, password) => {
+    // This is only relevant to exporting.
+    ok(false, "setPKCS12FilePassword() should not have been called");
+  },
+  getPKCS12FilePassword: (ctx, password) => {
+    // We don't test anything that calls this method yet.
+    ok(false, "getPKCS12FilePassword() should not have been called");
+  },
+
+  QueryInterface: ChromeUtils.generateQI(["nsICertificateDialogs"]),
+};
+
+// Implements nsIInterfaceRequestor. Mostly serves to mock nsIPrompt.
+const gInterfaceRequestor = {
+  alert: (title, text) => {
+    // We don't test anything that calls this method yet.
+    ok(false, `alert() should not have been called: ${text}`);
+  },
+
+  getInterface: iid => {
+    if (iid.equals(Ci.nsIPrompt)) {
+      return this;
+    }
+
+    throw Components.Exception("", Cr.NS_ERROR_NO_INTERFACE);
+  },
+};
+
+function getCertAsByteArray(certPath) {
+  let certFile = do_get_file(certPath, false);
+  let certBytes = readFile(certFile);
+
+  let byteArray = [];
+  for (let i = 0; i < certBytes.length; i++) {
+    byteArray.push(certBytes.charCodeAt(i));
+  }
+
+  return byteArray;
+}
+
+function commonFindCertBy(propertyName, value) {
+  for (let cert of gCertDB.getCerts()) {
+    if (cert[propertyName] == value) {
+      return cert;
+    }
+  }
+  return null;
+}
+
+function findCertByCommonName(commonName) {
+  return commonFindCertBy("commonName", commonName);
+}
+
+function findCertByEmailAddress(emailAddress) {
+  return commonFindCertBy("emailAddress", emailAddress);
+}
+
+function testImportCACert() {
+  // Sanity check the CA cert is missing.
+  equal(
+    findCertByCommonName(CA_CERT_COMMON_NAME),
+    null,
+    "CA cert should not be in the database before import"
+  );
+
+  // Import and check for success.
+  let caArray = getCertAsByteArray("test_certDB_import/importedCA.pem");
+  gCertDB.importCertificates(
+    caArray,
+    caArray.length,
+    Ci.nsIX509Cert.CA_CERT,
+    gInterfaceRequestor
+  );
+  equal(
+    gCACertImportDialogCount,
+    1,
+    "Confirmation dialog for the CA cert should only be shown once"
+  );
+
+  let caCert = findCertByCommonName(CA_CERT_COMMON_NAME);
+  notEqual(caCert, null, "CA cert should now be found in the database");
+  ok(
+    gCertDB.isCertTrusted(
+      caCert,
+      Ci.nsIX509Cert.CA_CERT,
+      Ci.nsIX509CertDB.TRUSTED_EMAIL
+    ),
+    "CA cert should be trusted for e-mail"
+  );
+}
+
+function testImportEmptyCertPackage() {
+  // Because this is an empty cert package, nothing will be imported. We know it succeeded if no errors are thrown.
+  let byteArray = [
+    0x30, 0x0f, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02,
+    0x05, 0xa0, 0x02, 0x30, 0x00,
+  ];
+  gCertDB.importCertificates(
+    byteArray,
+    byteArray.length,
+    Ci.nsIX509Cert.CA_CERT,
+    gInterfaceRequestor
+  );
+}
+
+function testImportEmptyUserCert() {
+  // Because this is an empty cert package, nothing will be imported. We know it succeeded if no errors are thrown.
+  let byteArray = [
+    0x30, 0x0f, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02,
+    0x05, 0xa0, 0x02, 0x30, 0x00,
+  ];
+  gCertDB.importUserCertificate(
+    byteArray,
+    byteArray.length,
+    gInterfaceRequestor
+  );
+}
+
+function run_test() {
+  let certificateDialogsCID = MockRegistrar.register(
+    "@mozilla.org/nsCertificateDialogs;1",
+    gCertificateDialogs
+  );
+  registerCleanupFunction(() => {
+    MockRegistrar.unregister(certificateDialogsCID);
+  });
+
+  // Sanity check the e-mail cert is missing.
+  equal(
+    findCertByEmailAddress(TEST_EMAIL_ADDRESS),
+    null,
+    "E-mail cert should not be in the database before import"
+  );
+
+  // Import the CA cert so that the e-mail import succeeds.
+  testImportCACert();
+  testImportEmptyCertPackage();
+  testImportEmptyUserCert();
+
+  // Import the e-mail cert and check for success.
+  let emailArray = getCertAsByteArray("test_certDB_import/emailEE.pem");
+  gCertDB.importEmailCertificate(
+    emailArray,
+    emailArray.length,
+    gInterfaceRequestor
+  );
+  let emailCert = findCertByEmailAddress(TEST_EMAIL_ADDRESS);
+  notEqual(emailCert, null, "E-mail cert should now be found in the database");
+  let bundle = Services.strings.createBundle(
+    "chrome://pipnss/locale/pipnss.properties"
+  );
+  equal(
+    emailCert.tokenName,
+    bundle.GetStringFromName("PrivateTokenDescription"),
+    "cert's tokenName should be the expected localized value"
+  );
+}
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfx b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfx
new file mode 100644
index 0000000000..e969d672d7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfx
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfx b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfx
new file mode 100644
index 0000000000..879d424b85
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfx
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfx b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfx
new file mode 100644
index 0000000000..7dcd668121
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfx
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem
new file mode 100644
index 0000000000..a3e58933f0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAgIUO3XveEEK2bu0gx8Lu8vi1NxEGdIwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKaW1wb3J0ZWRDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIw
+MjQwMjA1MDAwMDAwWjAhMR8wHQYJKoZIhvcNAQkBFhB0ZXN0QGV4YW1wbGUuY29t
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAnhH0WY14SMcVDXj6OvvxHuaRRO8lA
+A6vDrn/AmWg0gN7e0aQgvonedXY4OgefAj17X345yZj8VpPFgOjUIb7PYErMxdeB
+biKGv/psCB1uDk68Gn1KrFMZ2BtlLeYRWRejgSo53GYH1PBpZZ6owjicqIKKo9cW
+Y/EFyauQCQGhWub+tshNFbucSrNDk1Q0uu1Ogs8QFve3x+YbdceAwK835XzLROvS
+pWBeWDK1Eqvqun1yWUHVn6aAbZZgKn9yUG7kZqWoBc1InRwaZcImttQF//OJw08y
+b0KVWoM5qo2c20qaxNW66GW/tpWnDfUvSTIHZuaDiar4mlSK/0O2aGa8
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec
new file mode 100644
index 0000000000..0528bc624a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec
@@ -0,0 +1,2 @@
+issuer:importedCA
+subject:/emailAddress=test@example.com
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12 b/security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12
new file mode 100644
index 0000000000..105f918782
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem
new file mode 100644
index 0000000000..e45812f786
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICzDCCAbSgAwIBAgIUd0wCxJoXOgEeMrd0+AIGybyqYgEwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKaW1wb3J0ZWRDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIw
+MjQwMjA1MDAwMDAwWjAVMRMwEQYDVQQDDAppbXBvcnRlZENBMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1
+aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we
+adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS
+pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W
+YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR
+CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxAwDjAM
+BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQB5N5HCphrUqEmwLj+1graV
+zneZbDyL2nb1ooITiJj+i+NaOg383Sr/lvWyhw+51o5qx1hnBu8JZ/HlBhFsz/OH
+mujJmot+jVg/MRpaTdxZNfpxVZqfroyx1qzr7TC8wgHggxI/DWeCifQmEgNdKIgI
+JL0BvVLasGOMhmprRRK3DabjzOjW5xMbY1B3+msbtQtxB6eCXa4byNIZ7vAUdg8L
+x2+TovO4c1cs8AzLdpgECImdcHaBFyOYd5sK7f6gcJHtiEx+7JkIF+53wHbFIFlp
+s7zkbDA4v97bm5oYMmaW4JEZ8rW07a62ILrNOezvEZCccOnfo+miHcr1AwuJSx9z
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec
new file mode 100644
index 0000000000..b168253544
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec
@@ -0,0 +1,3 @@
+issuer:importedCA
+subject:importedCA
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js b/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js
new file mode 100644
index 0000000000..9ddba36c4e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js
@@ -0,0 +1,126 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests import PKCS12 file by nsIX509CertDB.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+const PKCS12_FILE = "test_certDB_import/cert_from_windows.pfx";
+const PKCS12_FILE_EMPTY_PASS =
+  "test_certDB_import/cert_from_windows_emptypass.pfx";
+const PKCS12_FILE_NO_PASS = "test_certDB_import/cert_from_windows_nopass.pfx";
+const CERT_COMMON_NAME = "test_cert_from_windows";
+const TEST_CERT_PASSWORD = "黒�";
+
+let gTestcases = [
+  // Test that importing a PKCS12 file with the wrong password fails.
+  {
+    name: "import using incorrect password",
+    filename: PKCS12_FILE,
+    passwordToUse: "this is the wrong password",
+    successExpected: false,
+    errorCode: Ci.nsIX509CertDB.ERROR_BAD_PASSWORD,
+    checkCertExist: true,
+    certCommonName: CERT_COMMON_NAME,
+  },
+  // Test that importing something that isn't a PKCS12 file fails.
+  {
+    name: "import non-PKCS12 file",
+    filename: "test_certDB_import_pkcs12.js",
+    passwordToUse: TEST_CERT_PASSWORD,
+    successExpected: false,
+    errorCode: Ci.nsIX509CertDB.ERROR_DECODE_ERROR,
+    checkCertExist: true,
+    certCommonName: CERT_COMMON_NAME,
+  },
+  // Test that importing a PKCS12 file with the correct password succeeds.
+  // This needs to be last because currently there isn't a way to delete the
+  // imported certificate (and thus reset the test state) that doesn't depend on
+  // the garbage collector running.
+  {
+    name: "import PKCS12 file",
+    filename: PKCS12_FILE,
+    passwordToUse: TEST_CERT_PASSWORD,
+    successExpected: true,
+    errorCode: Ci.nsIX509CertDB.Success,
+    checkCertExist: true,
+    certCommonName: CERT_COMMON_NAME,
+  },
+  // Same cert file protected with empty string password
+  {
+    name: "import PKCS12 file empty password",
+    filename: PKCS12_FILE_EMPTY_PASS,
+    passwordToUse: "",
+    successExpected: true,
+    errorCode: Ci.nsIX509CertDB.Success,
+    checkCertExist: false,
+    certCommonName: CERT_COMMON_NAME,
+  },
+  // Same cert file protected with no password
+  {
+    name: "import PKCS12 file no password",
+    filename: PKCS12_FILE_NO_PASS,
+    passwordToUse: null,
+    successExpected: true,
+    errorCode: Ci.nsIX509CertDB.Success,
+    checkCertExist: false,
+    certCommonName: CERT_COMMON_NAME,
+  },
+  // Test a PKCS12 file encrypted using AES
+  {
+    name: "import PKCS12 file using AES",
+    filename: "test_certDB_import/encrypted_with_aes.p12",
+    passwordToUse: "password",
+    successExpected: true,
+    errorCode: Ci.nsIX509CertDB.Success,
+    checkCertExist: true,
+    certCommonName: "John Doe",
+  },
+];
+
+function doesCertExist(commonName) {
+  let allCerts = gCertDB.getCerts();
+  for (let cert of allCerts) {
+    if (cert.isBuiltInRoot) {
+      continue;
+    }
+    if (cert.commonName == commonName) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+function runOneTestcase(testcase) {
+  info(`running ${testcase.name}`);
+  if (testcase.checkCertExist) {
+    ok(
+      !doesCertExist(testcase.certCommonName),
+      "cert should not be in the database before import"
+    );
+  }
+
+  // Import and check for failure.
+  let certFile = do_get_file(testcase.filename);
+  ok(certFile, `${testcase.filename} should exist`);
+  let errorCode = gCertDB.importPKCS12File(certFile, testcase.passwordToUse);
+  equal(errorCode, testcase.errorCode, `verifying error code`);
+  equal(
+    doesCertExist(testcase.certCommonName),
+    testcase.successExpected,
+    `cert should${testcase.successExpected ? "" : " not"} be found now`
+  );
+}
+
+function run_test() {
+  for (let testcase of gTestcases) {
+    runOneTestcase(testcase);
+  }
+}
diff --git a/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js b/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js
new file mode 100644
index 0000000000..ab1ad36fd2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js
@@ -0,0 +1,148 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that a CA certificate can still be imported if the user has a primary
+// password set.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+const CA_CERT_COMMON_NAME = "importedCA";
+
+let gCACertImportDialogCount = 0;
+
+// Mock implementation of nsICertificateDialogs.
+const gCertificateDialogs = {
+  confirmDownloadCACert: (ctx, cert, trust) => {
+    gCACertImportDialogCount++;
+    equal(
+      cert.commonName,
+      CA_CERT_COMMON_NAME,
+      "CA cert to import should have the correct CN"
+    );
+    trust.value = Ci.nsIX509CertDB.TRUSTED_EMAIL;
+    return true;
+  },
+  setPKCS12FilePassword: (ctx, password) => {
+    // This is only relevant to exporting.
+    ok(false, "setPKCS12FilePassword() should not have been called");
+  },
+  getPKCS12FilePassword: (ctx, password) => {
+    // We don't test anything that calls this method yet.
+    ok(false, "getPKCS12FilePassword() should not have been called");
+  },
+
+  QueryInterface: ChromeUtils.generateQI(["nsICertificateDialogs"]),
+};
+
+var gMockPrompter = {
+  passwordToTry: "password",
+  numPrompts: 0,
+
+  // This intentionally does not use arrow function syntax to avoid an issue
+  // where in the context of the arrow function, |this != gMockPrompter| due to
+  // how objects get wrapped when going across xpcom boundaries.
+  promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+    this.numPrompts++;
+    if (this.numPrompts > 1) {
+      // don't keep retrying a bad password
+      return false;
+    }
+    equal(
+      text,
+      "Please enter your Primary Password.",
+      "password prompt text should be as expected"
+    );
+    equal(checkMsg, null, "checkMsg should be null");
+    ok(this.passwordToTry, "passwordToTry should be non-null");
+    password.value = this.passwordToTry;
+    return true;
+  },
+
+  QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+
+  // Again with the arrow function issue.
+  getInterface(iid) {
+    if (iid.equals(Ci.nsIPrompt)) {
+      return this;
+    }
+
+    throw Components.Exception("", Cr.NS_ERROR_NO_INTERFACE);
+  },
+};
+
+function getCertAsByteArray(certPath) {
+  let certFile = do_get_file(certPath, false);
+  let certBytes = readFile(certFile);
+
+  let byteArray = [];
+  for (let i = 0; i < certBytes.length; i++) {
+    byteArray.push(certBytes.charCodeAt(i));
+  }
+
+  return byteArray;
+}
+
+function findCertByCommonName(commonName) {
+  for (let cert of gCertDB.getCerts()) {
+    if (cert.commonName == commonName) {
+      return cert;
+    }
+  }
+  return null;
+}
+
+function run_test() {
+  let certificateDialogsCID = MockRegistrar.register(
+    "@mozilla.org/nsCertificateDialogs;1",
+    gCertificateDialogs
+  );
+  registerCleanupFunction(() => {
+    MockRegistrar.unregister(certificateDialogsCID);
+  });
+
+  // Set a primary password.
+  let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+    Ci.nsIPK11TokenDB
+  );
+  let token = tokenDB.getInternalKeyToken();
+  token.initPassword("password");
+  token.logoutSimple();
+
+  // Sanity check the CA cert is missing.
+  equal(
+    findCertByCommonName(CA_CERT_COMMON_NAME),
+    null,
+    "CA cert should not be in the database before import"
+  );
+
+  // Import and check for success.
+  let caArray = getCertAsByteArray("test_certDB_import/importedCA.pem");
+  gCertDB.importCertificates(
+    caArray,
+    caArray.length,
+    Ci.nsIX509Cert.CA_CERT,
+    gMockPrompter
+  );
+  equal(
+    gCACertImportDialogCount,
+    1,
+    "Confirmation dialog for the CA cert should only be shown once"
+  );
+
+  let caCert = findCertByCommonName(CA_CERT_COMMON_NAME);
+  notEqual(caCert, null, "CA cert should now be found in the database");
+  ok(
+    gCertDB.isCertTrusted(
+      caCert,
+      Ci.nsIX509Cert.CA_CERT,
+      Ci.nsIX509CertDB.TRUSTED_EMAIL
+    ),
+    "CA cert should be trusted for e-mail"
+  );
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_chains.js b/security/manager/ssl/tests/unit/test_cert_chains.js
new file mode 100644
index 0000000000..471bc42c03
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_chains.js
@@ -0,0 +1,394 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// We hard-code the following certificates for the pkcs7 export tests so that we
+// don't have to change the test data when the certificates change each year.
+// Luckily these tests don't depend on the certificates being valid, so it's ok
+// to let them expire.
+const gDefaultEEPEM = `-----BEGIN CERTIFICATE-----
+MIIDiTCCAnGgAwIBAgIUDUo/9G0rz7fJiWTw0hY6TIyPRSIwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAwMDAwMFoYDzIwMjAw
+MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow
+gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp
+bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu
+ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs
+ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCkguNhMyVCYhyYXfE22wNvlaob
+K2YRb4OGMxySIKuQ80N0XlO+xpLJTs9YzFVY1+JTHNez1QfwP9KJeZznTzVzLh4s
+v0swx/+oUxCfLb0VIl/kdUqLkbGYrAmtjeOKZLaqVtRH0BnmbPowLak1pi6nQYOU
++aL9QOuvT/j3rXoimcdo6X3TK1SN2/64fGMyG/pwas+JXehbReUf4n1ewk84ADtb
++ew8tRAKf/uxzKUj5t/UgqDsnTWq5wUc5IJKwoHT41sQnNqPg12x4+WGWiAsWCpR
+/hKYHFGr7rb4JTGEPAJpWcv9WtZYAvwT78a2xpHp5XNglj16IjWEukvJuU1W
+-----END CERTIFICATE-----`;
+
+const gTestCAPEM = `-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUKaFwIwCwHXUgKRuOhAX4pjYsmbgwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAwMDAwMFoYDzIwMjAw
+MjA1MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAIMgnywHFbPzJ
+BEcbpx/aWQOI2tUFlo7MUoPSoACHzoI/HOUTx25eKHlpNK2jSljLufhUd//eCCXg
++OQt4f2N/tRw8gumbs3YDF7+t3ZNGt+iQxZTwN7MKsGIZy+6R523XHw8lpzFX5iz
+XgIS+0APlX+XyZk7MRCcBWh6PSaSqEOOvUXVp6Omh3it034kBWnm809TEWmwiVw3
+ssPDmpUCArdDNMMdvQehzaH96cdjcSsguqpX9NcMDUmmiG7HLQ2iy+WSzek9S46S
+bKKDLw8Ebevfkl6PEpg+GDulq+EPXayN3AsFXkF8MaFLgfeprkENjN1g4jM+WSyN
+6DC7vCkj7A==
+-----END CERTIFICATE-----`;
+
+const gUnknownIssuerPEM = `
+-----BEGIN CERTIFICATE-----
+MIIDqTCCApGgAwIBAgIUMRiJ9TrwqTOoVFU+j5FDWDWS1X8wDQYJKoZIhvcNAQEL
+BQAwJjEkMCIGA1UEAwwbVGVzdCBJbnRlcm1lZGlhdGUgdG8gZGVsZXRlMCIYDzIw
+MTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMC4xLDAqBgNVBAMMI1Rlc3Qg
+RW5kLWVudGl0eSBmcm9tIHVua25vd24gaXNzdWVyMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4HCMIG/MIGIBgNV
+HREEgYAwfoIZdW5rbm93bmlzc3Vlci5leGFtcGxlLmNvbYI0dW5rbm93bmlzc3Vl
+ci5pbmNsdWRlLXN1YmRvbWFpbnMucGlubmluZy5leGFtcGxlLmNvbYIrdW5rbm93
+bmlzc3Vlci50ZXN0LW1vZGUucGlubmluZy5leGFtcGxlLmNvbTAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZI
+hvcNAQELBQADggEBALAnJjBJ+MOc7kMRzmESYZRSxKak7A1K67xBXWzWmK3t3WXv
+e/RLjV/RhbyTN20h2ZjSVcuDzgNYC/RJ/z3Xd5Q9QEGoi1ly84HeaeHw/3kUSHxv
+J3JnbPu2lk96U5y7tXEVfbEVZYpx4Us72fuURPWriVldILH2lgrEg+iKZWbY/wcT
+vfu1j/flMkGEOpc1HytlmR9fkCDnqzFfcmv7Eh3X1BiSBOIemGnUHxONwlthSE68
+IItE5l3c82G8oQGmve6r0N9h7t6opIjH1koFWMck/pzDA01FmWey4ASdlmjE8NSJ
+Al1zsF8EiLOZeI1rvurcXwVOd0Olk9/QT5hwTkk=
+-----END CERTIFICATE-----`;
+
+const gOCSPEEWithIntermediatePEM = `
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUZ67hS7lHVnCQtXx7oXFlzihqh0cwDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAxNzExMjcwMDAw
+MDBaGA8yMDIwMDIwNTAwMDAwMFowLDEqMCgGA1UEAwwhVGVzdCBFbmQtZW50aXR5
+IHdpdGggSW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu
+Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO
+7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf
+qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt
+HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx
+uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1swWTAjBgNVHREEHDAagglsb2NhbGhv
+c3SCDSouZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZo
+dHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQAo043hM4Gi
+UtoXKOQB2v0C8nF4Yyzpf+i0LlxQCFZkiLYu9pIuQu16I3TbLQRBwhCC0ml7TqJB
+AbryzILTorCQP8A1WQa1kt6cb30jCyXLcWnDA/ULPexn9cYm6I0YyLFlnkcVzMGL
+Fc+LyWTAPEW5rMauu5iOOp/6L5rBF0M9bg5yXSGNDv8gk3Jc+opJbBDTrAuKDNLp
+JSEp4rqovNFnirzlJWDS+ScAsWHtoLcrH6gnQRPsEV1WFQnYr3HkAakYQok9xs5A
+ikBS6mgz4/cFBts8bSGSuXxctkN2Ss7Y5l3YmTYKCxPz6retVfrhi/islH4W3z9H
+pu3ZqyACO6Lb
+-----END CERTIFICATE-----`;
+
+const gTestIntPEM = `
+-----BEGIN CERTIFICATE-----
+MIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25iBPOkIMwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMjUw
+MTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
+SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
+K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
+bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
+JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMd
+MBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEB
+AILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC2BQF0kMEEB547p+Ms8zdJY00
+Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77TkfmnSnxvPi+0nlA+eM
+8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22+AIU7w6wyA
+IbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubjiMr3
+B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpyk
+rGFLvocT/kym6r8galxCJUo=
+-----END CERTIFICATE-----`;
+
+function build_cert_list_from_pem_list(pemList) {
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  let certList = [];
+  for (let pem of pemList) {
+    let cert = certdb.constructX509FromBase64(pemToBase64(pem));
+    certList.push(cert);
+  }
+  return certList;
+}
+
+function test_cert_pkcs7_export() {
+  // This was generated by running BadCertAndPinningServer locally on the bad_certs
+  // directory and visiting:
+  // https://good.include-subdomains.pinning.example.com:8443/
+  // and then viewing the certificate chain presented (in the page info dialog)
+  // and exporting it.
+  // (NB: test-ca must be imported and trusted for the connection to succeed)
+  const expectedPKCS7ForDefaultEE =
+    "MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCCBmQwggLTMIIBu6ADAgE" +
+    "CAhQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZX" +
+    "N0IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB" +
+    "1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI" +
+    "BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xz" +
+    "VJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCy" +
+    "uwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW" +
+    "7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE" +
+    "LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8" +
+    "wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAgyCfLAcVs/MkERxunH9pZA4ja1Q" +
+    "WWjsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR3/94IJeD45C3h/Y3+1HDyC6ZuzdgMX" +
+    "v63dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmLNeAhL7QA+Vf5fJmTsxEJwFaHo9JpKo" +
+    "Q469RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8OalQICt0M0wx29B6HNof3px2NxKyC6qlf" +
+    "01wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+SXo8SmD4YO6Wr4Q9drI3cCwVeQXwxoU" +
+    "uB96muQQ2M3WDiMz5ZLI3oMLu8KSPsMIIDiTCCAnGgAwIBAgIUDUo/9G0rz7fJiWTw0hY6T" +
+    "IyPRSIwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAw" +
+    "MDAwMFoYDzIwMjAwMjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggE" +
+    "iMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNU" +
+    "q07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0" +
+    "DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ" +
+    "sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJH" +
+    "dtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFz" +
+    "G4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcowgccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob" +
+    "3N0gg0qLmV4YW1wbGUuY29tghUqLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1z" +
+    "dWJkb21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnB" +
+    "pbm5pbmcuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi" +
+    "8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCkguNhMyVCYhyYXfE22wNvl" +
+    "aobK2YRb4OGMxySIKuQ80N0XlO+xpLJTs9YzFVY1+JTHNez1QfwP9KJeZznTzVzLh4sv0sw" +
+    "x/+oUxCfLb0VIl/kdUqLkbGYrAmtjeOKZLaqVtRH0BnmbPowLak1pi6nQYOU+aL9QOuvT/j" +
+    "3rXoimcdo6X3TK1SN2/64fGMyG/pwas+JXehbReUf4n1ewk84ADtb+ew8tRAKf/uxzKUj5t" +
+    "/UgqDsnTWq5wUc5IJKwoHT41sQnNqPg12x4+WGWiAsWCpR/hKYHFGr7rb4JTGEPAJpWcv9W" +
+    "tZYAvwT78a2xpHp5XNglj16IjWEukvJuU1WMQAAAAAAAAA=";
+  let certListDefaultEE = build_cert_list_from_pem_list([
+    gDefaultEEPEM,
+    gTestCAPEM,
+  ]);
+
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  let pkcs7DefaultEE = certdb.asPKCS7Blob(certListDefaultEE);
+
+  equal(
+    btoa(pkcs7DefaultEE),
+    expectedPKCS7ForDefaultEE,
+    "PKCS7 export should work as expected for default-ee chain"
+  );
+
+  // This was generated by running BadCertAndPinningServer locally on the bad_certs
+  // directory and visiting:
+  // https://unknownissuer.example.com:8443/
+  // and then viewing the certificate presented (in the add certificate
+  // exception dialog) and exporting it.
+  const expectedPKCS7ForUnknownIssuer =
+    "MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCCA60wggOpMIICkaADAgE" +
+    "CAhQxGIn1OvCpM6hUVT6PkUNYNZLVfzANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtUZX" +
+    "N0IEludGVybWVkaWF0ZSB0byBkZWxldGUwIhgPMjAxNzExMjcwMDAwMDBaGA8yMDIwMDIwN" +
+    "TAwMDAwMFowLjEsMCoGA1UEAwwjVGVzdCBFbmQtZW50aXR5IGZyb20gdW5rbm93biBpc3N1" +
+    "ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTw" +
+    "T2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs" +
+    "1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkf" +
+    "bmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA" +
+    "dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/" +
+    "l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcIwgb8wgYgGA1UdEQSBgDB+ghl1bm" +
+    "tub3duaXNzdWVyLmV4YW1wbGUuY29tgjR1bmtub3duaXNzdWVyLmluY2x1ZGUtc3ViZG9tY" +
+    "Wlucy5waW5uaW5nLmV4YW1wbGUuY29tgit1bmtub3duaXNzdWVyLnRlc3QtbW9kZS5waW5u" +
+    "aW5nLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2x" +
+    "vY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAsCcmMEn4w5zuQxHOYRJhlFLEpq" +
+    "TsDUrrvEFdbNaYre3dZe979EuNX9GFvJM3bSHZmNJVy4POA1gL9En/Pdd3lD1AQaiLWXLzg" +
+    "d5p4fD/eRRIfG8ncmds+7aWT3pTnLu1cRV9sRVlinHhSzvZ+5RE9auJWV0gsfaWCsSD6Ipl" +
+    "Ztj/BxO9+7WP9+UyQYQ6lzUfK2WZH1+QIOerMV9ya/sSHdfUGJIE4h6YadQfE43CW2FITrw" +
+    "gi0TmXdzzYbyhAaa97qvQ32Hu3qikiMfWSgVYxyT+nMMDTUWZZ7LgBJ2WaMTw1IkCXXOwXw" +
+    "SIs5l4jWu+6txfBU53Q6WT39BPmHBOSTEAAAAAAAAA";
+  let certListUnknownIssuer = build_cert_list_from_pem_list([
+    gUnknownIssuerPEM,
+  ]);
+  let pkcs7UnknownIssuer = certdb.asPKCS7Blob(certListUnknownIssuer);
+  equal(
+    btoa(pkcs7UnknownIssuer),
+    expectedPKCS7ForUnknownIssuer,
+    "PKCS7 export should work as expected for unknown issuer"
+  );
+
+  // This was generated by running OCSPStaplingServer locally on the ocsp_certs
+  // directory and visiting:
+  // https://ocsp-stapling-with-intermediate.example.com:8443/
+  // and then viewing the certificate chain presented (in the page info dialog)
+  // and exporting it.
+  // (NB: test-ca must be imported and trusted for the connection to succeed)
+  const expectedPKCS7WithIntermediate =
+    "MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCCCPEwggLTMIIBu6ADAgE" +
+    "CAhQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZX" +
+    "N0IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB" +
+    "1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI" +
+    "BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xz" +
+    "VJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCy" +
+    "uwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW" +
+    "7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE" +
+    "LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8" +
+    "wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAgyCfLAcVs/MkERxunH9pZA4ja1Q" +
+    "WWjsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR3/94IJeD45C3h/Y3+1HDyC6ZuzdgMX" +
+    "v63dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmLNeAhL7QA+Vf5fJmTsxEJwFaHo9JpKo" +
+    "Q469RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8OalQICt0M0wx29B6HNof3px2NxKyC6qlf" +
+    "01wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+SXo8SmD4YO6Wr4Q9drI3cCwVeQXwxoU" +
+    "uB96muQQ2M3WDiMz5ZLI3oMLu8KSPsMIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25i" +
+    "BPOkIMwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAw" +
+    "MDAwMFoYDzIwMjUwMTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTC" +
+    "CASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6u" +
+    "Q1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8H" +
+    "mnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh" +
+    "eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaM" +
+    "Mkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5" +
+    "kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EB" +
+    "AMCAQYwDQYJKoZIhvcNAQELBQADggEBAILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC" +
+    "2BQF0kMEEB547p+Ms8zdJY00Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77Tk" +
+    "fmnSnxvPi+0nlA+eM8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22" +
+    "+AIU7w6wyAIbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubji" +
+    "Mr3B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpykrGFL" +
+    "vocT/kym6r8galxCJUowggM1MIICHaADAgECAhRnruFLuUdWcJC1fHuhcWXOKGqHRzANBgk" +
+    "qhkiG9w0BAQsFADAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTAiGA8yMDE3MTEyNz" +
+    "AwMDAwMFoYDzIwMjAwMjA1MDAwMDAwWjAsMSowKAYDVQQDDCFUZXN0IEVuZC1lbnRpdHkgd" +
+    "2l0aCBJbnRlcm1lZGlhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo" +
+    "RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHE" +
+    "IeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7q" +
+    "dw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCAB" +
+    "iTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd" +
+    "q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjWzBZMCMGA1U" +
+    "dEQQcMBqCCWxvY2FsaG9zdIINKi5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKw" +
+    "YBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBACjTj" +
+    "eEzgaJS2hco5AHa/QLycXhjLOl/6LQuXFAIVmSIti72ki5C7XojdNstBEHCEILSaXtOokEB" +
+    "uvLMgtOisJA/wDVZBrWS3pxvfSMLJctxacMD9Qs97Gf1xibojRjIsWWeRxXMwYsVz4vJZMA" +
+    "8Rbmsxq67mI46n/ovmsEXQz1uDnJdIY0O/yCTclz6iklsENOsC4oM0uklISniuqi80WeKvO" +
+    "UlYNL5JwCxYe2gtysfqCdBE+wRXVYVCdivceQBqRhCiT3GzkCKQFLqaDPj9wUG2zxtIZK5f" +
+    "Fy2Q3ZKztjmXdiZNgoLE/Pqt61V+uGL+KyUfhbfP0em7dmrIAI7otsxAAAAAAAAAA==";
+  let certListWithIntermediate = build_cert_list_from_pem_list([
+    gOCSPEEWithIntermediatePEM,
+    gTestIntPEM,
+    gTestCAPEM,
+  ]);
+  let pkcs7WithIntermediate = certdb.asPKCS7Blob(certListWithIntermediate);
+  equal(
+    btoa(pkcs7WithIntermediate),
+    expectedPKCS7WithIntermediate,
+    "PKCS7 export should work as expected for chain with intermediate"
+  );
+}
+
+function test_cert_pkcs7_empty_array() {
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+
+  throws(
+    () => certdb.asPKCS7Blob([]),
+    /NS_ERROR_ILLEGAL_VALUE/,
+    "trying to convert an empty array to pkcs7 should throw"
+  );
+}
+
+function run_test() {
+  do_get_profile();
+  add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+
+  add_test(function () {
+    test_cert_pkcs7_export();
+    run_next_test();
+  });
+
+  add_test(function () {
+    test_cert_pkcs7_empty_array();
+    run_next_test();
+  });
+
+  // Test successful connection (failedCertChain should be null)
+  add_connection_test(
+    // re-use pinning certs (keeler)
+    "good.include-subdomains.pinning.example.com",
+    PRErrorCodeSuccess,
+    null,
+    function withSecurityInfo(aTransportSecurityInfo) {
+      equal(
+        aTransportSecurityInfo.failedCertChain.length,
+        0,
+        "failedCertChain for a successful connection should be null"
+      );
+    }
+  );
+
+  // Test overrideable connection failure (failedCertChain should be non-null)
+  add_connection_test(
+    "expired.example.com",
+    SEC_ERROR_EXPIRED_CERTIFICATE,
+    null,
+    function withSecurityInfo(securityInfo) {
+      notEqual(
+        securityInfo.failedCertChain,
+        null,
+        "failedCertChain should not be null for an overrideable" +
+          " connection failure"
+      );
+      let originalCertChain = build_cert_chain(["expired-ee", "test-ca"]);
+      ok(
+        areCertArraysEqual(originalCertChain, securityInfo.failedCertChain),
+        "failedCertChain should equal the original cert chain for an" +
+          " overrideable connection failure"
+      );
+    }
+  );
+
+  // Test overrideable connection failure (failedCertChain should be non-null)
+  add_connection_test(
+    "unknownissuer.example.com",
+    SEC_ERROR_UNKNOWN_ISSUER,
+    null,
+    function withSecurityInfo(securityInfo) {
+      notEqual(
+        securityInfo.failedCertChain,
+        null,
+        "failedCertChain should not be null for an overrideable" +
+          " connection failure"
+      );
+      let originalCertChain = build_cert_chain(["unknownissuer"]);
+      ok(
+        areCertArraysEqual(originalCertChain, securityInfo.failedCertChain),
+        "failedCertChain should equal the original cert chain for an" +
+          " overrideable connection failure"
+      );
+    }
+  );
+
+  // Test non-overrideable error (failedCertChain should be non-null)
+  add_connection_test(
+    "inadequatekeyusage.example.com",
+    SEC_ERROR_INADEQUATE_KEY_USAGE,
+    null,
+    function withSecurityInfo(securityInfo) {
+      notEqual(
+        securityInfo.failedCertChain,
+        null,
+        "failedCertChain should not be null for a non-overrideable" +
+          " connection failure"
+      );
+      let originalCertChain = build_cert_chain([
+        "inadequatekeyusage-ee",
+        "test-ca",
+      ]);
+      ok(
+        areCertArraysEqual(originalCertChain, securityInfo.failedCertChain),
+        "failedCertChain should equal the original cert chain for a" +
+          " non-overrideable connection failure"
+      );
+    }
+  );
+
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_dbKey.js b/security/manager/ssl/tests/unit/test_cert_dbKey.js
new file mode 100644
index 0000000000..3ff36f905c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_dbKey.js
@@ -0,0 +1,225 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// This test tests that the nsIX509Cert.dbKey and nsIX509CertDB.findCertByDBKey
+// APIs work as expected. That is, getting a certificate's dbKey and using it
+// in findCertByDBKey should return the same certificate. Also, for backwards
+// compatibility, findCertByDBKey should ignore any whitespace in its input
+// (even though now nsIX509Cert.dbKey will never have whitespace in it).
+
+function hexStringToBytes(hex) {
+  let bytes = [];
+  for (let hexByteStr of hex.split(":")) {
+    bytes.push(parseInt(hexByteStr, 16));
+  }
+  return bytes;
+}
+
+function encodeCommonNameAsBytes(commonName) {
+  // The encoding will look something like this (in hex):
+  // 30 (SEQUENCE) <length of contents>
+  //    31 (SET) <length of contents>
+  //       30 (SEQUENCE) <length of contents>
+  //          06 (OID) 03 (length)
+  //             55 04 03 (id-at-commonName)
+  //          0C (UTF8String) <length of common name>
+  //             <common name bytes>
+  // To make things simple, it would be nice to have the length of each
+  // component be less than 128 bytes (so we can have single-byte lengths).
+  // For this to hold, the maximum length of the contents of the outermost
+  // SEQUENCE must be 127. Everything not in the contents of the common name
+  // will take up 11 bytes, so the value of the common name itself can be at
+  // most 116 bytes.
+  ok(
+    commonName.length <= 116,
+    "test assumption: common name can't be longer than 116 bytes (makes " +
+      "DER encoding easier)"
+  );
+  let commonNameOIDBytes = [0x06, 0x03, 0x55, 0x04, 0x03];
+  let commonNameBytes = [0x0c, commonName.length];
+  for (let i = 0; i < commonName.length; i++) {
+    commonNameBytes.push(commonName.charCodeAt(i));
+  }
+  let bytes = commonNameOIDBytes.concat(commonNameBytes);
+  bytes.unshift(bytes.length);
+  bytes.unshift(0x30); // SEQUENCE
+  bytes.unshift(bytes.length);
+  bytes.unshift(0x31); // SET
+  bytes.unshift(bytes.length);
+  bytes.unshift(0x30); // SEQUENCE
+  return bytes;
+}
+
+function testInvalidDBKey(certDB, dbKey) {
+  throws(
+    () => certDB.findCertByDBKey(dbKey),
+    /NS_ERROR_ILLEGAL_INPUT/,
+    `findCertByDBKey(${dbKey}) should raise NS_ERROR_ILLEGAL_INPUT`
+  );
+}
+
+function testDBKeyForNonexistentCert(certDB, dbKey) {
+  let cert = certDB.findCertByDBKey(dbKey);
+  ok(!cert, "shouldn't find cert for given dbKey");
+}
+
+function byteArrayToByteString(bytes) {
+  let byteString = "";
+  for (let b of bytes) {
+    byteString += String.fromCharCode(b);
+  }
+  return byteString;
+}
+
+function run_test() {
+  do_get_profile();
+  let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  let cert = constructCertFromFile("bad_certs/test-ca.pem");
+  equal(
+    cert.issuerName,
+    "CN=" + cert.issuerCommonName,
+    "test assumption: this certificate's issuer distinguished name " +
+      "consists only of a common name"
+  );
+  let issuerBytes = encodeCommonNameAsBytes(cert.issuerCommonName);
+  ok(
+    issuerBytes.length < 256,
+    "test assumption: length of encoded issuer is less than 256 bytes"
+  );
+  let serialNumberBytes = hexStringToBytes(cert.serialNumber);
+  ok(
+    serialNumberBytes.length < 256,
+    "test assumption: length of encoded serial number is less than 256 bytes"
+  );
+  let dbKeyHeader = [
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    serialNumberBytes.length,
+    0,
+    0,
+    0,
+    issuerBytes.length,
+  ];
+  let expectedDbKeyBytes = dbKeyHeader.concat(serialNumberBytes, issuerBytes);
+  let expectedDbKey = btoa(byteArrayToByteString(expectedDbKeyBytes));
+  equal(
+    cert.dbKey,
+    expectedDbKey,
+    "actual and expected dbKey values should match"
+  );
+
+  let certFromDbKey = certDB.findCertByDBKey(expectedDbKey);
+  ok(
+    areCertsEqual(certFromDbKey, cert),
+    "nsIX509CertDB.findCertByDBKey should find the right certificate"
+  );
+
+  ok(
+    expectedDbKey.length > 64,
+    "test assumption: dbKey should be longer than 64 characters"
+  );
+  let expectedDbKeyWithCRLF = expectedDbKey.replace(/(.{64})/, "$1\r\n");
+  ok(
+    expectedDbKeyWithCRLF.indexOf("\r\n") == 64,
+    "test self-check: adding CRLF to dbKey should succeed"
+  );
+  certFromDbKey = certDB.findCertByDBKey(expectedDbKeyWithCRLF);
+  ok(
+    areCertsEqual(certFromDbKey, cert),
+    "nsIX509CertDB.findCertByDBKey should work with dbKey with CRLF"
+  );
+
+  let expectedDbKeyWithSpaces = expectedDbKey.replace(/(.{64})/, "$1  ");
+  ok(
+    expectedDbKeyWithSpaces.indexOf("  ") == 64,
+    "test self-check: adding spaces to dbKey should succeed"
+  );
+  certFromDbKey = certDB.findCertByDBKey(expectedDbKeyWithSpaces);
+  ok(
+    areCertsEqual(certFromDbKey, cert),
+    "nsIX509CertDB.findCertByDBKey should work with dbKey with spaces"
+  );
+
+  // Test some invalid dbKey values.
+  testInvalidDBKey(certDB, "AAAA"); // Not long enough.
+  // No header.
+  testInvalidDBKey(
+    certDB,
+    btoa(
+      byteArrayToByteString(
+        [0, 0, 0, serialNumberBytes.length, 0, 0, 0, issuerBytes.length].concat(
+          serialNumberBytes,
+          issuerBytes
+        )
+      )
+    )
+  );
+  testInvalidDBKey(
+    certDB,
+    btoa(
+      byteArrayToByteString([
+        0,
+        0,
+        0,
+        0,
+        0,
+        0,
+        0,
+        0,
+        255,
+        255,
+        255,
+        255, // serial number length is way too long
+        255,
+        255,
+        255,
+        255, // issuer length is way too long
+        0,
+        0,
+        0,
+        0,
+      ])
+    )
+  );
+  // Truncated issuer.
+  testInvalidDBKey(
+    certDB,
+    btoa(
+      byteArrayToByteString([
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 10, 1, 1, 2, 3,
+      ])
+    )
+  );
+  // Issuer doesn't decode to valid common name.
+  testDBKeyForNonexistentCert(
+    certDB,
+    btoa(
+      byteArrayToByteString([
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 3, 1, 1, 2, 3,
+      ])
+    )
+  );
+
+  // zero-length serial number and issuer -> no such certificate
+  testDBKeyForNonexistentCert(
+    certDB,
+    btoa(
+      byteArrayToByteString([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0])
+    )
+  );
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_eku.js b/security/manager/ssl/tests/unit/test_cert_eku.js
new file mode 100644
index 0000000000..de1d5fcbfe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku.js
@@ -0,0 +1,189 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that the extended key usage extension is properly processed by the
+// platform when verifying certificates. There are already comprehensive tests
+// in mozilla::pkix itself, but these tests serve as integration tests to ensure
+// that the cases we're particularly concerned about are correctly handled.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+function certFromFile(certName) {
+  return constructCertFromFile(`test_cert_eku/${certName}.pem`);
+}
+
+function loadCertWithTrust(certName, trustString) {
+  addCertFromFile(certdb, `test_cert_eku/${certName}.pem`, trustString);
+}
+
+function checkEndEntity(cert, expectedResult) {
+  return checkCertErrorGeneric(
+    certdb,
+    cert,
+    expectedResult,
+    certificateUsageSSLServer
+  );
+}
+
+function checkCertOn25August2016(cert, expectedResult) {
+  // (new Date("2016-08-25T00:00:00Z")).getTime() / 1000
+  const VALIDATION_TIME = 1472083200;
+  return checkCertErrorGenericAtTime(
+    certdb,
+    cert,
+    expectedResult,
+    certificateUsageSSLServer,
+    VALIDATION_TIME
+  );
+}
+
+add_task(async function () {
+  registerCleanupFunction(() => {
+    Services.prefs.clearUserPref("privacy.reduceTimerPrecision");
+  });
+  Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false);
+
+  loadCertWithTrust("ca", "CTu,,");
+  // end-entity has id-kp-serverAuth => success
+  await checkEndEntity(certFromFile("ee-SA"), PRErrorCodeSuccess);
+  // end-entity has id-kp-serverAuth => success
+  await checkEndEntity(certFromFile("ee-SA-CA"), PRErrorCodeSuccess);
+  // end-entity has extended key usage, but id-kp-serverAuth is not present =>
+  // failure
+  await checkEndEntity(certFromFile("ee-CA"), SEC_ERROR_INADEQUATE_CERT_TYPE);
+  // end-entity has id-kp-serverAuth => success
+  await checkEndEntity(certFromFile("ee-SA-nsSGC"), PRErrorCodeSuccess);
+
+  // end-entity has extended key usage, but id-kp-serverAuth is not present =>
+  // failure (in particular, Netscape Server Gated Crypto (also known as
+  // Netscape Step Up) is not an acceptable substitute for end-entity
+  // certificates).
+  // Verify this for all Netscape Step Up policy configurations.
+  // 0 = "always accept nsSGC in place of serverAuth for CA certificates"
+  Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0);
+  await checkEndEntity(
+    certFromFile("ee-nsSGC"),
+    SEC_ERROR_INADEQUATE_CERT_TYPE
+  );
+  // 1 = "accept nsSGC before 23 August 2016"
+  Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1);
+  await checkEndEntity(
+    certFromFile("ee-nsSGC"),
+    SEC_ERROR_INADEQUATE_CERT_TYPE
+  );
+  // 2 = "accept nsSGC before 23 August 2015"
+  Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2);
+  await checkEndEntity(
+    certFromFile("ee-nsSGC"),
+    SEC_ERROR_INADEQUATE_CERT_TYPE
+  );
+  // 3 = "never accept nsSGC"
+  Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3);
+  await checkEndEntity(
+    certFromFile("ee-nsSGC"),
+    SEC_ERROR_INADEQUATE_CERT_TYPE
+  );
+
+  // end-entity has id-kp-OCSPSigning, which is not acceptable for end-entity
+  // certificates being verified as TLS server certificates => failure
+  await checkEndEntity(
+    certFromFile("ee-SA-OCSP"),
+    SEC_ERROR_INADEQUATE_CERT_TYPE
+  );
+
+  // intermediate has id-kp-serverAuth => success
+  loadCertWithTrust("int-SA", ",,");
+  await checkEndEntity(certFromFile("ee-int-SA"), PRErrorCodeSuccess);
+  // intermediate has id-kp-serverAuth => success
+  loadCertWithTrust("int-SA-CA", ",,");
+  await checkEndEntity(certFromFile("ee-int-SA-CA"), PRErrorCodeSuccess);
+  // intermediate has extended key usage, but id-kp-serverAuth is not present
+  // => failure
+  loadCertWithTrust("int-CA", ",,");
+  await checkEndEntity(
+    certFromFile("ee-int-CA"),
+    SEC_ERROR_INADEQUATE_CERT_TYPE
+  );
+  // intermediate has id-kp-serverAuth => success
+  loadCertWithTrust("int-SA-nsSGC", ",,");
+  await checkEndEntity(certFromFile("ee-int-SA-nsSGC"), PRErrorCodeSuccess);
+
+  // Intermediate has Netscape Server Gated Crypto. Success will depend on the
+  // Netscape Step Up policy configuration and the notBefore property of the
+  // intermediate.
+  loadCertWithTrust("int-nsSGC-recent", ",,");
+  loadCertWithTrust("int-nsSGC-old", ",,");
+  loadCertWithTrust("int-nsSGC-older", ",,");
+  // 0 = "always accept nsSGC in place of serverAuth for CA certificates"
+  Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0);
+  info("Netscape Step Up policy: always accept");
+  await checkCertOn25August2016(
+    certFromFile("ee-int-nsSGC-recent"),
+    PRErrorCodeSuccess
+  );
+  await checkCertOn25August2016(
+    certFromFile("ee-int-nsSGC-old"),
+    PRErrorCodeSuccess
+  );
+  await checkCertOn25August2016(
+    certFromFile("ee-int-nsSGC-older"),
+    PRErrorCodeSuccess
+  );
+  // 1 = "accept nsSGC before 23 August 2016"
+  info("Netscape Step Up policy: accept before 23 August 2016");
+  Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1);
+  await checkCertOn25August2016(
+    certFromFile("ee-int-nsSGC-recent"),
+    SEC_ERROR_INADEQUATE_CERT_TYPE
+  );
+  await checkCertOn25August2016(
+    certFromFile("ee-int-nsSGC-old"),
+    PRErrorCodeSuccess
+  );
+  await checkCertOn25August2016(
+    certFromFile("ee-int-nsSGC-older"),
+    PRErrorCodeSuccess
+  );
+  // 2 = "accept nsSGC before 23 August 2015"
+  info("Netscape Step Up policy: accept before 23 August 2015");
+  Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2);
+  await checkCertOn25August2016(
+    certFromFile("ee-int-nsSGC-recent"),
+    SEC_ERROR_INADEQUATE_CERT_TYPE
+  );
+  await checkCertOn25August2016(
+    certFromFile("ee-int-nsSGC-old"),
+    SEC_ERROR_INADEQUATE_CERT_TYPE
+  );
+  await checkCertOn25August2016(
+    certFromFile("ee-int-nsSGC-older"),
+    PRErrorCodeSuccess
+  );
+  // 3 = "never accept nsSGC"
+  info("Netscape Step Up policy: never accept");
+  Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3);
+  await checkCertOn25August2016(
+    certFromFile("ee-int-nsSGC-recent"),
+    SEC_ERROR_INADEQUATE_CERT_TYPE
+  );
+  await checkCertOn25August2016(
+    certFromFile("ee-int-nsSGC-old"),
+    SEC_ERROR_INADEQUATE_CERT_TYPE
+  );
+  await checkCertOn25August2016(
+    certFromFile("ee-int-nsSGC-older"),
+    SEC_ERROR_INADEQUATE_CERT_TYPE
+  );
+
+  // intermediate has id-kp-OCSPSigning, which is acceptable for CA
+  // certificates => success
+  loadCertWithTrust("int-SA-OCSP", ",,");
+  await checkEndEntity(certFromFile("ee-int-SA-OCSP"), PRErrorCodeSuccess);
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ca.pem b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem
new file mode 100644
index 0000000000..790e942fbd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICvDCCAaSgAwIBAgIUbYeck7JVOWdVm1AGwsw/DzdRnaYwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTAxMDEwMDAwMDBaGA8yMDM1MDEwMTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggEBAI0AO+ZBY1oImSrpifcmQZTE/C4xIu7Uu5GX/A7ApQU7
+8UAXivMgRDbtrjOie1HNH9DIxHBCFY/Y7f0VRXxWmPEmT+5LpHrLoi+YF0h2wh/1
+RuiJV1AfaEdVJyNCVDSQrS8BQG5O3LebBq00gjSJSQ4+DHu7YHWkyMIZk+lbBiO1
+GsD0FWBDlOtiMpL/CQWjyiskiqQjrDCs5m0NayqgzYAMtdlEd+pAKEMNO8Fr8xSI
+tAlcG4frvH0kLJ2scX9ayvKTZrAiAxJz9CjmmnXOyL78yyr/hkJbzYTvk0+1cClg
+J2aGnsFIHgUxEx7sApOqlmG8g1lqL7UPqpi8ItVNl48=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec
new file mode 100644
index 0000000000..c6e443f5d8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
+validity:20150101-20350101
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem
new file mode 100644
index 0000000000..3cb03da8f7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAgIUC03diwvrB4IClE/zsjnrM/hOwWQwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowEDEOMAwGA1UEAwwFZWUtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9
+sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5
+TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7
+xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd
+tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l
+8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsG
+AQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQAnfkwf3dUtHoAqV8RNSvFz7KJ0RQui
+nIvnUmKUtzbVoIyC4rJQjVbjOPlh+//Qq7UjLdOicvePiu5kK5lzckaKieFcp8Mh
+IYvhiK0awUMH6Xs5sZbjwcUwWkWr1/7LuuZZa1k54vj5M4XwSQ4snrRQkzibUL7X
+kRKaDfIG2GTKQiK3Snl8o0X9nlTdGUVstAT6QtzkvwDRbs/vcjJUPkW0E8RZitkP
+E8n/QuW6+7Lf/zSO9wKUQdCa/m4dFlIzEDwUPGdk+BHbHOkEfd3+al+zmXwayBn0
+apP+bXWRBMPEZ6eXvdSrYx7bYFvJBiZX3WyGXzOQg+aOXnHebQjfDpvo
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem.certspec
new file mode 100644
index 0000000000..d49cabaa2f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-CA
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem
new file mode 100644
index 0000000000..ede5b867bd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUSfuClZeHYlvEYfPk7WTIXpRXbM0wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowEzERMA8GA1UEAwwIZWUtU0EtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg
+2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ
+5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ
+PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj
+DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W
+iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjITAfMB0GA1UdJQQWMBQG
+CCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAc1UdQZONXBiW
+PHmGb+irQkZK7cET3oPn2iuHlHGgs4rgeXzbZkxFF6/wp84iSf7Svb7pWVmW/FaI
+iigoRROXBwssvrfz2yqYF+5uPrZst7OzyQ5iDEzOc+tXC2051sdPNOXNJDQeE4ac
+sr+e39xBMUwcOVIJE5bMtlcYhQGppTZA9PMfz137aQHdzV4g+1Io0pT851rhPP3p
+EhehyM2GyqwIP7KcHG1p4ncPD6Ninge6ar7nv1WV81vc8SkOUIBfD5JcjRobe80F
+AeSTTqRmlkFVbvOtnLctYdXWCIKg1GRUwk/89Xnhg3DdIANEhCW1jRxKsFwVTM7e
+D2TMbbw0aw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem.certspec
new file mode 100644
index 0000000000..5250cc4a84
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-SA-CA
+extension:extKeyUsage:serverAuth,clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem
new file mode 100644
index 0000000000..9c195b89bb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1TCCAb2gAwIBAgIUE6Hbt6pxuVOgduBB/3H+COBki0owDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFTETMBEGA1UEAwwKZWUtU0EtT0NTUDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMhMB8wHQYDVR0lBBYw
+FAYIKwYBBQUHAwEGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IBAQBR2xe6V/V9
+jEBWS4Vyx9xsi3B9I44I85iQZKVMQARWJg24MBcPw6P0gNnv2n2VUHsA6XED9R0a
+naYxCzXRm/UPHUbJp+GQpX4khsTA4Vf5NfyaUMyvnrmVQnfXEISmVS3aoPZUyDrJ
+F6+v3hqNllT9Ub1VaszCybRjxGvjyMqlGQ9Cc8okeDdw2k0B6w2/61DEkQ8ZEQHQ
+Z+jzGCAeEyVC3UsASL4qSeXQYCkjKHPzwK3co8tyX/YuEZFrRz0wUNvSwx0Byp6t
+2egt51hgnO8mCEzfrEA37vEkzsmv/gFzoSSJvh0WttKLMgHVAIhP4e1K6tkGNTqN
+QXkdhBwi53N4
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem.certspec
new file mode 100644
index 0000000000..3b3eff9ae4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-SA-OCSP
+extension:extKeyUsage:serverAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem
new file mode 100644
index 0000000000..2b3c805a5b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1zCCAb+gAwIBAgIUSWceP1hy2YehKHlNAGJTud5AQBEwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFjEUMBIGA1UEAwwLZWUtU0EtbnNTR0MwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjIjAgMB4GA1UdJQQX
+MBUGCCsGAQUFBwMBBglghkgBhvhCBAEwDQYJKoZIhvcNAQELBQADggEBADR8iLp+
+wdwL+F6xHrZoRZ0twse/VXPZdCtYiII93zZnkT5/Kw9L0jPqSrXkAPECCyRAArFE
+M1sggTtgmDZqSegcihlFIQwwcKmEtvGy47IxgQ8M0r2N+2Tt1LLnQ5lyaxvaRLRk
+P7wRsVJMdzX9lhF9gIo5j+YJPjK68EXxLceDyfz1M9PNQIqjGz3efoAmsVry2HoS
+j10B53rKh/UcwpYv+++qVZwzZrfFK6bRGoRzO4zapDRmsXKWmEJZWL7EFYh85SXO
+J35mFJJDnswKajLpPdNrzc5Dvki/XM/50Yshli96S5uQeEKSfYBIWXS9yKq8VOXJ
+FXCbtkWVe+B8fOQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem.certspec
new file mode 100644
index 0000000000..4c51425ce7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-SA-nsSGC
+extension:extKeyUsage:serverAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem
new file mode 100644
index 0000000000..6975921b9d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAgIULzA2uHt40mZircmlebIa0o2nR0MwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowEDEOMAwGA1UEAwwFZWUtU0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9
+sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5
+TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7
+xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd
+tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l
+8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsG
+AQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQCb+rwpPNCs9bg0lFWJLo9YzubV9eM3
+ktSIWubXVwjRnXrd9rwKU7OSpcD8LkJTMLqLHlBhsu32hWd3EEgBwpEpPDTcoHNH
+4zDWAc8I+5gpFdB6IEeM2CIOcpA+52PAo02mafj/WDfIcyKTbtK/DJfKSg+I6TpC
+mwYwwKQYw8CW+BuAIFP39f+000oEuf7rPfAeZIvF4YV3pWnZ9wuXhW+4+SYO0+KD
+B0EI41phP/wOmG7+haKZ1AG/H0j+/SMBS1ErByw9VvW2Y3Wd440wrhBHeXI7Wx2W
+qIrd2k4ksd4pM4m+yojtc4vSS2P+At6rvdWL7NvIKgfhAFzqfqZoAGLQ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem.certspec
new file mode 100644
index 0000000000..690f579afa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-SA
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem
new file mode 100644
index 0000000000..039b1f6f6f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtTCCAZ2gAwIBAgIUdUT/GdLxD1B7t8/7+yrahnifL1MwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBQxEjAQBgNVBAMMCWVlLWludC1DQTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7
+wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp
+k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh
+eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW
+EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc
+JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B
+AQsFAAOCAQEAhJfneO1hs5/bpWCTWgYIEzWsjD/hAFaEaokmyM7mvgt2ZGSqWnyE
+qJ4fQ08cdfuHHv1mjTcLs8V77ahdar+9alW8Z5t+rZYhgOiu9LJo8O9BThd64JxO
+1MJ6HSdtdyJcfwSW+OsVWotFZtSRI2fIX7ent0rujJX5GMZpiP32KhCjqxQtcf1x
+HFiTgzro+n7umZDLd3jH1e+Y5dn0EY4Y9vwAQ4YYXsJIFl0lhLACjG+mZj29hMct
+hxO3DYLrKFlfZTUrz+KZtx6etN0I7M0ChBpMWHmPECfXhg/ffkJqFZtl94oCr5hB
+gi6ZhjoAaGyxVKxuujtVpRaYIRT5B9OZXw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem.certspec
new file mode 100644
index 0000000000..670973930d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-CA
+subject:ee-int-CA
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem
new file mode 100644
index 0000000000..50c26d7ba3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuzCCAaOgAwIBAgIUB8K+R7AzVbDqn7RA4hMZWP9Kbf8wDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJaW50LVNBLUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAy
+NDAyMDUwMDAwMDBaMBcxFTATBgNVBAMMDGVlLWludC1TQS1DQTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs
+9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8
+HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak
+kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet
+lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r
+kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkq
+hkiG9w0BAQsFAAOCAQEAmiDm0St0AQ9a+RPBC95ycM8cHDsSiY8aRdfIEojLUCwJ
+3BSMAWh65tSSy59YFM/+hZquxW6mFKenKsvcVghBTUVxKONJKr8pnrpJiK1rkZxe
+euN3VOuv+nio4byTol9AQGKOg5GUtDtFsYIXrDH2wd6aUxGbi2cuD8q+YyjLpOr2
+1galNh18R9vXXlec/59Jp3hkSzgMs07RlbS8+G6qGRiSE5T6Yjf3vnv2rqQKE7xn
+Wiw+enu/RjPoZeXq6pzBupSo8FiunxT3dXESvjGxamG38T2w1n0NEz6jNs0E90/V
+R34SITuc+/Hk6AQUy04U9AiOx0Kb7DRNlXXb6/rZdQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem.certspec
new file mode 100644
index 0000000000..bd012ab712
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-SA-CA
+subject:ee-int-SA-CA
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem
new file mode 100644
index 0000000000..68d799dfd4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICvzCCAaegAwIBAgIUZQ9IB4KTIRfOUcb3bOGwbFEnUI4wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLaW50LVNBLU9DU1AwIhgPMjAyMTExMjcwMDAwMDBaGA8y
+MDI0MDIwNTAwMDAwMFowGTEXMBUGA1UEAwwOZWUtaW50LVNBLU9DU1AwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEw
+DQYJKoZIhvcNAQELBQADggEBAHLWWm2bWrApkz4OyZNVTyNNFHgcAGQPsAOAv4BO
+tm6DppAewakqHOEOJ+DBvTmyVvx66tpl48IHW5am2e0zoV3N6VTZhfZ1zzavS2h5
+SF4xMUWeJSjtmkjAxHFnz9JcR53CselhMj2ZRXQVMyr1W6QxBi1AfMtR96hWcY3f
+v4nBtIz/FkIFjTN/GU+vt5Rtc0Gns/kbl21ifuRM0QaXOj8u81gAQ3wEh0NLmy8Z
+ACTcy787xTRspMB3WOCJFHY2GqxrG5t7bS2EeUYu6xq1fnnRCfvemKUEALpCzzZn
+t8zmO7PVgNbBfXta0cXGFn5WNRSpOZGxXiQoBqnYWLStXFI=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem.certspec
new file mode 100644
index 0000000000..2374d248f6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-SA-OCSP
+subject:ee-int-SA-OCSP
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem
new file mode 100644
index 0000000000..8722e2f71c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwTCCAamgAwIBAgIUG/gIwkS6ibsfvsd3knsfZ5AkaEswDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMaW50LVNBLW5zU0dDMCIYDzIwMjExMTI3MDAwMDAwWhgP
+MjAyNDAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD2VlLWludC1TQS1uc1NHQzCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+ATANBgkqhkiG9w0BAQsFAAOCAQEADKzVNVhzBer5Tt4j61bsP8UL5/bJ6KPL9oHR
+WSgBGoaamfyn1gG9vOFKTI1/GjEzCrbIQPfsJypWj2MAER/msMiuucnzdjD9iUpK
+tkzTPFeO4hwAR9rImy0C4MiEXlY51Z2Ir+GH7DDVqVu5OPSDeuYUEF2mrL8T0Y/Q
+f7UTfbCinecnznWTgvC8EhXCUwMMnPjHqpJGVKwXuPjqVYA83htZ6m5kvg9/MWpZ
+YeRa4HO9A1Ui5OXsWnk4Uzp4cX5cMlc5VhnaMQV0gCPrcYw4x34t75Pu2VZPKlO4
+XmDiy90kfGat0wuOzqOGb9FEPkmvrbRhc6+LLCBHbHSIXlKWLA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem.certspec
new file mode 100644
index 0000000000..6c3cb64730
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-SA-nsSGC
+subject:ee-int-SA-nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem
new file mode 100644
index 0000000000..2af207eed6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtTCCAZ2gAwIBAgIUc1s5H7wRuokI6INDaqXAJUUghNIwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LVNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBQxEjAQBgNVBAMMCWVlLWludC1TQTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7
+wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp
+k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh
+eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW
+EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc
+JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B
+AQsFAAOCAQEANXVEEPwO3d4e8tBtwYHr78z3X1Fmtrjwb594Zp4xxx79mAUmAXnr
++SHJKfInLgdr0f85Pml5EAR7dlvqC0RMmkoljmlsPOLkEgiRxc/++ohEf2rn1QLL
+6+4tXjuHZ5u1qFa/tgdNqWzNqeGHA1y/+5KAB80mTiytFMBieKgVdv7ijvbClJRg
+V4vybtDD8RZMveGrOd1i+nPR5TLI5OnEmwP8duVLdq5eB/M2CYa+uPg8WgM8BlFP
+B4e9w99MW39z86MAwzw+tpgBT03uSQeV9UxcQVwLm+gjcxaHFPaKhRnqUaVH7A4F
+ZFMb168XWz34MCjJ3AWt4FfP6UwGn8L+nA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem.certspec
new file mode 100644
index 0000000000..72ddb78dfd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-SA
+subject:ee-int-SA
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem
new file mode 100644
index 0000000000..8e8d4c2c04
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwzCCAaugAwIBAgIUB/nCi+kTmIkobMVqQFtJnevhGwEwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNaW50LW5zU0dDLW9sZDAiGA8yMDE2MDcyNDAwMDAwMFoY
+DzIwMTYwOTI0MDAwMDAwWjAbMRkwFwYDVQQDDBBlZS1pbnQtbnNTR0Mtb2xkMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08
+E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc
+1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP
+DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ
+gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV
+YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID
+AQABMA0GCSqGSIb3DQEBCwUAA4IBAQBcxzg5hx9tQ57Jv3wibAhPktjmqapB2suH
+eGE253Xn5haGq+0E3Qkmn7oF1ou6QyLvP+qbElhkx7+eEvhMhzRZFU8XmxzHRqbb
+dZ0/MQw+aLEOc4Utl+1n3pDbVhBjoG3yVxyErndHfyXg+hNPMBEPvtfMYnSkKHX1
+3w3pJSs8HtUNMG3jecwXOJic0kUu6V5npNC0KTeZq4OOzp48WCpEfsQ6W5MzR4PN
+mrCVU2t1GzCKRNA8E8a9unOcxnukz8FaY9RCkeW3cTwRNt0VaFprX32d1C4mz5rV
+vNz/TGA0jy2b4Mg/dpGXrxqyRy1mG3zfs7sDhEoCxLsd/7ytu/bs
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem.certspec
new file mode 100644
index 0000000000..a21b49b783
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nsSGC-old
+subject:ee-int-nsSGC-old
+validity:20160724-20160924
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem
new file mode 100644
index 0000000000..4acdf7b59d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxzCCAa+gAwIBAgIUYfx/2lyIWKMRlK/zS6/kmkp+t/MwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPaW50LW5zU0dDLW9sZGVyMCIYDzIwMTUwNzI0MDAwMDAw
+WhgPMjAxNjA5MjQwMDAwMDBaMB0xGzAZBgNVBAMMEmVlLWludC1uc1NHQy1vbGRl
+cjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG
+NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn
+RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu
+p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ
+Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p
+47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1
+7Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAbCqK5OcHMj28V1PKiL4CHeN2oTCj
+pObUJrAUqsHJbqS2Q+huzzoSsL+yT4uKeiuDMZnKOm8OIZMtM7M4zQb6b5H1Wqm+
+fM5384kUubmSG+CzUd4adK8NjSwgYhgdvAecbzhPS1GUlai9qDJU+elQVIrNZCL4
+6B634koCQkarYybibdXgoum9zzcla0TRXe9rHjb8VYe+BH7tLAnWGpUqw4x36Buz
+gv605ApVb+QDAB9NH4/EZ1TXuKby6I9I19EkfADHL5XUKHGFH2EE+6Fsqihgu3QG
+NRYMU2GL79bZcwOm2t2v+ZB2fp+UlEs8nykWY7PgwbJ+ObgSauNHhKi5DA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem.certspec
new file mode 100644
index 0000000000..93e1831a32
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nsSGC-older
+subject:ee-int-nsSGC-older
+validity:20150724-20160924
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem
new file mode 100644
index 0000000000..557c8276e8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUE/PT07mikR8SeEYcqdLT8IL5vMIwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQaW50LW5zU0dDLXJlY2VudDAiGA8yMDE2MDgyNDAwMDAw
+MFoYDzIwMTcwODI0MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1pbnQtbnNTR0MtcmVj
+ZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62
+iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql
+WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq
+Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+
+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i
+b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY
+CjXtjQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAKnYtenyuUSykB8EP4IkEeeVPo
+PeZpLKEHHr9CnjIC8b0lHhTsFQhIiNsCWt8xh+JS273QJi/A2rdo1M4KiMZyURne
+RZvTBpFu5F8E+VixDP9xmpAffrgqPqgNRyN+co7tUQZgsJHhb8LSKKMHQTMTBOgW
+nrVlMR+MwXBBQx7Yc7KkVob8DMWmIAAXlv0JY6ID2lRb4haBVS1gsPIj24mVF8XG
+dRJIgtVUvey49/PvErG6FNA32QPDCyv9UOkX9mtpnu9dT+v6mAkbRcSDYAsTTWh2
+seog8fOBA8WoqO+EtTIY2VLiO2G8pTp8MftYVc1Mhd5Kh/ZT+PtdngloPnDM
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec
new file mode 100644
index 0000000000..4a3ad8ec05
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-nsSGC-recent
+subject:ee-int-nsSGC-recent
+validity:20160824-20170824
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem
new file mode 100644
index 0000000000..10bae6542e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyjCCAbKgAwIBAgIUTe5MT0p0so5MFykddr1kBAMk1J4wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowEzERMA8GA1UEAwwIZWUtbnNTR0MwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg
+2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ
+5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ
+PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj
+DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W
+iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGDAWMBQGA1UdJQQNMAsG
+CWCGSAGG+EIEATANBgkqhkiG9w0BAQsFAAOCAQEAcGPEiH/hfb1EbEuv66X9c3fD
+g71Pe3qqOJ6QEW5S6Y1qwmVNOA0e7awGKj0i9MCMMb6sw0bWxmPJyR4QTsEG4lbi
+SazRgS2n6FAnaQMyU/qE8jG2epIJRWECEbhuviv88Rci2/w7/N3ED1mu2/f/19Zo
+UPNydVnAU5M1xRiV/lqlo2ZzNJHOw8raezoedrh15jUwcFs1WAqcxAUTearZYjr4
+GMYqOiDY0AzndK9XHHTyuj4rrHd+XgLRbHP/JPfAGzWyTa3Yqwe0fD2mORBtEDT8
+Y+nZIhKzM5Hra+TeeDs5jNFC9JH5ZMQgos4l6N5UeyqB1H+J0owl7VuvqLxrHQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem.certspec
new file mode 100644
index 0000000000..43d58ab6d4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-nsSGC
+extension:extKeyUsage:nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem
new file mode 100644
index 0000000000..2195a06582
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1TCCAb2gAwIBAgIUYf8P4Z0RmA/uflirA4xHoKNqtHUwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowETEPMA0GA1UEAwwGaW50LUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyUwIzAMBgNVHRMEBTADAQH/
+MBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQA/izUgZ12n
+DeYVPwvRzgoQ6oZNoZNGwSip5AKfpdC/RtFsDMH5AjaUMrSGvJjSCgcEXSey1fTV
+wdkQs1gYOdDTu935Gg0K13kHZSN0bGEwBA7Gh8gBaOrA/PElx6q8FEG1+qg20GQB
+vN174zjsSy9M6lXu90jApAh4whwgSTOO8JJ4VR9k9jnTzb+5lL5DTvWjFaR0M0zE
++XCDMUr90pGtg/qLzfSiaLaHEBMZu1cpVwtg3lLmMZhQXm067jP/nNZpe0yvPwz5
+HLFA7vrHAZkmtuKg22Le3FLyhtgQRLd6KT92pg33yhD5jqJskI0jq8EGvNvUKLbV
+cZbtU1Px/vOt
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem.certspec
new file mode 100644
index 0000000000..e5bc18198c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-CA
+extension:basicConstraints:cA,
+extension:extKeyUsage:clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem
new file mode 100644
index 0000000000..3dbec3ad5a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4jCCAcqgAwIBAgIUK2ufphp0ShP+8H3RzpTFrZY/NrQwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFDESMBAGA1UEAwwJaW50LVNBLUNBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo
+4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD
+SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX
+kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx
+owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/
+Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoy8wLTAMBgNVHRMEBTAD
+AQH/MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsF
+AAOCAQEAOclvzLUjmZihoAVTCzyH04vhIEfzSl3gbZsooUdY1CZ05+i95YhA8IOM
+Q9YDkIYGsLyMaX/X5OV96KKMRsfSldEWNiNMqXJamqHh1ZalfVFtmmI+k5P/pWX9
+hOzCm12CcxGpaklkyrJ1zQ9CE3Upil34X/Wfmzwiz88zUjc+jpfWU7/VQASoGNku
+AiOswyAuuTSWQ89GBzwH06Q6Ty4sICDdD+69RFnY9sBKPCiTDO1W85d/A/QqnCkj
++Be27/lFmpHV64u6vIa6WUdJ5FA8b/ernVvdZJc42jyTPy8Cwh/l7Onphy0cmHe8
+fm5lAou5Gh6pc3UB4haso1ib5hdkVw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem.certspec
new file mode 100644
index 0000000000..94e9a42d48
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-SA-CA
+extension:basicConstraints:cA,
+extension:extKeyUsage:serverAuth,clientAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem
new file mode 100644
index 0000000000..b4642e5e09
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5DCCAcygAwIBAgIUHyOa9EUn1y5E6yT4ne+opcI/RbwwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFjEUMBIGA1UEAwwLaW50LVNBLU9DU1AwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjLzAtMAwGA1UdEwQF
+MAMBAf8wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMJMA0GCSqGSIb3DQEB
+CwUAA4IBAQC2VSyElSFe/z7BdCgAot834Eer4HgxBtimrb1YNZgsaZjjU8v9Cv9h
+yBvs4M3J5ZuikyU5AyYiOF+YH9FouWbrsFnJezSpNI1MBqR8QDxdAwBCMqpHPsjT
+7Bw7N0ajkvWHA1PzzphFXthjNTYiIWQHLly6D/MQYHetyv3WvOevNQjl56B9uMdc
+pf5N/JDbxh23euSHuBTGICxMAOg4JkgqXlxVbTAXfQhLVmnvGY6/cjtyhz7tbfEC
+2fL9hnDPOciusR8WIYYi3TF8TWrZL5vhImQZimETuSQBMm5cygsaPFy3J28P2bPe
+lk6ehrv5e8pAHUak+OrbaWtyP4bh3tiK
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem.certspec
new file mode 100644
index 0000000000..c38a640b9b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-SA-OCSP
+extension:basicConstraints:cA,
+extension:extKeyUsage:serverAuth,OCSPSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem
new file mode 100644
index 0000000000..d0c8b0f89a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIUYeEyTSJzsgBm34At1b54YQbcruYwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFzEVMBMGA1UEAwwMaW50LVNBLW5zU0dDMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozAwLjAMBgNVHRME
+BTADAQH/MB4GA1UdJQQXMBUGCCsGAQUFBwMBBglghkgBhvhCBAEwDQYJKoZIhvcN
+AQELBQADggEBACQdyOExX0WnOgZHDOcJFSxGXQ5B4d7DxdH5EKRYtCgq7zbqolvE
+qzi4fsDxbeRCrzVsCKDYqU69fO4sTAJRhBsEsz5Ybzi1Djfm3awjoCGl/kMJDZ8h
+trRh3pUlmwh6NXbF6IBlNrw2EqRR8TS+w71VDqFbvF0J2AKYSD9Fu44ArwLlPN2q
++nAKZnh1PDEW+jsKrZ6lKoft1A6894bp5g34wx2W5LR6RDk3xRGGoMFQXi//OQG1
+YWthV2tBPOWd8pJ7KJJBkliidsg3/vJzsGZXvd6bzd34LjJxNZfG3UNKP0RfHX4q
+El1zBn59yclrtG7vYKGITSJLbwv7E8vdBLQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem.certspec
new file mode 100644
index 0000000000..c84201d874
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-SA-nsSGC
+extension:basicConstraints:cA,
+extension:extKeyUsage:serverAuth,nsSGC
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem
new file mode 100644
index 0000000000..43e5d861b9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1TCCAb2gAwIBAgIUE7YXyGbnrzogbe8A8yh1856yWAAwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowETEPMA0GA1UEAwwGaW50LVNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyUwIzAMBgNVHRMEBTADAQH/
+MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQAhGBv+d4uZ
+qUeJf7MoPJhW+aN9BzuOpzvo12DbAdQNOTEgzpx/OmpwOQq7+8QTKgusYvn6+O/l
+U4MxwKhXWPD5kZXXIPdYKiGmClxhAszP6jfhpaIyjfw04Bhj50uSv41fAastSygm
+rxUv95dc4K4PbyWxu+Yhz67bZ69wcU/wV6GPrkm4dlRPtTCZy6Y59mdlskfky7g9
+/jpfS0E7zZgjLRRCgk3QGeCvNV9aPHxbGZwVCZ4M7wNkFx+P/rhVDj2x6aAFTSaB
+acAkLEek+eY9tgmfTMEY9iZ80dUZV5XHTaQGRuoQNtSjJEkk0mjGTvG56xV1bP8f
+yv/QLk/RFMfi
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem.certspec
new file mode 100644
index 0000000000..74bec2b21c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-SA
+extension:basicConstraints:cA,
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem
new file mode 100644
index 0000000000..e0deef7c3f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3TCCAcWgAwIBAgIUbXK8dZ2kTHVUtKZ1Uamdr5h27tQwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowGDEWMBQGA1UEAwwNaW50LW5zU0dDLW9sZDCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7
+wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp
+k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh
+eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW
+EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc
+JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMmMCQwDAYDVR0T
+BAUwAwEB/zAUBgNVHSUEDTALBglghkgBhvhCBAEwDQYJKoZIhvcNAQELBQADggEB
+AK/99QYaWy5/SG7iKiGwSgJ49hobsVUf4DTN9+4FIesvXNUtXc+vmPVNwgy8S4Kn
+23zOUmp2LaRBQ3VxaiQ0o/RN3ZjULhPhGi3cHsjDTKXH3U0snAloUYONx1JCFOif
+RWwLeiyps1oW9ARfUQrbQRtw87ospU5aJ7JSPoVgbCMXubmEpRSeTMv0SHdOs6g7
+ahSaoT7BBRuHDnCb8+ZR509H9Dc4M2Dv4lQ9vlWGZjXnfM1ImIeUBTWQ0fngyoZW
+neTStGeL5MmCjjMMupJYbjNsenQXd9doD08+voOfmKgaMQDH0fgEACJHjmmt+eQ4
+j8WZP3lRZHZm/s23xNl+6S4=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem.certspec
new file mode 100644
index 0000000000..35f61671ed
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-nsSGC-old
+extension:basicConstraints:cA,
+extension:extKeyUsage:nsSGC
+validity:20160724-20160924
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem
new file mode 100644
index 0000000000..dd709c343d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIUITNR+z5zrXNAq+3y9u3et1fNp6YwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw
+MDAwMFowGjEYMBYGA1UEAwwPaW50LW5zU0dDLW9sZGVyMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyYwJDAMBgNV
+HRMEBTADAQH/MBQGA1UdJQQNMAsGCWCGSAGG+EIEATANBgkqhkiG9w0BAQsFAAOC
+AQEAtkFQHiG8UeleNMgvJVneYQzIQt8wiZwudAH2FdiyeCtYUp95z19IzPlZeYq0
+FXlMJJ+SOn2wSZ9jHshV5VF8S4Rb3ou0EVJcu+X7cs3jOuLtV/KwFDKXrncWpF7L
+sH1yGVkAUNMQlE52MgPxg7P6yd+lbU9MlqD5rpifsAecrXzctzi8l3qb2UJvkHku
+BLE+ViTnn9RFDQFQ/1AAF9cbSJaUF0rwWznXpB0PAu+v9lBpn9a83/GXZc1SO2mE
+MIdgRpuB1Lr+wZq5ulXHAeBJ+kH8lrG2CIXSQPFQjPfiS2D5hM1cdd7GSEh4BoZv
+AbTKG12NXN9AG7RpG7upSBG4mQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem.certspec
new file mode 100644
index 0000000000..f7a870c0f1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-nsSGC-older
+extension:basicConstraints:cA,
+extension:extKeyUsage:nsSGC
+validity:20150724-20160924
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem
new file mode 100644
index 0000000000..c5c8e724c2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAcigAwIBAgIUec5AldPAXDY+y1Q7RfO4SfvteiEwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA4MjQwMDAwMDBaGA8yMDE3MDgyNDAw
+MDAwMFowGzEZMBcGA1UEAwwQaW50LW5zU0dDLXJlY2VudDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMmMCQwDAYD
+VR0TBAUwAwEB/zAUBgNVHSUEDTALBglghkgBhvhCBAEwDQYJKoZIhvcNAQELBQAD
+ggEBAJO1C5eYEk2/+xvgWsCsUZi7PMoZLhb5Jb2V61JMWREfCozmYepqlamR6IZV
+fn5Q9OClLtAzSybeia40nsW/xb/o+5zJn0rPzk6JIsMToJk07fqp+uG9LbAM82IV
+RnHzmCS4/3n4fl1k1GGL0A/NYBUsilY9oKhVl1zukB/z3ALp9LyProNLsEZmWkl7
+F07+lR9PPMOqA1SuDJmZMyZ4cKDyYYF7NYKGi57xpgpUXGq8IPOKKGq4XlYqQhOQ
+sVSuc+16A+NlPwMogczcgTgy7QD6DF4WNOCDGwuF0YB7uROEbYvh4lkKJfhnAtb7
+1/xnmTVssnCTsbppIiXtKs8zzu0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec
new file mode 100644
index 0000000000..f421ddc1a8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-nsSGC-recent
+extension:basicConstraints:cA,
+extension:extKeyUsage:nsSGC
+validity:20160824-20170824
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null.js b/security/manager/ssl/tests/unit/test_cert_embedded_null.js
new file mode 100644
index 0000000000..c23717252f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null.js
@@ -0,0 +1,54 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that a certificate with a clever subject common name like
+// 'www.bank1.com[NUL]www.bad-guy.com' (where [NUL] is a single byte with
+// value 0) will not be treated as valid for www.bank1.com.
+// Includes a similar test case but for the subject alternative name extension.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+async function do_testcase(certname, checkCommonName) {
+  let cert = constructCertFromFile(`test_cert_embedded_null/${certname}.pem`);
+  // Where applicable, check that the testcase is meaningful (i.e. that the
+  // certificate's subject common name has an embedded NUL in it).
+  if (checkCommonName) {
+    equal(
+      cert.commonName,
+      "www.bank1.com\\00www.bad-guy.com",
+      "certificate subject common name should have an embedded NUL byte"
+    );
+  }
+  await checkCertErrorGeneric(
+    certdb,
+    cert,
+    SSL_ERROR_BAD_CERT_DOMAIN,
+    certificateUsageSSLServer,
+    undefined,
+    "www.bank1.com"
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    cert,
+    SSL_ERROR_BAD_CERT_DOMAIN,
+    certificateUsageSSLServer,
+    undefined,
+    "www.bad-guy.com"
+  );
+}
+
+add_task(async function () {
+  addCertFromFile(certdb, "test_cert_embedded_null/ca.pem", "CTu,,");
+
+  await do_testcase("embeddedNull", true);
+  await do_testcase("embeddedNullSAN", false);
+  await do_testcase("embeddedNullCNAndSAN", true);
+  await do_testcase("embeddedNullSAN2", false);
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem
new file mode 100644
index 0000000000..91233a79dd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUW0tAkXslaf5AkE2ROwvnEvMo79MwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
+VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQA/1uiRtJJ6gASZfaGdmjTgHNnG
+OX3VBb8CGbu7yrmlUU0/oiH9BHb9/gq+Gwwcjg++2AEmUWd4damMXKUtRzouP6dV
+Z02jnExdXqq3xLDP71/bY3eneqg/KVIv3wDaHhatmVqWB4oy4itNmvVbbtCjUOyX
+DF3RM5HPQEDjMJO0TjKZMXp5HbyggAvGTbyw6kz+6EVuxxhFqVq1bti1CU4tGBdk
+b6ZOVQhxgJljogn70syXX+CUuUtu9+ufklWQjMtITjBKTSP5cg/NMnKrAL7dF30n
+aUcXz8fpmzjseQjk6uzkDYSFW2HiQtMHKhpCOXAoZ0hGtQ4BXhyhScK2sSB8
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem.certspec
new file mode 100644
index 0000000000..6660f5d478
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem
new file mode 100644
index 0000000000..d1e1dc03b4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxTCCAa2gAwIBAgIUdfhUzL690DlZ9ozJDIeI+5x3M4cwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowKDEmMCQGA1UEAwwdd3d3LmJhbmsxLmNvbQB3d3cuYmFkLWd1eS5jb20w
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
+PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
+9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
+4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
+exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
+ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
+AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGL6BtraqvvOT9jKF7MGo6Q36s9ZX1E0
+N8D0PJnsexXKWOrnqGOT1rrp+YN0zgLc783pqH+pOkYHMKk88L9FKDeZeK8zo6j5
+E/X609Bdo+S89EW0qBqEvpWCAsF9I/F/sbuTf49hS8kE9mwMW0dbqcBuQYviCN4Y
+AEQCACkjdrI8KBG54Q4iVzvUP4+Ub+/QGuDEZC6n9yeiYQjw4LnY/uNO22dGKgU1
+wJbTRSsTsT7iXQkhag/3/pCMHURzJ3jWlNZMa+lhvm30Af/AqAqIrcidP1QwdifS
+QcNZlY0cSlqwqYe8By10B3oLKLu9ChutTerw7p0j3H3WDSAbmOiSfQI=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem.certspec
new file mode 100644
index 0000000000..d1a32349a2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca
+subject:www.bank1.com\0www.bad-guy.com
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem
new file mode 100644
index 0000000000..60672695da
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAdugAwIBAgIUFUHbA2Pa/0TJflA2QO7eNc/EC1gwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowKDEmMCQGA1UEAwwdd3d3LmJhbmsxLmNvbQB3d3cuYmFkLWd1eS5jb20w
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
+PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
+9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
+4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
+exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
+ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
+AgMBAAGjLDAqMCgGA1UdEQQhMB+CHXd3dy5iYW5rMS5jb20Ad3d3LmJhZC1ndXku
+Y29tMA0GCSqGSIb3DQEBCwUAA4IBAQATiTRzyQxrGnwWmRATYy3TWChqhzFECBSU
+iVrdAZ2bFJxb4FJWRbwPI6d67GK0C6DLtdtNt9q2jWxdfDZCkpR7rFH2hj0sW1hm
+knYaQKmNmd64FS4nH26FMD5YxgykxQAEJzXSCYHUwM0UX72ebLaFn55wdA+onc/g
+JijC3UI62fYYUzEu8TwbAnqfzclevWBHpZJgZxdUK/tk2RRPz4MAWrKOL1R1jX2i
+57CDGXOC3fQtu7pKjMLcZv3T/vkttJNqmSD4YeA6+xd117ig5d0OqLzFxrwA83Ls
+ltkxkS4rsphX9zkgcAb1x0/VgoZbmeLTZM6INyWOkE4W+IXYh7kN
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem.certspec
new file mode 100644
index 0000000000..1029d6cdd0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:www.bank1.com\0www.bad-guy.com
+extension:subjectAlternativeName:www.bank1.com\0www.bad-guy.com
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem
new file mode 100644
index 0000000000..fc3b0ad73a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6TCCAdGgAwIBAgIUDzUDem23kK14+ubqJMXuQR5ZhjUwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowHjEcMBoGA1UEAwwTZW1iZWRkZWQgTlVMIGluIFNBTjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs
+9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8
+HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak
+kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet
+lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r
+kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMsMCow
+KAYDVR0RBCEwH4Idd3d3LmJhbmsxLmNvbQB3d3cuYmFkLWd1eS5jb20wDQYJKoZI
+hvcNAQELBQADggEBAHkWUv8gAyNjRQyOlWm9JetvuBKy6d446LbaSQdEoDZAK6Oa
+WAAQ2ao1d5/dIWJLZPHCJYLUjBWj1EOS/no96FjTK+xg99zdweMPUAyK2uzKmsNS
+lfrwTktv21xT6QamLhFXMspTwPV6VYcIgQpUI8wuhAEN858xPcbO+bLQtQ+XvklP
+ZReejgox6quiKEw5qFbX9jDeZDq713dnnUqwL1FczdFjTm1uP1o3SoUGHsGH3FPJ
+p6LsyKiUfaTBglFNN+iasl50e/MDJZmCIjqVvv/tCVCN2VPpWNYeyP1e2DxPL+yb
+nVqbdSGVqOMWz4sRSjEnb9Xf9Uy1EigO8rb48VA=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem.certspec
new file mode 100644
index 0000000000..f224888eee
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:embedded NUL in SAN
+extension:subjectAlternativeName:www.bank1.com\0www.bad-guy.com
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem
new file mode 100644
index 0000000000..3aea7c6b5c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7jCCAdagAwIBAgIURTMxPbOwfgpUVoSWuyXAKlS8e00wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFjEUMBIGA1UEAwwLYmFkLWd1eS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOTA3MDUGA1UdEQQu
+MCyCC2JhZC1ndXkuY29tgh13d3cuYmFuazEuY29tAHd3dy5iYWQtZ3V5LmNvbTAN
+BgkqhkiG9w0BAQsFAAOCAQEAoMSmJIxxm9N/qNkADdIYDwEByibG4CLYD7EqtclQ
+gTKUW5RWLcF1xkAfqSKsRkfE0965SofgH31J7sGnL02ROEdPK3Tc1/R7INS05yCp
+QHAYLwz9rWhJaF42tfn06cOpaoAVvU/0reOLUwwCg4j+0bDTErkZZyY0QX4i+ou0
+f2I/oGK0HfdkxiKjCExz5qsgdAVfPk8Kp5sJ7S/kJzkKQbQ58qAD9ObiF4zl5wtR
+5KveoFUckVXrznd9haqMlyj/kd3s4hKNl7n/kbXdiaxxvSh57c7K1O+mugREiwCA
+Oa57wZV4F6N2FpJrwlsvYH+J5ejNTCU1VJqWffqJbdPpdg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem.certspec
new file mode 100644
index 0000000000..d352d034b6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:bad-guy.com
+extension:subjectAlternativeName:bad-guy.com,www.bank1.com\0www.bad-guy.com
diff --git a/security/manager/ssl/tests/unit/test_cert_expiration_canary.js b/security/manager/ssl/tests/unit/test_cert_expiration_canary.js
new file mode 100644
index 0000000000..4f76555096
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_expiration_canary.js
@@ -0,0 +1,40 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Attempts to verify a certificate for a time a few weeks into the future in
+// the hopes of avoiding mass test failures when the certificates all expire.
+// If this test fails, the certificates probably need to be regenerated.
+// See bug 1525191.
+
+// If this test and only this test fails, do the following:
+// 1. Create a bug for the issue in "Core :: Security: PSM".
+// 2. Write a patch to temporarily disable the test.
+// 3. Land the patch.
+// 4. Write a patch to reenable the test but don't land it.
+// 5. Needinfo the triage owner of Bugzilla's "Core :: Security: PSM" component
+//    in the bug.
+// 6. Patches to update certificates get created.
+// 7. Test the patches with a Try push.
+// 8. Land the patches on all trees whose code will still be used when the
+//    certificates expire in 3 weeks.
+add_task(async function () {
+  do_get_profile();
+  let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  addCertFromFile(certDB, "bad_certs/test-ca.pem", "CTu,,");
+  let threeWeeksFromNowInSeconds = Date.now() / 1000 + 3 * 7 * 24 * 60 * 60;
+  let ee = constructCertFromFile("bad_certs/default-ee.pem");
+  await checkCertErrorGenericAtTime(
+    certDB,
+    ee,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    threeWeeksFromNowInSeconds,
+    false,
+    "test.example.com"
+  );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot.js b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot.js
new file mode 100644
index 0000000000..13ae5e31e2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot.js
@@ -0,0 +1,89 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that nsIX509Cert.isBuiltInRoot works as expected.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+// This is a certificate that (currently) ships with the platform.
+// It should be considered a built-in root.
+const sNaverBase64 =
+  "" +
+  "MIIFojCCA4qgAwIBAgIUAZQwHqIL3fXFMyqxQ0Rx+NZQTQ0wDQYJKoZIhvcNAQEM" +
+  "BQAwaTELMAkGA1UEBhMCS1IxJjAkBgNVBAoMHU5BVkVSIEJVU0lORVNTIFBMQVRG" +
+  "T1JNIENvcnAuMTIwMAYDVQQDDClOQVZFUiBHbG9iYWwgUm9vdCBDZXJ0aWZpY2F0" +
+  "aW9uIEF1dGhvcml0eTAeFw0xNzA4MTgwODU4NDJaFw0zNzA4MTgyMzU5NTlaMGkx" +
+  "CzAJBgNVBAYTAktSMSYwJAYDVQQKDB1OQVZFUiBCVVNJTkVTUyBQTEFURk9STSBD" +
+  "b3JwLjEyMDAGA1UEAwwpTkFWRVIgR2xvYmFsIFJvb3QgQ2VydGlmaWNhdGlvbiBB" +
+  "dXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC21PGTXLVA" +
+  "iQqrDZBbUGOukJR0F0Vy1ntlWilLp1agS7gvQnXp2XskWjFlqxcX0TM62RHcQDaH" +
+  "38dq6SZeWYp34+hInDEW+j6RscrJo+KfziFTowI2MMtSAuXaMl3Dxeb57hHHi8lE" +
+  "HoSTGEq0n+USZGnQJoViAbbJAh2+g1G7XNr4rRVqmfeSVPc0W+m/6imBEtRTkZaz" +
+  "kVrd/pBzKPswRrXKCAfHcXLJZtM0l/aM9BhK4dA9WkW2aacp+yPOiNgSnABIqKYP" +
+  "szuSjXEOdMWLyEz59JuOuDxp7W87UC9Y7cSw0BwbagzivESq2M0UXZR4Yb8Obtoq" +
+  "vC8MC3GmsxY/nOb5zJ9TNeIDoKAYv7vxvvTWjIcNQvcGufFt7QSUqP620wbGQGHf" +
+  "nZ3zVHbOUzoBppJB7ASjjw2i1QnK1sua8e9DXcCrpUHPXFNwcMmIpi3Ua2FzUCaG" +
+  "YQ5fG8Ir4ozVu53BA0K6lNpfqbDKzE0K70dpAy8i+/Eozr9dUGWokG2zdLAIx6yo" +
+  "0es+nPxdGoMuK8u180SdOqcXYZaicdNwlhVNt0xz7hlcxVs+Qf6sdWA7G2POAN3a" +
+  "CJBitOUt7kinaxeZVL6HSuOpXgRM6xBtVNbv8ejyYhbLgGvtPe31HzClrkvJE+2K" +
+  "AQHJuFFYwGY6sWZLxNUxAmLpdIQM201GLQIDAQABo0IwQDAdBgNVHQ4EFgQU0p+I" +
+  "36HNLL3s9TsBAZMzJ7LrYEswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB" +
+  "Af8wDQYJKoZIhvcNAQEMBQADggIBADLKgLOdPVQG3dLSLvCkASELZ0jKbY7gyKoN" +
+  "qo0hV4/GPnrK21HUUrPUloSlWGB/5QuOH/XcChWB5Tu2tyIvCZwTFrFsDDUIbatj" +
+  "cu3cvuzHV+YwIHHW1xDBE1UBjCpD5EHxzzp6U5LOogMFDTjfArsQLtk70pt6wKGm" +
+  "+LUx5vR1yblTmXVHIloUFcd4G7ad6Qz4G3bxhYTeodoS76TiEJd6eN4MUZeoIUCL" +
+  "hr0N8F5OSza7OyAfikJW4Qsav3vQIkMsRIz75Sq0bBwcupTgE34h5prCy8VCZLQe" +
+  "lHsIJchxzIdFV4XTnyliIoNRlwAYl3dqmJLJfGBs32x9SuRwTMKeuB330DTHD8z7" +
+  "p/8Dvq1wkNoL3chtl1+afwkyQf3NosxabUzyqkn+Zvjp2DXrDige7kgvOtB5CTh8" +
+  "piKCk5XQA76+AqAF3SAi428diDRgxuYKuQl1C/AH6GmWNcf7I4GOODm4RStDeKLR" +
+  "LBT/DShycpWbXgnbiUSYqqFJu3FS8r/2/yehNq+4tneI3TqkbZs0kNwUXTC/t+sX" +
+  "5Ie3cdCh13cV1ELX8vMxmV2b3RZtP+oGI/hGoiLtk/bdmuYqh7GYVPEi92tF4+KO" +
+  "dh2ajcQGjTa3FPOdVGm3jjzVpG2Tgbet9r1ke8LJaDmgkpzNNIaRkPpkUZ3+/uul" +
+  "9XXeifdy";
+
+// This is a certificate that does not ship with the platform.
+// It should not be considered a built-in root.
+const sLetsEncryptBase64 =
+  "" +
+  "MIIEqDCCA5CgAwIBAgIRAJgT9HUT5XULQ+dDHpceRL0wDQYJKoZIhvcNAQELBQAw" +
+  "PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD" +
+  "Ew5EU1QgUm9vdCBDQSBYMzAeFw0xNTEwMTkyMjMzMzZaFw0yMDEwMTkyMjMzMzZa" +
+  "MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD" +
+  "ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTCCASIwDQYJKoZIhvcNAQEBBQAD" +
+  "ggEPADCCAQoCggEBAJzTDPBa5S5Ht3JdN4OzaGMw6tc1Jhkl4b2+NfFwki+3uEtB" +
+  "BaupnjUIWOyxKsRohwuj43Xk5vOnYnG6eYFgH9eRmp/z0HhncchpDpWRz/7mmelg" +
+  "PEjMfspNdxIknUcbWuu57B43ABycrHunBerOSuu9QeU2mLnL/W08lmjfIypCkAyG" +
+  "dGfIf6WauFJhFBM/ZemCh8vb+g5W9oaJ84U/l4avsNwa72sNlRZ9xCugZbKZBDZ1" +
+  "gGusSvMbkEl4L6KWTyogJSkExnTA0DHNjzE4lRa6qDO4Q/GxH8Mwf6J5MRM9LTb4" +
+  "4/zyM2q5OTHFr8SNDR1kFjOq+oQpttQLwNh9w5MCAwEAAaOCAZIwggGOMBIGA1Ud" +
+  "EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMH8GCCsGAQUFBwEBBHMwcTAy" +
+  "BggrBgEFBQcwAYYmaHR0cDovL2lzcmcudHJ1c3RpZC5vY3NwLmlkZW50cnVzdC5j" +
+  "b20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9hcHBzLmlkZW50cnVzdC5jb20vcm9vdHMv" +
+  "ZHN0cm9vdGNheDMucDdjMB8GA1UdIwQYMBaAFMSnsaR7LHH62+FLkHX/xBVghYkQ" +
+  "MFQGA1UdIARNMEswCAYGZ4EMAQIBMD8GCysGAQQBgt8TAQEBMDAwLgYIKwYBBQUH" +
+  "AgEWImh0dHA6Ly9jcHMucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcwPAYDVR0fBDUw" +
+  "MzAxoC+gLYYraHR0cDovL2NybC5pZGVudHJ1c3QuY29tL0RTVFJPT1RDQVgzQ1JM" +
+  "LmNybDATBgNVHR4EDDAKoQgwBoIELm1pbDAdBgNVHQ4EFgQUqEpqYwR93brm0Tm3" +
+  "pkVl7/Oo7KEwDQYJKoZIhvcNAQELBQADggEBANHIIkus7+MJiZZQsY14cCoBG1hd" +
+  "v0J20/FyWo5ppnfjL78S2k4s2GLRJ7iD9ZDKErndvbNFGcsW+9kKK/TnY21hp4Dd" +
+  "ITv8S9ZYQ7oaoqs7HwhEMY9sibED4aXw09xrJZTC9zK1uIfW6t5dHQjuOWv+HHoW" +
+  "ZnupyxpsEUlEaFb+/SCI4KCSBdAsYxAcsHYI5xxEI4LutHp6s3OT2FuO90WfdsIk" +
+  "6q78OMSdn875bNjdBYAqxUp2/LEIHfDBkLoQz0hFJmwAbYahqKaLn73PAAm1X2kj" +
+  "f1w8DdnkabOLGeOVcj9LQ+s67vBykx4anTjURkbqZslUEUsn2k5xeua2zUk=";
+
+function run_test() {
+  let builtInCert = certdb.constructX509FromBase64(sNaverBase64);
+  ok(builtInCert, "should be able to decode base-64 of built-in cert");
+  ok(builtInCert.isBuiltInRoot, "cert should be considered built-in");
+
+  let notBuiltInCert = certdb.constructX509FromBase64(sLetsEncryptBase64);
+  ok(notBuiltInCert, "should be able to decode base-64 of built-in cert");
+  ok(!notBuiltInCert.isBuiltInRoot, "cert should not be considered built-in");
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload.js b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload.js
new file mode 100644
index 0000000000..deb6ba914a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload.js
@@ -0,0 +1,143 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that nsIX509Cert.isBuiltInRoot works as expected. Differs from
+// test_cert_isBuiltInRoot.js in that this test uses a preexisting NSS
+// certificate DB that already contains some of the certificates in question.
+//
+// To create the necessary preexisting files, obtain the "NAVER Global Root
+// Certification Authority" certificate and the "Let's Encrypt Authority
+// X1" certificate (copied below for reference) and perform the following steps:
+//
+// `certutil -d . -N` (use an empty password)
+// `certutil -d . -A -n "NAVER Global Root Certification Authority" -t ,, \
+//   -a -i naverrc1.pem`
+// `certutil -d . -A -n "Let's Encrypt Authority X1" -t ,, -a \
+//   -i LetsEncrypt.pem`
+//
+// This should create the cert9.db and key4.db files.
+//
+// To determine the new DBKey associated to the replacement root,
+// one can print builtInRoot.dbKey in test_cert_isBuiltInRoot.js.
+//
+// (The crucial property of the first certificate is that it is a built-in trust
+// anchor, so any replacement must also have this property. The second
+// certificate is not a built-in trust anchor, so any replacement must not be a
+// built-in trust anchor.)
+//
+//
+// NAVER Global Root Certification Authority:
+// -----BEGIN CERTIFICATE-----
+// MIIFojCCA4qgAwIBAgIUAZQwHqIL3fXFMyqxQ0Rx+NZQTQ0wDQYJKoZIhvcNAQEM
+// BQAwaTELMAkGA1UEBhMCS1IxJjAkBgNVBAoMHU5BVkVSIEJVU0lORVNTIFBMQVRG
+// T1JNIENvcnAuMTIwMAYDVQQDDClOQVZFUiBHbG9iYWwgUm9vdCBDZXJ0aWZpY2F0
+// aW9uIEF1dGhvcml0eTAeFw0xNzA4MTgwODU4NDJaFw0zNzA4MTgyMzU5NTlaMGkx
+// CzAJBgNVBAYTAktSMSYwJAYDVQQKDB1OQVZFUiBCVVNJTkVTUyBQTEFURk9STSBD
+// b3JwLjEyMDAGA1UEAwwpTkFWRVIgR2xvYmFsIFJvb3QgQ2VydGlmaWNhdGlvbiBB
+// dXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC21PGTXLVA
+// iQqrDZBbUGOukJR0F0Vy1ntlWilLp1agS7gvQnXp2XskWjFlqxcX0TM62RHcQDaH
+// 38dq6SZeWYp34+hInDEW+j6RscrJo+KfziFTowI2MMtSAuXaMl3Dxeb57hHHi8lE
+// HoSTGEq0n+USZGnQJoViAbbJAh2+g1G7XNr4rRVqmfeSVPc0W+m/6imBEtRTkZaz
+// kVrd/pBzKPswRrXKCAfHcXLJZtM0l/aM9BhK4dA9WkW2aacp+yPOiNgSnABIqKYP
+// szuSjXEOdMWLyEz59JuOuDxp7W87UC9Y7cSw0BwbagzivESq2M0UXZR4Yb8Obtoq
+// vC8MC3GmsxY/nOb5zJ9TNeIDoKAYv7vxvvTWjIcNQvcGufFt7QSUqP620wbGQGHf
+// nZ3zVHbOUzoBppJB7ASjjw2i1QnK1sua8e9DXcCrpUHPXFNwcMmIpi3Ua2FzUCaG
+// YQ5fG8Ir4ozVu53BA0K6lNpfqbDKzE0K70dpAy8i+/Eozr9dUGWokG2zdLAIx6yo
+// 0es+nPxdGoMuK8u180SdOqcXYZaicdNwlhVNt0xz7hlcxVs+Qf6sdWA7G2POAN3a
+// CJBitOUt7kinaxeZVL6HSuOpXgRM6xBtVNbv8ejyYhbLgGvtPe31HzClrkvJE+2K
+// AQHJuFFYwGY6sWZLxNUxAmLpdIQM201GLQIDAQABo0IwQDAdBgNVHQ4EFgQU0p+I
+// 36HNLL3s9TsBAZMzJ7LrYEswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
+// Af8wDQYJKoZIhvcNAQEMBQADggIBADLKgLOdPVQG3dLSLvCkASELZ0jKbY7gyKoN
+// qo0hV4/GPnrK21HUUrPUloSlWGB/5QuOH/XcChWB5Tu2tyIvCZwTFrFsDDUIbatj
+// cu3cvuzHV+YwIHHW1xDBE1UBjCpD5EHxzzp6U5LOogMFDTjfArsQLtk70pt6wKGm
+// +LUx5vR1yblTmXVHIloUFcd4G7ad6Qz4G3bxhYTeodoS76TiEJd6eN4MUZeoIUCL
+// hr0N8F5OSza7OyAfikJW4Qsav3vQIkMsRIz75Sq0bBwcupTgE34h5prCy8VCZLQe
+// lHsIJchxzIdFV4XTnyliIoNRlwAYl3dqmJLJfGBs32x9SuRwTMKeuB330DTHD8z7
+// p/8Dvq1wkNoL3chtl1+afwkyQf3NosxabUzyqkn+Zvjp2DXrDige7kgvOtB5CTh8
+// piKCk5XQA76+AqAF3SAi428diDRgxuYKuQl1C/AH6GmWNcf7I4GOODm4RStDeKLR
+// LBT/DShycpWbXgnbiUSYqqFJu3FS8r/2/yehNq+4tneI3TqkbZs0kNwUXTC/t+sX
+// 5Ie3cdCh13cV1ELX8vMxmV2b3RZtP+oGI/hGoiLtk/bdmuYqh7GYVPEi92tF4+KO
+// dh2ajcQGjTa3FPOdVGm3jjzVpG2Tgbet9r1ke8LJaDmgkpzNNIaRkPpkUZ3+/uul
+// 9XXeifdy
+// -----END CERTIFICATE-----
+//
+// Let's Encrypt Authority X1:
+// -----BEGIN CERTIFICATE-----
+// MIIEqDCCA5CgAwIBAgIRAJgT9HUT5XULQ+dDHpceRL0wDQYJKoZIhvcNAQELBQAw
+// PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+// Ew5EU1QgUm9vdCBDQSBYMzAeFw0xNTEwMTkyMjMzMzZaFw0yMDEwMTkyMjMzMzZa
+// MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+// ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTCCASIwDQYJKoZIhvcNAQEBBQAD
+// ggEPADCCAQoCggEBAJzTDPBa5S5Ht3JdN4OzaGMw6tc1Jhkl4b2+NfFwki+3uEtB
+// BaupnjUIWOyxKsRohwuj43Xk5vOnYnG6eYFgH9eRmp/z0HhncchpDpWRz/7mmelg
+// PEjMfspNdxIknUcbWuu57B43ABycrHunBerOSuu9QeU2mLnL/W08lmjfIypCkAyG
+// dGfIf6WauFJhFBM/ZemCh8vb+g5W9oaJ84U/l4avsNwa72sNlRZ9xCugZbKZBDZ1
+// gGusSvMbkEl4L6KWTyogJSkExnTA0DHNjzE4lRa6qDO4Q/GxH8Mwf6J5MRM9LTb4
+// 4/zyM2q5OTHFr8SNDR1kFjOq+oQpttQLwNh9w5MCAwEAAaOCAZIwggGOMBIGA1Ud
+// EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMH8GCCsGAQUFBwEBBHMwcTAy
+// BggrBgEFBQcwAYYmaHR0cDovL2lzcmcudHJ1c3RpZC5vY3NwLmlkZW50cnVzdC5j
+// b20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9hcHBzLmlkZW50cnVzdC5jb20vcm9vdHMv
+// ZHN0cm9vdGNheDMucDdjMB8GA1UdIwQYMBaAFMSnsaR7LHH62+FLkHX/xBVghYkQ
+// MFQGA1UdIARNMEswCAYGZ4EMAQIBMD8GCysGAQQBgt8TAQEBMDAwLgYIKwYBBQUH
+// AgEWImh0dHA6Ly9jcHMucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcwPAYDVR0fBDUw
+// MzAxoC+gLYYraHR0cDovL2NybC5pZGVudHJ1c3QuY29tL0RTVFJPT1RDQVgzQ1JM
+// LmNybDATBgNVHR4EDDAKoQgwBoIELm1pbDAdBgNVHQ4EFgQUqEpqYwR93brm0Tm3
+// pkVl7/Oo7KEwDQYJKoZIhvcNAQELBQADggEBANHIIkus7+MJiZZQsY14cCoBG1hd
+// v0J20/FyWo5ppnfjL78S2k4s2GLRJ7iD9ZDKErndvbNFGcsW+9kKK/TnY21hp4Dd
+// ITv8S9ZYQ7oaoqs7HwhEMY9sibED4aXw09xrJZTC9zK1uIfW6t5dHQjuOWv+HHoW
+// ZnupyxpsEUlEaFb+/SCI4KCSBdAsYxAcsHYI5xxEI4LutHp6s3OT2FuO90WfdsIk
+// 6q78OMSdn875bNjdBYAqxUp2/LEIHfDBkLoQz0hFJmwAbYahqKaLn73PAAm1X2kj
+// f1w8DdnkabOLGeOVcj9LQ+s67vBykx4anTjURkbqZslUEUsn2k5xeua2zUk=
+// -----END CERTIFICATE-----
+
+"use strict";
+
+function run_test() {
+  const certDBName = "cert9.db";
+  const keyDBName = "key4.db";
+  let profile = do_get_profile();
+  let certDBFile = do_get_file(`test_cert_isBuiltInRoot_reload/${certDBName}`);
+  certDBFile.copyTo(profile, certDBName);
+  let keyDBFile = do_get_file(`test_cert_isBuiltInRoot_reload/${keyDBName}`);
+  keyDBFile.copyTo(profile, keyDBName);
+
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+
+  // This is a built-in root, but not one that was added to the preexisting
+  // certificate DB.
+  // Verisign Class 1 Public Primary Certification Authority - G3
+  // Certificate fingerprint (SHA1): 204285DCF7EB764195578E136BD4B7D1E98E46A5
+  // https://crt.sh/?id=8984570
+  const veriSignCertDBKey = `AAAAAAAAAAAAAAARAAAAzQCLW3VWhFSFCwDPrzhI
+    zrGkMIHKMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdB
+    gNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IF
+    ZlcmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAM
+    TPFZlcmlTaWduIENsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBB
+    dXRob3JpdHkgLSBHMw==`;
+  let veriSignCert = certdb.findCertByDBKey(veriSignCertDBKey);
+  ok(veriSignCert, "Should be able to find VeriSign root");
+  ok(veriSignCert.isBuiltInRoot, "VeriSign root is a built-in");
+
+  // This is a built-in root. It was added to the preexisting certificate DB. It
+  // should still be considered a built-in.
+  const naverCertDBKey = `AAAAAAAAAAAAAAAUAAAAawGUMB6iC93
+    1xTMqsUNEcfjWUE0NMGkxCzAJBgNVBAYTAktSMSYwJAYDVQQKDB1OQVZFUiBCVVN
+    JTkVTUyBQTEFURk9STSBDb3JwLjEyMDAGA1UEAwwpTkFWRVIgR2xvYmFsIFJvb3Q
+    gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHk=`;
+  let naverCert = certdb.findCertByDBKey(naverCertDBKey);
+  ok(naverCert, "Should be able to find NAVER root");
+  ok(naverCert.isBuiltInRoot, "NAVER root is a built-in");
+
+  // This is not a built-in root. It was added to the preexisting certificate
+  // DB. It should not be considered a built-in root.
+  const letsEncryptCertDBKey = `AAAAAAAAAAAAAAARAAAAQQCYE
+    /R1E+V1C0PnQx6XHkS9MD8xJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRyd
+    XN0IENvLjEXMBUGA1UEAxMORFNUIFJvb3QgQ0EgWDM=`;
+  let letsEncryptCert = certdb.findCertByDBKey(letsEncryptCertDBKey);
+  ok(letsEncryptCert, "Should be able to find LetsEncrypt root");
+  ok(!letsEncryptCert.isBuiltInRoot, "LetsEncrypt root is not a built-in");
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/cert9.db b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/cert9.db
new file mode 100644
index 0000000000..7d48c6b133
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/cert9.db
diff --git a/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/key4.db b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/key4.db
new file mode 100644
index 0000000000..e41477dfd9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/key4.db
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage.js b/security/manager/ssl/tests/unit/test_cert_keyUsage.js
new file mode 100644
index 0000000000..a327cb41fa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage.js
@@ -0,0 +1,76 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+var certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+const caList = [
+  "ca-no-keyUsage-extension",
+  "ca-missing-keyCertSign",
+  "ca-all-usages",
+];
+const eeList = [
+  "ee-no-keyUsage-extension",
+  "ee-keyCertSign-only",
+  "ee-keyEncipherment-only",
+  "ee-keyCertSign-and-keyEncipherment",
+];
+
+const caUsage = [certificateUsageSSLCA];
+const allEEUsages = [
+  certificateUsageSSLClient,
+  certificateUsageSSLServer,
+  certificateUsageEmailSigner,
+  certificateUsageEmailRecipient,
+];
+const serverEEUsages = [
+  certificateUsageSSLServer,
+  certificateUsageEmailRecipient,
+];
+
+const expectedUsagesMap = {
+  "ca-no-keyUsage-extension": caUsage,
+  "ca-missing-keyCertSign": [],
+  "ca-all-usages": caUsage,
+
+  "ee-no-keyUsage-extension-ca-no-keyUsage-extension": allEEUsages,
+  "ee-no-keyUsage-extension-ca-missing-keyCertSign": [],
+  "ee-no-keyUsage-extension-ca-all-usages": allEEUsages,
+
+  "ee-keyCertSign-only-ca-no-keyUsage-extension": [],
+  "ee-keyCertSign-only-ca-missing-keyCertSign": [],
+  "ee-keyCertSign-only-ca-all-usages": [],
+
+  "ee-keyEncipherment-only-ca-no-keyUsage-extension": serverEEUsages,
+  "ee-keyEncipherment-only-ca-missing-keyCertSign": [],
+  "ee-keyEncipherment-only-ca-all-usages": serverEEUsages,
+
+  "ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension": serverEEUsages,
+  "ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign": [],
+  "ee-keyCertSign-and-keyEncipherment-ca-all-usages": serverEEUsages,
+};
+
+add_task(async function () {
+  for (let ca of caList) {
+    addCertFromFile(certdb, "test_cert_keyUsage/" + ca + ".pem", "CTu,CTu,CTu");
+    let caCert = constructCertFromFile("test_cert_keyUsage/" + ca + ".pem");
+    await asyncTestCertificateUsages(certdb, caCert, expectedUsagesMap[ca]);
+    for (let ee of eeList) {
+      let eeFullName = ee + "-" + ca;
+      let eeCert = constructCertFromFile(
+        "test_cert_keyUsage/" + eeFullName + ".pem"
+      );
+      await asyncTestCertificateUsages(
+        certdb,
+        eeCert,
+        expectedUsagesMap[eeFullName]
+      );
+    }
+  }
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem
new file mode 100644
index 0000000000..7ef812e4c9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIUE5r8LYaA73SA25Y8MhWmudWklrowDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAYMRYwFAYDVQQDDA1jYS1hbGwtdXNhZ2VzMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB/jANBgkqhkiG9w0BAQsFAAOC
+AQEAbfCeYrdUfCn8yN8rtt69olTC8huRW7dWFr8LcRgoU+jQO5myXPvZc6r4Kig7
+SuXueQCvX7IRipDf6lB8t911vHwvvZATTvXB4MJ0QZTSjn2P61bekoAVfexFfM1n
+QE4ONlo/3f/p/RtP6VKJnErdwSFyNzIuEBdSNPUwyJIOgBge3qi5BMM7Lm0oiTIw
+L1E++BcBffAEociBiCaB1nd6jbIUtnTY8jyWIr/trzG5BmIKjZGzzrS8zCI8brq6
+M7lT7oOXwD5Q0aP+OUPrtLPC3norMKVuyo4HJdT1XZVjc/15GbwbSeTI3jiYGxWv
+RY288eAkTXZvXxwQvT7W7q1Owg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem.certspec
new file mode 100644
index 0000000000..2ca523c74e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca-all-usages
+subject:ca-all-usages
+extension:basicConstraints:cA,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem
new file mode 100644
index 0000000000..cb8d04ae3f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIUCaFrRP9EdV/s2molg6t0aH4/M9QwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIxMTEy
+NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAhMR8wHQYDVQQDDBZjYS1taXNzaW5n
+LWtleUNlcnRTaWduMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohR
+qESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+Kv
+WnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+
+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPv
+JxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5
+Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6
+clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB
++jANBgkqhkiG9w0BAQsFAAOCAQEAMT30/3FlLT0SRLla9/6nUnhM18/h5te+HEew
+3PwtcRv0JwUBdYXxNK/MVIMDaL9GC/6S9zqlGw4N86tP2E3s8giwbLcNWelou8Zu
+nmnz8BU4MtfW+lkF/0ZNhDRBFXFWTNM7pdKDfVHJhMvzZdk0tEgU2hCZwMu4PGRs
+6oJTrBacjc27s3mVRaxi6NdGZIJQBlfakn7FXI2RcP/+WYgTNNBzvFyRO1pvJdTq
+cGR1fykBoiFZrKOO+MSAWEXke3w/U/lQCM5odDAFngxsHrSftc44XgP2DG08vovH
+wl3MGpr2RDqovYSWKJSv2VeLqSdpeIG/y4ixFBXwmRF/YVUyrQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..26e0158ebe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca-missing-keyCertSign
+subject:ca-missing-keyCertSign
+extension:basicConstraints:cA,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem
new file mode 100644
index 0000000000..29a39ee751
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6DCCAdCgAwIBAgIUaZMM8r1k443E+DQLRBc1j34OAGYwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjEx
+MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCMxITAfBgNVBAMMGGNhLW5vLWtl
+eVVzYWdlLWV4dGVuc2lvbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG
+8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V
+gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3
+04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l
+0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz
+/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG
+9w0BAQsFAAOCAQEAPBRfUuVZulBelyNkd9A9UP5svL4sM8HjbYfggMGh8wHudlH9
+mghp/up5ZEuqyfrwJ8G2yCRC8pvZv4BcBvtlUngWsuBuGKJ0+8OMFdGk5gLhjiDm
+tVQR99o2MFzG8fCjqpNwB+MfSrt2Mbu5hV66UjSvjar6qVcwjWpdKmDnJGgvs6Ib
+t2mZIyoV1pSJNkDai7o1GtXj2WFL9VwjYhi4EDfdUz5xOuLWdBMMRlnfDq1pDpub
+LZ+8FqHJCbFL6G9q3RXPjRhmWIePc/gZLEkVd9S092ePb18gs62UHxK68n+4DOQp
+BdFdrTMeqehtapMkO5G2RMCa7seL6hStoTsxJQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem.certspec
new file mode 100644
index 0000000000..d32e6a6496
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-no-keyUsage-extension
+subject:ca-no-keyUsage-extension
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem
new file mode 100644
index 0000000000..393380d981
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIUGWYB9e9ARnyr9cvrxtuO7gAvALIwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAtMSswKQYDVQQDDCJlZS1rZXlDZXJ0U2lnbi1hbmQt
+a2V5RW5jaXBoZXJtZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby
+a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC
+D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT
+iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT
+Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+
+SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAiQwDQYJKoZIhvcN
+AQELBQADggEBADQMLlcZMsXMKfScNpZZ4KSSWr20vhhXerUk9hK6QqCSUjxlD/QH
+Bib9+T3w0qfEL9QBt5ic/BIN9V9Z5bfLW5IuCT1Gq4yL9aQNkRtTNEtXPZjsAyP5
+OBcsWcsqdNvPn7DOCE4DSo7Omqx1QOGGD3F9ico1NykgUZNN/xdK3kstrugY9Gnv
+FpHvrlkpMxFEmKzxx2AKgsdr4ZxiZnzu87Cv0ICWYjRTTOflJmwKkfO+hR6K5XrP
+TWbyoX2AYkWXWlierE5nTDWAG4Z2fi5FFQfGbGBxdBU/febJZwLBghRCLFQRjkYK
+GOThHpemmJV2UPxfbWXX1pqQkEGb+a4Aqis=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem.certspec
new file mode 100644
index 0000000000..0bb2721a31
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-all-usages
+subject:ee-keyCertSign-and-keyEncipherment
+extension:keyUsage:keyEncipherment,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem
new file mode 100644
index 0000000000..6f9425e546
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIULaOT+liPEeD1woYhMEmcCYf8h4IwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIxMTEy
+NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAtMSswKQYDVQQDDCJlZS1rZXlDZXJ0
+U2lnbi1hbmQta2V5RW5jaXBoZXJtZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAiQw
+DQYJKoZIhvcNAQELBQADggEBACbwD8VRRCFLZFSp31okFWXBJLTqilYjzZChoQVS
+/rbz6ae8P8ScX8ppi2eGFNB2vVETTtKwpI8bdncmtInk/JtUncnmU5wjqKsG1gmI
+Lzz3ZC+x62R/6ocCRw0FfEa9C87BYHy3oRHa6qpSv+ZjNWMc9Me15WIt9JPFrENs
+SWWTF005OXT6/SN9Db3DL2yOGn9cB6GbwsbNptBd9joBFbhpZNY7XMakkVDKGL/W
+JeKZEzeyiR2EGxFYxOn4lNuJty3DOjClP8++iQFClBO5E6c+9jV0Rsew3aL7Q87y
+JWouTF7sYRjwBf+lWsRJ4sZCe6yEhNkGQKXGBAOiWtxeuUI=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..567ab0ce2d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-missing-keyCertSign
+subject:ee-keyCertSign-and-keyEncipherment
+extension:keyUsage:keyEncipherment,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem
new file mode 100644
index 0000000000..8344820c66
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIULe9oCGYjHMm9s2kUkeaGeYDfkYowDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjEx
+MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMC0xKzApBgNVBAMMImVlLWtleUNl
+cnRTaWduLWFuZC1rZXlFbmNpcGhlcm1lbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg
+2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ
+5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ
+PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj
+DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W
+iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQEAwIC
+JDANBgkqhkiG9w0BAQsFAAOCAQEAbvM/6pDn9yYnnEKzEoEC5rSpQVZkgunP2WNc
+dJ9s0zkZeT5HCnPbcntHfjbK217iwja9k/eSg8ukDofstkExjRswRS4F4rCb3ciB
+yEsb5QX2mFAFnFE4b/i3XFDlYSzw2hWOOB2+WXmYNu82eZOvfiM4UvSV2wwFQiOf
+XAYbW5rd7umW5YS8K6heBuFbS1aJLFasDgPb7bHCCYJH/GyLcvDn45e0Y89m3us9
+e2OHLsVN6Mjaq1UO0zXwsSb0GwoYxagHy8h5c3m8tNpe254X6f6jnKbVNUK6SJ2Q
+293EF9vGzv0q1FUZDP/y/qiVlbFJ1QT4cos7Ryzg1KVQSDqL1Q==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem.certspec
new file mode 100644
index 0000000000..c48ef66126
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-no-keyUsage-extension
+subject:ee-keyCertSign-and-keyEncipherment
+extension:keyUsage:keyEncipherment,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem
new file mode 100644
index 0000000000..92e5f92177
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1zCCAb+gAwIBAgIUCWQJroNopActb60dEoJJYUXC6YQwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1rZXlDZXJ0U2lnbi1vbmx5
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABow8wDTALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQELBQADggEBAGU/zN/j
+eXCJzlYjTcRRZF8/3kDauNwfQMHFD2ftNcdsTDHBZt+8ZN7aGau8038f0tw3//CL
+C2VJNkhy9DvizdzgITO315HIM9wYaITDxpLob+z27/Wb7NPfYFb26Z9mY91l89ku
+umemthFmh4oHRDmEbDa1tUD0bcqmdg5zChemA/LuKV3nw6oZsHEy5NUESXicNhSx
+9zm8F32/SyTur75mJ4a2AHqFr8fbLAgYCtj7RWmAI4sPGgk1C689Aj4oGWkkFkgE
+uifRyiui2GRiTH82wvzWh3UNYyJZEOnKE4jxGljE9I5BjK95vyU13d3IkIvJJ1pH
+tfQSjzOe6SsNvP4=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem.certspec
new file mode 100644
index 0000000000..c495ca6d0e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-all-usages
+subject:ee-keyCertSign-only
+extension:keyUsage:keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem
new file mode 100644
index 0000000000..74a3be06df
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAcigAwIBAgIUWbCPLRav9EW2uQgTKqbUCxb/sUAwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIxMTEy
+NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1rZXlDZXJ0
+U2lnbi1vbmx5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQELBQAD
+ggEBADXuaMRmW0SKcP3hLgeoE5J/Sw7cm+ffo9j192akaHTnI/H/pD+j6JkEOsw/
+2gyrKPQdcKqWNqSIDpZMEcQrCi2LnYgJEZFGRHol7oS7FnQaZ5Bp+cx5wnz37Ig5
+UkYHoBoa2JYD6HmibtsB9d83CG/b9B7ulEE4pYJga+0nRcIRLIbEP87mRFPmMAe9
+i8yvZI1FbzFYILehOYcIBVUT1O4U1Xyt/k1lPGOlKs8VUQ66XY+7+iLu53pxv9ja
+dIgPcFer+dRC7GVtneOnggHQ3aYxrnSBlOFd54Y+O7QfESSZsrXbrZmzhd617UeW
+7spMsdHfI1rsc8aQ6gVFqlXd6mw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..23ddd0eb8a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-missing-keyCertSign
+subject:ee-keyCertSign-only
+extension:keyUsage:keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem
new file mode 100644
index 0000000000..086f2ac5d1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4jCCAcqgAwIBAgIUfcLeIvoPPBJMolgBDz+v3K8mAEEwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjEx
+MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMB4xHDAaBgNVBAMME2VlLWtleUNl
+cnRTaWduLW9ubHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQEAwICBDANBgkqhkiG9w0BAQsF
+AAOCAQEAq9eg9Xq7glTjKJtItaRt8PPhXeVZIbMoabIuDdHMq7hT4YXS5vWysT8V
+M6oNOsvnSuwAm+9Y1fTsB/mR8l0BpaYadLizagIHSFZ57bPZzzfEQngu2NkGd+v2
+wxQIrp1KkZCHzYRenT6sZGuAxqqX0KVsEnwen0N93UIrOn3D6T2EE1QT5IMI9IPU
+3OX3UtOVYzUOia+IV0VEpQ0r1o8BmZopx1dkMFvsj7rciF4pR9UQQDzkCs8z60iK
+oG1zzqnwW0ZA9PAmB0pAJbHf3gKOka6I137QvYhCWlFUr5LqVKY/A2IACbIeBQJG
+WKib6YiVMFSI0vdEqNgH38F5c+SaFg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem.certspec
new file mode 100644
index 0000000000..a5a2d62a7d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-no-keyUsage-extension
+subject:ee-keyCertSign-only
+extension:keyUsage:keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem
new file mode 100644
index 0000000000..321ceca492
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC2zCCAcOgAwIBAgIUYfQJjxnw4OD0vXwmpPInpoGAILowDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAiMSAwHgYDVQQDDBdlZS1rZXlFbmNpcGhlcm1lbnQt
+b25seTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u
+togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6
+pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL
+KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq
+fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv
+Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za
+GAo17Y0CAwEAAaMPMA0wCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEBCwUAA4IBAQAc
+KoBdffm/erD9x/k7jvpq99n6AYDeWpIfLdAA3FUTLZItlNNjEYZGDaLd2NRYB0ay
+mbJgYnwdnuac0pylWfTxDMQfcC1ztsXeB8DF/H3v3/iWXUoHbtmCFa3OBac6PJQQ
+K4+ssbipWUaCTP+79lT6e0cs7PXnLLxEyLYlLJFxO6t3Y3knsH3/UEu/86ZWJs5F
+e6BamdM26itAfe30rzTzSr0WxiHZYGX3K5mSZ0+p/FD4Up0MFALukn1xZ6+WLd8c
+gsi0li246g2aUf+rjjKlg4wmx2JndYL5vUP2SJJfFxulvzgDtHw2RfsgA2eN9Zvi
+5a/1QH9m39qO6LXZxwVu
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem.certspec
new file mode 100644
index 0000000000..08154a53ee
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-all-usages
+subject:ee-keyEncipherment-only
+extension:keyUsage:keyEncipherment
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem
new file mode 100644
index 0000000000..8e45895208
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5DCCAcygAwIBAgIUf2jeIliw8Hs+4yN24J1B9he7DEIwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIxMTEy
+NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAiMSAwHgYDVQQDDBdlZS1rZXlFbmNp
+cGhlcm1lbnQtb25seTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI
+UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi
+r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x
+fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD
+7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv
+uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj
++nJRxDHVA6zaGAo17Y0CAwEAAaMPMA0wCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEB
+CwUAA4IBAQAto3rwCaozt9tPSju24aTGvGPQwoiZ1uJzp9PJGKTMKpm2jobT1c1o
+RLjpfa5P2TM6vUCOS7M+uLkzlYsr8aW5WrD0ehJX3Ge1oOFA2A/xwHbffwPpUXgS
+euBMN/RV5Oq9pPLlI5FCG2nWTNjG1u2oEx9Lxf0iMs4YpPwFU1w/mbgFqdnQNn5N
+54DWg3MFNMeNXpGJZrJnKZj7iPFpDtGbTVAKe9tsR4wu5EbReOxa4LvN79BP2Z44
+jivHsnId2SMu1xbaqXLg8ZoTTNX8zL9Mls6kQkjf7vunGrK968x6wDffhz+FTafZ
+qx0xbp/j82UxSPGnj+MYe3dPKU+yZaAZ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..9bdcf4b7b8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-missing-keyCertSign
+subject:ee-keyEncipherment-only
+extension:keyUsage:keyEncipherment
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem
new file mode 100644
index 0000000000..2cf8010b45
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIUOXP432q/p9DYN1yjp9TtbUn7sCMwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjEx
+MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCIxIDAeBgNVBAMMF2VlLWtleUVu
+Y2lwaGVybWVudC1vbmx5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby
+a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC
+D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT
+iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT
+Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+
+SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCBSAwDQYJKoZIhvcN
+AQELBQADggEBAJ/fbi3UftOoyyTSyNPq2zRMDDpEkHx7jcmSDB72wVVfiIDD0tYW
+BaI0zVBHa7PtePCWorCc1SR9rzMKRLl4jpKmfBdmFWDKBrzA+Yd6s2eN+G7zQw9R
+CN0BTou7vHPqAdVeT8e0XhQPBB4IyPw0Zk/8KO3kin5g5Dyf2Eaqc1CY63PzS0F7
+U9MAGwHo8o1ikA6gdKM/vi282sd2Nqa/HaYR4TXgFOCe3zzkq1DKAm+26lfWznmO
+L2KINdoqRhtEEc69NAsoJa5xKXm5+aemk5YNA5JpUH3NgACaUomIseU1JwSgJauk
+3BreCw1pwCuWG/ArNgCkMG4bNJA7I5nc49E=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem.certspec
new file mode 100644
index 0000000000..a2383ecfdd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca-no-keyUsage-extension
+subject:ee-keyEncipherment-only
+extension:keyUsage:keyEncipherment
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem
new file mode 100644
index 0000000000..3c8fd4266e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyzCCAbOgAwIBAgIUE3y2+REalJVr9BJgRHvD/0X6kggwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAjMSEwHwYDVQQDDBhlZS1uby1rZXlVc2FnZS1leHRl
+bnNpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAH710Q5yUWJdwRYPAucysm6E
+cJtzX5CD2fs8pJkKtFY4CTofI7rKdU+dIuTsfX/xrnIhdknMAit8kbkQzRsyk0c3
+Am1qgD8pBbrBtNkzHD1cWvNIQGuntI8+4CWqSNkgFtDEmhNH4N3gr4I7ozNfeZKy
+vaZQCqrDpZ6hJdrFbkKeuivZisCXT6OMkhCtJmUz1g2Vlzq1JD5Jffj6nz5u88+G
+gYQ8oJ//R3+AkYmdbF1SzL3XAGFKgJ752UowrCVRTWhe7jj7qqgjMTLwHd7WbRfW
+eyPcDf8l8Fx40I8W4mv7SYArfYpSBohHHMA2ajD2ZglVmkYweK8vO3V3as62lXw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem.certspec
new file mode 100644
index 0000000000..6d2e672961
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca-all-usages
+subject:ee-no-keyUsage-extension
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem
new file mode 100644
index 0000000000..ca06b96af7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1DCCAbygAwIBAgIUN3Gtxz6p1g5APefpvRImgppez0gwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIxMTEy
+NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAjMSEwHwYDVQQDDBhlZS1uby1rZXlV
+c2FnZS1leHRlbnNpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
+iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
+4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
+8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
+Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
+77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
+I/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJ5tsZ2pBNLa
+SQyu952+mbY0McHswPvp34q9ihKtUAaZiwusSnVDGP09FTzu6ejRO857Mjqk4oCf
+C77FyXsWhAVSEqZyYeKwn+UZyZONA3ZY6plx5rpn5CFVZleh5G0TC6eAVmUcJ13J
+x2mmhgPyU2LvHxIRFOaWhTJ9r0qikIDr+96Vti6qDdBeroKuSi2eWUKyofwgV3zK
+FsXauOjGzzLZT3va4c0NUdC4+/qppAoC6ejma0iqj3A1gm00DnYU3GMsBXtSSHAH
+iZGsbtiuZtCZXxgf2os0NLl5demKOcOzKAHs1No2KwVcxonE6t5uqbKsQFbC47x+
+mT2WDtwpQSo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..3cba2f0d81
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca-missing-keyCertSign
+subject:ee-no-keyUsage-extension
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem
new file mode 100644
index 0000000000..c667430b40
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1jCCAb6gAwIBAgIUcUkpEkAlszLM+q9hdNYNVNbjhhQwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjEx
+MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCMxITAfBgNVBAMMGGVlLW5vLWtl
+eVVzYWdlLWV4dGVuc2lvbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG
+8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V
+gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3
+04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l
+0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz
+/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcX+eZ5QZ
+2ji/0gf+sLsw5M/OGw6LMqCKUd5X36XybPCbY1xx8D9Z9dGMV1kzq5TkCSpLOg6f
+1qBqUCIQa/Cpeg1ScHJC9zgmo9XFIniX2ZhiT0o33dDXvTn7l6AuKA4hicbdTcx2
+aGI2MoNpIFINwrNnr6gKQMrBUCBPkWYuCOANqhH8jV9BYgVvYuqK1ecmll5/Cgxp
+ikQ6dzmpUHXFgN46UokyFfaudvt/PVqnukiYfjarKltAH5sfFjCQzrkXrK4QjWUW
+vjd2AJSsxJb6N3wQgfjEI2WTxLfr2DzhNSFB/SdB2tOcJTxIaIkHbS65aimhNXOx
+mppJ0lp9HXjpeg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem.certspec
new file mode 100644
index 0000000000..c850725a63
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca-no-keyUsage-extension
+subject:ee-no-keyUsage-extension
diff --git a/security/manager/ssl/tests/unit/test_cert_override_read.js b/security/manager/ssl/tests/unit/test_cert_override_read.js
new file mode 100644
index 0000000000..800f82872d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_override_read.js
@@ -0,0 +1,188 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This test checks parsing of the the certificate override file
+
+function run_test() {
+  // These are hard-coded to avoid initialization of NSS before setup is complete
+  // bad_certs/mitm.pem
+  let cert1 = {
+    sha256Fingerprint:
+      "E9:3A:91:F6:15:11:FB:DD:02:76:DD:45:8C:4B:F4:9B:D1:14:13:91:2E:96:4B:EC:D2:4F:90:D5:F4:BB:29:5C",
+  };
+  // bad_certs/selfsigned.pem
+  let cert2 = {
+    sha256Fingerprint:
+      "51:BC:41:90:C1:FD:6E:73:18:19:B0:60:08:DD:A3:3D:59:B2:5B:FB:D0:3D:DD:89:19:A5:BB:C6:2B:5A:72:A7",
+  };
+  // bad_certs/noValidNames.pem
+  let cert3 = {
+    sha256Fingerprint:
+      "C3:A3:61:02:CA:64:CC:EC:45:1D:24:B6:A0:69:DB:DB:F0:D8:58:76:FC:50:36:52:5A:E8:40:4C:55:72:08:F4",
+  };
+
+  let profileDir = do_get_profile();
+  let overrideFile = profileDir.clone();
+  overrideFile.append(CERT_OVERRIDE_FILE_NAME);
+  // Assuming we're working with a clean slate, the file shouldn't exist
+  // until we create it.
+  ok(!overrideFile.exists());
+  let outputStream = FileUtils.openFileOutputStream(overrideFile);
+  let lines = [
+    "# PSM Certificate Override Settings file",
+    "# This is a generated file!  Do not edit.",
+    "test.example.com:443:^privateBrowsingId=1\tOID.2.16.840.1.101.3.4.2.1\t" +
+      cert1.sha256Fingerprint +
+      "\t",
+    "test.example.com:443:^privateBrowsingId=2\tOID.2.16.840.1.101.3.4.2.1\t" +
+      cert1.sha256Fingerprint +
+      "\t",
+    "test.example.com:443:^privateBrowsingId=3\tOID.2.16.840.1.101.3.4.2.1\t" + // includes bits and dbKey (now obsolete)
+      cert1.sha256Fingerprint +
+      "\tM\t" +
+      "AAAAAAAAAAAAAAACAAAAFjA5MBQxEjAQBgNVBAMMCWxvY2FsaG9zdA==",
+    "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" +
+      cert2.sha256Fingerprint +
+      "\t",
+    "[::1]:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // IPv6
+      cert2.sha256Fingerprint +
+      "\t",
+    "old.example.com:443\tOID.2.16.840.1.101.3.4.2.1\t" + // missing attributes (defaulted)
+      cert1.sha256Fingerprint +
+      "\t",
+    ":443:\tOID.2.16.840.1.101.3.4.2.1\t" + // missing host name
+      cert3.sha256Fingerprint +
+      "\t",
+    "example.com::\tOID.2.16.840.1.101.3.4.2.1\t" + // missing port
+      cert3.sha256Fingerprint +
+      "\t",
+    "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // wrong fingerprint
+      cert2.sha256Fingerprint +
+      "\t",
+    "example.com:443:\tOID.0.00.000.0.000.0.0.0.0\t" + // bad OID
+      cert3.sha256Fingerprint +
+      "\t",
+    "example.com:443:\t.0.0.0.0\t" + // malformed OID
+      cert3.sha256Fingerprint +
+      "\t",
+    "example.com:443:\t\t" + // missing OID
+      cert3.sha256Fingerprint +
+      "\t",
+    "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t", // missing fingerprint
+  ];
+  writeLinesAndClose(lines, outputStream);
+  let overrideService = Cc["@mozilla.org/security/certoverride;1"].getService(
+    Ci.nsICertOverrideService
+  );
+  notEqual(overrideService, null);
+
+  // Now that the override service is initialized we can actually read the certificates
+  cert1 = constructCertFromFile("bad_certs/mitm.pem");
+  info(
+    `if this test fails, try updating cert1.sha256Fingerprint to "${cert1.sha256Fingerprint}"`
+  );
+  cert2 = constructCertFromFile("bad_certs/selfsigned.pem");
+  info(
+    `if this test fails, try updating cert2.sha256Fingerprint to "${cert2.sha256Fingerprint}"`
+  );
+  cert3 = constructCertFromFile("bad_certs/noValidNames.pem");
+  info(
+    `if this test fails, try updating cert3.sha256Fingerprint to "${cert3.sha256Fingerprint}"`
+  );
+
+  const OVERRIDES = [
+    {
+      host: "test.example.com",
+      port: 443,
+      cert: cert1,
+      attributes: { privateBrowsingId: 1 },
+    },
+    {
+      host: "test.example.com",
+      port: 443,
+      cert: cert1,
+      attributes: { privateBrowsingId: 2 },
+    },
+    {
+      host: "test.example.com",
+      port: 443,
+      cert: cert1,
+      attributes: { privateBrowsingId: 3 },
+    },
+    {
+      host: "example.com",
+      port: 443,
+      cert: cert2,
+      attributes: {},
+    },
+    {
+      host: "::1",
+      port: 443,
+      cert: cert2,
+      attributes: {},
+    },
+    {
+      host: "example.com",
+      port: 443,
+      cert: cert2,
+      attributes: { userContextId: 1 }, // only privateBrowsingId is used
+    },
+    {
+      host: "old.example.com",
+      port: 443,
+      cert: cert1,
+      attributes: {},
+    },
+  ];
+  const BAD_OVERRIDES = [
+    {
+      host: "test.example.com",
+      port: 443,
+      cert: cert1,
+      attributes: { privateBrowsingId: 4 }, // wrong attributes
+    },
+    {
+      host: "test.example.com",
+      port: 443,
+      cert: cert3, // wrong certificate
+      attributes: { privateBrowsingId: 1 },
+    },
+    {
+      host: "example.com",
+      port: 443,
+      cert: cert3,
+      attributes: {},
+    },
+  ];
+
+  for (let override of OVERRIDES) {
+    let temp = {};
+    ok(
+      overrideService.hasMatchingOverride(
+        override.host,
+        override.port,
+        override.attributes,
+        override.cert,
+        temp
+      ),
+      `${JSON.stringify(override)} should have an override`
+    );
+    equal(temp.value, false);
+  }
+
+  for (let override of BAD_OVERRIDES) {
+    let temp = {};
+    ok(
+      !overrideService.hasMatchingOverride(
+        override.host,
+        override.port,
+        override.attributes,
+        override.cert,
+        temp
+      ),
+      `${override} should not have an override`
+    );
+  }
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_overrides.js b/security/manager/ssl/tests/unit/test_cert_overrides.js
new file mode 100644
index 0000000000..7ae45b7ef2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@@ -0,0 +1,734 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Tests the certificate overrides we allow.
+// add_cert_override_test will queue a test that does the following:
+// 1. Attempt to connect to the given host. This should fail with the
+//    given error.
+// 2. Add an override for that host/port/certificate.
+// 3. Connect again. This should succeed.
+
+do_get_profile();
+
+function check_telemetry() {
+  let histogram = Services.telemetry
+    .getHistogramById("SSL_CERT_ERROR_OVERRIDES")
+    .snapshot();
+  equal(histogram.values[0], 0, "Should have 0 unclassified values");
+  equal(
+    histogram.values[2],
+    9,
+    "Actual and expected SEC_ERROR_UNKNOWN_ISSUER values should match"
+  );
+  equal(
+    histogram.values[3],
+    1,
+    "Actual and expected SEC_ERROR_CA_CERT_INVALID values should match"
+  );
+  equal(
+    histogram.values[4] || 0,
+    0,
+    "Actual and expected SEC_ERROR_UNTRUSTED_ISSUER values should match"
+  );
+  equal(
+    histogram.values[5],
+    1,
+    "Actual and expected SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE values should match"
+  );
+  equal(
+    histogram.values[6] || 0,
+    0,
+    "Actual and expected SEC_ERROR_UNTRUSTED_CERT values should match"
+  );
+  equal(
+    histogram.values[7] || 0,
+    0,
+    "Actual and expected SEC_ERROR_INADEQUATE_KEY_USAGE values should match"
+  );
+  equal(
+    histogram.values[8],
+    2,
+    "Actual and expected SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED values should match"
+  );
+  equal(
+    histogram.values[9],
+    9,
+    "Actual and expected SSL_ERROR_BAD_CERT_DOMAIN values should match"
+  );
+  equal(
+    histogram.values[10],
+    1,
+    "Actual and expected SEC_ERROR_EXPIRED_CERTIFICATE values should match"
+  );
+  equal(
+    histogram.values[11],
+    2,
+    "Actual and expected MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY values should match"
+  );
+  equal(
+    histogram.values[12],
+    1,
+    "Actual and expected MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA values should match"
+  );
+  equal(
+    histogram.values[13],
+    1,
+    "Actual and expected MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE values should match"
+  );
+  equal(
+    histogram.values[14],
+    1,
+    "Actual and expected MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE values should match"
+  );
+  equal(
+    histogram.values[15],
+    1,
+    "Actual and expected MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE values should match"
+  );
+  equal(
+    histogram.values[16],
+    2,
+    "Actual and expected SEC_ERROR_INVALID_TIME values should match"
+  );
+  equal(
+    histogram.values[17],
+    1,
+    "Actual and expected MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME values should match"
+  );
+  equal(
+    histogram.values[19],
+    4,
+    "Actual and expected MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT values should match"
+  );
+  equal(
+    histogram.values[20],
+    1,
+    "Actual and expected MOZILLA_PKIX_ERROR_MITM_DETECTED values should match"
+  );
+
+  let keySizeHistogram = Services.telemetry
+    .getHistogramById("CERT_CHAIN_KEY_SIZE_STATUS")
+    .snapshot();
+  equal(
+    keySizeHistogram.values[0],
+    0,
+    "Actual and expected unchecked key size values should match"
+  );
+  equal(
+    keySizeHistogram.values[1],
+    16,
+    "Actual and expected successful verifications of 2048-bit keys should match"
+  );
+  equal(
+    keySizeHistogram.values[2] || 0,
+    0,
+    "Actual and expected successful verifications of 1024-bit keys should match"
+  );
+  equal(
+    keySizeHistogram.values[3],
+    70,
+    "Actual and expected verification failures unrelated to key size should match"
+  );
+
+  run_next_test();
+}
+
+// Internally, specifying "port" -1 is the same as port 443. This tests that.
+function run_port_equivalency_test(inPort, outPort) {
+  Assert.ok(
+    (inPort == 443 && outPort == -1) || (inPort == -1 && outPort == 443),
+    "The two specified ports must be -1 and 443 (in any order)"
+  );
+  let certOverrideService = Cc[
+    "@mozilla.org/security/certoverride;1"
+  ].getService(Ci.nsICertOverrideService);
+  let cert = constructCertFromFile("bad_certs/default-ee.pem");
+  let expectedTemporary = true;
+  certOverrideService.rememberValidityOverride(
+    "example.com",
+    inPort,
+    {},
+    cert,
+    expectedTemporary
+  );
+  let actualTemporary = {};
+  Assert.ok(
+    certOverrideService.hasMatchingOverride(
+      "example.com",
+      outPort,
+      {},
+      cert,
+      actualTemporary
+    ),
+    `override set on port ${inPort} should match port ${outPort}`
+  );
+  equal(
+    actualTemporary.value,
+    expectedTemporary,
+    "input override temporary value should match output temporary value"
+  );
+  Assert.ok(
+    !certOverrideService.hasMatchingOverride("example.com", 563, {}, cert, {}),
+    `override set on port ${inPort} should not match port 563`
+  );
+  certOverrideService.clearValidityOverride("example.com", inPort, {});
+  Assert.ok(
+    !certOverrideService.hasMatchingOverride(
+      "example.com",
+      outPort,
+      {},
+      cert,
+      {}
+    ),
+    `override cleared on port ${inPort} should match port ${outPort}`
+  );
+}
+
+function run_test() {
+  run_port_equivalency_test(-1, 443);
+  run_port_equivalency_test(443, -1);
+
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+  add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+
+  let fakeOCSPResponder = new HttpServer();
+  fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
+    response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+  });
+  fakeOCSPResponder.start(8888);
+
+  add_simple_tests();
+  add_localhost_tests();
+  add_combo_tests();
+  add_distrust_tests();
+
+  add_test(function () {
+    fakeOCSPResponder.stop(check_telemetry);
+  });
+
+  run_next_test();
+}
+
+function add_simple_tests() {
+  add_cert_override_test("expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE);
+  add_cert_override_test(
+    "notyetvalid.example.com",
+    MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE
+  );
+  add_cert_override_test("before-epoch.example.com", SEC_ERROR_INVALID_TIME);
+  add_cert_override_test(
+    "before-epoch-self-signed.example.com",
+    MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
+  );
+  add_cert_override_test(
+    "selfsigned.example.com",
+    MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
+  );
+  add_cert_override_test("unknownissuer.example.com", SEC_ERROR_UNKNOWN_ISSUER);
+  add_cert_override_test(
+    "expiredissuer.example.com",
+    SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
+  );
+  add_cert_override_test(
+    "notyetvalidissuer.example.com",
+    MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE
+  );
+  add_cert_override_test(
+    "before-epoch-issuer.example.com",
+    SEC_ERROR_INVALID_TIME
+  );
+  add_cert_override_test(
+    "md5signature.example.com",
+    SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+  );
+  add_cert_override_test(
+    "emptyissuername.example.com",
+    MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME
+  );
+  // This has name information in the subject alternative names extension,
+  // but not the subject common name.
+  add_cert_override_test("mismatch.example.com", SSL_ERROR_BAD_CERT_DOMAIN);
+  // This has name information in the subject common name but not the subject
+  // alternative names extension.
+  add_cert_override_test("mismatch-CN.example.com", SSL_ERROR_BAD_CERT_DOMAIN);
+
+  // A Microsoft IIS utility generates self-signed certificates with
+  // properties similar to the one this "host" will present.
+  add_cert_override_test(
+    "selfsigned-inadequateEKU.example.com",
+    MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
+  );
+
+  add_prevented_cert_override_test(
+    "inadequatekeyusage.example.com",
+    SEC_ERROR_INADEQUATE_KEY_USAGE
+  );
+
+  // Test triggering the MitM detection. We don't set-up a proxy here. Just
+  // set the pref. Without the pref set we expect an unkown issuer error.
+  add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER);
+  add_test(function () {
+    Services.prefs.setStringPref(
+      "security.pki.mitm_canary_issuer",
+      "CN=Test MITM Root"
+    );
+    let certOverrideService = Cc[
+      "@mozilla.org/security/certoverride;1"
+    ].getService(Ci.nsICertOverrideService);
+    certOverrideService.clearValidityOverride("mitm.example.com", 8443, {});
+    run_next_test();
+  });
+  add_cert_override_test("mitm.example.com", MOZILLA_PKIX_ERROR_MITM_DETECTED);
+  add_test(function () {
+    Services.prefs.setStringPref(
+      "security.pki.mitm_canary_issuer",
+      "CN=Other MITM Root"
+    );
+    let certOverrideService = Cc[
+      "@mozilla.org/security/certoverride;1"
+    ].getService(Ci.nsICertOverrideService);
+    certOverrideService.clearValidityOverride("mitm.example.com", 8443, {});
+    run_next_test();
+  });
+  // If the canary issuer doesn't match the one we see, we exepct and unknown
+  // issuer error.
+  add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER);
+  // If security.pki.mitm_canary_issuer.enabled is false, there should always
+  // be an unknown issuer error.
+  add_test(function () {
+    Services.prefs.setBoolPref(
+      "security.pki.mitm_canary_issuer.enabled",
+      false
+    );
+    let certOverrideService = Cc[
+      "@mozilla.org/security/certoverride;1"
+    ].getService(Ci.nsICertOverrideService);
+    certOverrideService.clearValidityOverride("mitm.example.com", 8443, {});
+    run_next_test();
+  });
+  add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER);
+  add_test(function () {
+    Services.prefs.clearUserPref("security.pki.mitm_canary_issuer");
+    run_next_test();
+  });
+
+  // This is intended to test the case where a verification has failed for one
+  // overridable reason (e.g. unknown issuer) but then, in the process of
+  // reporting that error, a non-overridable error is encountered. The
+  // non-overridable error should be prioritized.
+  add_test(function () {
+    let rootCert = constructCertFromFile("bad_certs/test-ca.pem");
+    setCertTrust(rootCert, ",,");
+    run_next_test();
+  });
+  add_prevented_cert_override_test(
+    "nsCertTypeCritical.example.com",
+    SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION
+  );
+  add_test(function () {
+    let rootCert = constructCertFromFile("bad_certs/test-ca.pem");
+    setCertTrust(rootCert, "CTu,,");
+    run_next_test();
+  });
+
+  // Bug 990603: Apache documentation has recommended generating a self-signed
+  // test certificate with basic constraints: CA:true. For compatibility, this
+  // is a scenario in which an override is allowed.
+  add_cert_override_test(
+    "self-signed-end-entity-with-cA-true.example.com",
+    MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
+  );
+
+  add_cert_override_test(
+    "ca-used-as-end-entity.example.com",
+    MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
+  );
+
+  // If an X.509 version 1 certificate is not a trust anchor, we will
+  // encounter an overridable error.
+  add_cert_override_test(
+    "end-entity-issued-by-v1-cert.example.com",
+    MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA
+  );
+  // If we make that certificate a trust anchor, the connection will succeed.
+  add_test(function () {
+    let certOverrideService = Cc[
+      "@mozilla.org/security/certoverride;1"
+    ].getService(Ci.nsICertOverrideService);
+    certOverrideService.clearValidityOverride(
+      "end-entity-issued-by-v1-cert.example.com",
+      8443,
+      {}
+    );
+    let v1Cert = constructCertFromFile("bad_certs/v1Cert.pem");
+    setCertTrust(v1Cert, "CTu,,");
+    clearSessionCache();
+    run_next_test();
+  });
+  add_connection_test(
+    "end-entity-issued-by-v1-cert.example.com",
+    PRErrorCodeSuccess
+  );
+  // Reset the trust for that certificate.
+  add_test(function () {
+    let v1Cert = constructCertFromFile("bad_certs/v1Cert.pem");
+    setCertTrust(v1Cert, ",,");
+    clearSessionCache();
+    run_next_test();
+  });
+
+  // Due to compatibility issues, we allow overrides for certificates issued by
+  // certificates that are not valid CAs.
+  add_cert_override_test(
+    "end-entity-issued-by-non-CA.example.com",
+    SEC_ERROR_CA_CERT_INVALID
+  );
+
+  // This host presents a 1016-bit RSA key.
+  add_cert_override_test(
+    "inadequate-key-size-ee.example.com",
+    MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
+  );
+
+  add_cert_override_test(
+    "ipAddressAsDNSNameInSAN.example.com",
+    SSL_ERROR_BAD_CERT_DOMAIN
+  );
+  add_cert_override_test("noValidNames.example.com", SSL_ERROR_BAD_CERT_DOMAIN);
+  add_cert_override_test(
+    "badSubjectAltNames.example.com",
+    SSL_ERROR_BAD_CERT_DOMAIN
+  );
+
+  add_cert_override_test(
+    "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp",
+    SEC_ERROR_UNKNOWN_ISSUER
+  );
+  add_test(function () {
+    // At this point, the override for bug413909.xn--hxajbheg2az3al.xn--jxalpdlp
+    // is still valid. Do some additional tests relating to IDN handling.
+    let certOverrideService = Cc[
+      "@mozilla.org/security/certoverride;1"
+    ].getService(Ci.nsICertOverrideService);
+    let uri = Services.io.newURI(
+      "https://bug413909.xn--hxajbheg2az3al.xn--jxalpdlp"
+    );
+    let cert = constructCertFromFile("bad_certs/idn-certificate.pem");
+    Assert.ok(
+      certOverrideService.hasMatchingOverride(
+        uri.asciiHost,
+        8443,
+        {},
+        cert,
+        {}
+      ),
+      "IDN certificate should have matching override using ascii host"
+    );
+    Assert.throws(
+      () =>
+        !certOverrideService.hasMatchingOverride(
+          uri.displayHost,
+          8443,
+          {},
+          cert,
+          {}
+        ),
+      /NS_ERROR_ILLEGAL_VALUE/,
+      "IDN certificate should not have matching override using (non-ascii) host"
+    );
+    let invalidHost = uri.asciiHost.replace(/./g, c =>
+      String.fromCharCode(c.charCodeAt(0) | 0x100)
+    );
+    Assert.throws(
+      () =>
+        !certOverrideService.hasMatchingOverride(
+          invalidHost,
+          8443,
+          {},
+          cert,
+          {}
+        ),
+      /NS_ERROR_ILLEGAL_VALUE/,
+      "hasMatchingOverride should not truncate high-bytes"
+    );
+    run_next_test();
+  });
+
+  add_test(function () {
+    // Add a bunch of overrides...
+    let certOverrideService = Cc[
+      "@mozilla.org/security/certoverride;1"
+    ].getService(Ci.nsICertOverrideService);
+    let cert = constructCertFromFile("bad_certs/default-ee.pem");
+    certOverrideService.rememberValidityOverride(
+      "example.com",
+      443,
+      {},
+      cert,
+      false
+    );
+    Assert.ok(
+      certOverrideService.hasMatchingOverride("example.com", 443, {}, cert, {}),
+      "Should have added override for example.com:443"
+    );
+    certOverrideService.rememberValidityOverride(
+      "example.com",
+      80,
+      {},
+      cert,
+      false
+    );
+    certOverrideService.rememberValidityOverride("::1", 80, {}, cert, false);
+    Assert.ok(
+      certOverrideService.hasMatchingOverride("example.com", 80, {}, cert, {}),
+      "Should have added override for example.com:80"
+    );
+    certOverrideService.rememberValidityOverride(
+      "example.org",
+      443,
+      {},
+      cert,
+      false
+    );
+    Assert.ok(
+      certOverrideService.hasMatchingOverride("example.org", 443, {}, cert, {}),
+      "Should have added override for example.org:443"
+    );
+    Assert.ok(
+      certOverrideService.hasMatchingOverride("::1", 80, {}, cert, {}),
+      "Should have added override for [::1]:80"
+    );
+    // When in a private browsing context, overrides added in non-private
+    // contexts should match (but not vice-versa).
+    Assert.ok(
+      certOverrideService.hasMatchingOverride(
+        "example.org",
+        443,
+        { privateBrowsingId: 1 },
+        cert,
+        {}
+      ),
+      "Should have override for example.org:443 with privateBrowsingId 1"
+    );
+    Assert.ok(
+      certOverrideService.hasMatchingOverride(
+        "example.org",
+        443,
+        { privateBrowsingId: 2 },
+        cert,
+        {}
+      ),
+      "Should have override for example.org:443 with privateBrowsingId 2"
+    );
+    Assert.ok(
+      certOverrideService.hasMatchingOverride(
+        "example.org",
+        443,
+        { firstPartyDomain: "example.org", userContextId: 1 },
+        cert,
+        {}
+      ),
+      "Should ignore firstPartyDomain and userContextId when checking overrides"
+    );
+    certOverrideService.rememberValidityOverride(
+      "example.org",
+      80,
+      {},
+      cert,
+      true
+    );
+    Assert.ok(
+      certOverrideService.hasMatchingOverride("example.org", 80, {}, cert, {}),
+      "Should have added override for example.org:80"
+    );
+    certOverrideService.rememberValidityOverride(
+      "test.example.org",
+      443,
+      { firstPartyDomain: "example.org", userContextId: 1 },
+      cert,
+      false
+    );
+    Assert.ok(
+      certOverrideService.hasMatchingOverride(
+        "test.example.org",
+        443,
+        {},
+        cert,
+        {}
+      ),
+      "Should ignore firstPartyDomain and userContextId when adding overrides"
+    );
+    Assert.ok(
+      certOverrideService.hasMatchingOverride(
+        "test.example.org",
+        443,
+        { firstPartyDomain: "example.com", userContextId: 2 },
+        cert,
+        {}
+      ),
+      "Should ignore firstPartyDomain and userContextId when checking overrides"
+    );
+    certOverrideService.rememberValidityOverride(
+      "example.test",
+      443,
+      { privateBrowsingId: 1 },
+      cert,
+      false
+    );
+    Assert.ok(
+      certOverrideService.hasMatchingOverride(
+        "example.test",
+        443,
+        { privateBrowsingId: 1 },
+        cert,
+        {}
+      ),
+      "Should have added override for example.test:443 with privateBrowsingId 1"
+    );
+    Assert.ok(
+      !certOverrideService.hasMatchingOverride(
+        "example.test",
+        443,
+        { privateBrowsingId: 2 },
+        cert,
+        {}
+      ),
+      "Should not have override for example.test:443 with privateBrowsingId 2"
+    );
+    Assert.ok(
+      !certOverrideService.hasMatchingOverride(
+        "example.test",
+        443,
+        {},
+        cert,
+        {}
+      ),
+      "Should not have override for example.test:443 with non-private OriginAttributes"
+    );
+    // Clear them all...
+    certOverrideService.clearAllOverrides();
+
+    // And ensure they're all gone.
+    Assert.ok(
+      !certOverrideService.hasMatchingOverride(
+        "example.com",
+        443,
+        {},
+        cert,
+        {}
+      ),
+      "Should have removed override for example.com:443"
+    );
+    Assert.ok(
+      !certOverrideService.hasMatchingOverride("example.com", 80, {}, cert, {}),
+      "Should have removed override for example.com:80"
+    );
+    Assert.ok(
+      !certOverrideService.hasMatchingOverride(
+        "example.org",
+        443,
+        {},
+        cert,
+        {}
+      ),
+      "Should have removed override for example.org:443"
+    );
+    Assert.ok(
+      !certOverrideService.hasMatchingOverride("example.org", 80, {}, cert, {}),
+      "Should have removed override for example.org:80"
+    );
+    Assert.ok(
+      !certOverrideService.hasMatchingOverride(
+        "example.org",
+        443,
+        { privateBrowsingId: 1 },
+        cert,
+        {}
+      ),
+      "Should have removed override for example.org:443 with privateBrowsingId 1"
+    );
+
+    run_next_test();
+  });
+}
+
+function add_localhost_tests() {
+  add_cert_override_test("localhost", SEC_ERROR_UNKNOWN_ISSUER);
+  add_cert_override_test("127.0.0.1", SSL_ERROR_BAD_CERT_DOMAIN);
+  add_cert_override_test("::1", SSL_ERROR_BAD_CERT_DOMAIN);
+}
+
+function add_combo_tests() {
+  add_cert_override_test(
+    "mismatch-expired.example.com",
+    SSL_ERROR_BAD_CERT_DOMAIN
+  );
+  add_cert_override_test(
+    "mismatch-notYetValid.example.com",
+    SSL_ERROR_BAD_CERT_DOMAIN
+  );
+  add_cert_override_test(
+    "mismatch-untrusted.example.com",
+    SEC_ERROR_UNKNOWN_ISSUER
+  );
+  add_cert_override_test(
+    "untrusted-expired.example.com",
+    SEC_ERROR_UNKNOWN_ISSUER
+  );
+  add_cert_override_test(
+    "mismatch-untrusted-expired.example.com",
+    SEC_ERROR_UNKNOWN_ISSUER
+  );
+
+  add_cert_override_test(
+    "md5signature-expired.example.com",
+    SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+  );
+
+  add_cert_override_test(
+    "ca-used-as-end-entity-name-mismatch.example.com",
+    MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
+  );
+}
+
+function add_distrust_tests() {
+  // Before we specifically distrust this certificate, it should be trusted.
+  add_connection_test("untrusted.example.com", PRErrorCodeSuccess);
+
+  add_distrust_test(
+    "bad_certs/default-ee.pem",
+    "untrusted.example.com",
+    SEC_ERROR_UNTRUSTED_CERT
+  );
+
+  add_distrust_test(
+    "bad_certs/other-test-ca.pem",
+    "untrustedissuer.example.com",
+    SEC_ERROR_UNTRUSTED_ISSUER
+  );
+
+  add_distrust_test(
+    "bad_certs/test-ca.pem",
+    "ca-used-as-end-entity.example.com",
+    SEC_ERROR_UNTRUSTED_ISSUER
+  );
+}
+
+function add_distrust_test(certFileName, hostName, expectedResult) {
+  let certToDistrust = constructCertFromFile(certFileName);
+
+  add_test(function () {
+    // Add an entry to the NSS certDB that says to distrust the cert
+    setCertTrust(certToDistrust, "pu,,");
+    clearSessionCache();
+    run_next_test();
+  });
+  add_prevented_cert_override_test(hostName, expectedResult);
+  add_test(function () {
+    setCertTrust(certToDistrust, "u,,");
+    run_next_test();
+  });
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js b/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js
new file mode 100644
index 0000000000..1d2c2c1727
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js
@@ -0,0 +1,94 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Tests that permanent certificate error overrides can be added even if the
+// certificate/key databases are in read-only mode.
+
+// Helper function for add_read_only_cert_override_test. Probably doesn't need
+// to be called directly.
+function add_read_only_cert_override(aHost, aSecurityInfo) {
+  let cert = aSecurityInfo.serverCert;
+  let certOverrideService = Cc[
+    "@mozilla.org/security/certoverride;1"
+  ].getService(Ci.nsICertOverrideService);
+  // Setting the last argument to false here ensures that we attempt to store a
+  // permanent override (which is what was failing in bug 1427273).
+  certOverrideService.rememberValidityOverride(aHost, 8443, {}, cert, false);
+}
+
+// Given a host and an expected error code, tests that an initial connection to
+// the host fails with the expected errors and that adding an override results
+// in a subsequent connection succeeding.
+function add_read_only_cert_override_test(aHost, aExpectedError) {
+  add_connection_test(
+    aHost,
+    aExpectedError,
+    null,
+    add_read_only_cert_override.bind(this, aHost)
+  );
+  add_connection_test(aHost, PRErrorCodeSuccess, null, aSecurityInfo => {
+    Assert.ok(
+      aSecurityInfo.securityState &
+        Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
+      "Cert override flag should be set on the security state"
+    );
+  });
+}
+
+function run_test() {
+  let profile = do_get_profile();
+  const KEY_DB_NAME = "key4.db";
+  const CERT_DB_NAME = "cert9.db";
+  let srcKeyDBFile = do_get_file(
+    `test_cert_overrides_read_only/${KEY_DB_NAME}`
+  );
+  srcKeyDBFile.copyTo(profile, KEY_DB_NAME);
+  let srcCertDBFile = do_get_file(
+    `test_cert_overrides_read_only/${CERT_DB_NAME}`
+  );
+  srcCertDBFile.copyTo(profile, CERT_DB_NAME);
+
+  // set the databases to read-only
+  let keyDBFile = do_get_profile();
+  keyDBFile.append(KEY_DB_NAME);
+  keyDBFile.permissions = 0o400;
+  let certDBFile = do_get_profile();
+  certDBFile.append(CERT_DB_NAME);
+  certDBFile.permissions = 0o400;
+
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+  // Specifying false as the last argument means we don't try to add the default
+  // test root CA (which would fail).
+  add_tls_server_setup("BadCertAndPinningServer", "bad_certs", false);
+
+  let fakeOCSPResponder = new HttpServer();
+  fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
+    response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+  });
+  fakeOCSPResponder.start(8888);
+
+  // Since we can't add the root CA to the (read-only) trust db, all of these
+  // will result in an "unknown issuer error" and need the "untrusted" error bit
+  // set in addition to whatever other specific error bits are necessary.
+  add_read_only_cert_override_test(
+    "expired.example.com",
+    SEC_ERROR_UNKNOWN_ISSUER
+  );
+  add_read_only_cert_override_test(
+    "selfsigned.example.com",
+    MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
+  );
+  add_read_only_cert_override_test(
+    "mismatch.example.com",
+    SEC_ERROR_UNKNOWN_ISSUER
+  );
+
+  add_test(function () {
+    fakeOCSPResponder.stop(run_next_test);
+  });
+
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_overrides_read_only/cert9.db b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/cert9.db
new file mode 100644
index 0000000000..3d452f335c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/cert9.db
diff --git a/security/manager/ssl/tests/unit/test_cert_overrides_read_only/key4.db b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/key4.db
new file mode 100644
index 0000000000..44d0cb1728
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/key4.db
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1.js b/security/manager/ssl/tests/unit/test_cert_sha1.js
new file mode 100644
index 0000000000..f0a95bcd61
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1.js
@@ -0,0 +1,53 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests the rejection of SHA-1 certificates.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+// (new Date("2016-03-01")).getTime() / 1000
+const VALIDATION_TIME = 1456790400;
+
+function certFromFile(certName) {
+  return constructCertFromFile("test_cert_sha1/" + certName + ".pem");
+}
+
+function loadCertWithTrust(certName, trustString) {
+  addCertFromFile(certdb, "test_cert_sha1/" + certName + ".pem", trustString);
+}
+
+function checkEndEntity(cert, expectedResult) {
+  return checkCertErrorGenericAtTime(
+    certdb,
+    cert,
+    expectedResult,
+    certificateUsageSSLServer,
+    VALIDATION_TIME
+  );
+}
+
+add_task(async function () {
+  loadCertWithTrust("ca", "CTu,,");
+  loadCertWithTrust("int-pre", ",,");
+  loadCertWithTrust("int-post", ",,");
+
+  await checkEndEntity(
+    certFromFile("ee-pre_int-pre"),
+    SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+  );
+  await checkEndEntity(
+    certFromFile("ee-post_int-pre"),
+    SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+  );
+  await checkEndEntity(
+    certFromFile("ee-post_int-post"),
+    SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+  );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem
new file mode 100644
index 0000000000..60140056de
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUUbC4F7yPobFDd+B73iWKejQ3THkwDQYJKoZIhvcNAQEF
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDUwMDEwMTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAsGA1UdDwQEAwIBBjAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCU+Y0AeMXFIfX4/L2aX37uSR70
+pGpPrh0FPOwBO2ETUc4j7Whol9wOSPnUwuPIpiDhar5qRuhY6aCPGTIJbRZrVeXv
+T5uFQXq+3CQdIyI55AkFDh9tO7wX7p3pRgzma47mBxIH082Uwy7+eEeQfhuJ5cU4
+e/zyHf6FEdkSrDjgwDip+dn8Q7tnjdaN3WYQjOFRXkHyYCIFkORDPTbYSYZ6DAqq
+Q/loKTdrcbyeEwFVBZxQu4Nb6mjhkfk8U+8TIGMCTQXhoQhgMWMeMo2E0kWvYbjc
+YDiRzmnsdvPu2LKnTvH28M9ODi3ZzcOuLs6jAKAiXISq0CbmwaddV/oAMoF2
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem.certspec
new file mode 100644
index 0000000000..7e65e9ee30
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem.certspec
@@ -0,0 +1,6 @@
+issuer:ca
+subject:ca
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
+signature:sha1WithRSAEncryption
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem
new file mode 100644
index 0000000000..8fb93e69e3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtTCCAZ2gAwIBAgIUJWQl8gkrLL7gPn47YYMdN7qBP5wwDQYJKoZIhvcNAQEF
+BQAwEzERMA8GA1UEAwwIaW50LXBvc3QwIhgPMjAxNjAxMDIwMDAwMDBaGA8yMDE3
+MDIwMTAwMDAwMFowEjEQMA4GA1UEAwwHZWUtcG9zdDCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7
+wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp
+k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh
+eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW
+EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc
+JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B
+AQUFAAOCAQEAVOPvLS8zwos/RdClnabdxMh5g1WN5T1BsIMExE6oU6sJ7n4HyIXt
+RnFTFe0t2CdXBCQPK6qG8ymeLQFNKykYlQxVZb8m5YgUK3k4IeMS/EoX4g7taREI
+IwK9/n7+oKZYlz2Q/ro/R2HFmLXsCIUrsxV3vAWQCm8rSeCKzEVNlDaQ5FEMVAM7
+VlNhNNKtUnXkzZ3SRj6O4eOq3G4azr5DNo5kAQPaIbAI3k/3AHyPqIjHcoSiG1Ug
+aqzIK6fNNCIAxIKAY2ERJfxA4fPlBZXono2sCOgCdFfF7QAo+o9SO8v3B+djuHgb
+flbfdyEnN+y32UpYe3qV8LnFmRqGAe/vbQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem.certspec
new file mode 100644
index 0000000000..76834f8447
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-post
+subject:ee-post
+validity:20160102-20170201
+signature:sha1WithRSAEncryption
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem
new file mode 100644
index 0000000000..2385322a64
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtDCCAZygAwIBAgIUIVsTCuql4BDO2r4O5zePBEoHg3QwDQYJKoZIhvcNAQEF
+BQAwEjEQMA4GA1UEAwwHaW50LXByZTAiGA8yMDE2MDEwMTAwMDAwMFoYDzIwMTcw
+MjAxMDAwMDAwWjASMRAwDgYDVQQDDAdlZS1wb3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB
+BQUAA4IBAQCW5zeJg+LzGn07GtdBprRLarL7aLNFSr+s+3yzphq9kN43prElX6eD
+gdggPWicZozTm3IFLfJfsuhiodBZjWmkF/dsvvT3W77AcKzNWjShCnnA/Vf5IF6k
+U01ROfjmgcX0mMuhVUB7b9Fl6G5DFxJgny2jYehZcJIzWUBLiwu41TIxj5Cv5F9p
++XIHEyygqm8rYzbW8F49FRbsDD9nvhmdVqXsoTaKxY8bsKKu1EpBSBXozRbLKcAn
+/zrLy0HHS4qfXTHm0UKt+RCYVylL5I5YGR6rapXHChkBTBHFXdkPVsW5uHKBdBqY
+98zoAAMWRvJ3xOuqAbtKG6DKadiOpz6l
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem.certspec
new file mode 100644
index 0000000000..1e8bb35b34
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-pre
+subject:ee-post
+validity:20160101-20170201
+signature:sha1WithRSAEncryption
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem
new file mode 100644
index 0000000000..11a5e41e99
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUOU+CyYnf3GRRgGHvbeJB8HTUvJ4wDQYJKoZIhvcNAQEF
+BQAwEjEQMA4GA1UEAwwHaW50LXByZTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMTcw
+MjAxMDAwMDAwWjARMQ8wDQYDVQQDDAZlZS1wcmUwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEF
+BQADggEBACWLcVnT0nNyU/qFZNDZPGDFPuZCXuodBf3sgz1XDmcp5wlH+IjW3J8H
+3HH6ZwIUpTtppqVxuvo2y9GP+GNyeXhxmokHTVdKDj8HqYl5lV+reO1UmzEH0AU8
+x3hd2Fkzv/h3N3EPVETWuPiFSB0oAN/xwsXC/7Yi4AY0s/I/4q/vkS76Oa2RyL3f
+gbaa80+nR73BX+0wRqyg+Sgo2hOzjkCQchtZPUFYsRLhsHHBnokD8GJlT7NBKSN1
+TFt6uXpfEmqDICoyZoAw6rtnFfdEsZNo+PU6NDN3T0fkolBQPvuzfqcqAl85dpJK
+ow8mFKkb2t6qQH98yabi/172l03/P34=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem.certspec
new file mode 100644
index 0000000000..0f4a6ec257
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-pre
+subject:ee-pre
+validity:20150101-20170201
+signature:sha1WithRSAEncryption
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem
new file mode 100644
index 0000000000..94ab4f5b15
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzzCCAbegAwIBAgIUYQ6xulHM0FrQ0sKMdbPI2ecC3PcwDQYJKoZIhvcNAQEF
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjAxMDEwMDAwMDBaGA8yMDI2MDEwMTAw
+MDAwMFowEzERMA8GA1UEAwwIaW50LXBvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg
+2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ
+5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ
+PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj
+DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W
+iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAsGA1UdDwQEAwIB
+BjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCJN8/XexXMusXYbhVW
+uYA1YpaSTrz96CXlckIuABnzCrGD5iHkfFoB0LPKd+EZ80fdHIvS1zQTYohy6O95
+JageOaTY9HsOEqsgr1BA9VKZW4QlGp7csQzNMa52WRetimv6XY/lrfPf4qAhomWG
+/ImmLJpGTVPhEdz6Pl4Kvmf9zNf/BcXtBTWLSGWUC5UItC58WTopqcr5kLg3DmXB
+Qr7DjqA7DT92N6qefFkTYspDZJzv0nL9OfqkdCj/s6bm3iisTQq3aek6IP6OEkXF
+4TWUF3RDBsyRpG8jt/XsOsrwJDOGZGFPmMTz2uZPsZkeZhU+sfFDWL7wojl7kHV1
+c7f5
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem.certspec
new file mode 100644
index 0000000000..50156c9f6e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem.certspec
@@ -0,0 +1,6 @@
+issuer:ca
+subject:int-post
+validity:20160101-20260101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
+signature:sha1WithRSAEncryption
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem
new file mode 100644
index 0000000000..0b916d5755
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAgIUYW27TGzVOIbjpG1ADx7m7mZnrNQwDQYJKoZIhvcNAQEF
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDIwMDEwMTAw
+MDAwMFowEjEQMA4GA1UEAwwHaW50LXByZTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY
+H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk
+27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9
+0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM
+kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL
+L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswCwYDVR0PBAQDAgEG
+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAESNgcKkxBwkaBykKo2Q
+GzgimnI3eNw8O8GrhefL+r3Ek/CH4/oBHGvfvrz6D19uemdOyHxo5QNW2iWEq0No
+pE6Hhm504P1fdkfQvjqjIhu/h3y5QjO3zdMGeVE/39TWAGrGsNFKE+jSxm8IbycF
+Ue6165agasf+PhQdorjFca48iLcowKYs5Df0SAhY7zbw1fM1HTr1YGAXc1K9aCA5
+fTmu8Nd0fNKc1NcbNDpdCG2YEj1nox1iMN5A4nY1ve88zJsnlpfsoJkHJqo2Cy+M
+mpQSnkTlf3Gfpl8NO3UW9FTcnK8L4Ix2DSNBDe8Yg2YL5w/VIxecFwlmwV0wWdg6
+vl0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem.certspec
new file mode 100644
index 0000000000..9f0a59ee99
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem.certspec
@@ -0,0 +1,6 @@
+issuer:ca
+subject:int-pre
+validity:20100101-20200101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
+signature:sha1WithRSAEncryption
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures.js b/security/manager/ssl/tests/unit/test_cert_signatures.js
new file mode 100644
index 0000000000..73858afe37
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures.js
@@ -0,0 +1,140 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that certificates cannot be tampered with without being detected.
+// Tests a combination of cases: RSA signatures, ECDSA signatures, certificate
+// chains where the intermediate has been tampered with, chains where the
+// end-entity has been tampered, tampering of the signature, and tampering in
+// the rest of the certificate.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+var certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+// Reads a PEM-encoded certificate, modifies the nth byte (0-indexed), and
+// returns the base64-encoded bytes of the certificate. Negative indices may be
+// specified to modify a byte from the end of the certificate.
+function readAndTamperWithNthByte(certificatePath, n) {
+  let pem = readFile(do_get_file(certificatePath, false));
+  let der = atob(pemToBase64(pem));
+  if (n < 0) {
+    // remember, n is negative at this point
+    n = der.length + n;
+  }
+  let replacement = "\x22";
+  if (der.charCodeAt(n) == replacement) {
+    replacement = "\x23";
+  }
+  der = der.substring(0, n) + replacement + der.substring(n + 1);
+  return btoa(der);
+}
+
+// The signature on certificates appears last. This should modify the contents
+// of the signature such that it no longer validates correctly while still
+// resulting in a structurally valid certificate.
+const BYTE_IN_SIGNATURE = -8;
+function addSignatureTamperedCertificate(certificatePath) {
+  let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SIGNATURE);
+  certdb.addCertFromBase64(base64, ",,");
+}
+
+function ensureSignatureVerificationFailure(certificatePath) {
+  let cert = constructCertFromFile(certificatePath);
+  return checkCertErrorGeneric(
+    certdb,
+    cert,
+    SEC_ERROR_BAD_SIGNATURE,
+    certificateUsageSSLServer
+  );
+}
+
+function tamperWithSignatureAndEnsureVerificationFailure(certificatePath) {
+  let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SIGNATURE);
+  let cert = certdb.constructX509FromBase64(base64);
+  return checkCertErrorGeneric(
+    certdb,
+    cert,
+    SEC_ERROR_BAD_SIGNATURE,
+    certificateUsageSSLServer
+  );
+}
+
+// The beginning of a certificate looks like this (in hex, using DER):
+// 30 XX XX XX [the XX encode length - there are probably 3 bytes here]
+//    30 XX XX XX [length again]
+//       A0 03
+//          02 01
+//             02
+//       02 XX [length again - 1 byte as long as we're using pycert]
+//          XX XX ... [serial number - 20 bytes as long as we're using pycert]
+// Since we want to modify the serial number, we need to change something from
+// byte 15 to byte 34 (0-indexed). If it turns out that the two length sections
+// we assumed were 3 bytes are shorter (they can't be longer), modifying
+// something from byte 15 to byte 30 will still get us what we want. Since the
+// serial number is a DER INTEGER and because it must be positive, it's best to
+// skip the first two bytes of the serial number so as to not run into any
+// issues there. Thus byte 17 is a good byte to modify.
+const BYTE_IN_SERIAL_NUMBER = 17;
+function addSerialNumberTamperedCertificate(certificatePath) {
+  let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SERIAL_NUMBER);
+  certdb.addCertFromBase64(base64, ",,");
+}
+
+function tamperWithSerialNumberAndEnsureVerificationFailure(certificatePath) {
+  let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SERIAL_NUMBER);
+  let cert = certdb.constructX509FromBase64(base64);
+  return checkCertErrorGeneric(
+    certdb,
+    cert,
+    SEC_ERROR_BAD_SIGNATURE,
+    certificateUsageSSLServer
+  );
+}
+
+add_task(async function () {
+  addCertFromFile(certdb, "test_cert_signatures/ca-rsa.pem", "CTu,,");
+  addCertFromFile(certdb, "test_cert_signatures/ca-secp384r1.pem", "CTu,,");
+
+  // Tamper with the signatures on intermediate certificates and ensure that
+  // end-entity certificates issued by those intermediates do not validate
+  // successfully.
+  addSignatureTamperedCertificate("test_cert_signatures/int-rsa.pem");
+  addSignatureTamperedCertificate("test_cert_signatures/int-secp384r1.pem");
+  await ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem");
+  await ensureSignatureVerificationFailure(
+    "test_cert_signatures/ee-secp384r1.pem"
+  );
+
+  // Tamper with the signatures on end-entity certificates and ensure that they
+  // do not validate successfully.
+  await tamperWithSignatureAndEnsureVerificationFailure(
+    "test_cert_signatures/ee-rsa-direct.pem"
+  );
+  await tamperWithSignatureAndEnsureVerificationFailure(
+    "test_cert_signatures/ee-secp384r1-direct.pem"
+  );
+
+  // Tamper with the serial numbers of intermediate certificates and ensure
+  // that end-entity certificates issued by those intermediates do not validate
+  // successfully.
+  addSerialNumberTamperedCertificate("test_cert_signatures/int-rsa.pem");
+  addSerialNumberTamperedCertificate("test_cert_signatures/int-secp384r1.pem");
+  await ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem");
+  await ensureSignatureVerificationFailure(
+    "test_cert_signatures/ee-secp384r1.pem"
+  );
+
+  // Tamper with the serial numbers of end-entity certificates and ensure that
+  // they do not validate successfully.
+  await tamperWithSerialNumberAndEnsureVerificationFailure(
+    "test_cert_signatures/ee-rsa-direct.pem"
+  );
+  await tamperWithSerialNumberAndEnsureVerificationFailure(
+    "test_cert_signatures/ee-secp384r1-direct.pem"
+  );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem
new file mode 100644
index 0000000000..60fb8c8280
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUT8jfl072RlfOreJkjWraanVZqnUwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGY2EtcnNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBExDzANBgNVBAMMBmNhLXJzYTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBACAWVqoxSxIyJ0Am
+28SrJn1ussg8npP2ETHrTfoynoV5bz8qNIoK0draCheU4gKNut8dZ68mkj8gMSoj
+vxGfXMRW3FNIrAKbn/Asuyjz2MD9LHRvf4ELypEIywS0bBDdV1sWSbek9XU7uobz
+mQMvn/HzTo4PW2+N9M+V0SEj2WV8fY7j1YHmggnmDy2TJrgrviXeJC9StlifNQy8
+GwN7EDctuJ0epoKzpKJGTdSLOty4FyuAEfY2MKQcvvP5xk6u8rEWCbbEq7gW4Voo
+F8EbC8AauuFRyXgD3hN3YHgFvRatXMF0y/w/g6RH3Phl+1P5kxTz702UJradTjzo
+zRHh5Pc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem.certspec
new file mode 100644
index 0000000000..5890d2db60
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca-rsa
+subject:ca-rsa
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem
new file mode 100644
index 0000000000..7a6421456b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBjzCCARSgAwIBAgIUU56dEINjI+b83xJvJn1PQt/p41YwCgYIKoZIzj0EAwIw
+FzEVMBMGA1UEAwwMY2Etc2VjcDM4NHIxMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAy
+NDAyMDUwMDAwMDBaMBcxFTATBgNVBAMMDGNhLXNlY3AzODRyMTB2MBAGByqGSM49
+AgEGBSuBBAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMt
+qM6Y6DFTTmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC
+8Fr3Gh/dzIN0qm6pzqMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYI
+KoZIzj0EAwIDaQAwZgIxAO0GJz6haDpUtNgaQ3SESJY85j6+gRcD7Nc9cvCiVAZZ
+1OxFRuhW515lVbeTqfcA8wIxAIr+3diKqPT5EEiOXgoswSP8CwuLNe4pc6AjdCV+
+dnE9Ibr64s45zjHfjcRLja/Z+w==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem.certspec
new file mode 100644
index 0000000000..0701c23c1e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem.certspec
@@ -0,0 +1,7 @@
+issuer:ca-secp384r1
+subject:ca-secp384r1
+issuerKey:secp384r1
+subjectKey:secp384r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem
new file mode 100644
index 0000000000..46e6e5ceae
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuTCCAaGgAwIBAgIUGzRGmvrzu+NFvnMfZjX1GG3QF4gwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGY2EtcnNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBgxFjAUBgNVBAMMDWVlLXJzYS1kaXJlY3QwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZI
+hvcNAQELBQADggEBAHtV0do2QpXEzm8OwnFt1LVlNqxaVCRKFENCc9nOKBHODbhS
+/6YZcvI/CNn1JNFhDgHKiTdiiYdu2aqy0Y6WbnSzHqfHmGrvLBskMH+6xDK+6qSp
+bvTR6iWyUql7X4K/J1VGeXAZHFysbxlvrhONSkRHZBDv+4nu3zEB6euIFeCMfGNH
+sxgp9I51d3vb8JiRqvB0FA5FcN7Od2MHv008rcXRAcCfKvm7DX25ZLVX9hSmPD/4
+KiJFK6nidDiguIkaD558IFp0Oc/5zOP0iGpynzICRuuAOdO5lAXMpzRrJzftvQiP
+B3+ED28z7nuI0nkSMBWlpIy/uL7s4VaChR/uSEo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem.certspec
new file mode 100644
index 0000000000..4e25ddcf94
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca-rsa
+subject:ee-rsa-direct
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem
new file mode 100644
index 0000000000..1eafd948f2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUSTmi0SZM0FZ2whVeqfymGPKOiZ8wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHaW50LXJzYTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjARMQ8wDQYDVQQDDAZlZS1yc2EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAIFbfCcJOg5Q4wsfmHgwyx4P80o11WKLC6UytwA17yc47sCGx8+df/Ac
+KxrG4j0pVqee/61NxpwvIozJV8k2aoj8pDmECa4CfbHpikSU6Gd0xWX3zl/z6gAl
+6w0LIrIFk5edWlcLwrH3zX5FmukXcXb5oiEubSoaO2F78ws1UXzA7AzMoY5yZEbM
+0fAJr3f1KMpdOY8nNLIctzD23oFxeiN/HuzE4KI2FLXjYsMFYGXo8cMJlwnRxr05
+L5Po1VCe6lzFAZpC62S4l9BKlPHOOtBL77RNVz07KDxKyzoTMWRw7EgYp5HyvBa6
+lG8GpcFyJcMN5eq2PTKxrEaZKu73PQ8=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem.certspec
new file mode 100644
index 0000000000..b974a0a0a8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-rsa
+subject:ee-rsa
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem
new file mode 100644
index 0000000000..d66fd61ef5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBdjCB/KADAgECAhRFwdFDhUYutDxj04OT4wqoqfIMRTAKBggqhkjOPQQDAjAX
+MRUwEwYDVQQDDAxjYS1zZWNwMzg0cjEwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0
+MDIwNTAwMDAwMFowHjEcMBoGA1UEAwwTZWUtc2VjcDM4NHIxLWRpcmVjdDB2MBAG
+ByqGSM49AgEGBSuBBAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22CO
+JS3ktxMtqM6Y6DFTTmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXED
+viiIz/AC8Fr3Gh/dzIN0qm6pzjAKBggqhkjOPQQDAgNpADBmAjEA7QYnPqFoOlS0
+2BpDdIRIljzmPr6BFwPs1z1y8KJUBlnU7EVG6FbnXmVVt5Op9wDzAjEAu7C/bumy
+Dq9mke/MI7TCi3WKCJ5jFXDA2qErfTjJQ2FvSVk4970Vd78vSR8e7xZ3
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem.certspec
new file mode 100644
index 0000000000..386ab95f78
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca-secp384r1
+subject:ee-secp384r1-direct
+issuerKey:secp384r1
+subjectKey:secp384r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem
new file mode 100644
index 0000000000..b3a310303a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbzCB9qADAgECAhRHCf3/9aTW4X0AHQfxJGe+P2tNazAKBggqhkjOPQQDAjAY
+MRYwFAYDVQQDDA1pbnQtc2VjcDM4NHIxMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAy
+NDAyMDUwMDAwMDBaMBcxFTATBgNVBAMMDGVlLXNlY3AzODRyMTB2MBAGByqGSM49
+AgEGBSuBBAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMt
+qM6Y6DFTTmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC
+8Fr3Gh/dzIN0qm6pzjAKBggqhkjOPQQDAgNoADBlAjEA7QYnPqFoOlS02BpDdIRI
+ljzmPr6BFwPs1z1y8KJUBlnU7EVG6FbnXmVVt5Op9wDzAjBtn1PwZNY1ZR//hvpP
+r6deQnBTAS/f09KRS1DnuZypQdLFxlHVuGb3U5PL5bF298A=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem.certspec
new file mode 100644
index 0000000000..b8f7993be8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-secp384r1
+subject:ee-secp384r1
+issuerKey:secp384r1
+subjectKey:secp384r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem
new file mode 100644
index 0000000000..f886a9a3a6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0jCCAbqgAwIBAgIUActQ49AIBGNcpw2ugrUFaaE2qMIwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGY2EtcnNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBIxEDAOBgNVBAMMB2ludC1yc2EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQF
+MAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBskZ1Lc1PHuC2r
+Jk317zOhzQlXtGCx7EbKq+wd4kdb/1dnjEiLqgASktBIaNd2249DZC1bpiF+DGYR
+k1D7DBfduygiukI3/MY19+tvUaM0C2RCo+H69pjFKGS0y9mVSxm15iwk4+DzAOpC
+Q/duzYUflOQJVDL6adPWubRAlAk9p1n4LDD9JQhuGIE5Tt4MytjxN6aGSNb6erFd
+mDgRS4dLN8JdwyI0b1AVIFulCpimnS/jf9PSEKD63xZmL/ofqXGe/V5OA3LsmHkw
+rIocCL7q/F4wImI2hELlEVsT9O6hAFSC6yVtvSCsh1421+QR1xqrfqY6luO4rMK2
+AdB34jUa
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem.certspec
new file mode 100644
index 0000000000..a86d28b44a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca-rsa
+subject:int-rsa
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem
new file mode 100644
index 0000000000..5a62aaf50a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBjzCCARWgAwIBAgIUKebpNrQIc1+bS1ss5l/kfaGctGwwCgYIKoZIzj0EAwIw
+FzEVMBMGA1UEAwwMY2Etc2VjcDM4NHIxMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAy
+NDAyMDUwMDAwMDBaMBgxFjAUBgNVBAMMDWludC1zZWNwMzg0cjEwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAAShaHJDNitcexiJ83kVRhWhxz+0je6GPgIpFdtgjiUt5LcT
+LajOmOgxU05qnAwLCcjWOa3oMgbluoE0c6EfozDgXajJbkOD/ieHPalxA74oiM/w
+AvBa9xof3cyDdKpuqc6jHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG
+CCqGSM49BAMCA2gAMGUCMQDtBic+oWg6VLTYGkN0hEiWPOY+voEXA+zXPXLwolQG
+WdTsRUboVudeZVW3k6n3APMCMD4MFMoR0AN/qV8Z7nT39tgi0LNpH8s05ltV61rc
+qqcPR+e8kOLUxDV29JfJM4icfg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem.certspec
new file mode 100644
index 0000000000..e002a1569a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem.certspec
@@ -0,0 +1,7 @@
+issuer:ca-secp384r1
+subject:int-secp384r1
+issuerKey:secp384r1
+subjectKey:secp384r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_cert_storage.js b/security/manager/ssl/tests/unit/test_cert_storage.js
new file mode 100644
index 0000000000..e6bd4d944b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage.js
@@ -0,0 +1,258 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This test checks a number of things:
+// * it ensures that data loaded from revocations.txt on startup is present
+// * it ensures that data served from OneCRL are persisted correctly
+// * it ensures that items in the CertBlocklist are seen as revoked by the
+//   cert verifier
+// * it does a sanity check to ensure other cert verifier behavior is
+//   unmodified
+
+const { RemoteSecuritySettings } = ChromeUtils.importESModule(
+  "resource://gre/modules/psm/RemoteSecuritySettings.sys.mjs"
+);
+
+// First, we need to setup appInfo for the blocklist service to work
+var id = "xpcshell@tests.mozilla.org";
+var appName = "XPCShell";
+var version = "1";
+var platformVersion = "1.9.2";
+const { updateAppInfo } = ChromeUtils.importESModule(
+  "resource://testing-common/AppInfo.sys.mjs"
+);
+updateAppInfo({
+  name: appName,
+  ID: id,
+  version,
+  platformVersion: platformVersion ? platformVersion : "1.0",
+  crashReporter: true,
+});
+
+// we need to ensure we setup revocation data before certDB, or we'll start with
+// no revocation.txt in the profile
+var gProfile = do_get_profile();
+
+var gRevocations = gProfile.clone();
+gRevocations.append("revocations.txt");
+if (!gRevocations.exists()) {
+  let existing = do_get_file("test_onecrl/sample_revocations.txt", false);
+  existing.copyTo(gProfile, "revocations.txt");
+}
+
+var certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+const certBlocklist = [
+  // test with some bad data ...
+  {
+    issuerName: "Some nonsense in issuer",
+    serialNumber: "AkHVNA==",
+  },
+  {
+    issuerName: "MA0xCzAJBgNVBAMMAmNh",
+    serialNumber: "some nonsense in serial",
+  },
+  {
+    issuerName: "and serial",
+    serialNumber: "some nonsense in both issuer",
+  },
+  // some mixed
+  // In these case, the issuer name and the valid serialNumber correspond
+  // to test-int.pem in bad_certs/
+  {
+    issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+    serialNumber: "oops! more nonsense.",
+  },
+  {
+    issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+    serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=",
+  },
+  // ... and some good
+  // In this case, the issuer name and the valid serialNumber correspond
+  // to other-test-ca.pem in bad_certs/ (for testing root revocation)
+  {
+    issuerName: "MBgxFjAUBgNVBAMMDU90aGVyIHRlc3QgQ0E=",
+    serialNumber: "Rym6o+VN9xgZXT/QLrvN/nv1ZN4=",
+  },
+  // These items correspond to an entry in sample_revocations.txt where:
+  // isser name is the base-64 encoded subject DN for the shared Test
+  // Intermediate and the serialNumbers are base-64 encoded 78 and 31,
+  // respectively.
+  // We need this to ensure that existing items are retained if they're
+  // also in the blocklist
+  {
+    issuerName: "MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl",
+    serialNumber: "Tg==",
+  },
+  {
+    issuerName: "MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl",
+    serialNumber: "Hw==",
+  },
+  // This item revokes same-issuer-ee.pem by subject and pubKeyHash.
+  {
+    subject: "MCIxIDAeBgNVBAMMF0Fub3RoZXIgVGVzdCBFbmQtZW50aXR5",
+    pubKeyHash: "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=",
+  },
+];
+
+function verify_cert(file, expectedError) {
+  let ee = constructCertFromFile(file);
+  return checkCertErrorGeneric(
+    certDB,
+    ee,
+    expectedError,
+    certificateUsageSSLServer
+  );
+}
+
+// The certificate blocklist currently only applies to TLS server certificates.
+async function verify_non_tls_usage_succeeds(file) {
+  let ee = constructCertFromFile(file);
+  await checkCertErrorGeneric(
+    certDB,
+    ee,
+    PRErrorCodeSuccess,
+    certificateUsageSSLClient
+  );
+  await checkCertErrorGeneric(
+    certDB,
+    ee,
+    PRErrorCodeSuccess,
+    certificateUsageEmailSigner
+  );
+  await checkCertErrorGeneric(
+    certDB,
+    ee,
+    PRErrorCodeSuccess,
+    certificateUsageEmailRecipient
+  );
+}
+
+function load_cert(cert, trust) {
+  let file = "bad_certs/" + cert + ".pem";
+  addCertFromFile(certDB, file, trust);
+}
+
+async function update_blocklist() {
+  const { OneCRLBlocklistClient } = RemoteSecuritySettings.init();
+
+  const fakeEvent = {
+    current: certBlocklist, // with old .txt revocations.
+    deleted: [],
+    created: certBlocklist, // with new cert storage.
+    updated: [],
+  };
+  await OneCRLBlocklistClient.emit("sync", { data: fakeEvent });
+  // Save the last check timestamp, used by cert_storage to assert
+  // if the blocklist is «fresh».
+  Services.prefs.setIntPref(
+    OneCRLBlocklistClient.lastCheckTimePref,
+    Math.floor(Date.now() / 1000)
+  );
+}
+
+function run_test() {
+  // import the certificates we need
+  load_cert("test-ca", "CTu,CTu,CTu");
+  load_cert("test-int", ",,");
+  load_cert("other-test-ca", "CTu,CTu,CTu");
+
+  add_task(async function () {
+    // check some existing items in revocations.txt are blocked.
+    // This test corresponds to:
+    // issuer: MBIxEDAOBgNVBAMMB1Rlc3QgQ0E= (CN=Test CA)
+    // serial: Kg== (42)
+    let file = "test_onecrl/ee-revoked-by-revocations-txt.pem";
+    await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+    // This test corresponds to:
+    // issuer: MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl (CN=Test Intermediate)
+    // serial: Tg== (78)
+    file = "test_onecrl/another-ee-revoked-by-revocations-txt.pem";
+    await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+    // And this test corresponds to:
+    // issuer: MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl (CN=Test Intermediate)
+    // serial: Hw== (31)
+    // (we test this issuer twice to ensure we can read multiple serials)
+    file = "test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem";
+    await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+    // Test that a certificate revoked by subject and public key hash in
+    // revocations.txt is revoked
+    // subject: MCsxKTAnBgNVBAMMIEVFIFJldm9rZWQgQnkgU3ViamVjdCBhbmQgUHViS2V5
+    // (CN=EE Revoked By Subject and PubKey)
+    // pubkeyhash: VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8= (this is the
+    // shared RSA SPKI)
+    file = "test_onecrl/ee-revoked-by-subject-and-pubkey.pem";
+    await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+    // Soon we'll load a blocklist which revokes test-int.pem, which issued
+    // test-int-ee.pem.
+    // Check the cert validates before we load the blocklist
+    file = "test_onecrl/test-int-ee.pem";
+    await verify_cert(file, PRErrorCodeSuccess);
+
+    // The blocklist also revokes other-test-ca.pem, which issued
+    // other-ca-ee.pem. Check the cert validates before we load the blocklist
+    file = "bad_certs/other-issuer-ee.pem";
+    await verify_cert(file, PRErrorCodeSuccess);
+
+    // The blocklist will revoke same-issuer-ee.pem via subject / pubKeyHash.
+    // Check the cert validates before we load the blocklist
+    file = "test_onecrl/same-issuer-ee.pem";
+    await verify_cert(file, PRErrorCodeSuccess);
+  });
+
+  // blocklist load is async so we must use add_test from here
+  add_task(update_blocklist);
+
+  add_task(async function () {
+    // The blocklist will be loaded now. Let's check the data is sane.
+    // In particular, we should still have the revoked issuer / serial pair
+    // that was in revocations.txt but not the blocklist.
+    let file = "test_onecrl/ee-revoked-by-revocations-txt.pem";
+    await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+    // We should also still have the revoked issuer / serial pairs that were in
+    // revocations.txt and are also in the blocklist.
+    file = "test_onecrl/another-ee-revoked-by-revocations-txt.pem";
+    await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+    file = "test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem";
+    await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+    // The cert revoked by subject and pubkeyhash should still be revoked.
+    file = "test_onecrl/ee-revoked-by-subject-and-pubkey.pem";
+    await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
+    // Check the blocklisted intermediate now causes a failure
+    file = "test_onecrl/test-int-ee.pem";
+    await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+    await verify_non_tls_usage_succeeds(file);
+
+    // Check the ee with the blocklisted root also causes a failure
+    file = "bad_certs/other-issuer-ee.pem";
+    await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+    await verify_non_tls_usage_succeeds(file);
+
+    // Check the ee blocked by subject / pubKey causes a failure
+    file = "test_onecrl/same-issuer-ee.pem";
+    await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+    await verify_non_tls_usage_succeeds(file);
+
+    // Check a non-blocklisted chain still validates OK
+    file = "bad_certs/default-ee.pem";
+    await verify_cert(file, PRErrorCodeSuccess);
+
+    // Check a bad cert is still bad (unknown issuer)
+    file = "bad_certs/unknownissuer.pem";
+    await verify_cert(file, SEC_ERROR_UNKNOWN_ISSUER);
+  });
+
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_broken_db.js b/security/manager/ssl/tests/unit/test_cert_storage_broken_db.js
new file mode 100644
index 0000000000..cabf16b48d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_broken_db.js
@@ -0,0 +1,72 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This file tests cert_storage's automatic database recreation mechanism. If
+// opening the database for the first time fails, cert_storage will re-create
+// it.
+
+function call_has_prior_data(certStorage, type) {
+  return new Promise(resolve => {
+    certStorage.hasPriorData(type, (rv, hasPriorData) => {
+      Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+      resolve(hasPriorData);
+    });
+  });
+}
+
+async function check_has_prior_revocation_data(certStorage, expectedResult) {
+  let hasPriorRevocationData = await call_has_prior_data(
+    certStorage,
+    Ci.nsICertStorage.DATA_TYPE_REVOCATION
+  );
+  Assert.equal(
+    hasPriorRevocationData,
+    expectedResult,
+    `should ${expectedResult ? "have" : "not have"} prior revocation data`
+  );
+}
+
+async function check_has_prior_cert_data(certStorage, expectedResult) {
+  let hasPriorCertData = await call_has_prior_data(
+    certStorage,
+    Ci.nsICertStorage.DATA_TYPE_CERTIFICATE
+  );
+  Assert.equal(
+    hasPriorCertData,
+    expectedResult,
+    `should ${expectedResult ? "have" : "not have"} prior cert data`
+  );
+}
+
+add_task(async function () {
+  // Create an invalid database.
+  let fileToCopy = do_get_file("test_cert_storage_broken_db.js");
+  let dbDirectory = do_get_profile();
+  dbDirectory.append("security_state");
+  fileToCopy.copyTo(dbDirectory, "data.mdb");
+
+  let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+    Ci.nsICertStorage
+  );
+  check_has_prior_revocation_data(certStorage, false);
+  check_has_prior_cert_data(certStorage, false);
+
+  let result = await new Promise(resolve => {
+    certStorage.setRevocations([], resolve);
+  });
+  Assert.equal(result, Cr.NS_OK, "setRevocations should succeed");
+
+  check_has_prior_revocation_data(certStorage, true);
+  check_has_prior_cert_data(certStorage, false);
+
+  result = await new Promise(resolve => {
+    certStorage.addCerts([], resolve);
+  });
+  Assert.equal(result, Cr.NS_OK, "addCerts should succeed");
+
+  check_has_prior_revocation_data(certStorage, true);
+  check_has_prior_cert_data(certStorage, true);
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct.js b/security/manager/ssl/tests/unit/test_cert_storage_direct.js
new file mode 100644
index 0000000000..a1ba818dd9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct.js
@@ -0,0 +1,417 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This file consists of unit tests for cert_storage (whereas test_cert_storage.js is more of an
+// integration test).
+
+do_get_profile();
+
+this.certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+  Ci.nsICertStorage
+);
+
+async function addCerts(certInfos) {
+  let result = await new Promise(resolve => {
+    certStorage.addCerts(certInfos, resolve);
+  });
+  Assert.equal(result, Cr.NS_OK, "addCerts should succeed");
+}
+
+async function removeCertsByHashes(hashesBase64) {
+  let result = await new Promise(resolve => {
+    certStorage.removeCertsByHashes(hashesBase64, resolve);
+  });
+  Assert.equal(result, Cr.NS_OK, "removeCertsByHashes should succeed");
+}
+
+function getLongString(uniquePart, length) {
+  return String(uniquePart).padStart(length, "0");
+}
+
+class CertInfo {
+  constructor(cert, subject) {
+    this.cert = btoa(cert);
+    this.subject = btoa(subject);
+    this.trust = Ci.nsICertStorage.TRUST_INHERIT;
+  }
+}
+CertInfo.prototype.QueryInterface = ChromeUtils.generateQI(["nsICertInfo"]);
+
+add_task(async function test_common_subject() {
+  let someCert1 = new CertInfo(
+    "some certificate bytes 1",
+    "some common subject"
+  );
+  let someCert2 = new CertInfo(
+    "some certificate bytes 2",
+    "some common subject"
+  );
+  let someCert3 = new CertInfo(
+    "some certificate bytes 3",
+    "some common subject"
+  );
+  await addCerts([someCert1, someCert2, someCert3]);
+  let storedCerts = certStorage.findCertsBySubject(
+    stringToArray("some common subject")
+  );
+  let storedCertsAsStrings = storedCerts.map(arrayToString);
+  let expectedCerts = [
+    "some certificate bytes 1",
+    "some certificate bytes 2",
+    "some certificate bytes 3",
+  ];
+  Assert.deepEqual(
+    storedCertsAsStrings.sort(),
+    expectedCerts.sort(),
+    "should find expected certs"
+  );
+
+  await addCerts([
+    new CertInfo("some other certificate bytes", "some other subject"),
+  ]);
+  storedCerts = certStorage.findCertsBySubject(
+    stringToArray("some common subject")
+  );
+  storedCertsAsStrings = storedCerts.map(arrayToString);
+  Assert.deepEqual(
+    storedCertsAsStrings.sort(),
+    expectedCerts.sort(),
+    "should still find expected certs"
+  );
+
+  let storedOtherCerts = certStorage.findCertsBySubject(
+    stringToArray("some other subject")
+  );
+  let storedOtherCertsAsStrings = storedOtherCerts.map(arrayToString);
+  let expectedOtherCerts = ["some other certificate bytes"];
+  Assert.deepEqual(
+    storedOtherCertsAsStrings,
+    expectedOtherCerts,
+    "should have other certificate"
+  );
+});
+
+add_task(async function test_many_entries() {
+  const NUM_CERTS = 500;
+  const CERT_LENGTH = 3000;
+  const SUBJECT_LENGTH = 40;
+  let certs = [];
+  for (let i = 0; i < NUM_CERTS; i++) {
+    certs.push(
+      new CertInfo(
+        getLongString(i, CERT_LENGTH),
+        getLongString(i, SUBJECT_LENGTH)
+      )
+    );
+  }
+  await addCerts(certs);
+  for (let i = 0; i < NUM_CERTS; i++) {
+    let subject = stringToArray(getLongString(i, SUBJECT_LENGTH));
+    let storedCerts = certStorage.findCertsBySubject(subject);
+    Assert.equal(
+      storedCerts.length,
+      1,
+      "should have 1 certificate (lots of data test)"
+    );
+    let storedCertAsString = arrayToString(storedCerts[0]);
+    Assert.equal(
+      storedCertAsString,
+      getLongString(i, CERT_LENGTH),
+      "certificate should be as expected (lots of data test)"
+    );
+  }
+});
+
+add_task(async function test_removal() {
+  // As long as cert_storage is given valid base64, attempting to delete some nonexistent
+  // certificate will "succeed" (it'll do nothing).
+  await removeCertsByHashes([btoa("thishashisthewrongsize")]);
+
+  let removalCert1 = new CertInfo(
+    "removal certificate bytes 1",
+    "common subject to remove"
+  );
+  let removalCert2 = new CertInfo(
+    "removal certificate bytes 2",
+    "common subject to remove"
+  );
+  let removalCert3 = new CertInfo(
+    "removal certificate bytes 3",
+    "common subject to remove"
+  );
+  await addCerts([removalCert1, removalCert2, removalCert3]);
+
+  let storedCerts = certStorage.findCertsBySubject(
+    stringToArray("common subject to remove")
+  );
+  let storedCertsAsStrings = storedCerts.map(arrayToString);
+  let expectedCerts = [
+    "removal certificate bytes 1",
+    "removal certificate bytes 2",
+    "removal certificate bytes 3",
+  ];
+  Assert.deepEqual(
+    storedCertsAsStrings.sort(),
+    expectedCerts.sort(),
+    "should find expected certs before removing them"
+  );
+
+  // echo -n "removal certificate bytes 2" | sha256sum | xxd -r -p | base64
+  await removeCertsByHashes(["2nUPHwl5TVr1mAD1FU9FivLTlTb0BAdnVUhsYgBccN4="]);
+  storedCerts = certStorage.findCertsBySubject(
+    stringToArray("common subject to remove")
+  );
+  storedCertsAsStrings = storedCerts.map(arrayToString);
+  expectedCerts = [
+    "removal certificate bytes 1",
+    "removal certificate bytes 3",
+  ];
+  Assert.deepEqual(
+    storedCertsAsStrings.sort(),
+    expectedCerts.sort(),
+    "should only have first and third certificates now"
+  );
+
+  // echo -n "removal certificate bytes 1" | sha256sum | xxd -r -p | base64
+  await removeCertsByHashes(["8zoRqHYrklr7Zx6UWpzrPuL+ol8KL1Ml6XHBQmXiaTY="]);
+  storedCerts = certStorage.findCertsBySubject(
+    stringToArray("common subject to remove")
+  );
+  storedCertsAsStrings = storedCerts.map(arrayToString);
+  expectedCerts = ["removal certificate bytes 3"];
+  Assert.deepEqual(
+    storedCertsAsStrings.sort(),
+    expectedCerts.sort(),
+    "should only have third certificate now"
+  );
+
+  // echo -n "removal certificate bytes 3" | sha256sum | xxd -r -p | base64
+  await removeCertsByHashes(["vZn7GwDSabB/AVo0T+N26nUsfSXIIx4NgQtSi7/0p/w="]);
+  storedCerts = certStorage.findCertsBySubject(
+    stringToArray("common subject to remove")
+  );
+  Assert.equal(storedCerts.length, 0, "shouldn't have any certificates now");
+
+  // echo -n "removal certificate bytes 3" | sha256sum | xxd -r -p | base64
+  // Again, removing a nonexistent certificate should "succeed".
+  await removeCertsByHashes(["vZn7GwDSabB/AVo0T+N26nUsfSXIIx4NgQtSi7/0p/w="]);
+});
+
+add_task(async function test_batched_removal() {
+  let removalCert1 = new CertInfo(
+    "batch removal certificate bytes 1",
+    "batch subject to remove"
+  );
+  let removalCert2 = new CertInfo(
+    "batch removal certificate bytes 2",
+    "batch subject to remove"
+  );
+  let removalCert3 = new CertInfo(
+    "batch removal certificate bytes 3",
+    "batch subject to remove"
+  );
+  await addCerts([removalCert1, removalCert2, removalCert3]);
+  let storedCerts = certStorage.findCertsBySubject(
+    stringToArray("batch subject to remove")
+  );
+  let storedCertsAsStrings = storedCerts.map(arrayToString);
+  let expectedCerts = [
+    "batch removal certificate bytes 1",
+    "batch removal certificate bytes 2",
+    "batch removal certificate bytes 3",
+  ];
+  Assert.deepEqual(
+    storedCertsAsStrings.sort(),
+    expectedCerts.sort(),
+    "should find expected certs before removing them"
+  );
+  // echo -n "batch removal certificate bytes 1" | sha256sum | xxd -r -p | base64
+  // echo -n "batch removal certificate bytes 2" | sha256sum | xxd -r -p | base64
+  // echo -n "batch removal certificate bytes 3" | sha256sum | xxd -r -p | base64
+  await removeCertsByHashes([
+    "EOEEUTuanHZX9NFVCoMKVT22puIJC6g+ZuNPpJgvaa8=",
+    "Xz6h/Kvn35cCLJEZXkjPqk1GG36b56sreLyAXpO+0zg=",
+    "Jr7XdiTT8ZONUL+ogNNMW2oxKxanvYOLQPKBPgH/has=",
+  ]);
+  storedCerts = certStorage.findCertsBySubject(
+    stringToArray("batch subject to remove")
+  );
+  Assert.equal(storedCerts.length, 0, "shouldn't have any certificates now");
+});
+
+class CRLiteCoverage {
+  constructor(ctLogID, minTimestamp, maxTimestamp) {
+    this.b64LogID = ctLogID;
+    this.minTimestamp = minTimestamp;
+    this.maxTimestamp = maxTimestamp;
+  }
+}
+CRLiteCoverage.prototype.QueryInterface = ChromeUtils.generateQI([
+  "nsICRLiteCoverage",
+]);
+
+add_task(async function test_crlite_filter() {
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  addCertFromFile(
+    certdb,
+    "test_cert_storage_direct/valid-cert-issuer.pem",
+    ",,"
+  );
+  let validCert = constructCertFromFile(
+    "test_cert_storage_direct/valid-cert.pem"
+  );
+  addCertFromFile(
+    certdb,
+    "test_cert_storage_direct/revoked-cert-issuer.pem",
+    ",,"
+  );
+  let revokedCert = constructCertFromFile(
+    "test_cert_storage_direct/revoked-cert.pem"
+  );
+  let filterFile = do_get_file(
+    "test_cert_storage_direct/test-filter.crlite",
+    false
+  );
+  ok(filterFile.exists(), "test filter file should exist");
+  let enrollment = [];
+  let coverage = [];
+  let filterBytes = stringToArray(readFile(filterFile));
+  // First simualte a filter that does not cover any certificates. With CRLite
+  // enabled, none of the certificates should appear to be revoked.
+  let setFullCRLiteFilterResult = await new Promise(resolve => {
+    certStorage.setFullCRLiteFilter(filterBytes, enrollment, coverage, resolve);
+  });
+  Assert.equal(
+    setFullCRLiteFilterResult,
+    Cr.NS_OK,
+    "setFullCRLiteFilter should succeed"
+  );
+
+  Services.prefs.setIntPref(
+    "security.pki.crlite_mode",
+    CRLiteModeEnforcePrefValue
+  );
+  await checkCertErrorGenericAtTime(
+    certdb,
+    validCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+    false,
+    "skynew.jp",
+    Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+  );
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+    false,
+    "schunk-group.com",
+    Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+  );
+
+  // Now replace the filter with one that covers the "valid" and "revoked"
+  // certificates. CRLite should flag the revoked certificate.
+  coverage.push(
+    new CRLiteCoverage(
+      "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=",
+      0,
+      1641612275000
+    )
+  );
+
+  // crlite_enrollment_id.py test_crlite_filters/issuer.pem
+  enrollment.push("UbH9/ZAnjuqf79Xhah1mFOWo6ZvgQCgsdheWfjvVUM8=");
+  // crlite_enrollment_id.py test_crlite_filters/no-sct-issuer.pem
+  enrollment.push("Myn7EasO1QikOtNmo/UZdh6snCAw0BOY6wgU8OsUeeY=");
+  // crlite_enrollment_id.py test_cert_storage_direct/revoked-cert-issuer.pem
+  enrollment.push("HTvSp2263dqBYtgYA2fldKAoTYcEVLPVTlRia9XaoCQ=");
+
+  setFullCRLiteFilterResult = await new Promise(resolve => {
+    certStorage.setFullCRLiteFilter(filterBytes, enrollment, coverage, resolve);
+  });
+  Assert.equal(
+    setFullCRLiteFilterResult,
+    Cr.NS_OK,
+    "setFullCRLiteFilter should succeed"
+  );
+  await checkCertErrorGenericAtTime(
+    certdb,
+    validCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+    false,
+    "skynew.jp",
+    Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+  );
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedCert,
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    certificateUsageSSLServer,
+    new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+    false,
+    "schunk-group.com",
+    Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+  );
+
+  // If we're only collecting telemetry, none of the certificates should appear to be revoked.
+  Services.prefs.setIntPref(
+    "security.pki.crlite_mode",
+    CRLiteModeTelemetryOnlyPrefValue
+  );
+  await checkCertErrorGenericAtTime(
+    certdb,
+    validCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+    false,
+    "skynew.jp",
+    Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+  );
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+    false,
+    "schunk-group.com",
+    Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+  );
+
+  // If CRLite is disabled, none of the certificates should appear to be revoked.
+  Services.prefs.setIntPref(
+    "security.pki.crlite_mode",
+    CRLiteModeDisabledPrefValue
+  );
+  await checkCertErrorGenericAtTime(
+    certdb,
+    validCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+    false,
+    "skynew.jp",
+    Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+  );
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+    false,
+    "schunk-group.com",
+    Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+  );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert-issuer.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert-issuer.pem
new file mode 100644
index 0000000000..d775817b33
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert-issuer.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEoDCCA4igAwIBAgIQBpaPlkroI1bHThfCtTZbADANBgkqhkiG9w0BAQsFADBs
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
+ZSBFViBSb290IENBMB4XDTE3MTEwNjEyMjI1N1oXDTI3MTEwNjEyMjI1N1owXzEL
+MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
+LmRpZ2ljZXJ0LmNvbTEeMBwGA1UEAxMVVGhhd3RlIEVWIFJTQSBDQSAyMDE4MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp0Cu52zmdJFnSezXMKvL0rso
+WgA/1X7OxjMQHsAllID1eDG836ptJXSTPg+DoEenHfkKyw++wXobgahr0cU/2v8R
+WR3fID53ZDhEGHzS+Ol7V+HRtZG5teMWCY7gldtBQH0r7xUEp/3ISVsZUVBqtUmL
+VJlf9nxJD6Cxp4LBlcJJ8+N6kSkV+fA+WdQc0HYhXSg3PxJP7XSU28Wc7gf6y9kZ
+zQhK4WrZLRrHHbHC2QXdqQYUxR927QV+UCNXnlbTcZy2QpxWTPLzK+/cKXX4cwP6
+MGF7+8RnUgHlij/5V2k/tIF9ep4B72ucqaS/UhEPpIN/T7A3OAw995yrB38glQID
+AQABo4IBSTCCAUUwHQYDVR0OBBYEFOcB/AwWGMp9sozshyejb2GBO4Q5MB8GA1Ud
+IwQYMBaAFLE+w2kD+L9HAdSYJhoIAu9jZCvDMA4GA1UdDwEB/wQEAwIBhjAdBgNV
+HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADA0
+BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0
+LmNvbTBLBgNVHR8ERDBCMECgPqA8hjpodHRwOi8vY3JsMy5kaWdpY2VydC5jb20v
+RGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZSb290Q0EuY3JsMD0GA1UdIAQ2MDQwMgYE
+VR0gADAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BT
+MA0GCSqGSIb3DQEBCwUAA4IBAQAWGka+5ffLpfFuzT+WlwDRwhyTZSunnvecZWZT
+PPKXipynjpXx5dK8YG+2XoH74285GR1UABuvHMFV94XeDET9Pzz5s/NHS1/eAr5e
+GdwfBl80XwPkwXaYqzRtw6J4RAxeLqcbibhUQv9Iev9QcP0kNPyJu413Xov76mSu
+JlGThKzcurJPive2eLmwmoIgTPH11N/IIO9nHLVe8KTkt+FGgZCOWHA3kbFBZR39
+Mn2hFS974rhUkM+VS9KbCiQQ5OwkfbZ/6BINkE1CMtiESZ2WkbxJKPsF3dN7p9DF
+YWiQSbYjFP+rCT0/MkaHHYUkEvLNPgyJ6z29eMf0DjLu/SXJ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert.pem
new file mode 100644
index 0000000000..81e01bd783
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert.pem
@@ -0,0 +1,41 @@
+-----BEGIN CERTIFICATE-----
+MIIHOzCCBiOgAwIBAgIQBi31aKBRMQgg1+xDJ+G6/TANBgkqhkiG9w0BAQsFADBf
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMR4wHAYDVQQDExVUaGF3dGUgRVYgUlNBIENBIDIwMTgw
+HhcNMTgwNTI4MDAwMDAwWhcNMjAwNTIxMTIwMDAwWjCB6zEdMBsGA1UEDwwUUHJp
+dmF0ZSBPcmdhbml6YXRpb24xEzARBgsrBgEEAYI3PAIBAxMCREUxFjAUBgsrBgEE
+AYI3PAIBAhMFSGVzc2UxGDAWBgsrBgEEAYI3PAIBAQwHR2llw59lbjERMA8GA1UE
+BRMISFJCIDY5MDIxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xFDASBgNV
+BAcTC0hldWNoZWxoZWltMRQwEgYDVQQKEwtTY2h1bmsgR21iSDELMAkGA1UECxMC
+SVQxGTAXBgNVBAMTEHNjaHVuay1ncm91cC5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQCvkuQZz2ExPv9paJb622OOk+o4bWnjDe1zHGK6qnK25mMT
+Zldk74sXF+Wfr9lbwqHTcjGhQFwmVDqvtr55KVX8FOv0CSqNaewOrnNrFz8Xg4rn
+OlIs3+MmqD5CIK+el0rA+xltEY8WvNlwZKG7yeJYrdsr+5DAThDuwCVe8bU7it4h
+sjsMsof5ocee9zDkFThNVGR4sMk5EgBxb1Gt4n9wXUj4OBT78whhlkLH/pVZrrhs
+tQwC3q90MOPC5RJcEolSCNjGdHCKRbexmRqJgbJj/qZ9JT+fQ+Ko6a+UAWvc2BUc
+POnzGV2GzCdFFGOubJb6RjU0nuPG4Lmdc/BuS9kFAgMBAAGjggNkMIIDYDAfBgNV
+HSMEGDAWgBTnAfwMFhjKfbKM7Icno29hgTuEOTAdBgNVHQ4EFgQUNb1SY8Bkil98
+tD8zoxE30jBA1NIwZwYDVR0RBGAwXoIQc2NodW5rLWdyb3VwLmNvbYIUd3d3LnNj
+aHVuay1ncm91cC5jb22CG3NjaHVuay1jYXJib250ZWNobm9sb2d5LmNvbYIXc2No
+dW5rLXNpbnRlcm1ldGFscy5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG
+CCsGAQUFBwMBBggrBgEFBQcDAjA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY2Rw
+LnRoYXd0ZS5jb20vVGhhd3RlRVZSU0FDQTIwMTguY3JsMEsGA1UdIAREMEIwNwYJ
+YIZIAYb9bAIBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNv
+bS9DUFMwBwYFZ4EMAQEwcQYIKwYBBQUHAQEEZTBjMCQGCCsGAQUFBzABhhhodHRw
+Oi8vc3RhdHVzLnRoYXd0ZS5jb20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9jYWNlcnRz
+LnRoYXd0ZS5jb20vVGhhd3RlRVZSU0FDQTIwMTguY3J0MAkGA1UdEwQCMAAwggF7
+BgorBgEEAdZ5AgQCBIIBawSCAWcBZQB1AKS5CZC0GFgUh7sTosxncAo8NZgE+Rvf
+uON3zQ7IDdwQAAABY6Ze9XAAAAQDAEYwRAIgNUeXL3GwlpGQtTS/wKBlOkHJvHR5
+knSop0OPumeCfQECIEdxY7qr/WRVbWkQFvP48fgWkZHkd4vTq70Y0aaSZTbPAHUA
+VhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0AAAFjpl71tQAABAMARjBE
+AiAtxKdc/wum3TE7r9BoRd/gkrjYLWyqeLuL/opRBRy9xwIgPF6uEZxyhEoLZ+9G
+AFBAP+X89zjZphVALjIXu0RRea4AdQC72d+8H4pxtZOUI5eqkntHOFeVCqtS6BqQ
+lmQ2jh7RhQAAAWOmXvY1AAAEAwBGMEQCIHc04ERlUbIkVrlC+I89C9xtugvRCwbR
+a7qZzSdqHltUAiBRVwTacf1dnO9AgLSgrxft5LV32DvH3qNT7pWYh8dFNjANBgkq
+hkiG9w0BAQsFAAOCAQEARJ+tbnM+yS6chgpyzfB3e7IWPq2Den46Ja1H6/4qaKrd
+nsbElcvd4cCQf1zYY6jlQkO6qtfMUChKrEar5aqqnyX8x/8T9PkpHp8XyUxgGlmT
+hrnHML0gDJFS8O4MB5pFnGkgoOQa+OIQokWCXr4/a4AwsTG3Ms+lC+R+vRYz90lg
+TEJLNHB2fSvQyvpXDUL9aAjACBp/9pKxfM9iq06MFO5jP483xJUfdqtVteHMw75w
+1mb8IrM9R1dP47GsblTrf2rZYdaoxdyLjtJQG2aaOdU5unE6QeFrXbz0qeTPePs8
+ftuXSW9xb053HjAkCcVo48j07b2cHfU1hxzGGptVbQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/test-filter.crlite b/security/manager/ssl/tests/unit/test_cert_storage_direct/test-filter.crlite
new file mode 100644
index 0000000000..34ced4b840
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/test-filter.crlite
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert-issuer.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert-issuer.pem
new file mode 100644
index 0000000000..705827a85e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert-issuer.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEkDCCA3igAwIBAgIJIrmxUyPlrv3NMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
+BAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMScw
+JQYDVQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTIwHhcNMTgwODIy
+MDczMjI0WhcNMjgwODIyMDczMjI0WjBQMQswCQYDVQQGEwJKUDElMCMGA1UEChMc
+U0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEaMBgGA1UEAxMRQ3Jvc3NUcnVz
+dCBEViBDQTUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnTNi5Kgrt
+FL8qBuEmpL2gvLFY7f9MEgjzClvic/45ebM+DxZ2CMuqtMtImgf8XPIpLaFFbozx
+3VgqH41cmGHbpAoDRKpwfF1f53peHYhRxpOVgcnsiVCPZJPBPCUM9St+cuEjfo0d
+YGbr3aG5urdT2zeKIFyxKbggdkU0LVRHwvLFsIpXCn/YK/8Rmx87yW9VB80OXkzf
+IQoZop83+aebq1VwzjNCN3u4bWSFLYDyJGqE40WlZ53NZh+TwBsa6gld9YXPGQfx
+k8x38zkFXberlMQOYhX9KyuTOMdlFkbx6LfIUqVKJavpcr54+XPzVyeroNPpKxtZ
+mEqUYiFjAqUVAgMBAAGjggFeMIIBWjAdBgNVHQ4EFgQUT4twz6lAHJbllF13rNZv
+TS2b8ncwHwYDVR0jBBgwFoAUCoWpd2UFmHxAgfgPlyw48QrsPM8wEgYDVR0TAQH/
+BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwSQYDVR0fBEIwQDA+oDygOoY4aHR0
+cDovL3JlcG9zaXRvcnkuc2Vjb210cnVzdC5uZXQvU0MtUm9vdDIvU0NSb290MkNS
+TC5jcmwwUgYDVR0gBEswSTBHBgoqgwiMmxtkhwUEMDkwNwYIKwYBBQUHAgEWK2h0
+dHBzOi8vcmVwb3NpdG9yeS5zZWNvbXRydXN0Lm5ldC9TQy1Sb290Mi8wQAYIKwYB
+BQUHAQEENDAyMDAGCCsGAQUFBzABhiRodHRwOi8vc2Nyb290Y2EyLm9jc3Auc2Vj
+b210cnVzdC5uZXQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQAD
+ggEBABEDSrrhhR+Js5q45yih2Ne4cMLZmrH0AZwU3eM+7HZplzi1EhppgvcYk/2k
+LM9haQGWnAZ5wiixLqKu7WlWrHgblZbXyCxALmMBK1rqeP0omxXExqKVqWNHU8KZ
+t3jahH1wDYSzfetM7guWR+PAPpb9oQCtAx8DVyI/3Ocswvti/uWb517Bdo6Nd0+9
+mf0LiphNKcSzSFX0s1Cb47cJROYHGBe2J6NUSWR7wE0asPtKsznGyNO+NJCUR+0h
+OLN2cA2KJwPhZjYJt8UkucAF/EE7qC0Fc8B9Q/gttQ52en5BZxdkDrHCi4qnsSvi
+gueQme/RzYkEaQlNT1WCZ9AIgVE=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert.pem
new file mode 100644
index 0000000000..195d2d8ca2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert.pem
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF4DCCBMigAwIBAgIQC3d196+a5UJlyc0yVxB3jjANBgkqhkiG9w0BAQsFADBQ
+MQswCQYDVQQGEwJKUDElMCMGA1UEChMcU0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4s
+TFRELjEaMBgGA1UEAxMRQ3Jvc3NUcnVzdCBEViBDQTUwHhcNMTkwNjExMDUyMjEy
+WhcNMjEwNjMwMTQ1OTU5WjAUMRIwEAYDVQQDEwlza3luZXcuanAwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeciw7C297026HA4oIwc29vL2h29GVrRF7
+HGdeXzAJA7kh+qwo8rTBFfdX7sgHy6nnE1+flEtFt91Ss8i3BZMEqoFUZFb1jGXd
+DbQtmIWxz7O5skkjR1gdKwt9GImy1hEPt8dwU52mwVsSUEKvlZlsjeofUPAEbnYY
++iA/nYaYXiXyCxJzk6Y09VlzghyMIhkLwDa7rL3S9FgUQI6tSUwsiNYNoQzlYgXF
+yPfQfd57LbBwZJtqVPC6rjPOZZd0sw7uvrDNuxnAM2k2mzlML9Vwt8EvSlZX60xD
+oGQCsQQ/ZgjEQTA8WRZ+fxW/LqQNYYm70KU/1M+e8o4MKmA9xkH5AgMBAAGjggLw
+MIIC7DAfBgNVHSMEGDAWgBRPi3DPqUAcluWUXXes1m9NLZvydzA8BggrBgEFBQcB
+AQQwMC4wLAYIKwYBBQUHMAGGIGh0dHA6Ly9kdmNhNS5vY3NwLnNlY29tdHJ1c3Qu
+bmV0MCMGA1UdEQQcMBqCCXNreW5ldy5qcIINd3d3LnNreW5ldy5qcDBaBgNVHSAE
+UzBRMEUGCiqDCIybG26BVQIwNzA1BggrBgEFBQcCARYpaHR0cHM6Ly9yZXBvMS5z
+ZWNvbXRydXN0Lm5ldC9zcHBjYS94dGR2NS8wCAYGZ4EMAQIBMBMGA1UdJQQMMAoG
+CCsGAQUFBwMBMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9yZXBvMS5zZWNvbXRy
+dXN0Lm5ldC9zcHBjYS94dGR2NS9mdWxsY3JsLmNybDAdBgNVHQ4EFgQUuj9305tQ
+JIeVAQtsz9JHx3PTqaQwDgYDVR0PAQH/BAQDAgWgMIIBfgYKKwYBBAHWeQIEAgSC
+AW4EggFqAWgAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWtF
+Bb6pAAAEAwBHMEUCIHUQkmFzUh01r1Px/zWMZSL21dNNQwM+rN1z0gutxV3JAiEA
+jSb2/GAm4+2qiNWDtx1EkHsMXjNW+5S4GhJePexjJR8AdgDuS723dc5guuFCaR+r
+4Z5mow9+X7By2IMAxHuJeqj9ywAAAWtFBcdeAAAEAwBHMEUCIDVHdfP9wnVgz45l
+eX80DpRCRNEV/OCDwfW+B0g/dveYAiEArbpLQb5Z9hul3r00kF2LrivNuI7kwEBy
+MpkYsLtSPJoAdgBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAWtF
+BdCQAAAEAwBHMEUCIE2GUo6x3qDrIhacnCmjikBCHF2yT6Fv5GAehZB569YCAiEA
+vXwMXV8+y3xNFys+A6u9EjKiy8CTKv+SQxqsJ4s6jK0wDQYJKoZIhvcNAQELBQAD
+ggEBAAzlm9W+N5fviTJ9wDsc5nXKYur3744V/cm75+8dUM61Rko1isK6IZt5aNPN
+wOfhBsTzHHSYmAFMR9Xjoq8iDYZtIk01IGI6LEWuls9F2hVcERiHMWJOLTiH35xN
+vRNTG0AbBdIpTX2sURsoCPJ+8DTnVUr3pTzXnIY4EQ4UXfANuYwceOHShF6UJo/L
+PK0uRdHcd5SmMa03gFUdkTc9gU6PIEO/UgubazGh9xDBHtHECeleL+gpSfOP3SkF
+7W1RgmbE6WJdVPlto7FRQtl2xIzHs/gNaPezqNKPHgFlx4c+ECTjPLqoW8LdeXu+
+N8dueJg1+h+lQifkmgl23DqEIiI=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting.js b/security/manager/ssl/tests/unit/test_cert_storage_preexisting.js
new file mode 100644
index 0000000000..8a757c199c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting.js
@@ -0,0 +1,48 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This file tests that cert_storage correctly persists its "has prior data"
+// information across runs of the browser.
+// (The test DB files for this test were created by running the test
+// `test_cert_storage_broken_db.js` and copying them from that test's profile
+// directory.)
+
+/* eslint-disable no-unused-vars */
+add_task(async function () {
+  let dbDirectory = do_get_profile();
+  dbDirectory.append("security_state");
+  let dbFile = do_get_file("test_cert_storage_preexisting/data.safe.bin");
+  dbFile.copyTo(dbDirectory, "data.safe.bin");
+
+  let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+    Ci.nsICertStorage
+  );
+  let hasPriorRevocationData = await new Promise(resolve => {
+    certStorage.hasPriorData(
+      Ci.nsICertStorage.DATA_TYPE_REVOCATION,
+      (rv, hasPriorData) => {
+        Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+        resolve(hasPriorData);
+      }
+    );
+  });
+  Assert.equal(
+    hasPriorRevocationData,
+    true,
+    "should have prior revocation data"
+  );
+
+  let hasPriorCertData = await new Promise(resolve => {
+    certStorage.hasPriorData(
+      Ci.nsICertStorage.DATA_TYPE_CERTIFICATE,
+      (rv, hasPriorData) => {
+        Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+        resolve(hasPriorData);
+      }
+    );
+  });
+  Assert.equal(hasPriorCertData, true, "should have prior cert data");
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.mdb b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.mdb
new file mode 100644
index 0000000000..df4cb182a7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.mdb
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.safe.bin b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.safe.bin
new file mode 100644
index 0000000000..011ed93484
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.safe.bin
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting/lock.mdb b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/lock.mdb
new file mode 100644
index 0000000000..dc4b50fdfc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/lock.mdb
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite.js b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite.js
new file mode 100644
index 0000000000..c444bdd945
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite.js
@@ -0,0 +1,83 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This file tests that cert_storage correctly persists its information across
+// runs of the browser specifically in the case of CRLite.
+// (The test DB files for this test were created by running the test
+// `test_cert_storage_direct.js` and copying them from that test's profile
+// directory.)
+
+/* eslint-disable no-unused-vars */
+add_task(async function () {
+  Services.prefs.setIntPref(
+    "security.pki.crlite_mode",
+    CRLiteModeEnforcePrefValue
+  );
+
+  let dbDirectory = do_get_profile();
+  dbDirectory.append("security_state");
+  let crliteFile = do_get_file(
+    "test_cert_storage_preexisting_crlite/crlite.filter"
+  );
+  crliteFile.copyTo(dbDirectory, "crlite.filter");
+  let coverageFile = do_get_file(
+    "test_cert_storage_preexisting_crlite/crlite.coverage"
+  );
+  coverageFile.copyTo(dbDirectory, "crlite.coverage");
+  let enrollmentFile = do_get_file(
+    "test_cert_storage_preexisting_crlite/crlite.enrollment"
+  );
+  enrollmentFile.copyTo(dbDirectory, "crlite.enrollment");
+
+  let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+    Ci.nsICertStorage
+  );
+
+  // Add an empty stash to ensure the filter is considered to be fresh.
+  await new Promise(resolve => {
+    certStorage.addCRLiteStash(new Uint8Array([]), (rv, _) => {
+      Assert.equal(rv, Cr.NS_OK, "marked filter as fresh");
+      resolve();
+    });
+  });
+
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  let validCertIssuer = constructCertFromFile(
+    "test_cert_storage_direct/valid-cert-issuer.pem"
+  );
+  let validCert = constructCertFromFile(
+    "test_cert_storage_direct/valid-cert.pem"
+  );
+  await checkCertErrorGenericAtTime(
+    certdb,
+    validCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2019-10-28T00:00:00Z").getTime() / 1000,
+    false,
+    "skynew.jp",
+    Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+  );
+
+  let revokedCertIssuer = constructCertFromFile(
+    "test_cert_storage_direct/revoked-cert-issuer.pem"
+  );
+  let revokedCert = constructCertFromFile(
+    "test_cert_storage_direct/revoked-cert.pem"
+  );
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedCert,
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    certificateUsageSSLServer,
+    new Date("2019-11-04T00:00:00Z").getTime() / 1000,
+    false,
+    "schunk-group.com",
+    Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+  );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.coverage b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.coverage
new file mode 100644
index 0000000000..2bd13319e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.coverage
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.enrollment b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.enrollment
new file mode 100644
index 0000000000..aac0238188
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.enrollment
@@ -0,0 +1 @@
+
3)û«Õ¤:Óf£õv¬œ 0ИëðëyæQ±ýý�'ŽêŸïÕájfå¨é›à@(,v–~;ÕPÏ;Ò§mºÝÚ�bØgåt (M‡T³ÕNTbkÕÚ $
\ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.filter b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.filter
new file mode 100644
index 0000000000..34ced4b840
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.filter
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/data.safe.bin b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/data.safe.bin
new file mode 100644
index 0000000000..d96571f128
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/data.safe.bin
diff --git a/security/manager/ssl/tests/unit/test_cert_trust.js b/security/manager/ssl/tests/unit/test_cert_trust.js
new file mode 100644
index 0000000000..45ff78a253
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@@ -0,0 +1,324 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+function load_cert(cert_name, trust_string) {
+  let cert_filename = cert_name + ".pem";
+  return addCertFromFile(
+    certdb,
+    "test_cert_trust/" + cert_filename,
+    trust_string
+  );
+}
+
+function setup_basic_trusts(ca_cert, int_cert) {
+  certdb.setCertTrust(
+    ca_cert,
+    Ci.nsIX509Cert.CA_CERT,
+    Ci.nsIX509CertDB.TRUSTED_SSL | Ci.nsIX509CertDB.TRUSTED_EMAIL
+  );
+
+  certdb.setCertTrust(int_cert, Ci.nsIX509Cert.CA_CERT, 0);
+}
+
+async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
+  // On reset most usages are successful
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLClient
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    SEC_ERROR_CA_CERT_INVALID,
+    certificateUsageSSLCA
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    PRErrorCodeSuccess,
+    certificateUsageEmailSigner
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    PRErrorCodeSuccess,
+    certificateUsageEmailRecipient
+  );
+
+  // Test of active distrust. No usage should pass.
+  setCertTrust(cert_to_modify_trust, "p,p,p");
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    SEC_ERROR_UNTRUSTED_ISSUER,
+    certificateUsageSSLServer
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    SEC_ERROR_UNTRUSTED_ISSUER,
+    certificateUsageSSLClient
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    SEC_ERROR_CA_CERT_INVALID,
+    certificateUsageSSLCA
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    SEC_ERROR_UNTRUSTED_ISSUER,
+    certificateUsageEmailSigner
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    SEC_ERROR_UNTRUSTED_ISSUER,
+    certificateUsageEmailRecipient
+  );
+
+  // Trust set to T  -  trusted CA to issue client certs, where client cert is
+  // usageSSLClient.
+  setCertTrust(cert_to_modify_trust, "T,T,T");
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+    certificateUsageSSLServer
+  );
+
+  // XXX(Bug 982340)
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+    certificateUsageSSLClient
+  );
+
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    SEC_ERROR_CA_CERT_INVALID,
+    certificateUsageSSLCA
+  );
+
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+    certificateUsageEmailSigner
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+    certificateUsageEmailRecipient
+  );
+
+  // Now tests on the SSL trust bit
+  setCertTrust(cert_to_modify_trust, "p,C,C");
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    SEC_ERROR_UNTRUSTED_ISSUER,
+    certificateUsageSSLServer
+  );
+
+  // XXX(Bug 982340)
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLClient
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    SEC_ERROR_CA_CERT_INVALID,
+    certificateUsageSSLCA
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    PRErrorCodeSuccess,
+    certificateUsageEmailSigner
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    PRErrorCodeSuccess,
+    certificateUsageEmailRecipient
+  );
+
+  // Inherited trust SSL
+  setCertTrust(cert_to_modify_trust, ",C,C");
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+    certificateUsageSSLServer
+  );
+  // XXX(Bug 982340)
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLClient
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    SEC_ERROR_CA_CERT_INVALID,
+    certificateUsageSSLCA
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    PRErrorCodeSuccess,
+    certificateUsageEmailSigner
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    PRErrorCodeSuccess,
+    certificateUsageEmailRecipient
+  );
+
+  // Now tests on the EMAIL trust bit
+  setCertTrust(cert_to_modify_trust, "C,p,C");
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    SEC_ERROR_UNTRUSTED_ISSUER,
+    certificateUsageSSLClient
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    SEC_ERROR_CA_CERT_INVALID,
+    certificateUsageSSLCA
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    SEC_ERROR_UNTRUSTED_ISSUER,
+    certificateUsageEmailSigner
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    SEC_ERROR_UNTRUSTED_ISSUER,
+    certificateUsageEmailRecipient
+  );
+
+  // inherited EMAIL Trust
+  setCertTrust(cert_to_modify_trust, "C,,C");
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+    certificateUsageSSLClient
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    SEC_ERROR_CA_CERT_INVALID,
+    certificateUsageSSLCA
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+    certificateUsageEmailSigner
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+    certificateUsageEmailRecipient
+  );
+}
+
+add_task(async function () {
+  let certList = ["ca", "int", "ee"];
+  let loadedCerts = [];
+  for (let certName of certList) {
+    loadedCerts.push(load_cert(certName, ",,"));
+  }
+
+  let ca_cert = loadedCerts[0];
+  notEqual(ca_cert, null, "CA cert should have successfully loaded");
+  let int_cert = loadedCerts[1];
+  notEqual(int_cert, null, "Intermediate cert should have successfully loaded");
+  let ee_cert = loadedCerts[2];
+  notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+  setup_basic_trusts(ca_cert, int_cert);
+  await test_ca_distrust(ee_cert, ca_cert, true);
+
+  setup_basic_trusts(ca_cert, int_cert);
+  await test_ca_distrust(ee_cert, int_cert, false);
+
+  // Reset trust to default ("inherit trust")
+  setCertTrust(ca_cert, ",,");
+  setCertTrust(int_cert, ",,");
+
+  // End-entities can be trust anchors for interoperability with users who
+  // prefer not to build a hierarchy and instead directly trust a particular
+  // server certificate.
+  setCertTrust(ee_cert, "CTu,CTu,CTu");
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLClient
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    PRErrorCodeSuccess,
+    certificateUsageEmailSigner
+  );
+  await checkCertErrorGeneric(
+    certdb,
+    ee_cert,
+    PRErrorCodeSuccess,
+    certificateUsageEmailRecipient
+  );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ca.pem b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem
new file mode 100644
index 0000000000..54b436cdab
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUbd6irDfViDg0hGYGrBFpSOiAgmswDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
+VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBa/UJSVAkS4R5UUprUZ+VETh+G
+TbLf+xbhyhpXn39i7Rk0/U7IelYJN3qalF3eIL7ab4qij3jWLrdOJz1ERkxVWXeX
+a9rjQC7nQQqnOrdcEPvq297cHuwtKb+jTTKDI4ATy7UVeE3DDW6VWewmAz8VA7FH
+SxAwdLWgqKzAqLEhhrg6l0JtpDmCfoBZ5yVA9gPdcSouaQ+6WnL0TFmNtriZPZI5
+Sq7Ua1aM1X/Ca3kQLo1DD06lgR7bJbjH+2j0uRYbB7NeB5aeYYnnxRdXcbXtM2Wl
+dPg/8WETAK3hjbaY0Xq5UFP9tLkLbq3a1lew5BEz9xFz7P+offg8hSAONOZu
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec
new file mode 100644
index 0000000000..d809dbd635
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ee.pem b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem
new file mode 100644
index 0000000000..82e6a30f34
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4jCCAcqgAwIBAgIUMdajt4X/9IBhgxXiQsm9Bu84o80wDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozUwMzAxBgNVHSUEKjAoBggrBgEF
+BQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMEBggrBgEFBQcDAzANBgkqhkiG9w0BAQsF
+AAOCAQEAA7nG4h3CGUtm2eS08c0e+mROnPPpkOMaOS0McOFIDOamQlKtxuzl6md7
+CmZtQfckTwVxy8KaEtVhcJ5Dj4w+HJJ2uwun8PspBkgEaVJAMxhm8CAOBHO72vee
+1WU1K2lxcGz1tTFzyvGi7b+frWWaeoTM4/4qUQkKEBTbJannKqmKSHdawNNeJ7XB
+yxyO+Pf5JlWMDpSoFY3IEG2j01ALdWcI4T63TFLB0lEmuMRGZ6o2EnNOFvg2bDkg
++peiKONSzIVqiVHkJjgMDGOdXfeei2pFyQz+1ESWYl3+LuxHbxXauyKV5tAjXL8n
+RbN+Ds8/8RpSFhDOTRLVCVrQiFqNag==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec
new file mode 100644
index 0000000000..9666c18062
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:ee
+extension:extKeyUsage:serverAuth,clientAuth,emailProtection,codeSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/int.pem b/security/manager/ssl/tests/unit/test_cert_trust/int.pem
new file mode 100644
index 0000000000..f12ebf91fd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/int.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyjCCAbKgAwIBAgIUS7UFd8kviZT6AzkUw+zBza2WxxcwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowDjEMMAoGA1UEAwwDaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsG
+A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAXr6DXGOqX+xkzyNm1YZc+wtm
+6yFQo2jgeCMxgOv4j07wEEgGPP4adgyHjAhqTtYNbdBCuPtEbMInVRHdJooWNGk7
+MeoyTmJLlEJlnzVHdCUDi0mb+E7w2vVWNeirXnUSBN8qStok8vNoHJDT7pX3QEQs
+zRRNHw5qs/xxZKxzxeBiljYlh1d1zVgqNWTx9LP5IOEKOQ9OzxpzsCpJtPZRxh/d
+gip6TZT9srCndY2jCFUEYdSFRWOjsb6ni9TGC2o4SUxxJvC8jmrLjgGqPGNdTMiX
+DOxuAjt1gue4kqK6r6nMqxOZ04TEe0c/M5+hF4dhQaxqga6vvGBl0oF2QMxXGA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec b/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec
new file mode 100644
index 0000000000..a7f6d81419
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_cert_utf8.js b/security/manager/ssl/tests/unit/test_cert_utf8.js
new file mode 100644
index 0000000000..caeddd8158
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_utf8.js
@@ -0,0 +1,79 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+function run_test() {
+  // This certificate has a number of placeholder byte sequences that we can
+  // replace with invalid UTF-8 to ensure that we handle these cases safely.
+  let certificateToAlterFile = do_get_file(
+    "test_cert_utf8/certificateToAlter.pem",
+    false
+  );
+  let certificateBytesToAlter = atob(
+    pemToBase64(readFile(certificateToAlterFile))
+  );
+  testUTF8InField("issuerName", "ISSUER CN", certificateBytesToAlter);
+  testUTF8InField("issuerOrganization", "ISSUER O", certificateBytesToAlter);
+  testUTF8InField(
+    "issuerOrganizationUnit",
+    "ISSUER OU",
+    certificateBytesToAlter
+  );
+  testUTF8InField("issuerCommonName", "ISSUER CN", certificateBytesToAlter);
+  testUTF8InField("organization", "SUBJECT O", certificateBytesToAlter);
+  testUTF8InField("organizationalUnit", "SUBJECT OU", certificateBytesToAlter);
+  testUTF8InField("subjectName", "SUBJECT CN", certificateBytesToAlter);
+  testUTF8InField("displayName", "SUBJECT CN", certificateBytesToAlter);
+  testUTF8InField("commonName", "SUBJECT CN", certificateBytesToAlter);
+  testUTF8InField(
+    "emailAddress",
+    "SUBJECT EMAILADDRESS",
+    certificateBytesToAlter
+  );
+}
+
+// Every (issuer, serial number) pair must be unique. If NSS ever encounters two
+// different (in terms of encoding) certificates with the same values for this
+// pair, it will refuse to import it (even as a temporary certificate). Since
+// we're creating a number of different certificates, we need to ensure this
+// pair is always unique. The easiest way to do this is to change the issuer
+// distinguished name each time. To make sure this doesn't introduce additional
+// UTF8 issues, always use a printable ASCII value.
+var gUniqueIssuerCounter = 32;
+
+function testUTF8InField(field, replacementPrefix, certificateBytesToAlter) {
+  let toReplace = `${replacementPrefix} REPLACE ME`;
+  let replacement = "";
+  for (let i = 0; i < toReplace.length; i++) {
+    replacement += "\xEB";
+  }
+  let bytes = certificateBytesToAlter.replace(toReplace, replacement);
+  let uniqueIssuerReplacement =
+    "ALWAYS MAKE ME UNIQU" + String.fromCharCode(gUniqueIssuerCounter);
+  bytes = bytes.replace("ALWAYS MAKE ME UNIQUE", uniqueIssuerReplacement);
+  ok(
+    gUniqueIssuerCounter < 127,
+    "should have enough ASCII replacements to make a unique issuer DN"
+  );
+  gUniqueIssuerCounter++;
+  let cert = gCertDB.constructX509(stringToArray(bytes));
+  notEqual(cert[field], null, `accessing nsIX509Cert.${field} shouldn't fail`);
+  notEqual(
+    cert.getEmailAddresses(),
+    null,
+    "calling nsIX509Cert.getEmailAddresses() shouldn't assert"
+  );
+  ok(
+    !cert.containsEmailAddress("test@test.test"),
+    "calling nsIX509Cert.containsEmailAddress() shouldn't assert"
+  );
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem
new file mode 100644
index 0000000000..344858e1fe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID7zCCAtegAwIBAgIUBd/A9SPEdfUGTxKTRoSskwSi2UYwDQYJKoZIhvcNAQEL
+BQAwfDEcMBoGA1UECgwTSVNTVUVSIE8gUkVQTEFDRSBNRTEdMBsGA1UECwwUSVNT
+VUVSIE9VIFJFUExBQ0UgTUUxHTAbBgNVBAMMFElTU1VFUiBDTiBSRVBMQUNFIE1F
+MR4wHAYDVQQHDBVBTFdBWVMgTUFLRSBNRSBVTklRVUUwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowgY8xHTAbBgNVBAoMFFNVQkpFQ1QgTyBSRVBM
+QUNFIE1FMR4wHAYDVQQLDBVTVUJKRUNUIE9VIFJFUExBQ0UgTUUxHjAcBgNVBAMM
+FVNVQkpFQ1QgQ04gUkVQTEFDRSBNRTEuMCwGCSqGSIb3DQEJARYfU1VCSkVDVCBF
+TUFJTEFERFJFU1MgUkVQTEFDRSBNRTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x
+nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM
+wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF
+4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20
+yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx
+j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNRME8wTQYDVR0RBEYwRIIeU1VC
+SkVDVCBBTFQgRE5TTkFNRSBSRVBMQUNFIE1FgSJTVUJKRUNUIEFMVCBSRkM4MjJA
+TkFNRSBSRVBMQUNFIE1FMA0GCSqGSIb3DQEBCwUAA4IBAQAKUSa8BdHwFUeuwcIx
+zjUMm3VfByLFQ1bGMPzH8oZ2iYPEuna+2yWgMt1PyqKlRu6LUFbxDhS1zyNdHmTE
+IgZ5L7AqA92pi1NNHJdMPJx5Pm2S0YzvTGoJMiU+btqykWq1YA4qviVFJC41V7mF
+ykgLl31W+5EOT6H3kPwFOa80s5u7PdtNZ18M9rRX36fP1W3vBLd9QUlEyKlJBwNf
++bLIQF8LbG4R5DbvinZufeMa6CQLQI1eot9WzBYddIzJVVJy04RBiCnZhZjdow1t
+j3daswBkJDX0kEPlW707yXHrLQhlI8imTYrEXCO0u9+n1NmRqD0eNhNEqdjAAgpC
+5PAD
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem.certspec b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem.certspec
new file mode 100644
index 0000000000..6579ac5550
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/O=ISSUER O REPLACE ME/OU=ISSUER OU REPLACE ME/CN=ISSUER CN REPLACE ME/L=ALWAYS MAKE ME UNIQUE
+subject:/O=SUBJECT O REPLACE ME/OU=SUBJECT OU REPLACE ME/CN=SUBJECT CN REPLACE ME/emailAddress=SUBJECT EMAILADDRESS REPLACE ME
+extension:subjectAlternativeName:SUBJECT ALT DNSNAME REPLACE ME,SUBJECT ALT RFC822@NAME REPLACE ME
diff --git a/security/manager/ssl/tests/unit/test_cert_version.js b/security/manager/ssl/tests/unit/test_cert_version.js
new file mode 100644
index 0000000000..5bf8dd180f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version.js
@@ -0,0 +1,304 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests the interaction between the basic constraints extension and the
+// certificate version field. In general, the testcases consist of verifying
+// certificate chains of the form:
+//
+// end-entity (issued by) intermediate (issued by) trusted X509v3 root
+//
+// where the intermediate is one of X509 v1, v2, v3, or v4, and either does or
+// does not have the basic constraints extension. If it has the extension, it
+// either does or does not specify that it is a CA.
+//
+// To test cases where the trust anchor has a different version and/or does or
+// does not have the basic constraint extension, there are testcases where the
+// intermediate is trusted as an anchor and the verification is repeated.
+// (Loading a certificate with trust "CTu,," means that it is a trust anchor
+// for SSL. Loading a certificate with trust ",," means that it inherits its
+// trust.)
+//
+// There are also testcases for end-entities issued by a trusted X509v3 root
+// where the end-entities similarly cover the range of versions and basic
+// constraint extensions.
+//
+// Finally, there are testcases for self-signed certificates that, again, cover
+// the range of versions and basic constraint extensions.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+function certFromFile(certName) {
+  return constructCertFromFile("test_cert_version/" + certName + ".pem");
+}
+
+function loadCertWithTrust(certName, trustString) {
+  addCertFromFile(
+    certdb,
+    "test_cert_version/" + certName + ".pem",
+    trustString
+  );
+}
+
+function checkEndEntity(cert, expectedResult) {
+  return checkCertErrorGeneric(
+    certdb,
+    cert,
+    expectedResult,
+    certificateUsageSSLServer
+  );
+}
+
+function checkIntermediate(cert, expectedResult) {
+  return checkCertErrorGeneric(
+    certdb,
+    cert,
+    expectedResult,
+    certificateUsageSSLCA
+  );
+}
+
+add_task(async function () {
+  loadCertWithTrust("ca", "CTu,,");
+
+  // Section for CAs lacking the basicConstraints extension entirely:
+  loadCertWithTrust("int-v1-noBC_ca", ",,");
+  await checkIntermediate(
+    certFromFile("int-v1-noBC_ca"),
+    MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA
+  );
+  await checkEndEntity(
+    certFromFile("ee_int-v1-noBC"),
+    MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA
+  );
+  // A v1 certificate with no basicConstraints extension may issue certificates
+  // if it is a trust anchor.
+  loadCertWithTrust("int-v1-noBC_ca", "CTu,,");
+  await checkIntermediate(certFromFile("int-v1-noBC_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee_int-v1-noBC"), PRErrorCodeSuccess);
+
+  loadCertWithTrust("int-v2-noBC_ca", ",,");
+  await checkIntermediate(
+    certFromFile("int-v2-noBC_ca"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  await checkEndEntity(
+    certFromFile("ee_int-v2-noBC"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  loadCertWithTrust("int-v2-noBC_ca", "CTu,,");
+  await checkIntermediate(
+    certFromFile("int-v2-noBC_ca"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  await checkEndEntity(
+    certFromFile("ee_int-v2-noBC"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+
+  loadCertWithTrust("int-v3-noBC_ca", ",,");
+  await checkIntermediate(
+    certFromFile("int-v3-noBC_ca"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  await checkEndEntity(
+    certFromFile("ee_int-v3-noBC"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  loadCertWithTrust("int-v3-noBC_ca", "CTu,,");
+  await checkIntermediate(
+    certFromFile("int-v3-noBC_ca"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  await checkEndEntity(
+    certFromFile("ee_int-v3-noBC"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+
+  loadCertWithTrust("int-v4-noBC_ca", ",,");
+  await checkIntermediate(
+    certFromFile("int-v4-noBC_ca"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  await checkEndEntity(
+    certFromFile("ee_int-v4-noBC"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  loadCertWithTrust("int-v4-noBC_ca", "CTu,,");
+  await checkIntermediate(
+    certFromFile("int-v4-noBC_ca"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  await checkEndEntity(
+    certFromFile("ee_int-v4-noBC"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+
+  // Section for CAs with basicConstraints not specifying cA:
+  loadCertWithTrust("int-v1-BC-not-cA_ca", ",,");
+  await checkIntermediate(
+    certFromFile("int-v1-BC-not-cA_ca"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  await checkEndEntity(
+    certFromFile("ee_int-v1-BC-not-cA"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  loadCertWithTrust("int-v1-BC-not-cA_ca", "CTu,,");
+  await checkIntermediate(
+    certFromFile("int-v1-BC-not-cA_ca"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  await checkEndEntity(
+    certFromFile("ee_int-v1-BC-not-cA"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+
+  loadCertWithTrust("int-v2-BC-not-cA_ca", ",,");
+  await checkIntermediate(
+    certFromFile("int-v2-BC-not-cA_ca"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  await checkEndEntity(
+    certFromFile("ee_int-v2-BC-not-cA"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  loadCertWithTrust("int-v2-BC-not-cA_ca", "CTu,,");
+  await checkIntermediate(
+    certFromFile("int-v2-BC-not-cA_ca"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  await checkEndEntity(
+    certFromFile("ee_int-v2-BC-not-cA"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+
+  loadCertWithTrust("int-v3-BC-not-cA_ca", ",,");
+  await checkIntermediate(
+    certFromFile("int-v3-BC-not-cA_ca"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  await checkEndEntity(
+    certFromFile("ee_int-v3-BC-not-cA"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  loadCertWithTrust("int-v3-BC-not-cA_ca", "CTu,,");
+  await checkIntermediate(
+    certFromFile("int-v3-BC-not-cA_ca"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  await checkEndEntity(
+    certFromFile("ee_int-v3-BC-not-cA"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+
+  loadCertWithTrust("int-v4-BC-not-cA_ca", ",,");
+  await checkIntermediate(
+    certFromFile("int-v4-BC-not-cA_ca"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  await checkEndEntity(
+    certFromFile("ee_int-v4-BC-not-cA"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  loadCertWithTrust("int-v4-BC-not-cA_ca", "CTu,,");
+  await checkIntermediate(
+    certFromFile("int-v4-BC-not-cA_ca"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+  await checkEndEntity(
+    certFromFile("ee_int-v4-BC-not-cA"),
+    SEC_ERROR_CA_CERT_INVALID
+  );
+
+  // Section for CAs with basicConstraints specifying cA:
+  loadCertWithTrust("int-v1-BC-cA_ca", ",,");
+  await checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess);
+  loadCertWithTrust("int-v1-BC-cA_ca", "CTu,,");
+  await checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess);
+
+  loadCertWithTrust("int-v2-BC-cA_ca", ",,");
+  await checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess);
+  loadCertWithTrust("int-v2-BC-cA_ca", "CTu,,");
+  await checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess);
+
+  loadCertWithTrust("int-v3-BC-cA_ca", ",,");
+  await checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess);
+  loadCertWithTrust("int-v3-BC-cA_ca", "CTu,,");
+  await checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess);
+
+  loadCertWithTrust("int-v4-BC-cA_ca", ",,");
+  await checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess);
+  loadCertWithTrust("int-v4-BC-cA_ca", "CTu,,");
+  await checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess);
+
+  // Section for end-entity certificates with various basicConstraints:
+  await checkEndEntity(certFromFile("ee-v1-noBC_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-v2-noBC_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-v3-noBC_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-v4-noBC_ca"), PRErrorCodeSuccess);
+
+  await checkEndEntity(certFromFile("ee-v1-BC-not-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-v2-BC-not-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-v3-BC-not-cA_ca"), PRErrorCodeSuccess);
+  await checkEndEntity(certFromFile("ee-v4-BC-not-cA_ca"), PRErrorCodeSuccess);
+
+  await checkEndEntity(
+    certFromFile("ee-v1-BC-cA_ca"),
+    MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
+  );
+  await checkEndEntity(
+    certFromFile("ee-v2-BC-cA_ca"),
+    MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
+  );
+  await checkEndEntity(
+    certFromFile("ee-v3-BC-cA_ca"),
+    MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
+  );
+  await checkEndEntity(
+    certFromFile("ee-v4-BC-cA_ca"),
+    MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
+  );
+
+  // Section for self-signed certificates:
+  await checkEndEntity(certFromFile("ss-v1-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+  await checkEndEntity(certFromFile("ss-v2-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+  await checkEndEntity(certFromFile("ss-v3-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+  await checkEndEntity(certFromFile("ss-v4-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+
+  await checkEndEntity(
+    certFromFile("ss-v1-BC-not-cA"),
+    SEC_ERROR_UNKNOWN_ISSUER
+  );
+  await checkEndEntity(
+    certFromFile("ss-v2-BC-not-cA"),
+    SEC_ERROR_UNKNOWN_ISSUER
+  );
+  await checkEndEntity(
+    certFromFile("ss-v3-BC-not-cA"),
+    SEC_ERROR_UNKNOWN_ISSUER
+  );
+  await checkEndEntity(
+    certFromFile("ss-v4-BC-not-cA"),
+    SEC_ERROR_UNKNOWN_ISSUER
+  );
+
+  await checkEndEntity(certFromFile("ss-v1-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+  await checkEndEntity(certFromFile("ss-v2-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+  await checkEndEntity(certFromFile("ss-v3-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+  await checkEndEntity(certFromFile("ss-v4-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ca.pem
new file mode 100644
index 0000000000..e640e32bbf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUR09v04QlrQMgLL9A9x5Lis3g49EwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAsGA1UdDwQEAwIBBjAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBYoi35Dp3gNfLJAi4Gk2GwxCie
+kk5hUcWiM7wAttc1NTH3PU7lzcnmkL4Fn0urD8DpYr17Fzd3LMvPTcvc/fHgl2R9
+uxXEvS38SCuAq8gfEraHy9m7w+J11SBA8PsnZqNJSDdGblAjNXbv3yeAIjI22+rE
++gUEd+62kObnUYoPC6tX/kq7uJU1h10jjoR1nYrghij6yRM5ozeqbl/AEam1YgnU
+RZWRSnsP5g2QDrpwlpOxAQZxpwW2KYk+Jr1uFROsbn/cUbMRLg8pwAw3DasmIJlS
+31oldY5nuSACsBWcJW1Cck5h2+PJqT9SfP9AqtPWF1BMUjC4xiCV0W3NVKLf
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ca.pem.certspec
new file mode 100644
index 0000000000..8689ef9ea1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem
new file mode 100644
index 0000000000..f5ba3ee376
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwDCCAagCFC+ZWtAQE8lVz0D4wb40yUfGwCkNMA0GCSqGSIb3DQEBCwUAMA0x
+CzAJBgNVBAMMAmNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa
+MBYxFDASBgNVBAMMC2VlLXYxLUJDLWNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxAwDjAMBgNVHRMEBTADAQH/
+MA0GCSqGSIb3DQEBCwUAA4IBAQAcgP1lvoA0169HURGT56n+WBBbjkGXuH5cmkhg
+BHZxU8AsonQl5T+IXRWNT/iyWVNlfvYTOZeWga5G42tvQxYsJ3nOg4Tg16b+Ny7p
++F9QFv/ggvVdiV9EF9ofy+0gY8Kp6h7sIfjqqjkRUquPkuFmsucYbpKHV66XB0z3
+VKHwZxBWkOgmHOeCuY8+7eVrhntDOuLD5SHwN/NPBQy0CLppN0T9rPJ8rMZ4BGsk
+NCakLrw2hISVBajKmcFtdEYPZ65PCuJI24ziDPhGlc2lTkjocf8Ixg4V881Lqy3x
+rWkR5qu1OoMM6oWzXw+0YunB8bRuP4/tBJDVpvu6xBqkgGKv
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..4570e6e3ff
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v1-BC-cA
+version:1
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..9815e5e13c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwTCCAakCFCXWLDfdUshis2BR2AOx1Wx0Pe4/MA0GCSqGSIb3DQEBCwUAMA0x
+CzAJBgNVBAMMAmNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa
+MBoxGDAWBgNVBAMMD2VlLXYxLUJDLW5vdC1jQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMNMAswCQYDVR0TBAIw
+ADANBgkqhkiG9w0BAQsFAAOCAQEAmOBNxj3ggsPlL425Fdsnlwg9xe+YGYrQ+qDx
+gXgQypAf9+A6PzJde3x0todPYShaItrpUkkqq+65y3PFQ5/Cx4JTSuLZowx1US3D
+TVCTr8zPkx44+pFsPpVo/H46ntgTdJzeGxy4CLwRuzfCwE7xDXu4RGWG6HJ0H4H0
+BQQQoY+PZwjQKzV8ac+mO7zXxEA9KG+J0whj89x6Ps31Oj5wsQb6mt5M1KzihzLe
+yJMc2J/d0xj0NN/mxjFyeu2gg5efJgByZgCs1oGImlvrV8mll6zNazGwIzAEjOv7
+qFlzeX8fnowEZkYjt655nzH6qV51D5Ml2KPanMUdwXwttsgJ9w==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..f4257841fe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v1-BC-not-cA
+version:1
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem
new file mode 100644
index 0000000000..276596cf8f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrTCCAZUCFDfaJVmc86Op+Njp91sQs3VibqnjMA0GCSqGSIb3DQEBCwUAMA0x
+CzAJBgNVBAMMAmNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa
+MBUxEzARBgNVBAMMCmVlLXYxLW5vQkMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9
+sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5
+TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7
+xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd
+tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l
+8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEB
+AKNZOtDY6VR1afUmrbxsYNmSlbJfDH1Wf1yW1mGlEaaAt+2jCwq4XQe+WydH+XNY
+1hF6qB8Dfv6BjHtz3mDlEurO8OQLzbEsCjoHTsC2k7xBX5AqjgLOd7VXTw+nkWpl
+KS16AGoFwWwJoRiqvRIN7QmrL4+VTy9qiMjW/xQZpJRjgclghsyD1ftuS8MO6CFA
+Xl8H10FX+iLrQ1vVZEpFvawJsaPqpP1Q/aaUbuVFOdl9FdO/AoYg9T4OoNMuVAri
+1EdM0PJ2fLuBZEfGu0Xzfx3DQMGTGY3b+rbXXsAvKDY7Lz2uH3QQ3dV8u/A/ziXR
+4CuNiCfPf9ln9nYZryvPhTo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..48fe9e5416
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-v1-noBC
+version:1
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem
new file mode 100644
index 0000000000..d0f8108576
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxTCCAa2gAwIBAQIUSfJg0GeqJHFEX50dYSwtSQ3bMKowDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFjEUMBIGA1UEAwwLZWUtdjItQkMtY0EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAA+oYLQRft2MQcjzbocFjcHuOtGLN2zd
+h/VRTr6kdHVUlTWGxPAlbbMQebdqxrkOs7z7AUdXND4ByKTtNEuQPr+wXwwXSTE3
+iYjViklkaO/90FwPXCY0cKPP3Wlr+dU//+ae8MHxUgITiz1pSaCxpn+aWNuT0YEh
+OyPHJp604kUXsaS/tnh9Gs+PcUnbzDdajbsCgKHoxtjMJWvYzr7AbHxmZdNJj5+s
+oayWjkj57NlX3fSRPLwcLoLanp7stBFXQuYdUdHBxPo4NJvCePu+qX9dKRfs8iOh
+QX/C7/hznhGYCmr+bwA5vDP2/hlaXVY3Y86QVtSxjfzAR8FipCk7Csw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..f714725d2b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v2-BC-cA
+version:2
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..70137183e2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAQIUDxDa2ifUgdQYpJ8MdfEeYRaJsdMwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowGjEYMBYGA1UEAwwPZWUtdjItQkMtbm90LWNBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNV
+HRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCddjVLxryXnecJPMqSm0jUBYLnM+AK
+Rq6/2mzN4RpEVWZp6GNnWYzmONMwJ6wtGVgARfg0FuBONBzNtHxpdLcbia6wajf0
+/A9FZ2IA6TmEDt9iBQQYphczJquzzrPU1ST472ueH9ugSWm6CV2a8tWZTqpADewy
+waivrK76PCatnMHWZy+h0QlMStf5j9mvEXydnDVZtyqH28THAHOfTyseEBdkl+VI
+rJ/mnuK6toyJRJOEajDPfhJveAu8Xc139qWrC79P9Tp82eqNLZxfIEBh20eNYxSk
+PFkDwGE+pmEQEpGuIrFBR/e2vZTQJ6OTNhWxG8JriY58UlIQ1kACWw7y
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..db72288814
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v2-BC-not-cA
+version:2
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem
new file mode 100644
index 0000000000..f2c644ce6f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsjCCAZqgAwIBAQIUXbeigSj410bH6jRhgrqYja0GpzowDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFTETMBEGA1UEAwwKZWUtdjItbm9CQzCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsF
+AAOCAQEAuDsqRa2nVMQ97V4Tf2WevBu+k7ZhcIaW68a5tlKLEKhx6/eGSSGeij4m
+OeBOyFOr885Y/Kkhd+aHEefJV61HcgHYNDkRAcEFg6WRDwoto3u06wlqDt4hWr5x
+I/gRPudZ702Mw4trcwXljvm8lKYOL1O79Ic9kbqpCoIdFRbf2n+mMwqf/z17Lis/
+TSQTmYwO4lMDqv2XJ4a+DAyCItLvlAUsWukWEyHY9RUaKS+flqwLB6w5nkM8enI0
+oiqxEeSgn0DwnSEyLzb8bjybErM+qnDjmRPXN/w9lkpzs6LhhP+YY1eUhlw7JRJO
+EHESM9OVGl3i60Ed9U2vNPgwqciqbw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..cc304ab87e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-v2-noBC
+version:2
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem
new file mode 100644
index 0000000000..8b9056a167
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxTCCAa2gAwIBAgIUc98+jTM4qNvfdiHHTt3xeTnklo0wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFjEUMBIGA1UEAwwLZWUtdjMtQkMtY0EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGPnZLZtuRfQew8WQGlkkLGRBVLTqudE
+eGIVRcAMToZ8clV5nFTRJd8TDPJtEnJq7JuVzKXwYyibfd1jGixewFSs1NVZqshN
+Twx+FSQCoWNTrH1g09hhJDKDYZAIl940Jfp3tI9dmLDAT6eJK7MtfocJcnfJT++X
+6OXE9CzwA+jNoqEhPXjmPa41SMpAgr0lLviONqy0sUjUy6Wwd/Awi3BsV7pgkInb
+59hTTWaxwsIVXr8d5uXvxNvXiTFRmxAsF4EgF/OR413gel2cR8ERy4GLp7y044AE
+7NaFQoeto9yW3IpYr3fvmyYbMLPXdQcv7OPvolLgN9756qU73BaYhwA=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..6f69c35743
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v3-BC-cA
+version:3
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..c909ceae66
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAgIUZbMh4u0fW5ML6yh8z8pbXjOe1VEwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowGjEYMBYGA1UEAwwPZWUtdjMtQkMtbm90LWNBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNV
+HRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCYkQCEZnA8CNk3m3GRWOmmfSHggAEg
+DPhdb/lD5HPuwk7mZvlmVWuLzL7KkbNe71lGcDxH9/az8loi/3F+qPtTAQm0dIv6
++PMeJ9M81FrrL9QOlt1g6oD2H3CpeBmPXTZhw8BrY8G5vOazqng8BHv5HhDu64U2
+tG0uCynb/9DP0JyZykV9l8r8c4Tsz2xFAMfbowricN3kNoeV0WLY9NL7T3iBa22+
+mSVUVfVb6JgX59hkupfq6ykSWy90aHpHvOYGvnxAp+r31ddwGAix9FyebSNNQn80
+YfMR6qlPWwTqe5nVGqEdQ4fTg+qC93OqWtcDJrXshB3j415ubudwKN59
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..4a9de06358
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v3-BC-not-cA
+version:3
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem
new file mode 100644
index 0000000000..b5c0319790
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsjCCAZqgAwIBAgIUAQDoVGw+r6lNT2b+jJm2+epsWHcwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFTETMBEGA1UEAwwKZWUtdjMtbm9CQzCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsF
+AAOCAQEAGpZrWuH+x+qgSsl+EtFBQ6dlKN1w481HZlxA9UEXLqcV4ePHpdu0gb2p
+nIlDxJDCIbPmsmh2NkiwrxtW+UO7Gee2qSJx+HzTbDU4Zf61AdzrSLy7UXeAa/Db
+HoVqGZ6SY7HRfUZSwHhNjUhxemp7b98HCQWn8lIvkcDrkXRpaQUWd1slyEA3VNem
+EXVbjybmuoO60Xka65CSSg3B8+UY/fhYONh6UvpyWLc5N+qoMEywqvSCB8vNPcmw
+fVr8AFzvWQ0XKT5YxUtPZvAcreC0lUZXIF41us5JVbx7eX9GU5/viguxOUTj5W4B
+jyLS9tyap1ysIq3sPPlXW7S1i1pmXA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..9d385900f0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-v3-noBC
+version:3
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem
new file mode 100644
index 0000000000..d780e80fcd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxTCCAa2gAwIBAwIUCd37312Tb5EZpix3723WyR6xMJUwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFjEUMBIGA1UEAwwLZWUtdjQtQkMtY0EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggEBALC4++IlQxFJcpwHvCdfQ7DjwM579Sn2
+/QRXYfA4UnHWzx5GCggoMPnyvI70hbYXNZvsOg4fkk/wY4vLYblGPYY3NRB51DAr
+2udwFlqnMhHLwzGntRWb7Fvnug0f9GCjD6+CI8sfamlTBg33JDT/LQUB0+7Pwih7
+6kxSr+D4TXxDZkCcn+imjA2y6t90jl09Gyaxj2fGya1Tz3O4F2dhUlhD+Z1VyGSO
+WeMCDMJq0HlHymc2C9NJa+l8mxP3ZhAhCkquz98l9iNi8feKET3Mor1QkZQrw4iX
+EztBsqyMP7TZJrzgzNVQgdM67gj670qOOlYDG0fftJkPhvwUtUzGJIQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..1f44c1dd27
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v4-BC-cA
+version:4
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..580730ead1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAwIUf14/9bHAT4wfeg67o/l7Z6hx1RIwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowGjEYMBYGA1UEAwwPZWUtdjQtQkMtbm90LWNBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNV
+HRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBa8RvfZI03C2soSzVOamYtjem/rQ9c
+sCUr5b/twKBFUxFWPPeM+zQbLjKwCVMKfhOrBddqxiWtBEXoeDgGN4Hz7dYtedQY
+yZXrBHFx8NTkP1hu7ZLH6/Wmq8pIY1clVkCW9BaN/VrooivYDVT9FAQ3Olmb7ndY
+WpG/HAJtvLI0IvFq4AzMXa0zJJFOzWd+zeYFkizdEIeWTd9blb70czeru3hf5NwO
+zxE4bsKgWXO9hRaJwdb6STlit2BVtx8mMOibJn852IZ0tECKRGlTLJSC2Pz2kk67
+dqRTLC4ys09cGT/wQbE9nBYqdRD46LeSYnxBLlPaJZ8tJ3p82VK8I+ob
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..e9659153e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v4-BC-not-cA
+version:4
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem
new file mode 100644
index 0000000000..685d2da6b6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsjCCAZqgAwIBAwIUaR0hFbbBz1XsN9CW31yoUhYk7k0wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFTETMBEGA1UEAwwKZWUtdjQtbm9CQzCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsF
+AAOCAQEAcWHh1vTXippkY8F4flCD4/4S7e6X0hr/WKPPpQGWKMDUyTBp5bvlSlJo
+CQnceIqJ7PW48tEhSv7XjCFYAtrJaN+I5ttP+RvhWk7CY8bZFH469PWMKiEZQrR7
+CJyk1LBX3zDRbRRweT8h0DuzqcHqFXE9J+DEfYue/Y0ZMlly3u9NAFiFj+etyrX7
+zm9cG3cc1AVbnQMC0tAyJnbepwj1QHDbxDGN1UBI9SlUW9FolPBJzgtNuLMiY/VX
+B8SfNGvTm5nvHGrL+tp0jp32ufCtwT/DGp4jasa4vG3gpD7l91SoIx3W0cKJuclB
+/dTVAfLtVNFvJWV6J5FdrHiPzufHNw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..19229ba766
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ee-v4-noBC
+version:4
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem
new file mode 100644
index 0000000000..e7c3b79420
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtDCCAZygAwIBAgIUVWOyeMgSib4O1LKG1AJMZEOfA5EwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMaW50LXYxLUJDLWNBMCIYDzIwMjExMTI3MDAwMDAwWhgP
+MjAyNDAyMDUwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB
+CwUAA4IBAQBhWnPGcosA9XFiil1ODUfKcRa6J5Pp3R/n/tdp7XZFauH6q512f4wy
+23L0zJhhov7dJdnI+spAuXcsKR9rDFYximIGUSjYPoJmGTdemTW60ddF3DjLYZvf
+BJJQyZMn1zvlJE73G24vZK1FNP0u0zRQvKVPt3/OFwE906AysPk8waodm0fMjCgu
+rRWcX0HJcnYj+LCic8/hiNypu/z4eES136pkpzegh08fOS9NmTERXovIMOEGKLzq
+2nGX4qR/q78kbM1T79Qv0RAqz/BWTrrf3HOwtguQ4LqM8wRN4xeyEqfvzw2I5tSt
+pGJtVfIXSwWoC7oVw1rgRdPOmzVyXMI2
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem.certspec
new file mode 100644
index 0000000000..6a7dc5c436
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v1-BC-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem
new file mode 100644
index 0000000000..41206cae7b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuDCCAaCgAwIBAgIUQxRBwJhxMEAFMa7BzkaZKbkhuoQwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQaW50LXYxLUJDLW5vdC1jQTAiGA8yMDIxMTEyNzAwMDAw
+MFoYDzIwMjQwMjA1MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG
+9w0BAQsFAAOCAQEAVNqzFe5ctks0XWw8TEF8pasaXlMvpB8KTAJAr2Qamo3eyS+r
+Sj9di81UA6ty83yKcUQgxaAcE+1K39vynS2/uMdOycbOLrfA/bEDqtTYxL86LvRS
+5nzbk1gfq2HfMt5Y1EpRAJ+loOKynLGnuJ07Q62unUtMf5G9BXKbkQ90s4tAhVh5
+EWTdV8Yj9loI1TqkjXMFGUAMhMh/dSvdbQib1z0ikJtGHmeIwbs6sZzLt+9IHABj
+xFBgjrveLBD5vKvGmno3BN3lqzlU+KaQ8HJmYRX1VP1sancFbGFWWhdJpcBPVRkV
+0uiOvCLHBfGA6TN1XhRwgMwSUr+1Qh36sov0jQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..639f83d660
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v1-BC-not-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem
new file mode 100644
index 0000000000..31f154b29b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUSZxrSB1ASCb/9OLKTfbXvWhu8oMwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLaW50LXYxLW5vQkMwIhgPMjAyMTExMjcwMDAwMDBaGA8y
+MDI0MDIwNTAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAF2GVw1iaU9gHhCPgZVZlAOb6O5k507/xrT2SdYiRkFQaHfH9iL2l5aL
+tQ+gQNH4BY3fUyxIR0wOKR2WUiBKBFPzvgZYzdajTzd1Cwy8F4v4hvCkx8T9dY16
+UE0TRSM7M2D+UpelJ/c8k2EzbBdeeNs1LR1XEGqVFUoTb0voFVgPb4ZnpSw+36wc
+v2kZaZjxPJOkoNcif3kuGbp0RVZW9zG0LVfgsZTyfczWmMdpdVCXVdXe4cJ1wAxy
+kQUGPMjv6xUXMcawgOLvT7JmX+9hQFkqidP2oR7eU8bGX8Kc9mFtJEG3I+xmcig6
+TbgPEBsnRfM8KxHcZpnxeKsRAP3msoo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem.certspec
new file mode 100644
index 0000000000..d704f3086d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v1-noBC
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem
new file mode 100644
index 0000000000..3948a89f26
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtDCCAZygAwIBAgIUU/Jvq3MSz1uQv7XntCtIuprX+bMwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMaW50LXYyLUJDLWNBMCIYDzIwMjExMTI3MDAwMDAwWhgP
+MjAyNDAyMDUwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB
+CwUAA4IBAQBFv3t9QETpW/vJYCDwA6xAUS3h68J+0pwHhq/dVsart/cgsC8LzHhG
+bOJUKseHitl0gHjHiH50dkuzKzjH2bfrG8a+t3J46WnmxDEJP09viwRZYyxufSzt
+eX4+P+Z83ByRdqoIPFzd5ytWRo97oyZemNz3a3pU7bsbytYq2nIjCOAVAWxnIS2Z
+LPaQhEaQTeZ8hkHOlgQzAWAo5ncgVtmlgy4B6ObxDrHMMRG76rG96enCkrtxmqTm
+CjNyMC0Kim0q5rli6V7CV5hyF4V8/k+0uAeYFPboTHXOC7qY/1Kuer7BMejwEYOh
+uaYfipGohEbIYJGPgqf7wVFsZH+rsECZ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem.certspec
new file mode 100644
index 0000000000..5d3a65e650
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v2-BC-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem
new file mode 100644
index 0000000000..b8161aa201
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuDCCAaCgAwIBAgIUQ0aSCvyN3w9lBlcjtfY7MI+9znEwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQaW50LXYyLUJDLW5vdC1jQTAiGA8yMDIxMTEyNzAwMDAw
+MFoYDzIwMjQwMjA1MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG
+9w0BAQsFAAOCAQEAPFTPXlcnxZn3v2lA4XKkBMjgz6ofD2k3Q+9CBIPAQ8adsr2U
+k6J5bDHr0hZs3OTSjm4MvnkDPUXnz0TEaCkGPaMDJSm5Pc+QNz8mtFZ3LCU7kaXk
+eye/mgUyA6kzp9m+beI2bPFgs6yfNF1hJwmFLprfr8tAfhSRdG0Be1n2ZlxD5+JK
+m2VRUXuWfZk9zG2XEVH7aiIsdvsvP2LvisfpPVWG1UaMv+RytnGT3bwHB1qaTeEz
+QUriOWNRevenmHzRBAsepSUlNvejPrGh8kiGaQXA2TVUHMFxhn3nrG081cZnlBpB
+8MJmJXvgAciIbuOwA3EofUzjIgvRCbl6YoGIhw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..591a16aca0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v2-BC-not-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem
new file mode 100644
index 0000000000..e1f66e9e51
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUX0FaQnSAZBS9om1VZNfOrAUkAe0wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLaW50LXYyLW5vQkMwIhgPMjAyMTExMjcwMDAwMDBaGA8y
+MDI0MDIwNTAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAKwAvSfgc83j7dwYrrblbKrMEi/+XVeMuFNHnBh2HYvSInBbRA4Opflg
+EgGkh8X3X6cHemjTzNRqQAI1dsODNRgjigY1KJ3voiRWdasd4em/qBHtUr8yL3H2
+E8AAQKtHNzDimP5bYcf4ABibTVw9n6fRsmsP9WsQPafiyBOfqpu95ZBrc5xSCi/I
+z7QEO90pPoBmvmb0vDQnAZ2qrqXXRmMes+wDceWTQRz4aHErlmriyCbqI8jsFqDg
+IcuydsUzZXUxa9Jw2LAUEQ4uNnNXycOZrZYG3Y6EW9AmwkTT5mHGWdBlVVUfgPyy
+T7tC1iWYC10v6b2QqW6E5AlRjEMMa74=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem.certspec
new file mode 100644
index 0000000000..7f99393cf2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v2-noBC
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem
new file mode 100644
index 0000000000..6c037d9e29
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtDCCAZygAwIBAgIUZ4+j89wGn7o9vFoh7xjDTNgsTikwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMaW50LXYzLUJDLWNBMCIYDzIwMjExMTI3MDAwMDAwWhgP
+MjAyNDAyMDUwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB
+CwUAA4IBAQANK4s2ijXn8xh45oXq0QjgiWMF1QnA6egTC7uKlDk1BYHtW+hztq4i
+71dkmot4SOL6Qf7ar3HSmRl8HzFfD0uasf8uobH5zFfn9wImjs2k0ZFMl9rc2NVj
+adNi0fqZ6x6sAN49QAZzkwx9nwnUj7larBg7F0KYNEpQ3li44l7W9ZYR6A39pCmJ
+QSUOJLH2OZEelAn/Ys8gQBz6od6Csa3sYYZGxvzfe3XEsGGFKktZjJzlwrZq0wqn
+1hPXy9cj5LbwB28F1OuO9Xwqt2pNdNI6oMW0N/SnGL9bcJs6zH0HFO4o6oRtNUFn
+4uaz1Oxe4NjHmU1p3UEXwzuUs2eAOl9H
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem.certspec
new file mode 100644
index 0000000000..13af934f29
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v3-BC-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem
new file mode 100644
index 0000000000..386d5a0b6a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuDCCAaCgAwIBAgIUM0bo32+v9wg+ySb7JNgS9bNERjQwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQaW50LXYzLUJDLW5vdC1jQTAiGA8yMDIxMTEyNzAwMDAw
+MFoYDzIwMjQwMjA1MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG
+9w0BAQsFAAOCAQEAoZ1c9YGZvP5LfhC/PkgXr+ASbbfXpAs2ku/vLcVCx83/tf4H
+suQhyjyIJxwh73C4MvJLwhjhRN7wTbsGjcQdmFRsR4bFnFPSmtXbbkG9ZETo/fdX
+dRp8tOS73ZoqFNaO5f+9+CWFcMIE2WznMVruBXK3AfNZ2pxmT6hvYngpvoulHaab
+kTsAZhtGIlKZ50UgTfW9xo7vEREgFXU5aRptA20zjHC/jlzlrYA5FJNnT8Kb3h2d
+yVtan28mbtC8Chaytfhg/olwNyXmlugid1wZ1MyKq2aRXE4phvubhHhfVE19EQ7x
+0KAx2S5LmSIM6kPVX2A87G8asDPRIdE8JGq/OQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..8539715a03
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v3-BC-not-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem
new file mode 100644
index 0000000000..e9a5dbc060
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUYwcJlTtvWVYPYl8zRS5OIB6KHyMwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLaW50LXYzLW5vQkMwIhgPMjAyMTExMjcwMDAwMDBaGA8y
+MDI0MDIwNTAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAAZLo88i5xTVqbh2Q0eIlYQ3U/2wiCEt31iTlWIBegfemPs47yZszm6Z
+H/TEl6pw4sBBUmRRD8R/kFwqruJ3I83m83XgVv8wV6rxgQy+l/7vgS+9aRzwJ4rE
+I+jsYxtrCab/rQB+1ExmLfLM+SlyBu+pwyrJrhMCxfQ3YXftWdJ/OnuHF7HOQSgO
+N9mskwjAiJLgZkW4ncsJ9yqlmCMSCL954P+gZP+a7vh7t52/+Ye3QgqrzdW4njGw
+RTVXZv9WT0nutkzz2UN1LXe2YPACVC15Z2jAx0NE+soF/cv7+ABLbNi3cJ4xT2ub
+NJpF2DU/rhqYqRCNXKthPm+/HgxuygA=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem.certspec
new file mode 100644
index 0000000000..a65e41cea5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v3-noBC
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem
new file mode 100644
index 0000000000..68597d3617
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtDCCAZygAwIBAgIUJQnuCvzn6Cptf7mbf5euO8tqA6QwDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMaW50LXY0LUJDLWNBMCIYDzIwMjExMTI3MDAwMDAwWhgP
+MjAyNDAyMDUwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB
+CwUAA4IBAQA2iunDwwbF7DjKjXfY8TagUVcuYRlM0aR0NOWDJht7HGQ165jGvlbD
+tGFiV8LCttQ7mHIkM5petJQOijZ/WOE+TBOPdwOlGKI7LK64Dx0jD+STXeR8funZ
+C9oxou7BQTguKsDL8e+Vx3CiduJ//82yCvoiSOWKZNt2/XzMJVkXe2zwqjWJ1mZy
+eFM1R+HhmeTiElWHylyNmZu1rMQEvM8cRVT9T07BkUwe/Q1YNC2pssg8zWvsXlJe
+uyEKxd+rtbxXfZ2Ca5K6zoc03Da92DF/ZYeA1rr2jLfWlekcUUWyytQ1tvFpXX28
+wB9+G2j4ghLch847KX6jFvLloB4XAUsZ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem.certspec
new file mode 100644
index 0000000000..35a3a9ff36
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v4-BC-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem
new file mode 100644
index 0000000000..6459172a25
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuDCCAaCgAwIBAgIUP4CbTDW2dlD720iPom3sJdQk4i4wDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQaW50LXY0LUJDLW5vdC1jQTAiGA8yMDIxMTEyNzAwMDAw
+MFoYDzIwMjQwMjA1MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG
+9w0BAQsFAAOCAQEAADRGeHq/tJLPiJSuPdGLKRV06gwvSqynXeTGxuLouD37GAf0
+IH0JKP6zMKAo06am7YJxThwQSj+cdyEmR5fPcZXeJW25s05YP+CyY76J8Zevxu7I
+1E/lEPg9D0xOiwbN4LtlK8UXCCgkVJEkqqtcxaa2QNvUsdu9C4tpGz9NdYbfSFtu
+ItcfOH0mX0JqSwnYjaYys8FuP2xCTvCIY0iqUw3bJw8X5kvUrC/tOURl/vvAo5JE
+x/qqoJCZi8zYkF6FQ2ore2XH4WrovFRr0QHEO6iSPJwFFuBmHLBSZN+Qcb6lf0AY
+Im7gb1hJdEOqnICcEgwqRslVm6WduwjbrzQ9Nw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..7627d3a8a2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v4-BC-not-cA
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem
new file mode 100644
index 0000000000..e7ca4d52cb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIUMQUX3zZT021FdxR9n54rCz06Yq8wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLaW50LXY0LW5vQkMwIhgPMjAyMTExMjcwMDAwMDBaGA8y
+MDI0MDIwNTAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAC4Z3DsSJU8p7V/8G++ImlrraGiZgr1ORJkDA3CpOkWkPftYlQoY+fvD
+1GoJs5kLnhrhhchOatRvWVR+/y6QZPV5SVNydDzPl+c7vVesxjnN2sQmekCt5olS
+GI/UnTCFUNUA1Tdsi8rYN9wHjJuhbq82+1kvxPBT69rJ7YxEvQYi9qiEj1/6k5n8
+QSMImyp4wvr2QXgO8PcfThZEq4f62jH/tqqkk4UhN839N+R5v7n12GcS+/OfArDT
+XNr2KxiSZoApP3gDrEU4HEcltszfkBxhc/fjvHLqJdJvVlbNeY4TJxXHOtCEuG1p
+hGLFa63QwhnIaYfHRn8G1Oy+H2SZepk=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem.certspec
new file mode 100644
index 0000000000..a780337539
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem.certspec
@@ -0,0 +1,2 @@
+issuer:int-v4-noBC
+subject:ee
diff --git a/security/manager/ssl/tests/unit/test_cert_version/generate.py b/security/manager/ssl/tests/unit/test_cert_version/generate.py
new file mode 100755
index 0000000000..2afaace3b9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/generate.py
@@ -0,0 +1,93 @@
+#!/usr/bin/env python
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# This file generates the certspec files for test_cert_version.js. The naming
+# convention for those files is generally of the form
+# "<subject-description>_<issuer-description>.pem.certspec". End-entity
+# certificates are generally called "ee". Intermediates are called
+# "int". The root CA is called "ca" and self-signed certificates are called
+# "ss".
+# In the case that the subject and issuer are the same, the redundant part is
+# not repeated.
+# If there is nothing particularly special about a certificate, it has no
+# description ("nothing particularly special" meaning the certificate is X509v3
+# and has or does not have the basic constraints extension as expected by where
+# it is in the hierarchy). Otherwise, the description includes its version and
+# details about the extension. If the extension is not present, the string
+# "noBC" is used. If it is present but the cA bit is not asserted, the string
+# "BC-not-cA" is used. If it is present with the cA bit asserted, the string
+# "BC-cA" is used.
+# For example, a v1 intermediate that does not have the extension that was
+# issued by the root CA has the name "int-v1-noBC_ca.pem.certspec".
+# A v4 end-entity that does have the extension but does not assert the cA bit
+# that was issued by the root CA has the name
+# "ee-v4-BC-not-cA_ca.pem.certspec".
+# An end-entity issued by a v3 intermediate with the extension that asserts the
+# cA bit has the name "ee_int-v3-BC-cA.pem.certspec".
+
+versions = {"v1": 1, "v2": 2, "v3": 3, "v4": 4}
+
+basicConstraintsTypes = {
+    "noBC": "",
+    "BC-not-cA": "extension:basicConstraints:,",
+    "BC-cA": "extension:basicConstraints:cA,",
+}
+
+
+def writeCertspec(issuer, subject, fields):
+    filename = "%s_%s.pem.certspec" % (subject, issuer)
+    if issuer == subject:
+        filename = "%s.pem.certspec" % subject
+    with open(filename, "w") as f:
+        f.write("issuer:%s\n" % issuer)
+        f.write("subject:%s\n" % subject)
+        for field in fields:
+            if len(field) > 0:
+                f.write("%s\n" % field)
+
+
+keyUsage = "extension:keyUsage:keyCertSign,cRLSign"
+basicConstraintsCA = "extension:basicConstraints:cA,"
+
+writeCertspec("ca", "ca", [keyUsage, basicConstraintsCA])
+
+for versionStr, versionVal in versions.iteritems():
+    # intermediates
+    versionText = "version:%s" % versionVal
+    for (
+        basicConstraintsType,
+        basicConstraintsExtension,
+    ) in basicConstraintsTypes.iteritems():
+        intermediateName = "int-%s-%s" % (versionStr, basicConstraintsType)
+        writeCertspec(
+            "ca", intermediateName, [keyUsage, versionText, basicConstraintsExtension]
+        )
+        writeCertspec(intermediateName, "ee", [])
+
+    # end-entities
+    versionText = "version:%s" % versionVal
+    for (
+        basicConstraintsType,
+        basicConstraintsExtension,
+    ) in basicConstraintsTypes.iteritems():
+        writeCertspec(
+            "ca",
+            "ee-%s-%s" % (versionStr, basicConstraintsType),
+            [versionText, basicConstraintsExtension],
+        )
+
+    # self-signed certificates
+    versionText = "version:%s" % versionVal
+    for (
+        basicConstraintsType,
+        basicConstraintsExtension,
+    ) in basicConstraintsTypes.iteritems():
+        selfSignedName = "ss-%s-%s" % (versionStr, basicConstraintsType)
+        writeCertspec(
+            selfSignedName, selfSignedName, [versionText, basicConstraintsExtension]
+        )
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem
new file mode 100644
index 0000000000..4713680eab
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbYCFE/Qhor9ec3ELTS4N1BGKhj1nEShMA0GCSqGSIb3DQEBCwUAMA0x
+CzAJBgNVBAMMAmNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa
+MBcxFTATBgNVBAMMDGludC12MS1CQy1jQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY
+H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk
+27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9
+0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM
+kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL
+L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswCwYDVR0PBAQDAgEG
+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJCQfexxdv7+4MqcTMOj
+1keHx0hdsqx6lvRPatw3YgAyuaT6ZPWLfFZk+LF5uK6CpkMY9v5Cq3x0Le42vQZH
+5ekERe6JA87bJuDgndHUAde7UKYb1JIdomBBISQjS1yP46asX2a9s7Tbaa6rLrRH
+CCvGI6Gk6KK8l9CMUuMqWb0TxoZosfhz+Wn+Jw/gthcZXjxc+cM2XRCUe6G+NNa1
+EtvEujaOBlzF+XMESgm9MSp3E4tc0uWHcp+K0sA2Cq1CtC/NULUS0RgdFKfE7sc4
+5a9MpamgJ/EiCOiwoNGVwd0CxJEforr8nsRBT5Wlbkla6Q4VjFlYjiqTJ1QSXoOr
+Spc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..77f3ae9147
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v1-BC-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:1
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..d566d59e30
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzzCCAbcCFDmurlX239tmJzMSwE2yWclnP/YTMA0GCSqGSIb3DQEBCwUAMA0x
+CzAJBgNVBAMMAmNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa
+MBsxGTAXBgNVBAMMEGludC12MS1CQy1ub3QtY0EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGjAYMAsGA1UdDwQE
+AwIBBjAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQA2sZIPc4usxnbGoqze
+dBE+p3d+XcbH9gMfNBbmUl6XfKf+RZFcZuE7Jml1Uv+6Jd+nZdJDJaYJMPzbRRn6
+E8lTi7Ml5dCkmyRVJfmjuaec3IegrNcInau7ApNCidM6wPfcd+P7b3doh1qYD7l2
+NYOdNGik4yFqDgYVH7RghAYGKmJ1yvejqB0ulfNCJCXz2e+jxbgvMVm176wDxhi4
+yCmwvRWRi9byXpMmI6PqC2za4aZL3Ztb7uqyoa/CYEJQVZtS8OtDmpjru4bq9wlV
+RGhgg2zygpRsmBGim9LVIgWZVDehvJ8fP8cFsndVEQ03OrQohq827x2SkKoWurzU
+x1Qp
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..2a366535b6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v1-BC-not-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:1
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem
new file mode 100644
index 0000000000..2d63a43993
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICvzCCAacCFFlMGtxn81zLZeWwYjryulK7jFX7MA0GCSqGSIb3DQEBCwUAMA0x
+CzAJBgNVBAMMAmNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa
+MBYxFDASBgNVBAMMC2ludC12MS1ub0JDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAQYw
+DQYJKoZIhvcNAQELBQADggEBABIkDbeDGKocP3t3H8pcicHy57lHkPUqzOV5Qz4k
+K1py+SKGY7dn08rfts6L5GsNB4euv7TXt4CJvUxZfyv6V87ZfP5hN0si3YwDaBRq
+WmHtOQuyoEu3Gjagq5rvnM32YVV+2luA2LH3uKRyD+WWyY8OKekxCnNGpgG5CH/t
+tKujd2VQPZ++74rzI4zFLDEohdPJ+V/zYWHFcIAIXbKFnaFXOiDdps3+Wjm83uLO
+t8103w1lFRl4si1ilr++cnZdWw7KGY5pSi+XM5f3X7O+tF01QTBTB4oYHpR7aLMr
+KSun8GxhvE5N/im6BHW7MlwWg7/dCBcWFdVvoahLtpbTtEM=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..63bf6ed737
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-v1-noBC
+extension:keyUsage:keyCertSign,cRLSign
+version:1
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem
new file mode 100644
index 0000000000..ab3de4239d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAQIUdRNyE5Q7FT2TnlhkA3MFGPl8kHMwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFzEVMBMGA1UEAwwMaW50LXYyLUJDLWNBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E
+BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAeTnN/gKQj4Ke
+OTTweVvVugkfTU9BKBrqNGwarLQCznA7RHo+FvVKLjoY3Q+baHcK4EtO0u6SG9p5
+wP77QcvAmf2Zr3cnU5thgEPhn6GD3hpxDTH1Ai1i+5Y+kD+0AoDyXcAoDYYSOL8J
+XoTDeWFlKwUchWcVqr6T23dQk1ugYX2jSvozQJ92uTdk3xFqj3glhPEY/KmsiGGd
+WX9CWt9df/sw2fkCHWDTx4Uwa4f6bnu0YL/rHV5F/J3iHM0PN++vtLifyEJmwWh9
+pkLR79Pvd7eQelrdt+vcnUbvT9L/KdlUptcO4FWtlPE+hfkQdlSL0M9Wo+bsJTeG
+CekrPZWLOw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..ca1bf67a7d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v2-BC-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:2
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..e18ee2c0cb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1DCCAbygAwIBAQIUZbO+K3eIJS/mMdcdqWTFhjTgZYswDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowGzEZMBcGA1UEAwwQaW50LXYyLUJDLW5vdC1jQTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCwYD
+VR0PBAQDAgEGMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAHPwO/Xglbd7
+0tOHcMV5fgQOIPY1qXyG3DM/dYNYJ1+Ma+2F09nZjaOtJpUeSNJReTD6TNWFuNbH
+pcDge8qlQImjjM1CN7TIgefwY1riWqryJniX9mL0oGaZsRMWH8Ad2e44vAbG9yRv
+2t933F9LC9MjEHMhrLCaY/DRtA3Hbao1l+ykAOl/Y8M7AVQmscsyw+BKtAv10lxR
+ktTz0ksevwxGIBgx6MTJRFreY3JbCraJBdkM4RjiKhmXhmEjQS2+TRWTp0do030N
+FO9ELuo59+DMCf8hZi33IlekAfda6qmtuIxBg4USLKhoF0KAa+KnIIVY3G17zO94
+VnA8/fR5uJ8=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..fc28ff150e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v2-BC-not-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:2
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem
new file mode 100644
index 0000000000..8ef8e505bf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxDCCAaygAwIBAQIUUQLaY8ipGIlTLB/nSbAqMeW6VScwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFjEUMBIGA1UEAwwLaW50LXYyLW5vQkMwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQE
+AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAioRpOtyrsMKsL6Hty1aZ71A8VK6rccVF
+87ONK3VlT2PqrT9QW4RnVpyBgghPNqFTup9i/5SmC8Onva8beyRFj0zXThw0R4dg
+jEssH8l0a/kHZL/WYhrgIEjddoyoghcNKEldlzTjystlwSF19vjaAjIuyMXkz6vB
+sxZPybLUsku/Vadr6q+IgVQfbAnnKi4nlmju4Y7qcBDHSMNRyiSQ+UvCLYRqBp4P
+eJmNQ6CIveosdZHN0GL5TA2wwLaZPeg2dSIMyZZkJ3wZ8f9rUo+K3djlhBlsNbb8
+tnXTtF+V0Cuw1K27sUDwcpzGkW3KZOyTNChnNGeTRuRvL8atnovoiQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..2d3fe59ffa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-v2-noBC
+extension:keyUsage:keyCertSign,cRLSign
+version:2
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem
new file mode 100644
index 0000000000..020f8c95a0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUI1ybSEPY2poauHkhPwser00Xp/MwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFzEVMBMGA1UEAwwMaW50LXYzLUJDLWNBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E
+BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAOGTAs8e845vz
+QlLoD0fleQQZ2MXLA+/OrpWyzsN5ACv3PMShQs7TBl+/xxAu8lt2AvGso5lFsV8b
+0URtUP/X+nSrrKDFDx9g6A47q4XNpWeDESAWxJzigH2JYszzg/YtEdTcf78cIIIF
+rLvoohH3zobR95yMXsfbs2JSvYH3vzWDZV+cz0FyaUXw16e2KS0MnmIwP+37t6xk
+sJQ5bCoWQhg2vuanikOUoqvr3aFgoLJ0HjArk5rDAi7fX8/JuAWc3cIJufHUTlXD
+Q9t8x8dbmGk02IcNDqyzpTzyht8vWEkx3NeA+xalUdC7Q7ERK5RfnTGZE61NCP2t
+Hc/W4GT9Jg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..56fcb21a03
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v3-BC-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:3
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..84a3cb5aa9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1DCCAbygAwIBAgIUD4qSXNFu/c46+734YKWQ34JSbYwwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowGzEZMBcGA1UEAwwQaW50LXYzLUJDLW5vdC1jQTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCwYD
+VR0PBAQDAgEGMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAGScr4E0l8ED
+DTvqNg3LofHZhzXbcjnIMCtF0Lsm+bgD/lcakGq36EHfRe5lzYkCUJNYZdzhoEPA
+vusoj+SxXvmvGf0a58yW6m3Qm1nwIS3g93AA5QakNeMAKNqwNubLK2LCeaI7BUzh
+Q8rMOwskLjPe9dTVFWQc+w8xFwM3okYQQbwtwm8xJ/246RTCsN0bNDX3+stMy9q9
+cIJe3Qn4Ts/1MRdk3h9xmpY3gxP7Z1pAoVGR4rkw90ZHQgyVKZeewEl3FSH2MUNA
+0pAwdNCudoSrsVzWyd5/B8cdLzbaZX5K3+6/O2b7EYSxcLTwSxbhFFrzBchdr7gW
+6h1ZkGIuZ54=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..a2def8d323
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v3-BC-not-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:3
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem
new file mode 100644
index 0000000000..95da1f083f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxDCCAaygAwIBAgIUI2KYUx6IdZc7V+QOkPrR6lb8mB0wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFjEUMBIGA1UEAwwLaW50LXYzLW5vQkMwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQE
+AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAaeXb3bAjhYr/PTWrfsPEbafwF60e9iMB
+SIvCE4EgFkk4jVmnSsQ3x9gipx1j+7M0xIMPSvkC/wdK9G1gdUVg64xjIUoBy38h
+YP9Mla/4vThWkkOt/0LDqtVio26R89GKR0v1tLwOfSBGJtZIpzZmZeGfYhFQDKc6
+MioBkNO/2QGABwyTtzRBhirgm3Sr39mLO1LiAeX/9kZ8kx+RQ+rhb5zxkwh1J5Fu
+c53sY4bfssi1PZTCiqv1TunBNfCnUexSsryFVpt66nUmTFpxAFTF4LB0o2nxesN0
+MB6t/FCjQB4ohAjsDZFuvay20i39QeOdn1giiq8WKxkJ/1gJEJoghQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..b336397ab6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-v3-noBC
+extension:keyUsage:keyCertSign,cRLSign
+version:3
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem
new file mode 100644
index 0000000000..3a70fcb59f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAwIUf4EySk0lSBQJqR+4lgqvertC0zYwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFzEVMBMGA1UEAwwMaW50LXY0LUJDLWNBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E
+BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAaZBJSMK66toq
+1l0vfxuY8w6uwbged4tuAEZPtl8hA2I/E70HwcaFpphKZGC5W1HeCrUsooZpRJPb
+UZntyARmXdaTD3tUi85VUX2LnZ4OjmfATAcEHZixItQSmRrXRQrDOk2hwADrLRD0
+aH8dR23aE+pbZSvPt8Oj/0M0PMeyfYLjPwacyspMKBOKB2psAISnRqiRJidprhuy
+XDmYPaCMzw+cB5nFK3w6UJagxR6n9p70BQXaj5vodHpAsYDKHNmJzoUTewQhDjvu
+8IZ7IwwIQCkzBYD1hzgyv3iwos1Fdruo3HlUG3QrTlKRJWTg+uy22mjz2LkQTASs
+GtMjAMQoXg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..12b94e63a5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v4-BC-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:4
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..258edfd30b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1DCCAbygAwIBAwIUaRagMmDSJscXn/t4Oc6wCFBRsAswDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowGzEZMBcGA1UEAwwQaW50LXY0LUJDLW5vdC1jQTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCwYD
+VR0PBAQDAgEGMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBALc+XVxkZhVz
+jUck7fZy1tMh8WoDXjeVEg1nLC/ZR7RSKyJrsvqiz3lVgI5PHKEJTdX4GGUIduaV
+cqF5NegfOEIxbz1e4TIETyr6+bZpSyEY9+yRZlXViXYu3RN/06D7iRs+GiCRalD6
+LqWGka40hU2RnfTJMQl5vdKYRsEkgKJdDcy9siqtyy+N0q99qrjdgmEp9frvFOeK
+n+Z2A0q2dd4SvNJMjBuWOSDkf7OWe8ikG9a6/LuqvKTLKbSGPcn3kBBRWa50fhXF
+VD7zNYCEenOUkKtSEuOLjfCXkclq5E+2x6xevQzLhaq+YEn9eWIB1lkUKlIKRctH
+mMxi6abwwmo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem.certspec
new file mode 100644
index 0000000000..43a04f70fd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-v4-BC-not-cA
+extension:keyUsage:keyCertSign,cRLSign
+version:4
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem
new file mode 100644
index 0000000000..eb04abd1ac
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxDCCAaygAwIBAwIUHQVqHNDgKUKfLlJSssV/DtzK7n8wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFjEUMBIGA1UEAwwLaW50LXY0LW5vQkMwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQE
+AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAOlKR1lHnYxbIL/rDMu7L9iOV/r1rz2X9
+hD5cIsB21vlgGyX2Mgp5FqnzqdEwspUDkK37R0rKQx1RSERbgFSoGomTmkcoGcxw
+eZu7uURGGkhHCUxGa58LgDsbsRTJ8z6M61fC9bax9rTTSNdmwMoQ6RVNTeTcPBC0
+FuzC0IkKpTSRlkZiRiGsGmOboDdyJepopFNBdiiF4TP6h6R1VuG36wxWkuVjpmo7
+EjQATtHKW3hA2OUeG7MZ3uXfA9LB6J0YLeQx6RAtxJz3l8h1H6FLQqjHzZdpaqlz
+TiZK2iVAFwysASY934d3960AVXf6w7sTcm+VATUJ6FeyZqv+MHLzrw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem.certspec
new file mode 100644
index 0000000000..4970d1e945
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-v4-noBC
+extension:keyUsage:keyCertSign,cRLSign
+version:4
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem
new file mode 100644
index 0000000000..26d1e24ab8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbECFEm03vqIwHzrulQ6ThsgNEQPGQ1pMA0GCSqGSIb3DQEBCwUAMBYx
+FDASBgNVBAMMC3NzLXYxLUJDLWNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBYxFDASBgNVBAMMC3NzLXYxLUJDLWNBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxAwDjAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCxarz9SPSE3MKd2HcoDsHx66Cj
+VpIgwPpGRCNoagkknbjSunYdIIi2NDnMHIzQBD0ldQWh6up2fdXGeVVyvKfs9Nt4
+c8oodt2JpOh8F3HHYeXy3xCr/5CA7t+MUamcMrE7xsZ36ozbVMKHR6FmgQ+J62ht
+onoprRvwvwh/Q9RFC+oG4hC+M+PzDH+XXVXJ9tVsuOEPElb27sQATNr/msGfwNV3
+ly2KUdrexprB03HC/WxrkW82vJEqWBx2AtQ5p1VpczAcKW6hxknIE3aW/T8BAk+u
+BrVWnL/Dm2WWMAiMYLdp0/yB0qCVwBLbWxr1pyzvvI71ht/rQ2cLuFaMaWGV
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem.certspec
new file mode 100644
index 0000000000..731396f034
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v1-BC-cA
+subject:ss-v1-BC-cA
+version:1
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem
new file mode 100644
index 0000000000..58e32058f1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbYCFB2XtG2qFhxdho3Q01DnHGTK3Mn4MA0GCSqGSIb3DQEBCwUAMBox
+GDAWBgNVBAMMD3NzLXYxLUJDLW5vdC1jQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIw
+MjQwMjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9zcy12MS1CQy1ub3QtY0EwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
+DTALMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAEfB+j9e5x5l1ucXYQwj
+bIB2mGM0OmgN7gWjknyMNO7G48cydDPSay6OgX7yulT3TPNE+/p447hOo5LOeUSx
+om+pLouQ6YejxgFzmfpNyOz3E2wJpLhMTis0S2z/YlyHQ+jKPawgH80pgPMcWdIJ
+X/yz4whWW5XyELYsMR/M3wAhRK1KWgdDruZ/TvDhUkKmZWb5R2Q9fp1hqj88E8vI
+0tW74SjrTVRO+N8r9SvaXxtzJgKl3lBKE54JUTaCCCgNZfDFw4qJNy46KkbX9nQF
+rBCc5W7Ol3UvFRXCXFgvKWjKZNIs4+hHtKze9BnTN6P7qojv//6YPILPvtxRLBQu
+OSE=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..20d716d494
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v1-BC-not-cA
+subject:ss-v1-BC-not-cA
+version:1
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem
new file mode 100644
index 0000000000..897b2929d9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtTCCAZ0CFCtTEqIZaepqohtlFuKdl2gKmSgLMA0GCSqGSIb3DQEBCwUAMBUx
+EzARBgNVBAMMCnNzLXYxLW5vQkMwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIw
+NTAwMDAwMFowFTETMBEGA1UEAwwKc3MtdjEtbm9CQzCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7
+wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp
+k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh
+eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW
+EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc
+JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B
+AQsFAAOCAQEAl3uPUlywKxXEyN2YufvSbOK1YUXV0U50+Y7ForOzz4fkGagQ3JnJ
+0kxPSyKBv49f+NKPWQXpTQI18vhJCAsuKu91h26iPVmNpIpur9c80J0MuB9h7d/N
+OvnjU+mOZERvNjiMREKmf/iXc9muxD8m768uXLx9fD/TlVnNSGg3EB01xGdIYUVb
+4OeiYdRveU7tTHRYQm+7fDpvz0bsushAC/IP+gMVKr9L0cOi9Sm8kXYofF6KE9OP
+uqZubzychgdd8NeDFiZV+gKuzrFo+KDfZXgv7uPLsLXJTPrF4oa8K0f2o/7eodzy
+dCqgcGAMiG8RY99fj/wkr53PTeoyjmH8JA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem.certspec
new file mode 100644
index 0000000000..58d2f0d7f5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ss-v1-noBC
+subject:ss-v1-noBC
+version:1
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem
new file mode 100644
index 0000000000..a9698fa84b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAQIUccKKmvoyz83s/BA7Se0cmdaDyA4wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLc3MtdjItQkMtY0EwIhgPMjAyMTExMjcwMDAwMDBaGA8y
+MDI0MDIwNTAwMDAwMFowFjEUMBIGA1UEAwwLc3MtdjItQkMtY0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAO
+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKCYVHe7DQRTQ8bGEkSf
+WFzWfcbVaijFx7fxDP7bSQ8odxLQ6HL9+qFY7YFAdlYNtzxnd1/7Lq91nmRn0yqV
+W7KVCLMld9OsXMtrGZoA8BQ7AeiaC+UHjpdvNNkPVm4rMqutTTXzEfhlJ6sIYUFg
+CTmRpBrAHZiQy0KoUAyu+mAEYgoZoBITapgj150ScwHYDrZZRMHQyBmWtS9Y/vkL
+4mlU1k2x3vGp1OzEZ7ha/W6UKGj11vKYNH0wTJ7CFFOMWOybLnr47GkGvqYpM4AX
+baIDecJcHu83EIVbVolkEhPyxGpdKd6ooSulOx4kqvOUfpa3qmtK8L1mG0GhtB8m
+8EY=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem.certspec
new file mode 100644
index 0000000000..8dbb3a65ad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v2-BC-cA
+subject:ss-v2-BC-cA
+version:2
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem
new file mode 100644
index 0000000000..3962a757d6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAQIUJfSgjF/arNqPCRg7D0Wxb4V09DEwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPc3MtdjItQkMtbm90LWNBMCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3NzLXYyLUJDLW5vdC1jQTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAEj9uU+SGjK3L
+BX2rRLlAmmY2gqpFPvVaPyxFlmqsLOnr/1LYzT5oWGP0TA57WLNv5KG1oJK+Jgcy
+8kzVQvV3y/nMjYLF+JmPiNwkhZgHtjLuEpymjGtmqPQ1xyPRHz9tJwpw06HTcSZB
+QgOY8gbAThJUyXS4/2ScOnSCyHXA/vOD2b11LPD+N3YWqsSg8DwMGoD2NoeoOlB/
+E3f7/oC4o/t17dRaivcruajM2BtAgG2hxWDXacNw1CuM19aCK2WFczP5bC20jwFT
+a0G++6UnUD9VtnuZqSpPAUy57sddBavoLAhBe/CqSCgRAsPdNxyg1xBrZ6+We3O3
+r7Lsq4PH4Q==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..2b8f4bcc55
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v2-BC-not-cA
+subject:ss-v2-BC-not-cA
+version:2
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem
new file mode 100644
index 0000000000..a8fa3cf4ee
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICujCCAaKgAwIBAQIUQdBy+4wdhpohAMac8EXVk4wUnPkwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKc3MtdjItbm9CQzAiGA8yMDIxMTEyNzAwMDAwMFoYDzIw
+MjQwMjA1MDAwMDAwWjAVMRMwEQYDVQQDDApzcy12Mi1ub0JDMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1
+aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we
+adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS
+pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W
+YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR
+CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqG
+SIb3DQEBCwUAA4IBAQCW9HCqtoNi0A4JKT5I/zdq3m5e7gBPXxA1ZKdN0mqkkrhS
+nqH+QvQmQrX/k53N/h3j/E/Dim9UYg26M+avN4/hfU/cx6AS5oHBHUwT4FVktktg
+Qi7LCVnEop0GfRh37F3ELH2CP4/dPQCtVv1SUzMyJluKxnxjSfMHZtdzysGrAmRR
+5cZKkaEBhqRPhfbhcb9zg6aE8Zkz/wJDERbQPNm64zUnvCok+Odzd9k1LiEeVcZ6
+f9BHkfij47T1v0thdmPFt7nEj7K2NslaTu1F9fvt8Km8d6RYYyb7LPROaW9vCvpa
+O8RjTqqO5WuhaTG8Dm5JKWdv7sI7Y5idy9BcJ5V/
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem.certspec
new file mode 100644
index 0000000000..7656115a84
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ss-v2-noBC
+subject:ss-v2-noBC
+version:2
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem
new file mode 100644
index 0000000000..a86689c286
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAgIUV3RPQ09ejjSXQuMvUHp+zUtwebkwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLc3MtdjMtQkMtY0EwIhgPMjAyMTExMjcwMDAwMDBaGA8y
+MDI0MDIwNTAwMDAwMFowFjEUMBIGA1UEAwwLc3MtdjMtQkMtY0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAO
+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJOBJL+9cOC3goHK5Koy
+QtMAovGwLK/6C79HM3rmAm/sKgc1fKNR6HKSN+dHT20n7DbNNLs0Yi0vxREqe77Q
+tc57OM99Qa4AHDKyKM7C/dLNjvhedDJUGQx9Z6BdmvnsplPJ0mLE0Q/Tfvv/ptDV
+frUiJtHAytpSQdIHex6pTn1duw9C6077MeOFWTFBhN46ofaWX7CJ/VFmo3cFe4w2
+81W2l4OY47KOMShPOulWegPoD7F5n7RLxCJmglgc3YqNKU0ZmjIbGd0pxBwA3hJ6
+RJYABAgFt4vWHiR681o92EdrvGxynQrt+rNua7vnbd15mpdlWhOzf2TpH6Eb1xQJ
+xh0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem.certspec
new file mode 100644
index 0000000000..df822e99b9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v3-BC-cA
+subject:ss-v3-BC-cA
+version:3
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem
new file mode 100644
index 0000000000..50cb38c511
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUe6vAs3LdMkG/SJQc7W2Z2nK0BhQwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPc3MtdjMtQkMtbm90LWNBMCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3NzLXYzLUJDLW5vdC1jQTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAucdyWJ2AEXtX
+Q39648iG6PVW1J3wcnGX8qzmgFATl6bJAnW4kvUIJPx7Giuwr5FXiU0+4iH1UjvF
+BorUywDb3H8R8PawAeNZK2pgbhy1aar1sAGINhJHq6ezyJzBHo/Kc6VHaHT2CHLa
+3++MB9afCWa5+mUKfXbwQErCoI66N+ft6CEFRMtEvgLdqNNjoXrtW8Nag0elXwCs
+dLBlErXmUnms8qXm4qnYu4bmw1fTbhpEmWYTZVEFpjcukKceOsK9g0HcuCzIKRTc
+XH09WTxYiic5b2czUkCFA7LLwlslk6wzUZ/7ZwzR/+g/m+09ov/LkSPaacFIoOn0
+zaDYXSF1aw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..0b2b575573
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v3-BC-not-cA
+subject:ss-v3-BC-not-cA
+version:3
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem
new file mode 100644
index 0000000000..088bb2090b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICujCCAaKgAwIBAgIUaVRk3sXNmaUjSjJv3jBL0P0UTWIwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKc3MtdjMtbm9CQzAiGA8yMDIxMTEyNzAwMDAwMFoYDzIw
+MjQwMjA1MDAwMDAwWjAVMRMwEQYDVQQDDApzcy12My1ub0JDMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1
+aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we
+adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS
+pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W
+YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR
+CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqG
+SIb3DQEBCwUAA4IBAQCyXkVIdklwHrjupe3kra+HJFuVX4YmH1aPmTmbZ6lcbjue
+4s3N4B6vMko1EpSLTkURaXptwIqTXepJW408wvq/I90AS41yFZdJWIqA4Ja660wo
+GPiAg2pXYrRkJF3EuHywZBnAwW2ofvHfrWorZILvDuJHzV5ATwZq3Ol/h+Y0A/5m
+tSD0nX3HsQzP12vJGe49MDcns/KZ/EjM2OYjES/0RaKO0RlsjcNwMRumDzONIQuy
+nK/fqLUb3Kr85TUszug43hYLxggthGtQPABoKe3SWZdcUw436BcVajALLooIvPL2
+hWOvLzNaoTe/s0hstVlQA+w4A7gXBJ/ObXEig8Ug
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem.certspec
new file mode 100644
index 0000000000..96314e51a7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ss-v3-noBC
+subject:ss-v3-noBC
+version:3
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem
new file mode 100644
index 0000000000..ac28f2a876
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAwIUKQWpRSl3Uj/ocXqC2oi769nb2qcwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLc3MtdjQtQkMtY0EwIhgPMjAyMTExMjcwMDAwMDBaGA8y
+MDI0MDIwNTAwMDAwMFowFjEUMBIGA1UEAwwLc3MtdjQtQkMtY0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAO
+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKlNt44BoIpzXgsZi0C7
+OIzkY4K3S7sa16Y+yyTlLNmUFSWd2LlFsecbqF5hsfQpGr4VGZ2qiRMMp/58SN6x
+ZcIooVxuoPzrgmAsi88+oIg8/3y44rMYXTzUDEtT8qdCj+ZPFDJ+kXCQJgZg073/
+7Ds6gZrssJ7522Srneba/UCqpULVh3L7GCirWi9l55fWARGDpzzqx6jQ0VgKX51M
+5h9F+xtqN1AauQwIszYR5Hayd31isphb3Xi+QHKkDu0hLeUIoYL+R3wrK3v66PsQ
+UN3vP5uFlPSTytFyxHxznq/XK7PQTKJtDEsw83w1Zf/eC/OQqhpp5CQRIqhp4uvc
+6fM=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem.certspec
new file mode 100644
index 0000000000..54269184ed
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v4-BC-cA
+subject:ss-v4-BC-cA
+version:4
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem
new file mode 100644
index 0000000000..513c923439
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAwIUIeyKT44j1c2KJk9pttBpbzR9ZSYwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPc3MtdjQtQkMtbm90LWNBMCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3NzLXY0LUJDLW5vdC1jQTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAmotdMTHJSzQd
+7qW3zeMmT8LJrfAcYBH6mG0akuU+qI6DJyhxPZ1+WAg/WaDA9RxIBPX2kiWf3M6P
+KPNlVQpenRuMVBpRGmkpdZVZzliM0Fy5GASUppXYwkUsXCDRD0bAOhvFR7c4JnSN
+9jcE6GBJ0uMg06+YU5iAAX9G2WraWzp7Pk+xjqP8mbwda1xeNzj17jQ+byH+uYD6
+06l4yVrc5tEhvaLNQ4kj6WfwH2McfH8QKmTcKc4Hrurpy1DoIvhiPUXgjWRh10mY
+hK2cyYKxOLkARC9rZyNC+Gs49QPNIvP8hx0bcBt2155KCyq+maY2z89V+4GDniCb
+cotpFITaQQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem.certspec
new file mode 100644
index 0000000000..3d65335316
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ss-v4-BC-not-cA
+subject:ss-v4-BC-not-cA
+version:4
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem
new file mode 100644
index 0000000000..21c3e5ab41
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICujCCAaKgAwIBAwIUY9VIv+NEAO2/Qp7CbzKTT7ZFeIwwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAwwKc3MtdjQtbm9CQzAiGA8yMDIxMTEyNzAwMDAwMFoYDzIw
+MjQwMjA1MDAwMDAwWjAVMRMwEQYDVQQDDApzcy12NC1ub0JDMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1
+aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we
+adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS
+pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W
+YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR
+CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqG
+SIb3DQEBCwUAA4IBAQC167h5gNohDcvc3rNzNfzoEVyRnF9dxUkqjJRoNZ+LG+SQ
+5zpkmFbbztbh+lto9oKNaLZre6ZKIVortL5zuKIaL7wl5D/V4sww/PDE7As8bWen
+GR5ayqzq1jtOdVS0rbE11phIrnRciT6poZ8OQjasD1PYU/vYn1p8n8bEKqFR5uzq
+g0nHMvGrVBPoe0fHYC1XIhIxFzJly0iDG2mObdgA4lusktAPBdXTbQElkQBuLVnE
+yoL1lqt1jDPaOBhptIMuJC1yOqQcdlFPHdqRAd2xTur/ZwVOGSD2K+a0fqIyfFDl
+hI+MT6xYiExzrkfQ+FV5wGQ95omzeVweeqhUCcbw
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem.certspec
new file mode 100644
index 0000000000..d02e04de51
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ss-v4-noBC
+subject:ss-v4-noBC
+version:4
diff --git a/security/manager/ssl/tests/unit/test_client_auth_remember_service/ClientAuthRememberList.txt b/security/manager/ssl/tests/unit/test_client_auth_remember_service/ClientAuthRememberList.txt
new file mode 100644
index 0000000000..414144e51b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_client_auth_remember_service/ClientAuthRememberList.txt
@@ -0,0 +1,3 @@
+example.com,C9:65:33:89:EE:DC:4D:05:DA:16:3D:D0:12:61:BC:61:21:51:AF:2B:CC:C6:E1:72:B3:78:23:0F:13:B1:C7:4D,	0	19486	AAAA
+example.com,C9:65:33:89:EE:DC:4D:05:DA:16:3D:D0:12:61:BC:61:21:51:AF:2B:CC:C6:E1:72:B3:78:23:0F:13:B1:C7:4D,^partitionKey=%28https%2Cexample.com%29	0	19486	BBBB
+example.test,,	0	19486	CCCC
diff --git a/security/manager/ssl/tests/unit/test_client_auth_remember_service_read.js b/security/manager/ssl/tests/unit/test_client_auth_remember_service_read.js
new file mode 100644
index 0000000000..6238b1dfda
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_client_auth_remember_service_read.js
@@ -0,0 +1,64 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This tests that the nsIClientAuthRememberService correctly reads its backing
+// state file.
+
+function run_test() {
+  let profile = do_get_profile();
+  let clientAuthRememberFile = do_get_file(
+    `test_client_auth_remember_service/${CLIENT_AUTH_FILE_NAME}`
+  );
+  clientAuthRememberFile.copyTo(profile, CLIENT_AUTH_FILE_NAME);
+
+  let clientAuthRememberService = Cc[
+    "@mozilla.org/security/clientAuthRememberService;1"
+  ].getService(Ci.nsIClientAuthRememberService);
+
+  let dbKey = {};
+  ok(
+    clientAuthRememberService.hasRememberedDecisionScriptable(
+      "example.com",
+      {},
+      dbKey
+    )
+  );
+  equal(dbKey.value, "AAAA");
+
+  dbKey = {};
+  ok(
+    clientAuthRememberService.hasRememberedDecisionScriptable(
+      "example.com",
+      { partitionKey: "(https,example.com)" },
+      dbKey
+    )
+  );
+  equal(dbKey.value, "BBBB");
+
+  ok(
+    !clientAuthRememberService.hasRememberedDecisionScriptable(
+      "example.org",
+      {},
+      {}
+    )
+  );
+  ok(
+    !clientAuthRememberService.hasRememberedDecisionScriptable(
+      "example.com",
+      { partitionKey: "(https,example.org)" },
+      {}
+    )
+  );
+
+  dbKey = {};
+  ok(
+    clientAuthRememberService.hasRememberedDecisionScriptable(
+      "example.test",
+      {},
+      dbKey
+    )
+  );
+  equal(dbKey.value, "CCCC");
+}
diff --git a/security/manager/ssl/tests/unit/test_constructX509FromBase64.js b/security/manager/ssl/tests/unit/test_constructX509FromBase64.js
new file mode 100644
index 0000000000..400724bef8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_constructX509FromBase64.js
@@ -0,0 +1,87 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Checks that ConstructX509FromBase64() accepts valid input and rejects invalid
+// input.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+function excMessage(e) {
+  if (e.message) {
+    let msg = e.message;
+    if (e.data) {
+      msg = msg + ": " + e.data;
+    }
+    return msg;
+  }
+
+  return e.toString();
+}
+
+function testGood(data) {
+  try {
+    let cert = certDB.constructX509FromBase64(data.cert);
+    equal(
+      cert.commonName,
+      data.cn,
+      "Actual and expected commonName should match"
+    );
+  } catch (e) {
+    info(`Exception: ${excMessage(e)}`);
+    ok(false, `Should not have gotten an exception for "CN=${data.cn}"`);
+  }
+}
+
+function testBad(data) {
+  throws(
+    () => certDB.constructX509FromBase64(data.input),
+    data.result,
+    `Should get "${data.result}" for "${data.input}"`
+  );
+}
+
+function run_test() {
+  const badCases = [
+    // Wrong type or too short
+    { input: null, result: /NS_ERROR_ILLEGAL_VALUE/ },
+    { input: "", result: /NS_ERROR_ILLEGAL_VALUE/ },
+    { input: "=", result: /NS_ERROR_ILLEGAL_VALUE/ },
+    { input: "==", result: /NS_ERROR_ILLEGAL_VALUE/ },
+    // Not base64
+    { input: "forty-four dead stone lions", result: /NS_ERROR_ILLEGAL_VALUE/ },
+    // Not a cert
+    {
+      input: "Zm9ydHktZm91ciBkZWFkIHN0b25lIGxpb25z",
+      result: /NS_ERROR_FAILURE/,
+    },
+  ];
+
+  // Real certs with all three padding levels
+  const goodCases = [
+    {
+      cn: "A",
+      cert: "MIHhMIGcAgEAMA0GCSqGSIb3DQEBBQUAMAwxCjAIBgNVBAMTAUEwHhcNMTEwMzIzMjMyNTE3WhcNMTEwNDIyMjMyNTE3WjAMMQowCAYDVQQDEwFBMEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxANFm7ZCfYNJViaDWTFuMClX3+9u18VFGiyLfM6xJrxir4QVtQC7VUC/WUGoBUs9COQIDAQABMA0GCSqGSIb3DQEBBQUAAzEAx2+gIwmuYjJO5SyabqIm4lB1MandHH1HQc0y0tUFshBOMESTzQRPSVwPn77a6R9t",
+    },
+    {
+      cn: "Bo",
+      cert: "MIHjMIGeAgEAMA0GCSqGSIb3DQEBBQUAMA0xCzAJBgNVBAMTAkJvMB4XDTExMDMyMzIzMjYwMloXDTExMDQyMjIzMjYwMlowDTELMAkGA1UEAxMCQm8wTDANBgkqhkiG9w0BAQEFAAM7ADA4AjEA1FoSl9w9HqMqVgk2K0J3OTiRsgHeNsQdPUl6S82ME33gH+E56PcWZA3nse+fpS3NAgMBAAEwDQYJKoZIhvcNAQEFBQADMQAo/e3BvQAmygiATljQ68tWPoWcbMwa1xxAvpWTEc1LOvMqeDBinBUqbAbSmPhGWb4=",
+    },
+    {
+      cn: "Cid",
+      cert: "MIHlMIGgAgEAMA0GCSqGSIb3DQEBBQUAMA4xDDAKBgNVBAMTA0NpZDAeFw0xMTAzMjMyMzI2MzJaFw0xMTA0MjIyMzI2MzJaMA4xDDAKBgNVBAMTA0NpZDBMMA0GCSqGSIb3DQEBAQUAAzsAMDgCMQDUUxlF5xKN+8KCSsR83sN+SRwJmZdliXsnBB7PU0OgbmOWN0u8yehRkmu39kN9tzcCAwEAATANBgkqhkiG9w0BAQUFAAMxAJ3UScNqRcjHFrNu4nuwRldZLJlVJvRYXp982V4/kYodQEGN4gJ+Qyj+HTsaXy5x/w==",
+    },
+  ];
+
+  for (let badCase of badCases) {
+    testBad(badCase);
+  }
+  for (let goodCase of goodCases) {
+    testGood(goodCase);
+  }
+}
diff --git a/security/manager/ssl/tests/unit/test_content_signing.js b/security/manager/ssl/tests/unit/test_content_signing.js
new file mode 100644
index 0000000000..7e96ea2df6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing.js
@@ -0,0 +1,431 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// These tests ensure content signatures are working correctly.
+
+const TEST_DATA_DIR = "test_content_signing/";
+
+const ONECRL_NAME = "oneCRL-signer.mozilla.org";
+const ABOUT_NEWTAB_NAME = "remotenewtab.content-signature.mozilla.org";
+var VERIFICATION_HISTOGRAM = Services.telemetry.getHistogramById(
+  "CONTENT_SIGNATURE_VERIFICATION_STATUS"
+);
+var ERROR_HISTOGRAM = Services.telemetry.getKeyedHistogramById(
+  "CONTENT_SIGNATURE_VERIFICATION_ERRORS"
+);
+
+function getSignatureVerifier() {
+  return Cc["@mozilla.org/security/contentsignatureverifier;1"].getService(
+    Ci.nsIContentSignatureVerifier
+  );
+}
+
+function getCertHash(name) {
+  let cert = constructCertFromFile(`test_content_signing/${name}.pem`);
+  return cert.sha256Fingerprint.replace(/:/g, "");
+}
+
+function loadChain(prefix, names) {
+  let chain = [];
+  for (let name of names) {
+    let filename = `${prefix}_${name}.pem`;
+    chain.push(readFile(do_get_file(filename)));
+  }
+  return chain;
+}
+
+function check_telemetry(expected_index, expected, expectedId) {
+  for (let i = 0; i < 10; i++) {
+    let expected_value = 0;
+    if (i == expected_index) {
+      expected_value = expected;
+    }
+    let errorSnapshot = ERROR_HISTOGRAM.snapshot();
+    for (let k in errorSnapshot) {
+      // We clear the histogram every time so there should be only this one
+      // category.
+      equal(k, expectedId);
+      equal(errorSnapshot[k].values[i] || 0, expected_value);
+    }
+    equal(
+      VERIFICATION_HISTOGRAM.snapshot().values[i] || 0,
+      expected_value,
+      "count " +
+        i +
+        ": " +
+        VERIFICATION_HISTOGRAM.snapshot().values[i] +
+        " expected " +
+        expected_value
+    );
+  }
+  VERIFICATION_HISTOGRAM.clear();
+  ERROR_HISTOGRAM.clear();
+}
+
+add_task(async function run_test() {
+  // set up some data
+  const DATA = readFile(do_get_file(TEST_DATA_DIR + "test.txt"));
+  const GOOD_SIGNATURE =
+    "p384ecdsa=" +
+    readFile(do_get_file(TEST_DATA_DIR + "test.txt.signature")).trim();
+
+  const BAD_SIGNATURE =
+    "p384ecdsa=WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2r" +
+    "UWM4GJke4pE8ecHiXoi-7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1G" +
+    "q25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L";
+
+  let remoteNewTabChain = loadChain(TEST_DATA_DIR + "content_signing", [
+    "remote_newtab_ee",
+    "int",
+  ]);
+
+  let oneCRLChain = loadChain(TEST_DATA_DIR + "content_signing", [
+    "onecrl_ee",
+    "int",
+  ]);
+
+  let oneCRLBadKeyChain = loadChain(TEST_DATA_DIR + "content_signing", [
+    "onecrl_wrong_key_ee",
+    "int",
+  ]);
+
+  let noSANChain = loadChain(TEST_DATA_DIR + "content_signing", [
+    "onecrl_no_SAN_ee",
+    "int",
+  ]);
+
+  let expiredOneCRLChain = loadChain(TEST_DATA_DIR + "content_signing", [
+    "onecrl_ee_expired",
+    "int",
+  ]);
+
+  let notValidYetOneCRLChain = loadChain(TEST_DATA_DIR + "content_signing", [
+    "onecrl_ee_not_valid_yet",
+    "int",
+  ]);
+
+  // Check signature verification works without throwing when using the wrong
+  // root
+  VERIFICATION_HISTOGRAM.clear();
+  let chain1 = oneCRLChain.join("\n");
+  let verifier = getSignatureVerifier();
+  ok(
+    !(await verifier.asyncVerifyContentSignature(
+      DATA,
+      GOOD_SIGNATURE,
+      chain1,
+      ONECRL_NAME,
+      Ci.nsIContentSignatureVerifier.ContentSignatureProdRoot
+    )),
+    "using the wrong root, signatures should fail to verify but not throw."
+  );
+  // Check for generic chain building error.
+  check_telemetry(6, 1, getCertHash("content_signing_onecrl_ee"));
+
+  // Check good signatures from good certificates with the correct SAN
+  ok(
+    await verifier.asyncVerifyContentSignature(
+      DATA,
+      GOOD_SIGNATURE,
+      chain1,
+      ONECRL_NAME,
+      Ci.nsIX509CertDB.AppXPCShellRoot
+    ),
+    "A OneCRL signature should verify with the OneCRL chain"
+  );
+  let chain2 = remoteNewTabChain.join("\n");
+  ok(
+    await verifier.asyncVerifyContentSignature(
+      DATA,
+      GOOD_SIGNATURE,
+      chain2,
+      ABOUT_NEWTAB_NAME,
+      Ci.nsIX509CertDB.AppXPCShellRoot
+    ),
+    "A newtab signature should verify with the newtab chain"
+  );
+  // Check for valid signature
+  check_telemetry(0, 2, getCertHash("content_signing_remote_newtab_ee"));
+
+  // Check a bad signature when a good chain is provided
+  chain1 = oneCRLChain.join("\n");
+  ok(
+    !(await verifier.asyncVerifyContentSignature(
+      DATA,
+      BAD_SIGNATURE,
+      chain1,
+      ONECRL_NAME,
+      Ci.nsIX509CertDB.AppXPCShellRoot
+    )),
+    "A bad signature should not verify"
+  );
+  // Check for invalid signature
+  check_telemetry(1, 1, getCertHash("content_signing_onecrl_ee"));
+
+  // Check a good signature from cert with good SAN but a different key than the
+  // one used to create the signature
+  let badKeyChain = oneCRLBadKeyChain.join("\n");
+  ok(
+    !(await verifier.asyncVerifyContentSignature(
+      DATA,
+      GOOD_SIGNATURE,
+      badKeyChain,
+      ONECRL_NAME,
+      Ci.nsIX509CertDB.AppXPCShellRoot
+    )),
+    "A signature should not verify if the signing key is wrong"
+  );
+  // Check for wrong key in cert.
+  check_telemetry(9, 1, getCertHash("content_signing_onecrl_wrong_key_ee"));
+
+  // Check a good signature from cert with good SAN but a different key than the
+  // one used to create the signature (this time, an RSA key)
+  let rsaKeyChain = oneCRLBadKeyChain.join("\n");
+  ok(
+    !(await verifier.asyncVerifyContentSignature(
+      DATA,
+      GOOD_SIGNATURE,
+      rsaKeyChain,
+      ONECRL_NAME,
+      Ci.nsIX509CertDB.AppXPCShellRoot
+    )),
+    "A signature should not verify if the signing key is wrong (RSA)"
+  );
+  // Check for wrong key in cert.
+  check_telemetry(9, 1, getCertHash("content_signing_onecrl_wrong_key_ee"));
+
+  // Check a good signature from cert with good SAN but with no path to root
+  let missingInt = [oneCRLChain[0], oneCRLChain[2]].join("\n");
+  ok(
+    !(await verifier.asyncVerifyContentSignature(
+      DATA,
+      GOOD_SIGNATURE,
+      missingInt,
+      ONECRL_NAME,
+      Ci.nsIX509CertDB.AppXPCShellRoot
+    )),
+    "A signature should not verify if the chain is incomplete (missing int)"
+  );
+  // Check for generic chain building error.
+  check_telemetry(6, 1, getCertHash("content_signing_onecrl_ee"));
+
+  // Check good signatures from good certificates with the wrong SANs
+  chain1 = oneCRLChain.join("\n");
+  ok(
+    !(await verifier.asyncVerifyContentSignature(
+      DATA,
+      GOOD_SIGNATURE,
+      chain1,
+      ABOUT_NEWTAB_NAME,
+      Ci.nsIX509CertDB.AppXPCShellRoot
+    )),
+    "A OneCRL signature should not verify if we require the newtab SAN"
+  );
+  // Check for invalid EE cert.
+  check_telemetry(7, 1, getCertHash("content_signing_onecrl_ee"));
+
+  chain2 = remoteNewTabChain.join("\n");
+  ok(
+    !(await verifier.asyncVerifyContentSignature(
+      DATA,
+      GOOD_SIGNATURE,
+      chain2,
+      ONECRL_NAME,
+      Ci.nsIX509CertDB.AppXPCShellRoot
+    )),
+    "A newtab signature should not verify if we require the OneCRL SAN"
+  );
+  // Check for invalid EE cert.
+  check_telemetry(7, 1, getCertHash("content_signing_remote_newtab_ee"));
+
+  // Check good signatures with good chains with some other invalid names
+  ok(
+    !(await verifier.asyncVerifyContentSignature(
+      DATA,
+      GOOD_SIGNATURE,
+      chain1,
+      "",
+      Ci.nsIX509CertDB.AppXPCShellRoot
+    )),
+    "A signature should not verify if the SANs do not match an empty name"
+  );
+  // Check for invalid EE cert.
+  check_telemetry(7, 1, getCertHash("content_signing_onecrl_ee"));
+
+  // Test expired certificate.
+  let chainExpired = expiredOneCRLChain.join("\n");
+  ok(
+    !(await verifier.asyncVerifyContentSignature(
+      DATA,
+      GOOD_SIGNATURE,
+      chainExpired,
+      "",
+      Ci.nsIX509CertDB.AppXPCShellRoot
+    )),
+    "A signature should not verify if the signing certificate is expired"
+  );
+  // Check for expired cert.
+  check_telemetry(4, 1, getCertHash("content_signing_onecrl_ee_expired"));
+
+  // Test not valid yet certificate.
+  let chainNotValidYet = notValidYetOneCRLChain.join("\n");
+  ok(
+    !(await verifier.asyncVerifyContentSignature(
+      DATA,
+      GOOD_SIGNATURE,
+      chainNotValidYet,
+      "",
+      Ci.nsIX509CertDB.AppXPCShellRoot
+    )),
+    "A signature should not verify if the signing certificate is not valid yet"
+  );
+  // Check for not yet valid cert.
+  check_telemetry(5, 1, getCertHash("content_signing_onecrl_ee_not_valid_yet"));
+
+  let relatedName = "subdomain." + ONECRL_NAME;
+  ok(
+    !(await verifier.asyncVerifyContentSignature(
+      DATA,
+      GOOD_SIGNATURE,
+      chain1,
+      relatedName,
+      Ci.nsIX509CertDB.AppXPCShellRoot
+    )),
+    "A signature should not verify if the SANs do not match a related name"
+  );
+
+  let randomName =
+    "\xb1\x9bU\x1c\xae\xaa3\x19H\xdb\xed\xa1\xa1\xe0\x81\xfb" +
+    "\xb2\x8f\x1cP\xe5\x8b\x9c\xc2s\xd3\x1f\x8e\xbbN";
+  ok(
+    !(await verifier.asyncVerifyContentSignature(
+      DATA,
+      GOOD_SIGNATURE,
+      chain1,
+      randomName,
+      Ci.nsIX509CertDB.AppXPCShellRoot
+    )),
+    "A signature should not verify if the SANs do not match a random name"
+  );
+
+  // check good signatures with chains that have strange or missing SANs
+  chain1 = noSANChain.join("\n");
+  ok(
+    !(await verifier.asyncVerifyContentSignature(
+      DATA,
+      GOOD_SIGNATURE,
+      chain1,
+      ONECRL_NAME,
+      Ci.nsIX509CertDB.AppXPCShellRoot
+    )),
+    "A signature should not verify if the SANs do not match a supplied name"
+  );
+
+  // Check malformed signature data
+  chain1 = oneCRLChain.join("\n");
+  let bad_signatures = [
+    // wrong length
+    "p384ecdsa=WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2rUWM4GJke4pE8ecHiXoi-" +
+      "7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1Gq25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L==",
+    // incorrectly encoded
+    "p384ecdsa='WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2rUWM4GJke4pE8ecHiXoi" +
+      "-7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1Gq25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L=",
+    // missing directive
+    "other_directive=WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2rUWM4GJke4pE8ec" +
+      "HiXoi-7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1Gq25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L",
+    // actually sha256 with RSA
+    "p384ecdsa=XS_jiQsS5qlzQyUKaA1nAnQn_OvxhvDfKybflB8Xe5gNH1wNmPGK1qN-jpeTfK" +
+      "6ob3l3gCTXrsMnOXMeht0kPP3wLfVgXbuuO135pQnsv0c-ltRMWLe56Cm4S4Z6E7WWKLPWaj" +
+      "jhAcG5dZxjffP9g7tuPP4lTUJztyc4d1z_zQZakEG7R0vN7P5_CaX9MiMzP4R7nC3H4Ba6yi" +
+      "yjlGvsZwJ_C5zDQzWWs95czUbMzbDScEZ_7AWnidw91jZn-fUK3xLb6m-Zb_b4GAqZ-vnXIf" +
+      "LpLB1Nzal42BQZn7i4rhAldYdcVvy7rOMlsTUb5Zz6vpVW9LCT9lMJ7Sq1xbU-0g==",
+  ];
+  for (let badSig of bad_signatures) {
+    await Assert.rejects(
+      verifier.asyncVerifyContentSignature(
+        DATA,
+        badSig,
+        chain1,
+        ONECRL_NAME,
+        Ci.nsIX509CertDB.AppXPCShellRoot
+      ),
+      /NS_ERROR/,
+      `Bad or malformed signature "${badSig}" should be rejected`
+    );
+  }
+
+  // Check malformed and missing certificate chain data
+  let chainSuffix = [oneCRLChain[1], oneCRLChain[2]].join("\n");
+  let badChains = [
+    // no data
+    "",
+    // completely wrong data
+    "blah blah \n blah",
+  ];
+
+  let badSections = [
+    // data that looks like PEM but isn't
+    "-----BEGIN CERTIFICATE-----\nBSsPRlYp5+gaFMRIczwUzaioRfteCjr94xyz0g==\n",
+    // data that will start to parse but won't base64decode
+    "-----BEGIN CERTIFICATE-----\nnon-base64-stuff\n-----END CERTIFICATE-----",
+    // data with garbage outside of PEM sections
+    "this data is garbage\n-----BEGIN CERTIFICATE-----\nnon-base64-stuff\n" +
+      "-----END CERTIFICATE-----",
+  ];
+
+  for (let badSection of badSections) {
+    // ensure we test each bad section on its own...
+    badChains.push(badSection);
+    // ... and as part of a chain with good certificates
+    badChains.push(badSection + "\n" + chainSuffix);
+  }
+
+  for (let badChain of badChains) {
+    await Assert.rejects(
+      verifier.asyncVerifyContentSignature(
+        DATA,
+        GOOD_SIGNATURE,
+        badChain,
+        ONECRL_NAME,
+        Ci.nsIX509CertDB.AppXPCShellRoot
+      ),
+      /NS_ERROR/,
+      `Bad chain data starting "${badChain.substring(0, 80)}" ` +
+        "should be rejected"
+    );
+  }
+
+  ok(
+    !(await verifier.asyncVerifyContentSignature(
+      DATA + "appended data",
+      GOOD_SIGNATURE,
+      chain1,
+      ONECRL_NAME,
+      Ci.nsIX509CertDB.AppXPCShellRoot
+    )),
+    "A good signature should not verify if the data is tampered with (append)"
+  );
+  ok(
+    !(await verifier.asyncVerifyContentSignature(
+      "prefixed data" + DATA,
+      GOOD_SIGNATURE,
+      chain1,
+      ONECRL_NAME,
+      Ci.nsIX509CertDB.AppXPCShellRoot
+    )),
+    "A good signature should not verify if the data is tampered with (prefix)"
+  );
+  ok(
+    !(await verifier.asyncVerifyContentSignature(
+      DATA.replace(/e/g, "i"),
+      GOOD_SIGNATURE,
+      chain1,
+      ONECRL_NAME,
+      Ci.nsIX509CertDB.AppXPCShellRoot
+    )),
+    "A good signature should not verify if the data is tampered with (modify)"
+  );
+});
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem
new file mode 100644
index 0000000000..d615eccf22
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIUNZb51bNpKyzQtWTCj5zrdME7cKYwDQYJKoZIhvcNAQEL
+BQAwKTEnMCUGA1UEAwweeHBjc2hlbGwgc2lnbmVkIGFwcHMgdGVzdCByb290MCIY
+DzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMBExDzANBgNVBAMMBmlu
+dC1DQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u
+togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6
+pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL
+KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq
+fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv
+Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za
+GAo17Y0CAwEAAaMlMCMwDAYDVR0TBAUwAwEB/zATBgNVHSUEDDAKBggrBgEFBQcD
+AzANBgkqhkiG9w0BAQsFAAOCAQEAefvKJnF/4qRY9sf/jYCPhWyngBx6JhWFJKiy
+IUHmejn9q/LUX3nskHXA4gAt+KF9hfk9Nx5naL5DaYOkvETawdrSw55Hvphi4MB2
+yHManuj+yplqr8rtDh8Tb2Wm/AeiBqKMTa4AFN9xPbKOrUAVgU+VsXlEIUmOzEI+
+E0HeeIoPCCa6vWPpwhKb4LUlVupe3toJHVbFSp2KcD4gCRsgK60lyqZBosAG8Sat
+Vk7XLPv152/jl7j+pYqnlwabF/LEyVSqegVvvr481kgX8RyEjiPx2wNYYqUF3CPG
+SE2lDXWy629KUGwTH9rUpayMqbfL5bQ9fSGA5vE9pT7vlbBaRg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem.certspec
new file mode 100644
index 0000000000..fc9dfd47ae
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:xpcshell signed apps test root
+subject:int-CA
+extension:basicConstraints:cA,
+extension:extKeyUsage:codeSigning
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem
new file mode 100644
index 0000000000..041fa0ebc1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIUfVErdg1uvVM/D2oapMLb9gSeabswDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBExDzANBgNVBAMMBmVlLVJTQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaM9MDswEwYDVR0lBAww
+CgYIKwYBBQUHAwMwJAYDVR0RBB0wG4IZb25lQ1JMLXNpZ25lci5tb3ppbGxhLm9y
+ZzANBgkqhkiG9w0BAQsFAAOCAQEAOLPmVQpsFu7rL6Tc6TUQdS1/wnBDZeO3Q8uq
+x7FSm7tyvrMwCx2pGGJATWIdH33amhRDe3fH5IB7dvFiQx0qDewROnE900ooOQCu
+dsjKDzYurpGmlpYsBHtdFz8tEVgN2CUzfFLRTrJK0wAio5OqbyuZQwb8QBl/HMyk
+aqG33hm/1t8gR7NLn4c03XtaK/xbBGC07aCijsWTj09UB5wgtB12p9Wt7IWrkh2B
+9omSirPYgCWaD0wWJP1d1PlheeNeOYweNbEncjQlH+ukYjMzzZ3IVm7zFN1kit/W
+M7enx5fdED/84092ZzuDheLYKaA63ysJhQvCCzOovWr0PuOnLg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem.certspec
new file mode 100644
index 0000000000..7b2a02bdaf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-CA
+subject:ee-RSA
+extension:extKeyUsage:codeSigning
+extension:subjectAlternativeName:oneCRL-signer.mozilla.org
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem
new file mode 100644
index 0000000000..6f15597b6a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICPzCCASegAwIBAgIUSRecknZ3alfumVeo6yV/3O5nvrswDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE
+oWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXbYI4lLeS3Ey2ozpjoMVNOapwMCwnI
+1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2pcQO+KIjP8ALwWvcaH93Mg3SqbqnO
+oz0wOzATBgNVHSUEDDAKBggrBgEFBQcDAzAkBgNVHREEHTAbghlvbmVDUkwtc2ln
+bmVyLm1vemlsbGEub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQBElZXLzQGRPdygDJ33
+2LuNJiDU8lFXdDulPXcZAQjVXo5gy9XQfMtbTLzf07dpPuQntzJNbGuS4ypboEal
+ixi2jYZHy/Q3CCxFk8jWi18auKES+uRF6qI3PK9RsXXxm7Xt0vk9akYwmmnuAJl9
+eYTCNZ0VaXANvv5GjuFczMHF08XTW1j2x81s0epmblgagcaMIcaq5nKSNuFt/2j/
+hXtGzNfI1njHIT8X6Fp4QeGqQiSlW90WVPoDPxfUHh8VvE/9Y0fnnHcDwGICb7LH
+on1mz76mcXNwOgA+dBmHKS/5t7/PBT/F7+UuORfYdoFKrnc7npVYhQmH06ENKHMS
+9Bmv
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem.certspec
new file mode 100644
index 0000000000..ab22807b9e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-CA
+subject:ee
+subjectKey:secp384r1
+extension:extKeyUsage:codeSigning
+extension:subjectAlternativeName:oneCRL-signer.mozilla.org
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem
new file mode 100644
index 0000000000..ef22669f4d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICTjCCATagAwIBAgIUOQNrYQz01j0SirgoHMLKbtGL9RowDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMTMwMTAxMDAwMDAwWhgPMjAxNDAx
+MDEwMDAwMDBaMBwxGjAYBgNVBAMMEWVlLWludC1DQS1leHBpcmVkMHYwEAYHKoZI
+zj0CAQYFK4EEACIDYgAEoWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXbYI4lLeS3
+Ey2ozpjoMVNOapwMCwnI1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2pcQO+KIjP
+8ALwWvcaH93Mg3SqbqnOoz0wOzATBgNVHSUEDDAKBggrBgEFBQcDAzAkBgNVHREE
+HTAbghlvbmVDUkwtc2lnbmVyLm1vemlsbGEub3JnMA0GCSqGSIb3DQEBCwUAA4IB
+AQBZJPo4llgMe5588+BnRLnFguspIiwMWmTeqCfi8VQBx/tUwRiTizbU7J2Yh9bo
+yZEPKfPSP2o8J0eSUgvXdVOxU1fNRuocsVfXUlveq5x10ddjXBT9X4AY1mtR7HJw
+hl/7269N8b4itfrfvZmCBToJayjv0I2N84bqjpOnXJ/iB5YVdk8oZIJDXWi4SR3B
+E9IejwA1fikpt++RjpJSZ1BSNU7FfiyGGUonxHDoP/29znaOJnpAqaH5LVJCRkfN
+H12vePBbunZd+ay5r+mMJPaXR+V2sY8OaOfcrPSHQLa8Eb/EEhBuITMKkOucohjx
+zqvM6S2iOI9GbwHClybEHRO7
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem.certspec
new file mode 100644
index 0000000000..48fd9c8cc7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem.certspec
@@ -0,0 +1,6 @@
+issuer:int-CA
+subject:ee-int-CA-expired
+subjectKey:secp384r1
+validity:20130101-20140101
+extension:extKeyUsage:codeSigning
+extension:subjectAlternativeName:oneCRL-signer.mozilla.org
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem
new file mode 100644
index 0000000000..6cf5c6a312
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICVDCCATygAwIBAgIUbV+rBAfhGRv/bU22A92xneoAy3owDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwNTAwMTAxMDAwMDAwWhgPMjA1MTAx
+MDEwMDAwMDBaMCIxIDAeBgNVBAMMF2VlLWludC1DQS1ub3QteWV0LXZhbGlkMHYw
+EAYHKoZIzj0CAQYFK4EEACIDYgAEoWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXb
+YI4lLeS3Ey2ozpjoMVNOapwMCwnI1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2p
+cQO+KIjP8ALwWvcaH93Mg3SqbqnOoz0wOzATBgNVHSUEDDAKBggrBgEFBQcDAzAk
+BgNVHREEHTAbghlvbmVDUkwtc2lnbmVyLm1vemlsbGEub3JnMA0GCSqGSIb3DQEB
+CwUAA4IBAQAjXmLNn2kLa/FzNp7F3PqcSXuAO2jT31Y2g4pZnVqCDfMqplsl2ZFn
+oam3wyQnepm3q9DD4BOAW9JFYR3wqnl9cBRNHlSGyjGM4qBpuSD6WxAz7EdFcRO6
+fcA50245fAuB45UJeYJ58QvIBv7AwoBGnqAI7ZDN3eIGopZIL56jiH7vO9WyQPWj
+XZAWrXTG68rEf0RxXRtjUv9coFiuInT8+oyXB3NwK2EbaI5IeR+x3qIDEgNKk+t+
+PlE3NrtaAiK19p0s9RtQQilBKNmo+5irrUq/OD2H1aurDaAXpLTM5vLUpfyN3/qD
+HzuZujaUIeMsRiXsIRDNql1S+nq4oNRy
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem.certspec
new file mode 100644
index 0000000000..b2926dfc42
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem.certspec
@@ -0,0 +1,6 @@
+issuer:int-CA
+subject:ee-int-CA-not-yet-valid
+subjectKey:secp384r1
+validity:20500101-20510101
+extension:extKeyUsage:codeSigning
+extension:subjectAlternativeName:oneCRL-signer.mozilla.org
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem
new file mode 100644
index 0000000000..6c35f2f377
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICIDCCAQigAwIBAgIUI9ZQ+lOT4QPSefKaSaGvSm4BzikwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBQxEjAQBgNVBAMMCWVlLW5vLVNBTjB2MBAGByqGSM49AgEGBSuB
+BAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMtqM6Y6DFT
+TmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC8Fr3Gh/d
+zIN0qm6pzqMXMBUwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQAD
+ggEBABwtpcPoXa4bLLw8WCuLPMPm7RiWrj7ifWqeyNoQO+xIxIefZhFTxhs6yM0Y
+H+B2jSzrCmfslRaX0eZPQ3BOPPI0CCo4eZOlq7oNaltXCLP3NwPodLfxd8pGlOIK
+xpRB/+iyXu5bKHfG1v4XJ+g+yXPh8p0ykVJeH/hc/+kAhq4vey+0PB/KjIcpAsGo
+S7Yvbal7pSr0CQCxDB4mTWJeE1/FeTQpeFiIiCtvkEyLD+igxRlP5lbLOd6Lt5Oh
+BSJ6TnUdMajalOku3BufB5j4ynDBGNi9h935ZCOKWu3qgbFlIE1qZIJS+u7+2PTN
+vIlU3orErRSmuAlusdo6Z9YtxbQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem.certspec
new file mode 100644
index 0000000000..4a9b9a3ceb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-CA
+subject:ee-no-SAN
+subjectKey:secp384r1
+extension:extKeyUsage:codeSigning
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem
new file mode 100644
index 0000000000..d76f4501cb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICLDCCARSgAwIBAgIUV+E6VhJoKZrnCV22wV/aVW9aglwwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBcxFTATBgNVBAMMDGVlLXdyb25nLWtleTBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABE+/u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnS
+M0VsNsQRnQcG4A7tyNGTkNeZG3stB6ME6qBKpsCjPTA7MBMGA1UdJQQMMAoGCCsG
+AQUFBwMDMCQGA1UdEQQdMBuCGW9uZUNSTC1zaWduZXIubW96aWxsYS5vcmcwDQYJ
+KoZIhvcNAQELBQADggEBAFOgIZXl0sf1hEH0H5fqGPshlMemqjhFZKPBgLlWl+3W
+wSIcuBPw5GSDkoQOdAxE/iIsLfZoC0PfYdee+twANQ13MMbwP0NmR78qJKLPOO4b
+yWRiQFaIU6fTleU7wSD6tcDtIsKAfTDNF6EiC3czw3XuOiNh4r7A2EJ3GyGuUq7d
+YgpwA5I2s3VjG/2lhRKP06UH/YGCpBTio23NUyzS2NINPhTnrLjyY2IWIp9EiXXj
+d6QRQ8ytp6wU/rI3HAueWOWEQ6dDWR5hfe0Y/QDB0n9hEBgf+lUOtuqpTs/ZK0eM
+HPC6swGdKVnJ1DCcfyzMsDIvGZKUyj8v6E2E7x8AdLk=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem.certspec
new file mode 100644
index 0000000000..fbc8e603f4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-CA
+subject:ee-wrong-key
+subjectKey:secp256r1
+extension:extKeyUsage:codeSigning
+extension:subjectAlternativeName:oneCRL-signer.mozilla.org
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem
new file mode 100644
index 0000000000..b2e7d3cdbb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUDCCATigAwIBAgIUd9FOUg8KGZnunc6wzwp+21rSdVswDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE
+oWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXbYI4lLeS3Ey2ozpjoMVNOapwMCwnI
+1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2pcQO+KIjP8ALwWvcaH93Mg3SqbqnO
+o04wTDATBgNVHSUEDDAKBggrBgEFBQcDAzA1BgNVHREELjAsgipyZW1vdGVuZXd0
+YWIuY29udGVudC1zaWduYXR1cmUubW96aWxsYS5vcmcwDQYJKoZIhvcNAQELBQAD
+ggEBAJvuDgm64Fca8XKLPxCSaANEFXIQy3I0lvPqmRRFtkP8cNpgjaRQTNNwyRPL
+eI6VZv9IfecgjMNMcSbrdUPSmETA5M0kzH0lVBPsgzcv1EO6FFS+B9uwip52nKot
+HsWYhDIVKYFYLrFcBHS0qSaoPWUpRZ+igI0uBgzmSIBuZYLDbe0xcXzZmpdPnGYt
+pjRmTuNtJ8R/Qvbp37aTpN279AwhOP/uF+x3HdPgI4M1pQKjZ/Oxk9JHIeSafjG5
+58D1rGivjWYq6Yl1vwzBWwlPJvDAgADWCQR4wWjlXc0Hzn/393QRs3rvbkCFWZfi
+1GMOoGuxmHzb7VL+1Kf4igjHXcQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem.certspec
new file mode 100644
index 0000000000..81e1eefe1d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int-CA
+subject:ee
+subjectKey:secp384r1
+extension:extKeyUsage:codeSigning
+extension:subjectAlternativeName:remotenewtab.content-signature.mozilla.org
diff --git a/security/manager/ssl/tests/unit/test_content_signing/pysign.py b/security/manager/ssl/tests/unit/test_content_signing/pysign.py
new file mode 100644
index 0000000000..23c6128aa2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/pysign.py
@@ -0,0 +1,36 @@
+#!/usr/bin/env python
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"""
+Create an ECDSA signature on the P-384 curve using the SHA-384 hash of data from
+stdin. The key used for the signature is the secp384r1Encoded key used in pykey
+and pycert.
+
+The certificates for the content signature tests make use of this program.
+You can use pysign.py like this:
+
+cat test.txt | python pysign.py > test.txt.signature
+"""
+
+import base64
+import binascii
+import hashlib
+import pathlib
+import six
+import sys
+
+import ecdsa
+
+# For pykey, find the relative file location and add it to path
+toolsDir = (pathlib.Path(__file__).parents[4] / "tools").resolve()
+sys.path.append(str(toolsDir))
+import pykey
+
+data = sys.stdin.buffer.read()
+
+key = pykey.ECCKey("secp384r1")
+sig = key.signRaw(b"Content-Signature:\00" + data, pykey.HASH_SHA384)
+print(str(base64.b64encode(sig)).replace("+", "-").replace("/", "_"))
diff --git a/security/manager/ssl/tests/unit/test_content_signing/test.txt b/security/manager/ssl/tests/unit/test_content_signing/test.txt
new file mode 100644
index 0000000000..2daac1cb00
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/test.txt
@@ -0,0 +1 @@
+This is a test file to test content-signature verification with a PKI.
diff --git a/security/manager/ssl/tests/unit/test_content_signing/test.txt.signature b/security/manager/ssl/tests/unit/test_content_signing/test.txt.signature
new file mode 100644
index 0000000000..e613981473
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/test.txt.signature
@@ -0,0 +1 @@
+hSvmvvA7_QLedDsjRJGBevqLwjPILx1EtWSPP4A0fepaWWPuuZRB8VfDT2j07bKDacRsbmJjmvg_R4CpKmnoWF8-2w5lSszlFFDqYSvQVQxpKhu-HMM_qquu_l0KecQ2
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/bad.stash b/security/manager/ssl/tests/unit/test_crlite_corrupted/bad.stash
new file mode 100644
index 0000000000..7bde8641b9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/bad.stash
@@ -0,0 +1 @@
+ÿÿÿÿ
\ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/hash-alg-0.filter b/security/manager/ssl/tests/unit/test_crlite_corrupted/hash-alg-0.filter
new file mode 100644
index 0000000000..f76dd238ad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/hash-alg-0.filter
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-issuer-id.enrollment b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-issuer-id.enrollment
new file mode 100644
index 0000000000..119fd67098
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-issuer-id.enrollment
@@ -0,0 +1,2 @@
+

	
+

\ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-log-id.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-log-id.coverage
new file mode 100644
index 0000000000..119fd67098
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-log-id.coverage
@@ -0,0 +1,2 @@
+

	
+

\ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-max-timestamp.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-max-timestamp.coverage
new file mode 100644
index 0000000000..787a2bdfc7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-max-timestamp.coverage
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-min-timestamp.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-min-timestamp.coverage
new file mode 100644
index 0000000000..c76b47cac6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-min-timestamp.coverage
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.coverage
new file mode 100644
index 0000000000..d08c818596
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.coverage
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.enrollment b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.enrollment
new file mode 100644
index 0000000000..3ef70ac188
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.enrollment
diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_missing.js b/security/manager/ssl/tests/unit/test_crlite_coverage_missing.js
new file mode 100644
index 0000000000..2b71c3dfe2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_coverage_missing.js
@@ -0,0 +1,17 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file is missing.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = undefined;
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_trunc1.js b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc1.js
new file mode 100644
index 0000000000..1782885964
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc1.js
@@ -0,0 +1,17 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file is truncated in a LogID field.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_corrupted/trunc-log-id.coverage");
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_trunc2.js b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc2.js
new file mode 100644
index 0000000000..0eed16bac3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc2.js
@@ -0,0 +1,19 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file is truncated in a MinTimestamp field.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file(
+  "test_crlite_corrupted/trunc-min-timestamp.coverage"
+);
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_trunc3.js b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc3.js
new file mode 100644
index 0000000000..419a639b07
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc3.js
@@ -0,0 +1,19 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file is truncated in a MaxTimestamp field.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file(
+  "test_crlite_corrupted/trunc-max-timestamp.coverage"
+);
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_version.js b/security/manager/ssl/tests/unit/test_crlite_coverage_version.js
new file mode 100644
index 0000000000..1764e5abaf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_coverage_version.js
@@ -0,0 +1,17 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file's version is not recognized.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_corrupted/version-0.coverage");
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_enrollment_trunc1.js b/security/manager/ssl/tests/unit/test_crlite_enrollment_trunc1.js
new file mode 100644
index 0000000000..5f259f28a2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_enrollment_trunc1.js
@@ -0,0 +1,19 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted enrollment file. Specifically, this handles the case
+// where the enrollment file is truncated in an issuer ID field.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_preexisting/crlite.coverage");
+let enrollment = do_get_file(
+  "test_crlite_corrupted/trunc-issuer-id.enrollment"
+);
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_enrollment_version.js b/security/manager/ssl/tests/unit/test_crlite_enrollment_version.js
new file mode 100644
index 0000000000..8c673a47d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_enrollment_version.js
@@ -0,0 +1,17 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted enrollment file. Specifically, this handles the case
+// where the enrollment file's version is not recognized.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_preexisting/crlite.coverage");
+let enrollment = do_get_file("test_crlite_corrupted/version-0.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_filter_corrupted.js b/security/manager/ssl/tests/unit/test_crlite_filter_corrupted.js
new file mode 100644
index 0000000000..cc947d287f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filter_corrupted.js
@@ -0,0 +1,21 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted filter file.
+//
+// There are many ways that a filter file could be corrupted, but the parsing
+// is done in rust-cascade, not cert_storage, so it is sufficient for us to
+// test any form of corruption here. For simplicity we just try to load a
+// single \x00 byte as the filter.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_preexisting/crlite.coverage");
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_corrupted/hash-alg-0.filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters.js b/security/manager/ssl/tests/unit/test_crlite_filters.js
new file mode 100644
index 0000000000..55fe4d75e3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters.js
@@ -0,0 +1,880 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite filter downloading works correctly.
+
+// The file `test_crlite_filters/20201017-0-filter` can be regenerated using
+// the rust-create-cascade program from https://github.com/mozilla/crlite.
+//
+// The input to this program is a list of known serial numbers and a list of
+// revoked serial numbers. The lists are presented as directories of files in
+// which each file holds serials for one issuer. The file names are
+// urlsafe-base64 encoded SHA256 hashes of issuer SPKIs. The file contents are
+// ascii hex encoded serial numbers. The program crlite_key.py in this directory
+// can generate these values for you.
+//
+// The test filter was generated as follows:
+//
+// $ ./crlite_key.py test_crlite_filters/issuer.pem test_crlite_filters/valid.pem
+// 8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8=
+// 00da4f392bfd8bcea8
+//
+// $ ./crlite_key.py test_crlite_filters/issuer.pem test_crlite_filters/revoked.pem
+// 8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8=
+// 2d35ca6503fb1ba3
+//
+// $ mkdir known revoked
+// $ echo "00da4f392bfd8bcea8" > known/8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8\=
+// $ echo "2d35ca6503fb1ba3" >> known/8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8\=
+// $ echo "2d35ca6503fb1ba3" > revoked/8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8\=
+//
+// $ rust-create-cascade --known ./known/ --revoked ./revoked/
+//
+
+"use strict";
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+const { RemoteSecuritySettings } = ChromeUtils.importESModule(
+  "resource://gre/modules/psm/RemoteSecuritySettings.sys.mjs"
+);
+const { TestUtils } = ChromeUtils.importESModule(
+  "resource://testing-common/TestUtils.sys.mjs"
+);
+
+const { CRLiteFiltersClient } = RemoteSecuritySettings.init();
+
+const CRLITE_FILTERS_ENABLED_PREF =
+  "security.remote_settings.crlite_filters.enabled";
+const INTERMEDIATES_ENABLED_PREF =
+  "security.remote_settings.intermediates.enabled";
+const INTERMEDIATES_DL_PER_POLL_PREF =
+  "security.remote_settings.intermediates.downloads_per_poll";
+
+// crlite_enrollment_id.py test_crlite_filters/issuer.pem
+const ISSUER_PEM_UID = "UbH9/ZAnjuqf79Xhah1mFOWo6ZvgQCgsdheWfjvVUM8=";
+// crlite_enrollment_id.py test_crlite_filters/no-sct-issuer.pem
+const NO_SCT_ISSUER_PEM_UID = "Myn7EasO1QikOtNmo/UZdh6snCAw0BOY6wgU8OsUeeY=";
+
+function getHashCommon(aStr, useBase64) {
+  let hasher = Cc["@mozilla.org/security/hash;1"].createInstance(
+    Ci.nsICryptoHash
+  );
+  hasher.init(Ci.nsICryptoHash.SHA256);
+  let stringStream = Cc["@mozilla.org/io/string-input-stream;1"].createInstance(
+    Ci.nsIStringInputStream
+  );
+  stringStream.data = aStr;
+  hasher.updateFromStream(stringStream, -1);
+
+  return hasher.finish(useBase64);
+}
+
+// Get a hexified SHA-256 hash of the given string.
+function getHash(aStr) {
+  return hexify(getHashCommon(aStr, false));
+}
+
+// Get the name of the file in the test directory to serve as the attachment
+// for the given filter.
+function getFilenameForFilter(filter) {
+  if (filter.type == "full") {
+    return "20201017-0-filter";
+  }
+  if (filter.id == "0001") {
+    return "20201017-1-filter.stash";
+  }
+  // The addition of another stash file was written more than a month after
+  // other parts of this test. As such, the second stash file for October 17th,
+  // 2020 was not readily available. Since the structure of stash files don't
+  // depend on each other, though, any two stash files are compatible, and so
+  // this stash from December 1st is used instead.
+  return "20201201-3-filter.stash";
+}
+
+/**
+ * Simulate a Remote Settings synchronization by filling up the local data with
+ * fake records.
+ *
+ * @param {*} filters List of filters for which we will create records.
+ * @param {boolean} clear Whether or not to clear the local DB first. Defaults
+ *                        to true.
+ */
+async function syncAndDownload(filters, clear = true) {
+  const localDB = await CRLiteFiltersClient.client.db;
+  if (clear) {
+    await localDB.clear();
+  }
+
+  for (let filter of filters) {
+    const filename = getFilenameForFilter(filter);
+    const file = do_get_file(`test_crlite_filters/${filename}`);
+    const fileBytes = readFile(file);
+
+    const record = {
+      details: {
+        name: `${filter.timestamp}-${filter.type}`,
+      },
+      attachment: {
+        hash: getHash(fileBytes),
+        size: fileBytes.length,
+        filename,
+        location: `security-state-workspace/cert-revocations/test_crlite_filters/${filename}`,
+        mimetype: "application/octet-stream",
+      },
+      incremental: filter.type == "diff",
+      effectiveTimestamp: new Date(filter.timestamp).getTime(),
+      parent: filter.type == "diff" ? filter.parent : undefined,
+      id: filter.id,
+      coverage: filter.type == "full" ? filter.coverage : undefined,
+      enrolledIssuers:
+        filter.type == "full" ? filter.enrolledIssuers : undefined,
+    };
+
+    await localDB.create(record);
+  }
+  // This promise will wait for the end of downloading.
+  let promise = TestUtils.topicObserved(
+    "remote-security-settings:crlite-filters-downloaded"
+  );
+  // Simulate polling for changes, trigger the download of attachments.
+  Services.obs.notifyObservers(null, "remote-settings:changes-poll-end");
+  let results = await promise;
+  return results[1]; // topicObserved gives back a 2-array
+}
+
+add_task(async function test_crlite_filters_disabled() {
+  Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, false);
+
+  let result = await syncAndDownload([
+    {
+      timestamp: "2019-01-01T00:00:00Z",
+      type: "full",
+      id: "0000",
+      coverage: [
+        {
+          logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+          minTimestamp: 0,
+          maxTimestamp: 9999999999999,
+        },
+      ],
+    },
+  ]);
+  equal(result, "disabled", "CRLite filter download should not have run");
+});
+
+add_task(async function test_crlite_no_filters() {
+  Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+  let result = await syncAndDownload([]);
+  equal(
+    result,
+    "unavailable",
+    "CRLite filter download should have run, but nothing was available"
+  );
+});
+
+add_task(async function test_crlite_only_incremental_filters() {
+  Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+  let result = await syncAndDownload([
+    {
+      timestamp: "2019-01-01T06:00:00Z",
+      type: "diff",
+      id: "0001",
+      parent: "0000",
+    },
+    {
+      timestamp: "2019-01-01T18:00:00Z",
+      type: "diff",
+      id: "0002",
+      parent: "0001",
+    },
+    {
+      timestamp: "2019-01-01T12:00:00Z",
+      type: "diff",
+      id: "0003",
+      parent: "0002",
+    },
+  ]);
+  equal(
+    result,
+    "unavailable",
+    "CRLite filter download should have run, but no full filters were available"
+  );
+});
+
+add_task(async function test_crlite_incremental_filters_with_wrong_parent() {
+  Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+  let result = await syncAndDownload([
+    { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+    {
+      timestamp: "2019-01-01T06:00:00Z",
+      type: "diff",
+      id: "0001",
+      parent: "0000",
+    },
+    {
+      timestamp: "2019-01-01T12:00:00Z",
+      type: "diff",
+      id: "0003",
+      parent: "0002",
+    },
+    {
+      timestamp: "2019-01-01T18:00:00Z",
+      type: "diff",
+      id: "0004",
+      parent: "0003",
+    },
+  ]);
+  let [status, filters] = result.split(";");
+  equal(status, "finished", "CRLite filter download should have run");
+  let filtersSplit = filters.split(",");
+  deepEqual(
+    filtersSplit,
+    ["2019-01-01T00:00:00Z-full", "2019-01-01T06:00:00Z-diff"],
+    "Should have downloaded the expected CRLite filters"
+  );
+});
+
+add_task(async function test_crlite_incremental_filter_too_early() {
+  Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+  let result = await syncAndDownload([
+    { timestamp: "2019-01-02T00:00:00Z", type: "full", id: "0000" },
+    {
+      timestamp: "2019-01-01T00:00:00Z",
+      type: "diff",
+      id: "0001",
+      parent: "0000",
+    },
+  ]);
+  equal(
+    result,
+    "finished;2019-01-02T00:00:00Z-full",
+    "CRLite filter download should have run"
+  );
+});
+
+add_task(async function test_crlite_filters_basic() {
+  Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+  let result = await syncAndDownload([
+    { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+  ]);
+  equal(
+    result,
+    "finished;2019-01-01T00:00:00Z-full",
+    "CRLite filter download should have run"
+  );
+});
+
+add_task(async function test_crlite_filters_not_cached() {
+  Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+  let filters = [
+    { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+  ];
+  let result = await syncAndDownload(filters);
+  equal(
+    result,
+    "finished;2019-01-01T00:00:00Z-full",
+    "CRLite filter download should have run"
+  );
+
+  let records = await CRLiteFiltersClient.client.db.list();
+
+  // `syncAndDownload` should not cache the attachment, so this download should
+  // get the attachment from the source.
+  let attachment = await CRLiteFiltersClient.client.attachments.download(
+    records[0]
+  );
+  equal(attachment._source, "remote_match");
+  await CRLiteFiltersClient.client.attachments.deleteDownloaded(records[0]);
+});
+
+add_task(async function test_crlite_filters_full_and_incremental() {
+  Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+  let result = await syncAndDownload([
+    // These are deliberately listed out of order.
+    {
+      timestamp: "2019-01-01T06:00:00Z",
+      type: "diff",
+      id: "0001",
+      parent: "0000",
+    },
+    { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+    {
+      timestamp: "2019-01-01T18:00:00Z",
+      type: "diff",
+      id: "0003",
+      parent: "0002",
+    },
+    {
+      timestamp: "2019-01-01T12:00:00Z",
+      type: "diff",
+      id: "0002",
+      parent: "0001",
+    },
+  ]);
+  let [status, filters] = result.split(";");
+  equal(status, "finished", "CRLite filter download should have run");
+  let filtersSplit = filters.split(",");
+  deepEqual(
+    filtersSplit,
+    [
+      "2019-01-01T00:00:00Z-full",
+      "2019-01-01T06:00:00Z-diff",
+      "2019-01-01T12:00:00Z-diff",
+      "2019-01-01T18:00:00Z-diff",
+    ],
+    "Should have downloaded the expected CRLite filters"
+  );
+});
+
+add_task(async function test_crlite_filters_multiple_days() {
+  Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+  let result = await syncAndDownload([
+    // These are deliberately listed out of order.
+    {
+      timestamp: "2019-01-02T06:00:00Z",
+      type: "diff",
+      id: "0011",
+      parent: "0010",
+    },
+    {
+      timestamp: "2019-01-03T12:00:00Z",
+      type: "diff",
+      id: "0022",
+      parent: "0021",
+    },
+    {
+      timestamp: "2019-01-02T12:00:00Z",
+      type: "diff",
+      id: "0012",
+      parent: "0011",
+    },
+    {
+      timestamp: "2019-01-03T18:00:00Z",
+      type: "diff",
+      id: "0023",
+      parent: "0022",
+    },
+    {
+      timestamp: "2019-01-02T18:00:00Z",
+      type: "diff",
+      id: "0013",
+      parent: "0012",
+    },
+    { timestamp: "2019-01-02T00:00:00Z", type: "full", id: "0010" },
+    { timestamp: "2019-01-03T00:00:00Z", type: "full", id: "0020" },
+    {
+      timestamp: "2019-01-01T06:00:00Z",
+      type: "diff",
+      id: "0001",
+      parent: "0000",
+    },
+    {
+      timestamp: "2019-01-01T18:00:00Z",
+      type: "diff",
+      id: "0003",
+      parent: "0002",
+    },
+    {
+      timestamp: "2019-01-01T12:00:00Z",
+      type: "diff",
+      id: "0002",
+      parent: "0001",
+    },
+    { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+    {
+      timestamp: "2019-01-03T06:00:00Z",
+      type: "diff",
+      id: "0021",
+      parent: "0020",
+    },
+  ]);
+  let [status, filters] = result.split(";");
+  equal(status, "finished", "CRLite filter download should have run");
+  let filtersSplit = filters.split(",");
+  deepEqual(
+    filtersSplit,
+    [
+      "2019-01-03T00:00:00Z-full",
+      "2019-01-03T06:00:00Z-diff",
+      "2019-01-03T12:00:00Z-diff",
+      "2019-01-03T18:00:00Z-diff",
+    ],
+    "Should have downloaded the expected CRLite filters"
+  );
+});
+
+add_task(async function test_crlite_confirm_revocations_mode() {
+  Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+  Services.prefs.setIntPref(
+    "security.pki.crlite_mode",
+    CRLiteModeConfirmRevocationsValue
+  );
+  Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  addCertFromFile(certdb, "test_crlite_filters/issuer.pem", ",,");
+  addCertFromFile(certdb, "test_crlite_filters/no-sct-issuer.pem", ",,");
+
+  let result = await syncAndDownload([
+    {
+      timestamp: "2020-10-17T00:00:00Z",
+      type: "full",
+      id: "0000",
+      coverage: [
+        {
+          logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+          minTimestamp: 0,
+          maxTimestamp: 9999999999999,
+        },
+        {
+          logID: "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=",
+          minTimestamp: 0,
+          maxTimestamp: 9999999999999,
+        },
+      ],
+      enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID],
+    },
+  ]);
+  equal(
+    result,
+    "finished;2020-10-17T00:00:00Z-full",
+    "CRLite filter download should have run"
+  );
+
+  // The CRLite result should be enforced for this certificate and
+  // OCSP should not be consulted.
+  let validCert = constructCertFromFile("test_crlite_filters/valid.pem");
+  await checkCertErrorGenericAtTime(
+    certdb,
+    validCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    undefined,
+    "vpn.worldofspeed.org",
+    0
+  );
+
+  // OCSP should be consulted for this certificate, but OCSP is disabled by
+  // Ci.nsIX509CertDB.FLAG_LOCAL_ONLY so this will be treated as a soft-failure
+  // and the CRLite result will be used.
+  let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedCert,
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    undefined,
+    "us-datarecovery.com",
+    Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+  );
+
+  // Reload the filter w/o coverage and enrollment metadata.
+  result = await syncAndDownload([
+    {
+      timestamp: "2020-10-17T00:00:00Z",
+      type: "full",
+      id: "0000",
+      coverage: [],
+      enrolledIssuers: [],
+    },
+  ]);
+  equal(
+    result,
+    "finished;2020-10-17T00:00:00Z-full",
+    "CRLite filter download should have run"
+  );
+
+  // OCSP will be consulted for the revoked certificate, but a soft-failure
+  // should now result in a Success return.
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    undefined,
+    "us-datarecovery.com",
+    Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+  );
+});
+
+add_task(async function test_crlite_filters_and_check_revocation() {
+  Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+  Services.prefs.setIntPref(
+    "security.pki.crlite_mode",
+    CRLiteModeEnforcePrefValue
+  );
+  Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  addCertFromFile(certdb, "test_crlite_filters/issuer.pem", ",,");
+  addCertFromFile(certdb, "test_crlite_filters/no-sct-issuer.pem", ",,");
+
+  let result = await syncAndDownload([
+    {
+      timestamp: "2020-10-17T00:00:00Z",
+      type: "full",
+      id: "0000",
+      coverage: [
+        {
+          logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+          minTimestamp: 0,
+          maxTimestamp: 9999999999999,
+        },
+        {
+          logID: "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=",
+          minTimestamp: 0,
+          maxTimestamp: 9999999999999,
+        },
+      ],
+      enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID],
+    },
+  ]);
+  equal(
+    result,
+    "finished;2020-10-17T00:00:00Z-full",
+    "CRLite filter download should have run"
+  );
+
+  let validCert = constructCertFromFile("test_crlite_filters/valid.pem");
+  // NB: by not specifying Ci.nsIX509CertDB.FLAG_LOCAL_ONLY, this tests that
+  // the implementation does not fall back to OCSP fetching, because if it
+  // did, the implementation would attempt to connect to a server outside the
+  // test infrastructure, which would result in a crash in the test
+  // environment, which would be treated as a test failure.
+  await checkCertErrorGenericAtTime(
+    certdb,
+    validCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    false,
+    "vpn.worldofspeed.org",
+    0
+  );
+
+  let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedCert,
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    false,
+    "us-datarecovery.com",
+    0
+  );
+
+  // Before any stashes are downloaded, this should verify successfully.
+  let revokedInStashCert = constructCertFromFile(
+    "test_crlite_filters/revoked-in-stash.pem"
+  );
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedInStashCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    false,
+    "stokedmoto.com",
+    0
+  );
+
+  result = await syncAndDownload(
+    [
+      {
+        timestamp: "2020-10-17T03:00:00Z",
+        type: "diff",
+        id: "0001",
+        parent: "0000",
+      },
+    ],
+    false
+  );
+  equal(
+    result,
+    "finished;2020-10-17T03:00:00Z-diff",
+    "Should have downloaded the expected CRLite filters"
+  );
+
+  // After downloading the first stash, this should be revoked.
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedInStashCert,
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    false,
+    "stokedmoto.com",
+    0
+  );
+
+  // Before downloading the second stash, this should not be revoked.
+  let revokedInStash2Cert = constructCertFromFile(
+    "test_crlite_filters/revoked-in-stash-2.pem"
+  );
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedInStash2Cert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    false,
+    "icsreps.com",
+    0
+  );
+
+  result = await syncAndDownload(
+    [
+      {
+        timestamp: "2020-10-17T06:00:00Z",
+        type: "diff",
+        id: "0002",
+        parent: "0001",
+      },
+    ],
+    false
+  );
+  equal(
+    result,
+    "finished;2020-10-17T06:00:00Z-diff",
+    "Should have downloaded the expected CRLite filters"
+  );
+
+  // After downloading the second stash, this should be revoked.
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedInStash2Cert,
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    false,
+    "icsreps.com",
+    0
+  );
+
+  // The other certificates should still get the same results as they did before.
+  await checkCertErrorGenericAtTime(
+    certdb,
+    validCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    false,
+    "vpn.worldofspeed.org",
+    0
+  );
+
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedCert,
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    false,
+    "us-datarecovery.com",
+    0
+  );
+
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedInStashCert,
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    false,
+    "stokedmoto.com",
+    0
+  );
+
+  // This certificate has no embedded SCTs, so it is not guaranteed to be in
+  // CT, so CRLite can't be guaranteed to give the correct answer, so it is
+  // not consulted, and the implementation falls back to OCSP. Since the real
+  // OCSP responder can't be reached, this results in a
+  // SEC_ERROR_OCSP_SERVER_ERROR.
+  let noSCTCert = constructCertFromFile("test_crlite_filters/no-sct.pem");
+  // NB: this will cause an OCSP request to be sent to localhost:80, but
+  // since an OCSP responder shouldn't be running on that port, this should
+  // fail safely.
+  Services.prefs.setCharPref("network.dns.localDomains", "ocsp.digicert.com");
+  Services.prefs.setBoolPref("security.OCSP.require", true);
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+  await checkCertErrorGenericAtTime(
+    certdb,
+    noSCTCert,
+    SEC_ERROR_OCSP_SERVER_ERROR,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    false,
+    "mail233.messagelabs.com",
+    0
+  );
+  Services.prefs.clearUserPref("network.dns.localDomains");
+  Services.prefs.clearUserPref("security.OCSP.require");
+  Services.prefs.clearUserPref("security.OCSP.enabled");
+
+  // The revoked certificate example has one SCT from the log with ID "9ly...="
+  // at time 1598140096613 and another from the log with ID "XNx...=" at time
+  // 1598140096917. The filter we construct here fails to cover it by one
+  // millisecond in each case. The implementation will fall back to OCSP
+  // fetching. Since this would result in a crash and test failure, the
+  // Ci.nsIX509CertDB.FLAG_LOCAL_ONLY is used.
+  result = await syncAndDownload([
+    {
+      timestamp: "2020-10-17T00:00:00Z",
+      type: "full",
+      id: "0000",
+      coverage: [
+        {
+          logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+          minTimestamp: 0,
+          maxTimestamp: 1598140096612,
+        },
+        {
+          logID: "XNxDkv7mq0VEsV6a1FbmEDf71fpH3KFzlLJe5vbHDso=",
+          minTimestamp: 1598140096917,
+          maxTimestamp: 9999999999999,
+        },
+      ],
+      enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID],
+    },
+  ]);
+  equal(
+    result,
+    "finished;2020-10-17T00:00:00Z-full",
+    "CRLite filter download should have run"
+  );
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    false,
+    "us-datarecovery.com",
+    Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+  );
+});
+
+add_task(async function test_crlite_filters_avoid_reprocessing_filters() {
+  Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+  let result = await syncAndDownload([
+    {
+      timestamp: "2019-01-01T00:00:00Z",
+      type: "full",
+      id: "0000",
+      coverage: [
+        {
+          logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+          minTimestamp: 0,
+          maxTimestamp: 9999999999999,
+        },
+      ],
+      enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID],
+    },
+    {
+      timestamp: "2019-01-01T06:00:00Z",
+      type: "diff",
+      id: "0001",
+      parent: "0000",
+    },
+    {
+      timestamp: "2019-01-01T12:00:00Z",
+      type: "diff",
+      id: "0002",
+      parent: "0001",
+    },
+    {
+      timestamp: "2019-01-01T18:00:00Z",
+      type: "diff",
+      id: "0003",
+      parent: "0002",
+    },
+  ]);
+  let [status, filters] = result.split(";");
+  equal(status, "finished", "CRLite filter download should have run");
+  let filtersSplit = filters.split(",");
+  deepEqual(
+    filtersSplit,
+    [
+      "2019-01-01T00:00:00Z-full",
+      "2019-01-01T06:00:00Z-diff",
+      "2019-01-01T12:00:00Z-diff",
+      "2019-01-01T18:00:00Z-diff",
+    ],
+    "Should have downloaded the expected CRLite filters"
+  );
+  // This simulates another poll without clearing the database first. The
+  // filter and stashes should not be re-downloaded.
+  result = await syncAndDownload([], false);
+  equal(result, "finished;");
+
+  // If a new stash is added, only it should be downloaded.
+  result = await syncAndDownload(
+    [
+      {
+        timestamp: "2019-01-02T00:00:00Z",
+        type: "diff",
+        id: "0004",
+        parent: "0003",
+      },
+    ],
+    false
+  );
+  equal(result, "finished;2019-01-02T00:00:00Z-diff");
+});
+
+let server;
+
+function run_test() {
+  server = new HttpServer();
+  server.start(-1);
+  registerCleanupFunction(() => server.stop(() => {}));
+
+  server.registerDirectory(
+    "/cdn/security-state-workspace/cert-revocations/",
+    do_get_file(".")
+  );
+
+  server.registerPathHandler("/v1/", (request, response) => {
+    response.write(
+      JSON.stringify({
+        capabilities: {
+          attachments: {
+            base_url: `http://localhost:${server.identity.primaryPort}/cdn/`,
+          },
+        },
+      })
+    );
+    response.setHeader("Content-Type", "application/json; charset=UTF-8");
+    response.setStatusLine(null, 200, "OK");
+  });
+
+  Services.prefs.setCharPref(
+    "services.settings.server",
+    `http://localhost:${server.identity.primaryPort}/v1`
+  );
+
+  // Set intermediate preloading to download 0 intermediates at a time.
+  Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 0);
+
+  Services.prefs.setCharPref("browser.policies.loglevel", "debug");
+
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/20201017-0-filter b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-0-filter
new file mode 100644
index 0000000000..151cac41a9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-0-filter
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/20201017-1-filter.stash b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-1-filter.stash
new file mode 100644
index 0000000000..d43193a78c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-1-filter.stash
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/20201201-3-filter.stash b/security/manager/ssl/tests/unit/test_crlite_filters/20201201-3-filter.stash
new file mode 100644
index 0000000000..52c9ee8d51
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/20201201-3-filter.stash
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/issuer.pem b/security/manager/ssl/tests/unit/test_crlite_filters/issuer.pem
new file mode 100644
index 0000000000..ead19e3c14
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/issuer.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
+EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
+ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
+MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
+EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
+CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
+EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
+BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
+K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
+cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
+pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
+eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
+AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
+HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
+9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
+b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
+b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
+CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
+MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
+91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
+RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
+DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
+GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
+LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/no-sct-issuer.pem b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct-issuer.pem
new file mode 100644
index 0000000000..70b86dfd71
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct-issuer.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
+U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
+nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
+KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f
+/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX
+kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0
+/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C
+AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
+aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6
+Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1
+oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
+QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
+d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh
+xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
+CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
+5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
+8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
+2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
+c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
+j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/no-sct.pem b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct.pem
new file mode 100644
index 0000000000..a690a0ad0d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFpDCCBIygAwIBAgIQDVHBpbd6yyk2LgPoPr9QyjANBgkqhkiG9w0BAQsFADBN
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
+aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTkxMTE4MDAwMDAwWhcN
+MjExMTE4MTIwMDAwWjCBlDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
+aWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxHTAbBgNVBAoTFFN5bWFudGVjIENv
+cnBvcmF0aW9uMRcwFQYDVQQLEw5TeW1hbnRlYy5jbG91ZDEgMB4GA1UEAxMXbWFp
+bDIzMy5tZXNzYWdlbGFicy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCyM1Fy9hAlahRqqeEnPKDWgUmsxofivWEWKNeSMEKcnXX3TCQOGbLQTthN
+xfNU7IWY8ViTPwQ8JBWWDxNhd6dTYLNnytKrNRG8qDQ3rFMKJY4p0dZImMp55X3W
+1xcKMxSOkPv0YUCGp7qlAHq6+N3YY1ILw6MRdJ75Njh4Kw8qe5F3rHLwD+AyYQmx
+3WsMCRp5NZtWUcU5Vbc9ca/osrh9xBF7U3ZYR6GoPXQlizrNjXv7/BaKWWO5ChbD
+iRI4Nj8d3HhWUHsJoGvYDof5Iudgtbubz3c5cwp6+VNNMas7izpvbixqW8zXdUug
+8v5v47IkRNYnlma/zvv2IDC1dVlxAgMBAAGjggI2MIICMjAfBgNVHSMEGDAWgBQP
+gGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQUZnBdWwGQjkPX/+A2ZEYdUdnw
+lN8wfQYDVR0RBHYwdIIbY2x1c3RlcjguZXUubWVzc2FnZWxhYnMuY29tgh5jbHVz
+dGVyOG91dC5ldS5tZXNzYWdlbGFicy5jb22CHGNsdXN0ZXI4YS5ldS5tZXNzYWdl
+bGFicy5jb22CF21haWwyMzMubWVzc2FnZWxhYnMuY29tMA4GA1UdDwEB/wQEAwIF
+oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYDVR0fBGQwYjAvoC2g
+K4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwL6At
+oCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLXNoYTItZzYuY3JsMEwG
+A1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3
+LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMHwGCCsGAQUFBwEBBHAwbjAkBggr
+BgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEYGCCsGAQUFBzAChjpo
+dHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRTSEEyU2VjdXJlU2Vy
+dmVyQ0EuY3J0MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAK7vS/qDcGKb
+QYu26+jGtBemopT3+2YJjtALeR62eNhF9LoHu+mnmNLvPI0M0NMhz56Ss/6sUHOz
+hJgB98SLAQ5ElSWXrnZThLIjsiH5X5MYTD0Y8MqzoJSi2Lf2Muy/UpyrD3wB14E1
+kUYhvUnaWDDPIN81DCFzEosBmnsRqr5zlcZSKs0e1LVQ8cNkt8svVkiwFgeOIhwo
+QF22GJAZPtRceSGlbRTFBYKh+u3KN8eNS/X+C935y+F4J/grufDCzRSGtRRseTcd
+1QW49+QME/rx1mBb7id4iXNKxvGuJTivBlxaHWBQLh/RGk39DSdHfjAhYvt2gmxh
+C3gxXMNrymE=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/notcovered.pem b/security/manager/ssl/tests/unit/test_crlite_filters/notcovered.pem
new file mode 100644
index 0000000000..bac70a76bc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/notcovered.pem
@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----

+MIIGpzCCBY+gAwIBAgIIfLPIa/Mc/f4wDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV

+BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow

+GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz

+LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1

+cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjIwMTA2MDA1MTI5WhcN

+MjMwMjA0MTUxNjQwWjAeMRwwGgYDVQQDExNwZWVrYWJvb3Bob25pY3MuY29tMIIB

+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuCKkB+36Yd/mBwwlq/F+B2R/

+ibNdUncADG1+xCB21TB6H0UWR1Aj92ZsIKXwXIyhj02VT58y0Oh4eycsMtEi/lLq

+KXhpWjRAMZaxjdyIrSJxpQVXC3v8Taej6PG2RewGMA3uXj+oWfl7t25JnEes1l2n

+JOnDXs5w4K0aDD1+r7wqCgZA7evmmdK3WJMWD/GSeF2hYcXFgb5dM2TiSRBGkv/9

+jMAvOSuJO8/kxKHLtLfM4I3O0gugB5Uyxtn5a6+P4vOphozsYgHqnSapCV8eAEN2

+SWRhFpfwsbt6/Dw/k38F2A5axSF0n+IQ49ejtWjs+f/GNTloieTsDbcpKkDSEwID

+AQABo4IDUDCCA0wwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI

+KwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6

+Ly9jcmwuZ29kYWRkeS5jb20vZ2RpZzJzMS0zNzEwLmNybDBdBgNVHSAEVjBUMEgG

+C2CGSAGG/W0BBxcBMDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMu

+Z29kYWRkeS5jb20vcmVwb3NpdG9yeS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGow

+aDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUF

+BzAChjRodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv

+Z2RpZzIuY3J0MB8GA1UdIwQYMBaAFEDCvSeOzDSDMKIz1/tss/C0LIDOMDcGA1Ud

+EQQwMC6CE3BlZWthYm9vcGhvbmljcy5jb22CF3d3dy5wZWVrYWJvb3Bob25pY3Mu

+Y29tMB0GA1UdDgQWBBRElZlefxDT9BFjvpeq7zP6TlVv+TCCAYEGCisGAQQB1nkC

+BAIEggFxBIIBbQFrAHcA6D7Q2j71BjUy51covIlryQPTy9ERa+zraeF3fW0GvW4A

+AAF+LN6rOQAABAMASDBGAiEAssjNEfjNFhpQmiFRCFZSr1zZk7ISWHqPIzoghyZ+

+UbgCIQDB6iKxtMkpx1I9P9uL40M93xynsb/3DVl1OX8pSO1n9gB3ADXPGRu/sWxX

+vw+tTG1Cy7u2JyAmUeo/4SrvqAPDO9ZMAAABfizerPwAAAQDAEgwRgIhANUhPyqm

+inLVPy1zUqikc64dwi0P/nvCoNtC1gO2cDHgAiEAjv1Gw04htq5OyTP3XYQTHsZW

+h35omGu+WCS68t8LnIEAdwB6MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpXo1Lr

+UgAAAX4s3q2BAAAEAwBIMEYCIQDqxot9iMPghZbHZSegX98g1o5dvSsG1azMv290

+Cp+sBgIhALiMl5lj1A3nWkHTQKF9bF3ops5/ZxxJYE7XwBxlkZYYMA0GCSqGSIb3

+DQEBCwUAA4IBAQAOfIC7VLhn3oBYQKTzX4CN+249JN7l5tbSMqC2zjKRjOWOF3p/

+yNb2gk/v6EW0xN024E2yo8K4XF+QJMfzlwpsed1yuziYHIpjeiad7JGUs/57jdCo

+EUQrvwkuIeR5CZrGcXKG8nlVM5SaNhmId8XixnJz7XfEWiCxszlRkXIZ4Uhpwz2D

+XhQ8RE1DhwX3x6oO5y9Eu6o6+bz2Y14E0lL4hCng09UmrOFEUzVcO4bK8qsSp9oe

+1NNPlMQ3SD6RlGBy+2O5Iy8Kj4BRv2US2stuDeZWSvxp6N2RwLGBnDTyT08VAFD5

+SkulqE2/r6AHWNMe649z1clhq14i1+kQjEq5

+-----END CERTIFICATE-----

diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash-2.pem b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash-2.pem
new file mode 100644
index 0000000000..9550453493
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash-2.pem
@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIGNTCCBR2gAwIBAgIIFn0oGKdatdgwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
+GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
+LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
+cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjAwOTI3MTE0MzI0WhcN
+MjExMDI5MTE0MzI0WjA5MSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0
+ZWQxFDASBgNVBAMTC2ljc3JlcHMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAydMKPhCqRWjy5h1aPUNdRb80kt0hP/g55ytjlSF04PG+1CbIcId1
+GJg1qkbTR1vqZyvaI8wjv3zdfvsvYbka9OQFJiOasJfeqmiA+sDd9AvFiD2EF5zN
+D9uKHi+sF8Ut4JMl7jqaRAu/gbjBvY/9ammkz4sUiTlp1x4rteda3tuX9O7yMO7U
+ldnyfabHgGmmm8KU3nvRAjNbHCq3J/V/zw8YeolXU5OpOeZMhI8KAGKpxk8tRiIb
+LkdSdCTWoKgXO60extYcGTxIT8c8zfY6OoN0VaQY8HA1VyBZQIw2RTWivmI8le0J
+ypXYxNcUtInS0ivO4ymiNnCjYR9pgQ6+tQIDAQABo4ICwzCCAr8wDAYDVR0TAQH/
+BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQD
+AgWgMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2Rp
+ZzJzMS0yMzM0LmNybDBdBgNVHSAEVjBUMEgGC2CGSAGG/W0BBxcBMDkwNwYIKwYB
+BQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9y
+eS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0cDov
+L29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUFBzAChjRodHRwOi8vY2VydGlmaWNh
+dGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2RpZzIuY3J0MB8GA1UdIwQYMBaA
+FEDCvSeOzDSDMKIz1/tss/C0LIDOMCcGA1UdEQQgMB6CC2ljc3JlcHMuY29tgg93
+d3cuaWNzcmVwcy5jb20wHQYDVR0OBBYEFEgqFQnM5zH3cKFGtFanJxxD9zdPMIIB
+BAYKKwYBBAHWeQIEAgSB9QSB8gDwAHUA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98M
+LyALzE7xZOMAAAF0z1/40gAABAMARjBEAiADSOnqg/I15y+dJDSWta8NzBwE6Xti
+UzyBKMT2OYHCYwIgb1aFpZxlkhx6XCCuniBLTcr5JbhigoM/lAfUmvvUqrIAdwBc
+3EOS/uarRUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAXTPX/oBAAAEAwBIMEYC
+IQD6WvavTba+Lydf6uhaaxcRmhuuPeddzSmC8t4+tBLGGgIhANJPxhRl1pGYm6WX
+ay9jPCM2SqtBraOJYncaV6k37zGYMA0GCSqGSIb3DQEBCwUAA4IBAQA0IknIoU51
+FCBqpksgo7zR9OJj5MoQmlsQbzSFppdRKgyHhk8rW6IrBi3yrtWjo3HxcwihZlJQ
+2AbinRTNnHvBpiiiXXxR5u9yVly+9l3KfF/uHIGMnIqsahaKXNOy5h98uq4o4N0+
+YCGu9wSeDwtaCzdT+V447Fq63nmW629pjwin8FYCz2S8RdztranPZuOgwYqBNlWu
+u3Mi9DWIV2hP6eFwMZh7BWgbvnhWiI37TE74YQ+3cEVaLxLHJH9jkBjsel+ZwVIo
+9xeE6kGsh5+D0uHS5NWf9zu+fvW0iTgsB8J4VX5OihAa1v4FS4IaF3snkaMa0PCd
+MJMOgY5VkZiw
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash.pem b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash.pem
new file mode 100644
index 0000000000..1073159662
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash.pem
@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIGPTCCBSWgAwIBAgIJAJeW47AXop8NMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
+VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
+MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
+cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
+dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTIwMDgyMjIzMDI0NVoX
+DTIxMDkyMTIxMTYxMVowPDEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
+dGVkMRcwFQYDVQQDEw5zdG9rZWRtb3RvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBANLX8D4Cin6x2bmoSdgnuw9O+tGcD1x1S++3110NJVXUlpSc
+3uSUwqpU4rMOkJlRnuaBtHXYUFG8NMMnbTJYY9JuuhAlnHzVqoRWmcTNRp72fpDA
+XoD3U20spJeGQZXuQnGfe/k9EouvXt5du029YqItkFbjdbub4FP5MbIz1CWeelEn
+fEwpe/peLVYEfKSyYf325tFI9wZhuIM/zTe9DE6lauznM8hg1ioiBujxzeWWSstZ
+K2uJKaI8nlWkSr6vwPqJEBvvoShcWHFEmG8SWqPBy1tsNsLNjJkaHfD7gvG/J1Rc
+G21D0XO2IA0rEo6lo8MNEkWoHZA/oHO1eHrCjNkCAwEAAaOCAscwggLDMAwGA1Ud
+EwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB
+/wQEAwIFoDA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmdvZGFkZHkuY29t
+L2dkaWcyczEtMjIzNy5jcmwwXQYDVR0gBFYwVDBIBgtghkgBhv1tAQcXATA5MDcG
+CCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9z
+aXRvcnkvMAgGBmeBDAECATB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0
+dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzBABggrBgEFBQcwAoY0aHR0cDovL2NlcnRp
+ZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5L2dkaWcyLmNydDAfBgNVHSME
+GDAWgBRAwr0njsw0gzCiM9f7bLPwtCyAzjAtBgNVHREEJjAkgg5zdG9rZWRtb3Rv
+LmNvbYISd3d3LnN0b2tlZG1vdG8uY29tMB0GA1UdDgQWBBTP8YI0WwVBgvg5GABQ
+fUksbk6evjCCAQIGCisGAQQB1nkCBAIEgfMEgfAA7gB1APZclC/RdzAiFFQYCDCU
+Vo7jTRMZM7/fDC8gC8xO8WTjAAABdBhpJtAAAAQDAEYwRAIgcrebTXyuMk/ciVyg
+LMbbd6qbkyB3yRAY1QnBs5sGK1ICIGw6EpH/NMXcOfYdkuSmhSYgUx0AIDdT9QWH
+rRIT50D3AHUAXNxDkv7mq0VEsV6a1FbmEDf71fpH3KFzlLJe5vbHDsoAAAF0GGko
+AwAABAMARjBEAiBtzQQHVVML3yZhZRsLLhJkYcc11nXeU/S/rouOZCCZQQIgVYKY
+jgjCU5HQyY6R5PZQTsCQGWiaOm1VguAIgPbvKzYwDQYJKoZIhvcNAQELBQADggEB
+AH6jCZU9+5TMaR5XThGL/z8EYQ1uFVN0hlXXB+gP3IDQLmyxkqrk9cOSf1D6fLRT
+5T4tGzPLvmReBLfrzQEkuqkXpUieortbpi116V82K+zBDT5s9Dol6+MxhwIZyZ7K
+DkHSbcFyiV9hkr2bf8JZzjvpCOfw9kYZTcYv8M8kheIOQsONdfe/rqNQnMRy56UZ
+OGZmxqDT2RwbewHEMAEb5ZsZ55/UHq08vZSVSA8qIqX/BU+7frwwt4vmv4WQ7AoJ
+YNml0TdV4R27NlnvhbAclucuqEMBcBg8gNylvKD3Mid7O4c5gCX5Wuml6rLpOr05
+vpJJqSf0uy73EtNcyTqfwUQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/revoked.pem b/security/manager/ssl/tests/unit/test_crlite_filters/revoked.pem
new file mode 100644
index 0000000000..ece7360def
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/revoked.pem
@@ -0,0 +1,42 @@
+-----BEGIN CERTIFICATE-----
+MIIHTjCCBjagAwIBAgIILTXKZQP7G6MwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
+GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
+LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
+cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjAwODIyMjM0ODE1WhcN
+MjEwMTE0MjEwMzAxWjBDMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0
+ZWQxHjAcBgNVBAMMFSoudXMtZGF0YXJlY292ZXJ5LmNvbTCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKzuSr8LaH2Aw/G1aKN4URo0RwaFv4+7MzM0RVTB
+189BdE8rgNRfxskoAVfte+iftO7P5qjg+1Jx8SCE1ZCNT2TGtcYwlsjyNLnbP3xV
+Cq514bODlwimOKLhpUFH1/ofO4/enbU8E4hlxS4DPtOGbsjouTiRHAOLsi7D+WT3
+3pZelFa5Hgmed5dL/CCJTiwbF10lbTXNwLgI7efUqiwvHRwf/CXEW9IvKJ9HG2We
+tT9ouQGOHfz4fyGOMN268dHqP89K+auCcf9b3BzzWOsknhmDisl+06WaIJe/W7Dn
++eG07nAuJLhE6nH9KLYiU2X5CHnLPvBTOPDdm/hzH84hnHkX2pSbst4d1aNtU4uP
+hyQcE5aMfnV7Yr1ZQUlLreCKzwIAb6BKqF/gHMASXUX7Fw5OFUHxV1xcPbcHQLs6
+D3XAoLBzopTR4YjxIDqhS3pkxHu5u9OEzFfaeP5zYnrj69Bke3lrdbrKV8aXIxHn
+xh9xJV4zAaPoHe8ze03zvdBXfu69DU+TTQkRfzJSZx/sXV6BHe15WGSHZxe0i61z
+wA1Oi7QgySMKIKSs6dsPOqppmePc3seMJy7y0FSxF1Kq6a1tR+W3j2WT9nY1c4Wb
+4LWc+0gDK3nvibJbFqCfnPznq/Q+q0V6m9BqBNjvqyyWXbgzCVn7qcT4apiP47IV
++MiBAgMBAAGjggLSMIICzjAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUF
+BwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwOAYDVR0fBDEwLzAtoCugKYYn
+aHR0cDovL2NybC5nb2RhZGR5LmNvbS9nZGlnMnMxLTIyMzcuY3JsMF0GA1UdIARW
+MFQwSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmlj
+YXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzAIBgZngQwBAgEwdgYIKwYBBQUH
+AQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYI
+KwYBBQUHMAKGNGh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3Np
+dG9yeS9nZGlnMi5jcnQwHwYDVR0jBBgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4w
+NQYDVR0RBC4wLIIVKi51cy1kYXRhcmVjb3ZlcnkuY29tghN1cy1kYXRhcmVjb3Zl
+cnkuY29tMB0GA1UdDgQWBBTooRcQfblnnD7pJFCZfGGcf4kD4jCCAQUGCisGAQQB
+1nkCBAIEgfYEgfMA8QB3APZclC/RdzAiFFQYCDCUVo7jTRMZM7/fDC8gC8xO8WTj
+AAABdBiSoGUAAAQDAEgwRgIhAI4Cd+FhKsWdUZkBugaburD9dzdlVHSxKq6oYNyI
+vmIIAiEAwlmkvAiPb9nwDirqe7MZud5nu/lmq/Ip7M1xSKuraykAdgBc3EOS/uar
+RUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAXQYkqGUAAAEAwBHMEUCIQCpYqq+
+Uc881tR+ikvsR97FRl6jBfxG50Sum+cdHEQkYQIgZJbGaeNoDS9+LAKI88NNRiCK
+vtQZkwWigDYr+2dWguYwDQYJKoZIhvcNAQELBQADggEBAD+sj44+86AvdVUrAN9h
+cU6kt4I6K1TM0KBmKg3rG8JEY7+Ec4Rztls3uviLR0ajH5tkQPwD7vRBVrLVDtQS
+Ndt2StR38AXiBRWwewy/sPMz11YzOPLyHaTl4pJVfyzHJ+rPdWuFZLtpTras/MIK
+IFnnbInlh5XtRhDCv6UEkAmGu5BeftA+9XxTuZlbwQlO5U1yg9Hqor9zANMqX9Ad
+3omIZrPtBkTdVOwHRU8SoaS6XxQ9jxcmWRgNTVAhU1/J7Bgvg3CPSpcHyV78sXkS
+D9bb1f4jdadaMKuJc0mTHBAxZenr3IFV8upf2FRTJnrCiS0jX8kKobN/+04Gbev6
+Tr0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/valid.pem b/security/manager/ssl/tests/unit/test_crlite_filters/valid.pem
new file mode 100644
index 0000000000..6769ba3d37
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/valid.pem
@@ -0,0 +1,39 @@
+-----BEGIN CERTIFICATE-----
+MIIGyTCCBbGgAwIBAgIJANpPOSv9i86oMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
+VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
+MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
+cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
+dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE4MTAxNTE5NTQxNFoX
+DTIwMTAyNDE4MzczOFowQjEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
+dGVkMR0wGwYDVQQDExR2cG4ud29ybGRvZnNwZWVkLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAKb1cjhtYv6yiyZa1feabWaSBOCmN0JuqXIMkX3r
+4g+5heKAwPFlPFbZ3vZ3DQXiliV7jb5nhlx0O6nYG+MoGFmj6hEHDptCASAfdd3j
+4tCxg0FlilXgrgMkJCg+SjW0npZ86jMkfc0WzufUyMjxv2pUUicPNXyWbaQr+PCq
+zs6AsOkmuQ8RUUAqZ+Q0EJfQnjuhql7NCdByNui9S2LmrPcV6TAHHeTwKX733edv
+zsNzaLNgE6TLGXSSRvsW/eZ/uNScPHLybE4wdxxCDwSYCPwaQq34csc3a8SUTWfS
+4UkdbOn7j5sZPx7Jj0uUlm20ZDsj2FUi/0SXNvz5flFQbVsCAwEAAaOCA00wggNJ
+MAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4G
+A1UdDwEB/wQEAwIFoDA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3JsLmdvZGFk
+ZHkuY29tL2dkaWcyczEtODc4LmNybDBdBgNVHSAEVjBUMEgGC2CGSAGG/W0BBxcB
+MDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20v
+cmVwb3NpdG9yeS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcw
+AYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUFBzAChjRodHRwOi8v
+Y2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2RpZzIuY3J0MB8G
+A1UdIwQYMBaAFEDCvSeOzDSDMKIz1/tss/C0LIDOMDkGA1UdEQQyMDCCFHZwbi53
+b3JsZG9mc3BlZWQub3Jnghh3d3cudnBuLndvcmxkb2ZzcGVlZC5vcmcwHQYDVR0O
+BBYEFGjmOgodY5yPX19UPVcACFpVExz1MIIBfQYKKwYBBAHWeQIEAgSCAW0EggFp
+AWcAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWZ5SxEeAAAE
+AwBHMEUCIEL5OLHwBpIALbEnLFQntFlGBe8Oko6U/arr15jU4sLDAiEA6uy8DEnh
+PFLOxXDC3ZaeOlK2+cdx76IAr6M6As74ETEAdgDuS723dc5guuFCaR+r4Z5mow9+
+X7By2IMAxHuJeqj9ywAAAWZ5SxMzAAAEAwBHMEUCIFWIeePa6jdf6y9o/YYxoqWr
+Je3j8W94e4f5bixaGPiyAiEA7aJRZI+aWCE/zz5DpvcyRgkIoSKS3+dKS2irf/mp
+qx0AdQBep3P531bA57U2SH3QSeAyepGaDIShEhKEGHWWgXFFWAAAAWZ5SxPjAAAE
+AwBGMEQCIEkYw6g/cIZBdOUh+ETwl2XX2S0Bv8iGGiaOKOoXqVK6AiAh3eqABfMc
+9b/wLJZo186YgbzmbZB0N3y5TUJKK1oMYDANBgkqhkiG9w0BAQsFAAOCAQEAPEwx
+d597oqiP9/TN8RDrZqhn4uLZ9K5mXOD93RorUN8T8O1kV0B4UcXM1CkU2zxv4a9S
+tG3diHjmfJgcrhpa4i19sZD7+QpTU8j0e82JlsB3MpbtuaiBwqb979c5qNPixQlJ
+kDs4DWf8kV+4B9/DWWLDKvs+FtL8ST8n+LfwstZqi2EyK+1ZyM0p9hkUAzrT/M2h
+Ou1DYELbCt2HaKMHMPSlrkESG7Q9v9Ba23EXElG+oFXxgnPwk4n84rYG8lI8pPyA
+clunJNqc2cISUTDMdgGctCFdSVGyEq+8VVG5Y6Od5LMwtOLKcv+VPi17+iGfxNt/
++dAMbzGIlDuJELwn0g==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting.js b/security/manager/ssl/tests/unit/test_crlite_preexisting.js
new file mode 100644
index 0000000000..c788a11b54
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_preexisting.js
@@ -0,0 +1,208 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that starting a profile with a preexisting CRLite filter and stash
+// works correctly.
+
+"use strict";
+
+add_task(async function test_preexisting_crlite_data() {
+  Services.prefs.setIntPref(
+    "security.pki.crlite_mode",
+    CRLiteModeEnforcePrefValue
+  );
+
+  let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+    Ci.nsICertStorage
+  );
+
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  // These need to be available to be able to find them during path building
+  // for certificate verification.
+  let issuerCert = constructCertFromFile("test_crlite_filters/issuer.pem");
+  ok(issuerCert, "issuer certificate should decode successfully");
+  let noSCTCertIssuer = constructCertFromFile(
+    "test_crlite_filters/no-sct-issuer.pem"
+  );
+  ok(
+    noSCTCertIssuer,
+    "issuer certificate for certificate without SCTs should decode successfully"
+  );
+
+  let validCert = constructCertFromFile("test_crlite_filters/valid.pem");
+  let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+
+  // We didn't load a data.bin file, so the filter is not considered fresh and
+  // we should get a "no filter" result. We later test that CRLite considers
+  // this cert to be revoked. So success here shows that CRLite is not
+  // consulted when the filter is stale.
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    false,
+    "us-datarecovery.com",
+    Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+  );
+
+  // Add an empty stash to ensure the filter is considered to be fresh.
+  await new Promise(resolve => {
+    certStorage.addCRLiteStash(new Uint8Array([]), (rv, _) => {
+      Assert.equal(rv, Cr.NS_OK, "marked filter as fresh");
+      resolve();
+    });
+  });
+
+  // NB: by not specifying Ci.nsIX509CertDB.FLAG_LOCAL_ONLY, this tests that
+  // the implementation does not fall back to OCSP fetching, because if it
+  // did, the implementation would attempt to connect to a server outside the
+  // test infrastructure, which would result in a crash in the test
+  // environment, which would be treated as a test failure.
+  await checkCertErrorGenericAtTime(
+    certdb,
+    validCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    false,
+    "vpn.worldofspeed.org",
+    0
+  );
+
+  // NB: by not specifying Ci.nsIX509CertDB.FLAG_LOCAL_ONLY, this tests that
+  // the implementation does not fall back to OCSP fetching, because if it
+  // did, the implementation would attempt to connect to a server outside the
+  // test infrastructure, which would result in a crash in the test
+  // environment, which would be treated as a test failure.
+  await checkCertErrorGenericAtTime(
+    certdb,
+    validCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    false,
+    "vpn.worldofspeed.org",
+    0
+  );
+
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedCert,
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    false,
+    "us-datarecovery.com",
+    0
+  );
+
+  let revokedInStashCert = constructCertFromFile(
+    "test_crlite_filters/revoked-in-stash.pem"
+  );
+  // The stash may not have loaded yet, so await a task that ensures the stash
+  // loading task has completed.
+  await new Promise(resolve => {
+    certStorage.hasPriorData(
+      Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL,
+      (rv, _) => {
+        Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+        resolve();
+      }
+    );
+  });
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedInStashCert,
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    false,
+    "stokedmoto.com",
+    0
+  );
+
+  let revokedInStash2Cert = constructCertFromFile(
+    "test_crlite_filters/revoked-in-stash-2.pem"
+  );
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedInStash2Cert,
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    false,
+    "icsreps.com",
+    0
+  );
+
+  // This certificate has no embedded SCTs, so it is not guaranteed to be in
+  // CT, so CRLite can't be guaranteed to give the correct answer, so it is
+  // not consulted, and the implementation falls back to OCSP. Since the real
+  // OCSP responder can't be reached, this results in a
+  // SEC_ERROR_OCSP_SERVER_ERROR.
+  let noSCTCert = constructCertFromFile("test_crlite_filters/no-sct.pem");
+  // NB: this will cause an OCSP request to be sent to localhost:80, but
+  // since an OCSP responder shouldn't be running on that port, this should
+  // fail safely.
+  Services.prefs.setCharPref("network.dns.localDomains", "ocsp.digicert.com");
+  Services.prefs.setBoolPref("security.OCSP.require", true);
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+  await checkCertErrorGenericAtTime(
+    certdb,
+    noSCTCert,
+    SEC_ERROR_OCSP_SERVER_ERROR,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    false,
+    "mail233.messagelabs.com",
+    0
+  );
+  Services.prefs.clearUserPref("network.dns.localDomains");
+  Services.prefs.clearUserPref("security.OCSP.require");
+  Services.prefs.clearUserPref("security.OCSP.enabled");
+
+  let notCoveredCert = constructCertFromFile(
+    "test_crlite_filters/notcovered.pem"
+  );
+  await checkCertErrorGenericAtTime(
+    certdb,
+    notCoveredCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    new Date("2022-01-07T00:00:00Z").getTime() / 1000,
+    false,
+    "peekaboophonics.com",
+    Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+  );
+});
+
+function run_test() {
+  let securityStateDirectory = do_get_profile();
+  securityStateDirectory.append("security_state");
+  // For simplicity, re-use the filter from test_crlite_filters.js.
+  let crilteFile = do_get_file("test_crlite_filters/20201017-0-filter");
+  crilteFile.copyTo(securityStateDirectory, "crlite.filter");
+  // This stash file and the following cert storage file were obtained by
+  // running just the task `test_crlite_filters_and_check_revocation` in
+  // test_crlite_filters.js, causing it to hang (by adding something like
+  // `add_test(() => {});`), and then copying the files from the temporary
+  // profile directory.
+  let stashFile = do_get_file("test_crlite_preexisting/crlite.stash");
+  stashFile.copyTo(securityStateDirectory, "crlite.stash");
+  let coverageFile = do_get_file("test_crlite_preexisting/crlite.coverage");
+  coverageFile.copyTo(securityStateDirectory, "crlite.coverage");
+  let enrollmentFile = do_get_file("test_crlite_preexisting/crlite.enrollment");
+  enrollmentFile.copyTo(securityStateDirectory, "crlite.enrollment");
+  let certStorageFile = do_get_file(
+    "test_crlite_preexisting/crlite.enrollment"
+  );
+  certStorageFile.copyTo(securityStateDirectory, "crlite.enrollment");
+
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.coverage b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.coverage
new file mode 100644
index 0000000000..2bd13319e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.coverage
diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.enrollment b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.enrollment
new file mode 100644
index 0000000000..7f34283ded
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.enrollment
@@ -0,0 +1 @@
+
3)û«Õ¤:Óf£õv¬œ 0ИëðëyæQ±ýý�'ŽêŸïÕájfå¨é›à@(,v–~;ÕPÏ
\ No newline at end of file
diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.stash b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.stash
new file mode 100644
index 0000000000..25bd87d8eb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.stash
diff --git a/security/manager/ssl/tests/unit/test_crlite_stash_corrupted.js b/security/manager/ssl/tests/unit/test_crlite_stash_corrupted.js
new file mode 100644
index 0000000000..707e2f400b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_stash_corrupted.js
@@ -0,0 +1,91 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted stash file.
+
+"use strict";
+
+add_task(async function test_crlite_stash_corrupted() {
+  let securityStateDirectory = do_get_profile();
+  securityStateDirectory.append("security_state");
+
+  Services.prefs.setIntPref(
+    "security.pki.crlite_mode",
+    CRLiteModeEnforcePrefValue
+  );
+
+  let coverage = do_get_file("test_crlite_preexisting/crlite.coverage");
+  coverage.copyTo(securityStateDirectory, "crlite.coverage");
+
+  let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+  enrollment.copyTo(securityStateDirectory, "crlite.enrollment");
+
+  let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+  filter.copyTo(securityStateDirectory, "crlite.filter");
+
+  let stash = do_get_file("test_crlite_corrupted/bad.stash");
+  stash.copyTo(securityStateDirectory, "crlite.stash");
+
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+
+  let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+    Ci.nsICertStorage
+  );
+
+  // Add an empty stash to ensure the filter is considered to be fresh.
+  await new Promise(resolve => {
+    certStorage.addCRLiteStash(new Uint8Array([]), (rv, _) => {
+      Assert.equal(rv, Cr.NS_OK, "marked filter as fresh");
+      resolve();
+    });
+  });
+
+  // Await a task that ensures the stash loading task has completed.
+  await new Promise(resolve => {
+    certStorage.hasPriorData(
+      Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL,
+      (rv, _) => {
+        Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+        resolve();
+      }
+    );
+  });
+
+  // This certificate is revoked according to `test_crlite_filters/20201017-0-filter`.
+  // Its issuer is enrolled according to `test_crlite_preexisting/crlite.enrollment`,
+  // and it is covered according to `test_crlite_preexisting/crlite.coverage`.
+  let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+
+  // The issuer's certificate needs to be available for path building.
+  let issuerCert = constructCertFromFile("test_crlite_filters/issuer.pem");
+  ok(issuerCert, "issuer certificate should decode successfully");
+
+  // Loading the stash should not have caused any problems, and `revokedCert`
+  // should be marked as revoked.
+  await checkCertErrorGenericAtTime(
+    certdb,
+    revokedCert,
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    certificateUsageSSLServer,
+    new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+    undefined,
+    "us-datarecovery.com",
+    0
+  );
+
+  let hasFilter = await new Promise(resolve => {
+    certStorage.hasPriorData(
+      Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_FULL,
+      (rv, result) => {
+        Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+        resolve(result);
+      }
+    );
+  });
+  Assert.equal(hasFilter, true, "CRLite should have a filter");
+});
diff --git a/security/manager/ssl/tests/unit/test_ct.js b/security/manager/ssl/tests/unit/test_ct.js
new file mode 100644
index 0000000000..1f436eb44d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct.js
@@ -0,0 +1,72 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+function expectCT(value) {
+  return securityInfo => {
+    Assert.equal(
+      securityInfo.certificateTransparencyStatus,
+      value,
+      "actual and expected CT status should match"
+    );
+  };
+}
+
+registerCleanupFunction(() => {
+  Services.prefs.clearUserPref("security.pki.certificate_transparency.mode");
+  let cert = constructCertFromFile("test_ct/ct-valid.example.com.pem");
+  setCertTrust(cert, ",,");
+});
+
+function run_test() {
+  Services.prefs.setIntPref("security.pki.certificate_transparency.mode", 1);
+  add_tls_server_setup("BadCertAndPinningServer", "test_ct");
+  // These certificates have a validity period of 800 days, which is a little
+  // over 2 years and 2 months. This gets rounded down to 2 years (since it's
+  // less than 2 years and 3 months). Our policy requires N + 1 embedded SCTs,
+  // where N is 2 in this case. So, a policy-compliant certificate would have at
+  // least 3 SCTs.
+  add_connection_test(
+    "ct-valid.example.com",
+    PRErrorCodeSuccess,
+    null,
+    expectCT(
+      Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT
+    )
+  );
+  // This certificate has only 2 embedded SCTs, and so is not policy-compliant.
+  add_connection_test(
+    "ct-insufficient-scts.example.com",
+    PRErrorCodeSuccess,
+    null,
+    expectCT(
+      Ci.nsITransportSecurityInfo
+        .CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS
+    )
+  );
+
+  // Test that if an end-entity is marked as a trust anchor, CT verification
+  // returns a "not enough SCTs" result.
+  add_test(() => {
+    let cert = constructCertFromFile("test_ct/ct-valid.example.com.pem");
+    setCertTrust(cert, "CTu,,");
+    clearSessionCache();
+    run_next_test();
+  });
+  add_connection_test(
+    "ct-valid.example.com",
+    PRErrorCodeSuccess,
+    null,
+    expectCT(
+      Ci.nsITransportSecurityInfo
+        .CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS
+    )
+  );
+
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem
new file mode 100644
index 0000000000..dc5ba854a8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEsjCCA5qgAwIBAgIUO1A7IKB0sCUgXosbjKr2+i1ynO0wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjArMSkwJwYDVQQDDCBjdC1pbnN1ZmZpY2llbnQtc2N0cy5leGFt
+cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaOCAeEwggHdMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20w
+ggG/BgorBgEEAdZ5AgQCBIIBrwSCAasBqQB2ACq4MEQzuRTe0vMeQgfyUcF6N6CS
+aFLZCAIG+F5XORYqAAABUfp73AAAAAQDAEcwRQIgXHVRnxMRUM1dit4go7wGMJH/
+snN1XzFk7P3LQoAKcOYCIQCukSzwRcH5LaZUGjQQswNOAf0giSm/7LC6Awq+EMMD
+jAEvADEI9rbdchgH8BaVhE2FAla2cZNgg9u9OTSgUFJQGiiSAAABUfp73AAAAAQB
+AQBfrqR5eXq3/2XT6FUWtKVv8DHpP6VnLw8rARRr3GJM8nd4SMk/ds+1nWLFT+Uu
+CNm2wcVImCmumIi9zWoaWbh5xWpO2SN4KX85vZVhhsyPH27iR9M9PZ/OEblBJdIz
+W/QFLBKRmFe06GyLq0LuW5aQun+tjGx//dm0LB4Sug1NixnEUYUhCt4uGdcEyohj
+Hk95Gv89hAtiz2O6GS2fMzoe78IoN2d7XaCXNWTz4JkMCwTUwkxbpn76f/kGyD1K
++usjemQdVBOhZ8KE46+wZiI3BgqugHrmWY2xpr6oZxYbKzrVC3+BuKMI4sDDsX64
+pR88XkOqvluKcfxtTnVjhKmyMA0GCSqGSIb3DQEBCwUAA4IBAQAjm3TIr026oz6N
+DZyj2+9PqoOYsngraVhZlogvwWK/GIkcNUGupczij7JdoCA5b4szCcaYqSC/gTMl
+kp9YmrUzYjbI8OU7KIwPazx/3QZzZDmmUUvTlM5cfDhDPJX0MmwypzM+klmRJKh4
+2hyE6TiKmoARMLDSrHxLaU43Ph8Q9PDricAdUk+r87Xq/z2785l32XJUeXFFbM1A
+ZrD059jjQX+oWucVxdql9+SM/ZnHC5gnZS+UOIYY9USu1FhSyX8OqwlrLzl0GeI1
+GLrgvHPBLYhbl6NtdVHxXrAy6ueL89wPZevBkAZ6G5GXDhtbrdLQuXIvluWyRfRu
+PjrboP8a
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem.certspec b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem.certspec
new file mode 100644
index 0000000000..c40f26d5d8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:ct-insufficient-scts.example.com
+extension:subjectAlternativeName:*.example.com
+extension:embeddedSCTList:secp256r1:20160101,alternate:20160101
diff --git a/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem
new file mode 100644
index 0000000000..539a558f4a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF1zCCBL+gAwIBAgIUVcPTyId6kLmdmBE+lvZPcEuHWWowDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAfMR0wGwYDVQQDDBRjdC12YWxpZC5leGFtcGxlLmNvbTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaOCAxIwggMOMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wggLwBgorBgEEAdZ5
+AgQCBIIC4ASCAtwC2gEvAFQiJZjzPTZIBULa7ODmuU3hXA7ujFkUykjXXjxIToA/
+AAABUfp73AAAAAQBAQApU8txbrW74luVlVcqhBmSPgDDrO1DJwJD5Nh0AFi+IHUp
+1HGttD5v4631GMKg6YQurbxBjIyf2XoIEcz0ItvcH6JAn5DQ+hnNVN38CFy2LKvQ
+fZ5+YMmbQQICUZvNaknC5QDD04CmfcJBNtE6f2NOsw2ssUOEy37fnHIQNqb68YWG
+HMJDHdhhN/PdPA55ew79w1Q8l5+ShU0sewGQkXMsWiNVPJwf/YZ9ZwglcVZMTU7S
+w00EntzeShcDb8XVsCNvuw/7R10cW9XEnFxC+/aIZp/MnbagJctiKpuEioPpkJtz
+UHa2G8j98u21W4ZRYpzUjuhtZMXg4WrAt2kMQtKEAHYAKrgwRDO5FN7S8x5CB/JR
+wXo3oJJoUtkIAgb4Xlc5FioAAAFR+nvcAAAABAMARzBFAiBcdVGfExFQzV2K3iCj
+vAYwkf+yc3VfMWTs/ctCgApw5gIhAKuTtYDsjlbPaI0qWB+4k+jdEMRWTLeoLyGe
+0OFrQx5lAS8AMQj2tt1yGAfwFpWETYUCVrZxk2CD2705NKBQUlAaKJIAAAFR+nvc
+AAAABAEBAEBwuP6rrIG0L8/cMl/TNSQBumJtza2IzHNGQ8Y1nrhzYebNwrcrm+gB
+ur+EalPi7JucxOehxiiRvWNVhQ5gk1TG78GWnrWQMHCAiISGGNRru5MyIlu+VqY4
+dae1sKb9jiuQ1zm1PnZnpIfUxr2Q4oKVwkCMPl0m+ddbAaNBbuhfqdd8vCY9GeAf
+tfRq3Zm7Zrwj3nqQduAMErRbZ3ief6vUGmJR4JY6pHfhf9xE65LpsPbWo2DSI5br
+2jTojixZ6B6ECtHTvZWohypMbbb2tMEdVPCRRwuWar0mhfQ9w/EaDkd3smVfuxJp
+hfFTN2pvqKHAMkQMj7Q1wOWZC1Y/cREwDQYJKoZIhvcNAQELBQADggEBAGeXrpKU
+mMhXj+8NlmQFd5GoqUHEWIz6Ryz4esAznDDphASxRSnzzYzzRoti3M6Dk3QvHvUG
+d/cU2pmhZBonKBeGbAkXIHkv1jGQfzr0/KrTPALl61RUFZ9xxp4UXGH8fJUtMIko
+sg4YMvsMsgobX6PozctO+teNWG4fsOfSRJACFbqGzOEJh/lVA0VWDbABHOBoNRw4
+m254+oECn39t4WAenTAbqueF3fKN18WvWNYiY2OIYyfolipg9/YnZwhGXOlPVIzQ
+xpcKKBaRYWgmHRZlm5r34ywxYrG2MqkvK9D6eBB5EVGJQg2ClvgnO+GRbFjNG602
+sSp/9KiOM6Z4HiQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem.certspec b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem.certspec
new file mode 100644
index 0000000000..0ecf46d89c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:ct-valid.example.com
+extension:subjectAlternativeName:*.example.com
+extension:embeddedSCTList:default:20160101,secp256r1:20160101,alternate:20160101
diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.key b/security/manager/ssl/tests/unit/test_ct/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/default-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_ct/default-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/default-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.pem b/security/manager/ssl/tests/unit/test_ct/default-ee.pem
new file mode 100644
index 0000000000..5dc7cf4ef8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/default-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDiTCCAnGgAwIBAgIUOYwND1zpte36abEsvdvudfnxjHgwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow
+gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp
+bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu
+ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs
+ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBr5H7lb24bMQYGDFY5qeMDNcti
+AI4rI7Nu0aMvZtDcxqHkIg/a7nr7WeQc3gCg8mUJ6xvreXxRswrudZzjjsGiTbym
+qjEz7HYrbvdWh5bLtdL7aoP1KmFD722guwdXVYQ7tx65oHroH+UCU28VT/+WzsHc
+5OjBqZvR928aWEXwIen9lhdk/5Rq2IrFqCTuUrNR5aiP6gJZoy4nIh3IFIxqWzsm
+lOjqvzSQIuo+gLN7oduafrwetpp8ywSrDVTtp9yckIHuW8css+OZLfqbFPMSFRJo
+Qee+FhxaGgDoRGk8oVGYyTJYUPIReZa5dtNPKs1JQvdqhIeUwA3GnJBTFCan
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ct/default-ee.pem.certspec
new file mode 100644
index 0000000000..554339ff52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/default-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test End-entity
+extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/test_ct/test-ca.pem b/security/manager/ssl/tests/unit/test_ct/test-ca.pem
new file mode 100644
index 0000000000..67e7ca56e8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIUP5NBbozOXrtwcuQwu3pzUXbOl7owDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEABBSMkSBFq/bK
+LpntIx6QJdqPtmnjdjwTpCbQyKKfQjjrazCfru5SheZq7ACtQ0uWFokUOQhB+Xvv
+sqy9HqJhK4UN0zfNPjtkHOSbNefWXOseEzA6XxuaCzQXWOp1WNNPnfdtYZizy6hT
+fKuKjhniKLmIQD61KNl7Ev1hWUhWC7R8U+IFztXusYYFUUmqqaZ/v7lNfY1sHu4k
+zHQFp+xqeaXvkoRpTXhoSdwDQ7ldquwqMM0NIQXlhtcmg7IYwZBGlJgzoejN4k2H
+2WycvxPW70I10NeAAhtie1+K4JHwr6/SLLwCCnJDoRMMpMhM9/853Ye/4PTDGhuK
+fqhEoHH9Ig==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ct/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_ct/test-ca.pem.certspec
new file mode 100644
index 0000000000..5d2435d7bb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/test-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test CA
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_db_format_pref_new.js b/security/manager/ssl/tests/unit/test_db_format_pref_new.js
new file mode 100644
index 0000000000..9921948927
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_db_format_pref_new.js
@@ -0,0 +1,30 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Tests that when PSM initializes, we create the sqlite-backed certificate and
+// key databases.
+
+function run_test() {
+  let profileDir = do_get_profile();
+  let certificateDBFile = profileDir.clone();
+  let certificateDBName = "cert9.db";
+  certificateDBFile.append(certificateDBName);
+  ok(
+    !certificateDBFile.exists(),
+    `${certificateDBName} should not exist beforehand`
+  );
+  let keyDBFile = profileDir.clone();
+  let keyDBName = "key4.db";
+  keyDBFile.append(keyDBName);
+  ok(!keyDBFile.exists(), `${keyDBName} should not exist beforehand`);
+  // This should start PSM.
+  Cc["@mozilla.org/psm;1"].getService(Ci.nsISupports);
+  ok(
+    certificateDBFile.exists(),
+    `${certificateDBName} should exist in the profile`
+  );
+  ok(keyDBFile.exists(), `${keyDBName} should exist in the profile`);
+}
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials.js b/security/manager/ssl/tests/unit/test_delegated_credentials.js
new file mode 100644
index 0000000000..1bb6f70aad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials.js
@@ -0,0 +1,91 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Tests handling of certificates marked as permitting delegated credentials
+
+function shouldBeDelegatedCredential(aTransportSecurityInfo) {
+  Assert.ok(
+    aTransportSecurityInfo.isDelegatedCredential,
+    "This host should have used a delegated credential"
+  );
+}
+
+function shouldNotBeDelegatedCredential(aTransportSecurityInfo) {
+  Assert.ok(
+    !aTransportSecurityInfo.isDelegatedCredential,
+    "This host should not have used a delegated credential"
+  );
+}
+
+do_get_profile();
+
+add_tls_server_setup(
+  "DelegatedCredentialsServer",
+  "test_delegated_credentials"
+);
+
+// Test:
+// Server certificate supports DC
+// Server DC support enabled
+// Client DC support disabled
+// Result: Successful connection without DC
+add_test(function () {
+  clearSessionCache();
+  Services.prefs.setBoolPref(
+    "security.tls.enable_delegated_credentials",
+    false
+  );
+  run_next_test();
+});
+add_connection_test(
+  "delegated-enabled.example.com",
+  PRErrorCodeSuccess,
+  null,
+  shouldNotBeDelegatedCredential
+);
+
+// Test:
+// Server certificate does not support DC
+// Server DC support enabled
+// Client DC support enabled
+// Result: SSL_ERROR_DC_INVALID_KEY_USAGE from client when
+//         checking DC against EE cert, no DC in aTransportSecurityInfo.
+add_test(function () {
+  clearSessionCache();
+  Services.prefs.setBoolPref("security.tls.enable_delegated_credentials", true);
+  run_next_test();
+});
+add_connection_test(
+  "standard-enabled.example.com",
+  SSL_ERROR_DC_INVALID_KEY_USAGE,
+  null,
+  // We'll never |mHaveCipherSuiteAndProtocol|,
+  // and therefore can't check IsDelegatedCredential
+  null
+);
+
+// Test:
+// Server certificate supports DC
+// Server DC support disabled
+// Client DC support enabled
+// Result: Successful connection without DC
+add_connection_test(
+  "delegated-disabled.example.com",
+  PRErrorCodeSuccess,
+  null,
+  shouldNotBeDelegatedCredential
+);
+
+// Test:
+// Server certificate supports DC
+// Server DC support enabled
+// Client DC support enabled
+// Result: Successful connection with DC
+add_connection_test(
+  "delegated-enabled.example.com",
+  PRErrorCodeSuccess,
+  null,
+  shouldBeDelegatedCredential
+);
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key
new file mode 100644
index 0000000000..a926a54efb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM
+1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48
+9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA
+-----END EC PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key.keyspec
new file mode 100644
index 0000000000..03c3ce198f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key.keyspec
@@ -0,0 +1 @@
+secp256r1
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem
new file mode 100644
index 0000000000..4ee85cb1eb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICSDCCATCgAwIBAgIUN26/sySuiNB+ynuprhHIoxsuFXQwDQYJKoZIhvcNAQEL
+BQAwLDEqMCgGA1UEAwwhZGVsZWdhdGVkLWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRl
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMBUxEzARBgNVBAMM
+CmRlZmF1bHQtZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARPv7u7YeD4+bGm
+ClmshwTi7AULQj489y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQej
+BOqgSqbAo0AwPjATBgNVHSUEDDAKBggrBgEFBQcDATAnBgNVHREEIDAeghxzdGFu
+ZGFyZC1lbmFibGVkLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBIxTo+
+s5Tg/YrX0tLgg0rKcrZumJdN64j10IW1JwKCgYqoP/XhXK5AEISudekcedjrQOtb
+Kalacxn9Pecmw+EiDvhXklxQfZKSHBtsecLtmQnr2RaDdbxQx+ebAmAtn4y9MwjO
+rWVqdW80viHcsn+1S/+uDF8tNPuBTTInLh7yYRwBZ1O44sT/w/5DXujmjefK5LoK
+VORWpnHZ9JA1jVEj4MHlhHXky6og2SG+10WnouvmOGKJsV7JfWrUe/ogMnW1nkEZ
+dcOBIqjHQWLCWKd27ZQASmTZThVDHoN+QnXe/dEYwBaCcUmoafM+uis9A2zcMdJw
+o6scbgbJMwgS/e/d
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem.certspec
new file mode 100644
index 0000000000..5ebe9b5ba7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:delegated-credential-intermediate
+subjectKey:secp256r1
+subject:default-ee
+extension:extKeyUsage:serverAuth
+extension:subjectAlternativeName:standard-enabled.example.com
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem
new file mode 100644
index 0000000000..8da0838e6f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICiTCCAXGgAwIBAgIUXdQo1CMJjWFQKxkJ45F9RpbesCQwDQYJKoZIhvcNAQEL
+BQAwLDEqMCgGA1UEAwwhZGVsZWdhdGVkLWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRl
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMBcxFTATBgNVBAMM
+DGRlbGVnYXRlZC1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5
+saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGTkNeZG3st
+B6ME6qBKpsCjfzB9MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDBI
+BgNVHREEQTA/gh1kZWxlZ2F0ZWQtZW5hYmxlZC5leGFtcGxlLmNvbYIeZGVsZWdh
+dGVkLWRpc2FibGVkLmV4YW1wbGUuY29tMA8GCSsGAQQBgtpLLAQCBQAwDQYJKoZI
+hvcNAQELBQADggEBABih6ICVs7RsbhTEhAJQ16rrD36fF0fCe+1XqUy52nUaQuAj
+a2JWbkqp24Ib76dU40B40L7Pd4ksmYnazKS4aFZ8HrTRKfPzmKR743Jex6rcFiRM
+0JnqLw75p5LbZcOfW4+Nu1AzhgUiPp1u0PJnfCbVTlcCkyS3Fb+SH7knCftF6BJt
+zS+ZQFRzorbVjjUAkUeN2B7qeesYJVLqFpGfhsTSge9+F8JIAqE9Fso7+a+sHuhp
+5ItAKczQkFcXwyCdTCBnNo4yy7NvQ66tNj6+v0ifHnINg3wqd2gOAJ9xMY7mGE7F
+uXi/dBWquWVHsg481ybTW20Ovk4HWJz33Ylxc6E=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem.certspec
new file mode 100644
index 0000000000..e90fa3b646
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem.certspec
@@ -0,0 +1,7 @@
+issuer:delegated-credential-intermediate
+subject:delegated-ee
+subjectKey:secp256r1
+extension:extKeyUsage:serverAuth
+extension:keyUsage:digitalSignature,keyEncipherment
+extension:subjectAlternativeName:delegated-enabled.example.com,delegated-disabled.example.com
+extension:delegationUsage:
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key
new file mode 100644
index 0000000000..1c1af40bda
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDADXHobENn6/oN7ZK2S
+8i9c7QeJGGU4ZptcbYcs7D2SYSKzk3crV2Av8xNl7+E5MkahZANiAAShaHJDNitc
+exiJ83kVRhWhxz+0je6GPgIpFdtgjiUt5LcTLajOmOgxU05qnAwLCcjWOa3oMgbl
+uoE0c6EfozDgXajJbkOD/ieHPalxA74oiM/wAvBa9xof3cyDdKpuqc4=
+-----END EC PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec
new file mode 100644
index 0000000000..11f041d996
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec
@@ -0,0 +1 @@
+secp384r1
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem
new file mode 100644
index 0000000000..8090606694
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAdugAwIBAgIUV5QPCtt30cr0OHQqp5FKh9iORPUwDQYJKoZIhvcNAQEL
+BQAwIjEgMB4GA1UEAwwXZGVsZWdhdGVkLWNyZWRlbnRpYWwtY2EwIhgPMjAyMTEx
+MjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowIjEgMB4GA1UEAwwXZGVsZWdhdGVk
+LWNyZWRlbnRpYWwtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
+iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
+4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
+8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
+Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
+77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
+I/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQD
+AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQB7snna6hblvBPTwNKeReVfshWDEeeW4cFM
+zDZIxdQ+Xh9dWSZHN8fT0r4ZH621vnfipRqlfKTNp2/472WfVLGWRJSBX/bSqfVG
+EH2SQVixHOAHnmgi2zfE6XY0O5CT1IoHLNOEoGkpPXXgpw6ya/XPWHNw/I+Poj9F
+sEnot00uDdn3yO/mzMyHaOnWoKoycLIPHxsRQb/twRYFs5rypEzXvRd2IWj6E0Kj
+TDAusnuYrzZOyTG+pqvq7V9Xr5igwD29f48KQVYRu+wuXaxH8KXw8nB3N7+rhMOW
+x9nnItSoPDkZI2fxWedhDF6YLoDPkISZpw8/4vs4kVkBAgjnKxZ5
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem.certspec
new file mode 100644
index 0000000000..91227f5da0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:delegated-credential-ca
+subject:delegated-credential-ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem
new file mode 100644
index 0000000000..dbeca6352f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/TCCAeWgAwIBAgIUJRD5PaFbjcWhPAHq+mbNZw66NKowDQYJKoZIhvcNAQEL
+BQAwIjEgMB4GA1UEAwwXZGVsZWdhdGVkLWNyZWRlbnRpYWwtY2EwIhgPMjAyMTEx
+MjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowLDEqMCgGA1UEAwwhZGVsZWdhdGVk
+LWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/
+MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAeRvreFXifukKi5uoS290
+3UcsmVcGiPGrFFBvOi279MqzZFawGwsAFD9hCrQbx6Ym3PvMdKjcwAb/sVGui7b8
+NYKXt7U5hSvncWQOFShK0eWUYZp7yVUt+ZPd0NPpmP5QGbnBoR4YVAuubb/lLycZ
+r3tt41pYBKhOBov4AX2Rab16yW619pClss4Qqd7pIAimSXYxRFh0p8FRh8c9a2tK
+Cc8qA0tc8lQfem1Z1gWHhUMiFBTS0HRwRr6s4JqYVJcu1zMzU6QxEDzTClA3BVHB
+tiSwVSDRg2blzlIbaAD4OQwip9aTzQQw0Sc7wV//UOjuR5DmcX5d6Qd18qE5NQHR
+aA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem.certspec
new file mode 100644
index 0000000000..64cc4e5693
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:delegated-credential-ca
+subject:delegated-credential-intermediate
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_der.js b/security/manager/ssl/tests/unit/test_der.js
new file mode 100644
index 0000000000..2d125488e9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_der.js
@@ -0,0 +1,345 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+// Tests DER.jsm functionality.
+
+// Until DER.jsm is actually used in production code, this is where we have to
+// import it from.
+var { DER } = ChromeUtils.importESModule(
+  "resource://gre/modules/psm/DER.sys.mjs"
+);
+
+function run_simple_tests() {
+  throws(
+    () => new DER.DERDecoder("this is not an array"),
+    /invalid input/,
+    "should throw given non-array input"
+  );
+
+  let testReadByte = new DER.DERDecoder([0x0a, 0x0b]);
+  equal(testReadByte.readByte(), 0x0a, "should read 0x0a");
+  equal(testReadByte.readByte(), 0x0b, "should read 0x0b");
+  throws(
+    () => testReadByte.readByte(),
+    /data truncated/,
+    "reading more data than is available should fail"
+  );
+
+  let testReadBytes = new DER.DERDecoder([0x0c, 0x0d, 0x0e]);
+  deepEqual(
+    testReadBytes.readBytes(3),
+    [0x0c, 0x0d, 0x0e],
+    "should read correct sequence of bytes"
+  );
+
+  let testReadNegativeBytes = new DER.DERDecoder([0xff, 0xaf]);
+  throws(
+    () => testReadNegativeBytes.readBytes(-4),
+    /invalid length/,
+    "reading a negative number of bytes should fail"
+  );
+
+  let testReadZeroBytes = new DER.DERDecoder([]);
+  equal(
+    testReadZeroBytes.readBytes(0).length,
+    0,
+    "reading zero bytes should result in a zero-length array"
+  );
+
+  let testReadTooManyBytes = new DER.DERDecoder([0xab, 0xcd, 0xef]);
+  throws(
+    () => testReadTooManyBytes.readBytes(4),
+    /data truncated/,
+    "reading too many bytes should fail"
+  );
+
+  let testSEQUENCE = new DER.DERDecoder([0x30, 0x01, 0x01]);
+  let content = testSEQUENCE.readTagAndGetContents(DER.SEQUENCE);
+  equal(content.length, 1, "content should have length 1");
+  equal(content[0], 1, "value of content should be [1]");
+  ok(testSEQUENCE.atEnd(), "testSEQUENCE should be at the end of its input");
+  testSEQUENCE.assertAtEnd();
+
+  // The length purports to be 4 bytes, but there are only 2 available.
+  let truncatedSEQUENCE = new DER.DERDecoder([0x30, 0x04, 0x00, 0x00]);
+  throws(
+    () => truncatedSEQUENCE.readTagAndGetContents(DER.SEQUENCE),
+    /data truncated/,
+    "should get 'data truncated' error"
+  );
+
+  // With 2 bytes of content, there is 1 remaining after reading the content.
+  let extraDataSEQUENCE = new DER.DERDecoder([0x30, 0x02, 0xab, 0xcd, 0xef]);
+  content = extraDataSEQUENCE.readTagAndGetContents(DER.SEQUENCE);
+  equal(content.length, 2, "content should have length 2");
+  deepEqual(content, [0xab, 0xcd], "value of content should be [0xab, 0xcd]");
+  ok(
+    !extraDataSEQUENCE.atEnd(),
+    "extraDataSEQUENCE should not be at the end of its input"
+  );
+  throws(
+    () => extraDataSEQUENCE.assertAtEnd(),
+    /extra data/,
+    "should get 'extra data' error"
+  );
+
+  // The length of 0x81 0x01 is invalid because it could be encoded as just
+  // 0x01, which is shorter.
+  let invalidLengthSEQUENCE1 = new DER.DERDecoder([0x30, 0x81, 0x01, 0x00]);
+  throws(
+    () => invalidLengthSEQUENCE1.readTagAndGetContents(DER.SEQUENCE),
+    /invalid length/,
+    "should get 'invalid length' error"
+  );
+
+  // Similarly, 0x82 0x00 0x01 could be encoded as just 0x01, which is shorter.
+  let invalidLengthSEQUENCE2 = new DER.DERDecoder([
+    0x30, 0x82, 0x00, 0x01, 0x00,
+  ]);
+  throws(
+    () => invalidLengthSEQUENCE2.readTagAndGetContents(DER.SEQUENCE),
+    /invalid length/,
+    "should get 'invalid length' error"
+  );
+
+  // Lengths requiring 4 bytes to encode are not supported.
+  let unsupportedLengthSEQUENCE = new DER.DERDecoder([
+    0x30, 0x83, 0x01, 0x01, 0x01,
+  ]);
+  throws(
+    () => unsupportedLengthSEQUENCE.readTagAndGetContents(DER.SEQUENCE),
+    /unsupported length/,
+    "should get 'unsupported length' error"
+  );
+
+  // Indefinite lengths are not supported (and aren't DER anyway).
+  let unsupportedASN1SEQUENCE = new DER.DERDecoder([
+    0x30, 0x80, 0x01, 0x00, 0x00,
+  ]);
+  throws(
+    () => unsupportedASN1SEQUENCE.readTagAndGetContents(DER.SEQUENCE),
+    /unsupported asn.1/,
+    "should get 'unsupported asn.1' error"
+  );
+
+  let unexpectedTag = new DER.DERDecoder([0x31, 0x01, 0x00]);
+  throws(
+    () => unexpectedTag.readTagAndGetContents(DER.SEQUENCE),
+    /unexpected tag/,
+    "should get 'unexpected tag' error"
+  );
+
+  let readTLVTestcase = new DER.DERDecoder([0x02, 0x03, 0x45, 0x67, 0x89]);
+  let bytes = readTLVTestcase.readTLV();
+  deepEqual(
+    bytes,
+    [0x02, 0x03, 0x45, 0x67, 0x89],
+    "bytes read with readTLV should be equal to expected value"
+  );
+
+  let peekTagTestcase = new DER.DERDecoder([0x30, 0x01, 0x00]);
+  ok(
+    peekTagTestcase.peekTag(DER.SEQUENCE),
+    "peekTag should return true for peeking with a SEQUENCE at a SEQUENCE"
+  );
+  ok(
+    !peekTagTestcase.peekTag(DER.SET),
+    "peekTag should return false for peeking with a SET at a SEQUENCE"
+  );
+  peekTagTestcase.readTLV();
+  ok(
+    !peekTagTestcase.peekTag(DER.SEQUENCE),
+    "peekTag should return false for peeking at a DER with no more data"
+  );
+
+  let tlvChoiceTestcase = new DER.DERDecoder([0x31, 0x02, 0xaa, 0xbb]);
+  let tlvChoiceContents = tlvChoiceTestcase.readTLVChoice([DER.NULL, DER.SET]);
+  deepEqual(
+    tlvChoiceContents,
+    [0x31, 0x02, 0xaa, 0xbb],
+    "readTLVChoice should return expected bytes"
+  );
+
+  let tlvChoiceNoMatchTestcase = new DER.DERDecoder([0x30, 0x01, 0xff]);
+  throws(
+    () => tlvChoiceNoMatchTestcase.readTLVChoice([DER.NULL, DER.SET]),
+    /unexpected tag/,
+    "readTLVChoice should throw if no matching tag is found"
+  );
+}
+
+function run_bit_string_tests() {
+  let bitstringDER = new DER.DERDecoder([0x03, 0x04, 0x03, 0x01, 0x02, 0xf8]);
+  let bitstring = bitstringDER.readBIT_STRING();
+  equal(bitstring.unusedBits, 3, "BIT STRING should have 3 unused bits");
+  deepEqual(
+    bitstring.contents,
+    [0x01, 0x02, 0xf8],
+    "BIT STRING should have expected contents"
+  );
+
+  let bitstringTooManyUnusedBits = new DER.DERDecoder([0x03, 0x02, 0x08, 0x00]);
+  throws(
+    () => bitstringTooManyUnusedBits.readBIT_STRING(),
+    /invalid BIT STRING encoding/,
+    "BIT STRING with too many unused bits should throw"
+  );
+
+  // A BIT STRING must have the unused bits byte, and so its length must be at
+  // least one.
+  let bitstringMissingUnusedBits = new DER.DERDecoder([0x03, 0x00]);
+  throws(
+    () => bitstringMissingUnusedBits.readBIT_STRING(),
+    /invalid BIT STRING encoding/,
+    "BIT STRING with missing unused bits (and no contents) should throw"
+  );
+
+  // The minimal BIT STRING is 03 01 00 (zero bits of padding and zero bytes of
+  // content).
+  let minimalBitstringDER = new DER.DERDecoder([0x03, 0x01, 0x00]);
+  let minimalBitstring = minimalBitstringDER.readBIT_STRING();
+  equal(
+    minimalBitstring.unusedBits,
+    0,
+    "minimal BIT STRING should have 0 unused bits"
+  );
+  equal(
+    minimalBitstring.contents.length,
+    0,
+    "minimal BIT STRING should have empty contents"
+  );
+
+  // However, a BIT STRING with zero bytes of content can't have any padding,
+  // because that makes no sense.
+  let noContentsPaddedBitstringDER = new DER.DERDecoder([0x03, 0x01, 0x03]);
+  throws(
+    () => noContentsPaddedBitstringDER.readBIT_STRING(),
+    /invalid BIT STRING encoding/,
+    "BIT STRING with no contents with non-zero padding should throw"
+  );
+}
+
+function run_compound_tests() {
+  let derBytes = [
+    0x30,
+    0x1a, // SEQUENCE
+    0x02,
+    0x02,
+    0x77,
+    0xff, //   INTEGER
+    0x06,
+    0x03,
+    0x2b,
+    0x01,
+    0x01, //   OBJECT IDENTIFIER
+    0x30,
+    0x07, //   SEQUENCE
+    0x05,
+    0x00, //     NULL
+    0x02,
+    0x03,
+    0x45,
+    0x46,
+    0x47, //     INTEGER
+    0x30,
+    0x06, //   SEQUENCE
+    0x02,
+    0x02,
+    0x00,
+    0xff, //     INTEGER
+    0x05,
+    0x00,
+  ]; //     NULL
+  let der = new DER.DERDecoder(derBytes);
+  let contents = new DER.DERDecoder(der.readTagAndGetContents(DER.SEQUENCE));
+  let firstINTEGER = contents.readTagAndGetContents(DER.INTEGER);
+  deepEqual(
+    firstINTEGER,
+    [0x77, 0xff],
+    "first INTEGER should have expected value"
+  );
+  let oid = contents.readTagAndGetContents(DER.OBJECT_IDENTIFIER);
+  deepEqual(
+    oid,
+    [0x2b, 0x01, 0x01],
+    "OBJECT IDENTIFIER should have expected value"
+  );
+
+  let firstNested = new DER.DERDecoder(
+    contents.readTagAndGetContents(DER.SEQUENCE)
+  );
+  let firstNestedNULL = firstNested.readTagAndGetContents(DER.NULL);
+  equal(
+    firstNestedNULL.length,
+    0,
+    "first nested NULL should have expected value (empty array)"
+  );
+  let firstNestedINTEGER = firstNested.readTagAndGetContents(DER.INTEGER);
+  deepEqual(
+    firstNestedINTEGER,
+    [0x45, 0x46, 0x47],
+    "first nested INTEGER should have expected value"
+  );
+  firstNested.assertAtEnd();
+
+  let secondNested = new DER.DERDecoder(
+    contents.readTagAndGetContents(DER.SEQUENCE)
+  );
+  let secondNestedINTEGER = secondNested.readTagAndGetContents(DER.INTEGER);
+  deepEqual(
+    secondNestedINTEGER,
+    [0x00, 0xff],
+    "second nested INTEGER should have expected value"
+  );
+  let secondNestedNULL = secondNested.readTagAndGetContents(DER.NULL);
+  equal(
+    secondNestedNULL.length,
+    0,
+    "second nested NULL should have expected value (empty array)"
+  );
+  secondNested.assertAtEnd();
+
+  contents.assertAtEnd();
+  der.assertAtEnd();
+
+  let invalidDERBytes = [
+    0x30,
+    0x06, // SEQUENCE
+    0x30,
+    0x02, //   SEQUENCE
+    0x02,
+    0x01, //     INTEGER (missing data)
+    0x05,
+    0x00, //   NULL
+    0x00,
+    0x00,
+  ]; // (extra data)
+  let invalidDER = new DER.DERDecoder(invalidDERBytes);
+  let invalidContents = new DER.DERDecoder(
+    invalidDER.readTagAndGetContents(DER.SEQUENCE)
+  );
+  let invalidContentsContents = new DER.DERDecoder(
+    invalidContents.readTagAndGetContents(DER.SEQUENCE)
+  );
+  throws(
+    () => invalidContentsContents.readTagAndGetContents(DER.INTEGER),
+    /data truncated/,
+    "should throw due to missing data"
+  );
+  let nestedNULL = invalidContents.readTagAndGetContents(DER.NULL);
+  equal(nestedNULL.length, 0, "nested NULL should have expected value");
+  invalidContents.assertAtEnd();
+  throws(
+    () => invalidDER.assertAtEnd(),
+    /extra data/,
+    "should throw due to extra data"
+  );
+}
+
+function run_test() {
+  run_simple_tests();
+  run_bit_string_tests();
+  run_compound_tests();
+}
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello.js b/security/manager/ssl/tests/unit/test_encrypted_client_hello.js
new file mode 100644
index 0000000000..945a9ea83f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello.js
@@ -0,0 +1,101 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Tests handling of Encrypted Client Hello. These ECHConfigs
+// can be regenerated by running EncryptedClientHelloServer
+// and dumping the output of SSL_EncodeEchConfig. They do not
+// expire. An update here is only needed if the host or ECH
+// ciphersuite configuration changes, or if the keypair in
+// EncryptedClientHelloServer.cpp is modified.
+
+// Public name: ech-public.example.com
+const ECH_CONFIG_FIXED =
+  "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAEAA2QWZWNoLXB1YmxpYy5leGFtcGxlLmNvbQAA";
+
+// Public name: ech-public.example.com, Unsupported AEAD to prompt retry_configs from a trusted host.
+const ECH_CONFIG_TRUSTED_RETRY =
+  "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAMAA2QWZWNoLXB1YmxpYy5leGFtcGxlLmNvbQAA";
+
+// Public name: selfsigned.example.com. Unsupported AEAD to prompt retry_configs from an untrusted host.
+const ECH_CONFIG_UNTRUSTED_RETRY =
+  "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAMAA2QWc2VsZnNpZ25lZC5leGFtcGxlLmNvbQAA";
+
+function shouldBeAcceptedEch(aTransportSecurityInfo) {
+  Assert.ok(
+    aTransportSecurityInfo.isAcceptedEch,
+    "This host should have accepted ECH"
+  );
+  Assert.ok(
+    !aTransportSecurityInfo.usedPrivateDNS,
+    "This connection does not use DoH"
+  );
+}
+
+function shouldBeRejectedEch(aTransportSecurityInfo) {
+  Assert.ok(
+    !aTransportSecurityInfo.isAcceptedEch,
+    "This host should have rejected ECH"
+  );
+  Assert.ok(
+    !aTransportSecurityInfo.usedPrivateDNS,
+    "This connection does not use DoH"
+  );
+}
+
+do_get_profile();
+
+add_tls_server_setup(
+  "EncryptedClientHelloServer",
+  "test_encrypted_client_hello"
+);
+
+// Connect directly without ECH first
+add_connection_test(
+  "ech-public.example.com",
+  PRErrorCodeSuccess,
+  null,
+  shouldBeRejectedEch
+);
+
+// Connect with ECH
+add_connection_test(
+  "ech-private.example.com",
+  PRErrorCodeSuccess,
+  null,
+  shouldBeAcceptedEch,
+  null,
+  null,
+  ECH_CONFIG_FIXED
+);
+
+// Trigger retry_configs by setting an ECHConfig with a different.
+// AEAD than the server supports.
+add_connection_test(
+  "ech-private.example.com",
+  SSL_ERROR_ECH_RETRY_WITH_ECH,
+  null,
+  null,
+  null,
+  null,
+  ECH_CONFIG_TRUSTED_RETRY
+);
+
+// Trigger retry_configs, but from a host that is untrusted
+// (due to a self-signed certificate for the public name).
+// Retry_configs must not be used or reported as available.
+add_connection_test(
+  "ech-private.example.com",
+  MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT,
+  null,
+  null,
+  null,
+  null,
+  ECH_CONFIG_UNTRUSTED_RETRY
+);
+
+// A client-only (retry_without_ech) test is located in
+// test_encrypted_client_hello_client_only.js We can't easily restart
+// a different server (one without ECHConfigs) here, so put that
+// test in a different file that launches a non-ECH server.
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem
new file mode 100644
index 0000000000..60960b4daa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAcigAwIBAgIUWxEI7DW20X+b24MUvyO3J1pngeQwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZWNoLWNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBgxFjAUBgNVBAMMDWVjaC1wdWJsaWMtZWUwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjJTAjMCEG
+A1UdEQQaMBiCFmVjaC1wdWJsaWMuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQAD
+ggEBALBk11enYtAuUPy77WPmNv4fN/NigB4wuygvdTJqVQTUDrRLXhX7ThFL68pd
+b7jTdBsCS3QGucU3W05miyyHwGfiN3PqTvzY6xATR6i4+cKPyW2OM8U7gIZmH3du
+et/rIJ8eAio98S4wvqAmd7oMKeQ4zJ3iRomEHIXH80c8VLOaSugarZuZG11hKCWT
+qbSiVYvCkLBuKzNMlLN3QEaK1mSWngwZ7u6AvbzvoDV3+JX1UThFjI97j/41Kpgy
+Ip0PbKONjUOjb+Rd1Fo6FLBAtJ/tfKrJZqCm7HxJiY9PuPJWyL6PBxIAymFcAyRU
+deD8cDEq9EaQmfYM3rPeUortM8g=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem.certspec
new file mode 100644
index 0000000000..d5c332ceec
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ech-ca
+subject:ech-public-ee
+extension:subjectAlternativeName:ech-public.example.com
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key.keyspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem
new file mode 100644
index 0000000000..f136a811e8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4jCCAcqgAwIBAgIUN7V9tjNwYafgE24tOZNXBSQn96QwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZWNoLWNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBkxFzAVBgNVBAMMDmVjaC1wcml2YXRlLWVlMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1
+aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we
+adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS
+pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W
+YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR
+CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyYwJDAi
+BgNVHREEGzAZghdlY2gtcHJpdmF0ZS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsF
+AAOCAQEATfrz7BkT8pNISv2h71JHVkuPNDpjgSG+M0Z0IzXhTON0CpE/6Jk8nRwS
+LjfW9n9nJL7PATF4RT45tQ83+jmfFykhrmPctl2Tiq1HfTKdMdpW2i8lZVOovKZN
+3c98eNWZ5cqicG4XZEQbq1Nu+VsL7R5UCVvhIgLPWAdiEJu1D7VagCzZHguoUBDT
+C428L9nx0z80l4XNOeqYGtJtN2YqRSErkeMPAN1Q7MxVyp0Lsz8lwHQx8D73jYKK
+AN1kjtC18jBr5BYL1HCHvE/sL7ZLlaBRS+PQnF2HW0qkCOb3POlZ1UCjTa09Qy4f
+pxbYP6sTh1c6VShYzlE04jXC3K8KKw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem.certspec
new file mode 100644
index 0000000000..c152462f0d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ech-ca
+subject:ech-private-ee
+extension:subjectAlternativeName:ech-private.example.com
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem
new file mode 100644
index 0000000000..eb6a2c1096
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAzCCAeugAwIBAgIUKXdVQO3RzfhQiRP9uZIuxnydYxAwDQYJKoZIhvcNAQEL
+BQAwJjEkMCIGA1UEAwwbU2VsZi1zaWduZWQgVGVzdCBFbmQtZW50aXR5MCIYDzIw
+MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCYxJDAiBgNVBAMMG1NlbGYt
+c2lnbmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x
+nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM
+wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF
+4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20
+yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx
+j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMlMCMwIQYDVR0RBBowGIIWc2Vs
+ZnNpZ25lZC5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAXAU/SRgl952l
+O2B26d2oytCFyWJkotYhd7cHLTWcdGdfwgJ6YD2JaW9Bos0NVFbj+Z9PJJh2xNCy
+xULqNCVnRu11dFlGad6FDvY1psli8By00Kvz74kbNseISNuuzCTsZU2Uw5BXS9W9
+ia4S1dskQyuBae5M8ma6BeUyyHHfmu9TiqtzrlrAqIsXDucMs6WhgfOVimgAIQDl
+fA5qju7cmOJ8lzSV+CTrmoAMv2Q80G3rw0CPPIWqKrcTjkf+R5p3CSYUQ5Qq38Qx
+m0hK0fdlZ4MPsSKxQN7k/DeINotW2IaLX/AGL5z6dEFsBMp50iJCMEebkFmuFQ50
+oOILqRNvCA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem.certspec
new file mode 100644
index 0000000000..438a08eba2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Self-signed Test End-entity
+subject:Self-signed Test End-entity
+extension:subjectAlternativeName:selfsigned.example.com
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem
new file mode 100644
index 0000000000..80c87da490
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUG1Lw/SgeLtklG97Ln5uybxccJyMwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZWNoLWNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBExDzANBgNVBAMMBmVjaC1jYTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAAMcKWJnU+OkvNVY
+g3glJ1ZgNURoWjhFnyqX8EmxFYH8mRdEdb8ZBTGeBYUDc3diHdZcmunGJ3FCVO5v
+zOI4UOCfADvIzY0hwtj+adtaavgRBRXeTZp8MyTSiN2a1T/3XgsnzKLYqAK7GIEq
+NwdRcsgu/mFG6p0ktOBvfBgbyD3rlupZhuWoedUQ6fR04BKFgdp4zg411qCG8HBQ
+lSa2t0e+dT5pZ1QTtyzIjtkAQu+GWJqc2Sqr5I4BnHOzRiXPc2lhVl0yGPjROHaD
+qK/jsbIkFxvi++59F9ptkOJTPJk1rAJ69Grx5/V7s1NxtXocCEm6gtDSi0zJ3V0f
+J0Qs50Y=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem.certspec
new file mode 100644
index 0000000000..1735a15075
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ech-ca
+subject:ech-ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello_client_only.js b/security/manager/ssl/tests/unit/test_encrypted_client_hello_client_only.js
new file mode 100644
index 0000000000..0949bc6038
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello_client_only.js
@@ -0,0 +1,32 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Public Name = delegated-enabled.example.com
+const ECH_CONFIG_FIXED =
+  "AFD+DQBMTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAEAA2QdZGVsZWdhdGVkLWVuYWJsZWQuZXhhbXBsZS5jb20AAA==";
+do_get_profile();
+
+// An arbitrary, non-ECH server.
+add_tls_server_setup(
+  "DelegatedCredentialsServer",
+  "test_delegated_credentials"
+);
+
+add_test(function () {
+  clearSessionCache();
+  run_next_test();
+});
+
+// Connect, sending ECH. The server is not configured for it,
+// but *is* authoritative for the public name.
+add_connection_test(
+  "delegated-disabled.example.com",
+  SSL_ERROR_ECH_RETRY_WITHOUT_ECH,
+  null,
+  null,
+  null,
+  null,
+  ECH_CONFIG_FIXED
+);
diff --git a/security/manager/ssl/tests/unit/test_enterprise_roots.js b/security/manager/ssl/tests/unit/test_enterprise_roots.js
new file mode 100644
index 0000000000..6abd7161ae
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_enterprise_roots.js
@@ -0,0 +1,82 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests enterprise root certificate support. When configured to do so, the
+// platform will attempt to find and import enterprise root certificates. This
+// feature is specific to Windows.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+const { TestUtils } = ChromeUtils.importESModule(
+  "resource://testing-common/TestUtils.sys.mjs"
+);
+
+async function check_no_enterprise_roots_imported(
+  nssComponent,
+  certDB,
+  dbKey = undefined
+) {
+  let enterpriseRoots = nssComponent.getEnterpriseRoots();
+  notEqual(enterpriseRoots, null, "enterprise roots list should not be null");
+  equal(
+    enterpriseRoots.length,
+    0,
+    "should not have imported any enterprise roots"
+  );
+  if (dbKey) {
+    let cert = certDB.findCertByDBKey(dbKey);
+    // If the garbage-collector hasn't run, there may be reachable copies of
+    // imported enterprise root certificates. If so, they shouldn't be trusted
+    // to issue TLS server auth certificates.
+    if (cert) {
+      await asyncTestCertificateUsages(certDB, cert, []);
+    }
+  }
+}
+
+async function check_some_enterprise_roots_imported(nssComponent, certDB) {
+  let enterpriseRoots = nssComponent.getEnterpriseRoots();
+  notEqual(enterpriseRoots, null, "enterprise roots list should not be null");
+  notEqual(
+    enterpriseRoots.length,
+    0,
+    "should have imported some enterprise roots"
+  );
+  let foundNonBuiltIn = false;
+  let savedDBKey = null;
+  for (let certDer of enterpriseRoots) {
+    let cert = certDB.constructX509(certDer);
+    notEqual(cert, null, "should be able to decode cert from DER");
+    if (!cert.isBuiltInRoot && !savedDBKey) {
+      foundNonBuiltIn = true;
+      savedDBKey = cert.dbKey;
+      info("saving dbKey from " + cert.commonName);
+      await asyncTestCertificateUsages(certDB, cert, [certificateUsageSSLCA]);
+      break;
+    }
+  }
+  ok(foundNonBuiltIn, "should have found non-built-in root");
+  return savedDBKey;
+}
+
+add_task(async function run_test() {
+  let nssComponent = Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent);
+  let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  nssComponent.getEnterpriseRoots(); // blocks until roots are loaded
+  Services.prefs.setBoolPref("security.enterprise_roots.enabled", false);
+  await check_no_enterprise_roots_imported(nssComponent, certDB);
+  Services.prefs.setBoolPref("security.enterprise_roots.enabled", true);
+  await TestUtils.topicObserved("psm:enterprise-certs-imported");
+  let savedDBKey = await check_some_enterprise_roots_imported(
+    nssComponent,
+    certDB
+  );
+  Services.prefs.setBoolPref("security.enterprise_roots.enabled", false);
+  await check_no_enterprise_roots_imported(nssComponent, certDB, savedDBKey);
+});
diff --git a/security/manager/ssl/tests/unit/test_ev_certs.js b/security/manager/ssl/tests/unit/test_ev_certs.js
new file mode 100644
index 0000000000..f163623919
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@@ -0,0 +1,310 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that end-entity certificates that should successfully verify as EV
+// (Extended Validation) do so and that end-entity certificates that should not
+// successfully verify as EV do not. Also tests related situations (e.g. that
+// failure to fetch an OCSP response results in no EV treatment).
+//
+// A quick note about the certificates in these tests: generally, an EV
+// certificate chain will have an end-entity with a specific policy OID followed
+// by an intermediate with the anyPolicy OID chaining to a root with no policy
+// OID (since it's a trust anchor, it can be omitted). In these tests, the
+// specific policy OID is 1.3.6.1.4.1.13769.666.666.666.1.500.9.1 and is
+// referred to as the test OID. In order to reflect what will commonly be
+// encountered, the end-entity of any given test path will have the test OID
+// unless otherwise specified in the name of the test path. Similarly, the
+// intermediate will have the anyPolicy OID, again unless otherwise specified.
+// For example, for the path where the end-entity does not have an OCSP URI
+// (referred to as "no-ocsp-ee-path-{ee,int}", the end-entity has the test OID
+// whereas the intermediate has the anyPolicy OID.
+// For another example, for the test OID path ("test-oid-path-{ee,int}"), both
+// the end-entity and the intermediate have the test OID.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+registerCleanupFunction(() => {
+  Services.prefs.clearUserPref("network.dns.localDomains");
+  Services.prefs.clearUserPref("security.OCSP.enabled");
+});
+
+Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+Services.prefs.setIntPref("security.OCSP.enabled", 1);
+const evroot = addCertFromFile(certdb, "test_ev_certs/evroot.pem", "CTu,,");
+addCertFromFile(certdb, "test_ev_certs/non-evroot-ca.pem", "CTu,,");
+
+const SERVER_PORT = 8888;
+
+function failingOCSPResponder() {
+  return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
+}
+
+class EVCertVerificationResult {
+  constructor(
+    testcase,
+    expectedPRErrorCode,
+    expectedEV,
+    resolve,
+    ocspResponder
+  ) {
+    this.testcase = testcase;
+    this.expectedPRErrorCode = expectedPRErrorCode;
+    this.expectedEV = expectedEV;
+    this.resolve = resolve;
+    this.ocspResponder = ocspResponder;
+  }
+
+  verifyCertFinished(prErrorCode, verifiedChain, hasEVPolicy) {
+    equal(
+      prErrorCode,
+      this.expectedPRErrorCode,
+      `${this.testcase} should have expected error code`
+    );
+    equal(
+      hasEVPolicy,
+      this.expectedEV,
+      `${this.testcase} should result in expected EV status`
+    );
+    this.ocspResponder.stop(this.resolve);
+  }
+}
+
+function asyncTestEV(
+  cert,
+  expectedPRErrorCode,
+  expectedEV,
+  expectedOCSPRequestPaths,
+  ocspResponseTypes = undefined
+) {
+  let now = Date.now() / 1000;
+  return new Promise((resolve, reject) => {
+    let ocspResponder = expectedOCSPRequestPaths.length
+      ? startOCSPResponder(
+          SERVER_PORT,
+          "www.example.com",
+          "test_ev_certs",
+          expectedOCSPRequestPaths,
+          expectedOCSPRequestPaths.slice(),
+          null,
+          ocspResponseTypes
+        )
+      : failingOCSPResponder();
+    let result = new EVCertVerificationResult(
+      cert.subjectName,
+      expectedPRErrorCode,
+      expectedEV,
+      resolve,
+      ocspResponder
+    );
+    certdb.asyncVerifyCertAtTime(
+      cert,
+      certificateUsageSSLServer,
+      0,
+      "ev-test.example.com",
+      now,
+      result
+    );
+  });
+}
+
+function ensureVerifiesAsEV(testcase) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  let expectedOCSPRequestPaths = [`${testcase}-ee`];
+  return asyncTestEV(
+    cert,
+    PRErrorCodeSuccess,
+    gEVExpected,
+    expectedOCSPRequestPaths
+  );
+}
+
+function ensureVerifiesAsEVWithNoOCSPRequests(testcase) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected, []);
+}
+
+function ensureVerifiesAsDV(testcase, expectedOCSPRequestPaths = undefined) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  return asyncTestEV(
+    cert,
+    PRErrorCodeSuccess,
+    false,
+    expectedOCSPRequestPaths ? expectedOCSPRequestPaths : [`${testcase}-ee`]
+  );
+}
+
+function ensureVerificationFails(testcase, expectedPRErrorCode) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  return asyncTestEV(cert, expectedPRErrorCode, false, []);
+}
+
+function verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, expectSuccess) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  let now = Date.now() / 1000;
+  let expectedErrorCode = SEC_ERROR_POLICY_VALIDATION_FAILED;
+  if (expectSuccess && gEVExpected) {
+    expectedErrorCode = PRErrorCodeSuccess;
+  }
+  return new Promise((resolve, reject) => {
+    let ocspResponder = failingOCSPResponder();
+    let result = new EVCertVerificationResult(
+      cert.subjectName,
+      expectedErrorCode,
+      expectSuccess && gEVExpected,
+      resolve,
+      ocspResponder
+    );
+    let flags =
+      Ci.nsIX509CertDB.FLAG_LOCAL_ONLY | Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
+    certdb.asyncVerifyCertAtTime(
+      cert,
+      certificateUsageSSLServer,
+      flags,
+      "ev-test.example.com",
+      now,
+      result
+    );
+  });
+}
+
+function ensureNoOCSPMeansNoEV(testcase) {
+  return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, false);
+}
+
+function ensureVerifiesAsEVWithFLAG_LOCAL_ONLY(testcase) {
+  return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, true);
+}
+
+function verifyWithOCSPResponseType(testcase, response, expectEV) {
+  let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`);
+  addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,");
+  let expectedOCSPRequestPaths = [`${testcase}-ee`];
+  let ocspResponseTypes = [response];
+  return asyncTestEV(
+    cert,
+    PRErrorCodeSuccess,
+    gEVExpected && expectEV,
+    expectedOCSPRequestPaths,
+    ocspResponseTypes
+  );
+}
+
+function ensureVerifiesAsDVWithOldEndEntityOCSPResponse(testcase) {
+  return verifyWithOCSPResponseType(testcase, "longvalidityalmostold", false);
+}
+
+function ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse(testcase) {
+  return verifyWithOCSPResponseType(testcase, "ancientstillvalid", false);
+}
+
+// These should all verify as EV.
+add_task(async function plainExpectSuccessEVTests() {
+  await ensureVerifiesAsEV("anyPolicy-int-path");
+  await ensureVerifiesAsEV("test-oid-path");
+  await ensureVerifiesAsEV("cabforum-oid-path");
+  await ensureVerifiesAsEV("cabforum-and-test-oid-ee-path");
+  await ensureVerifiesAsEV("test-and-cabforum-oid-ee-path");
+  await ensureVerifiesAsEV("reverse-order-oids-path");
+  // In this case, the end-entity has both the CA/B Forum OID and the test OID
+  // (in that order). The intermediate has the CA/B Forum OID. Since the
+  // implementation tries all EV policies it encounters, this successfully
+  // verifies as EV.
+  await ensureVerifiesAsEV("cabforum-and-test-oid-ee-cabforum-oid-int-path");
+  // In this case, the end-entity has both the test OID and the CA/B Forum OID
+  // (in that order). The intermediate has only the CA/B Forum OID. Since the
+  // implementation tries all EV policies it encounters, this successfully
+  // verifies as EV.
+  await ensureVerifiesAsEV("test-and-cabforum-oid-ee-cabforum-oid-int-path");
+});
+
+// These fail for various reasons to verify as EV, but fallback to DV should
+// succeed.
+add_task(async function expectDVFallbackTests() {
+  await ensureVerifiesAsDV("anyPolicy-ee-path");
+  await ensureVerifiesAsDV("non-ev-root-path");
+  await ensureVerifiesAsDV("no-ocsp-ee-path", []);
+  await ensureVerifiesAsEV("no-ocsp-int-path");
+  // In this case, the end-entity has the test OID and the intermediate has the
+  // CA/B Forum OID. Since the CA/B Forum OID is not treated the same as the
+  // anyPolicy OID, this will not verify as EV.
+  await ensureVerifiesAsDV("test-oid-ee-cabforum-oid-int-path");
+});
+
+// Test that removing the trust bits from an EV root causes verifications
+// relying on that root to fail (and then test that adding back the trust bits
+// causes the verifications to succeed again).
+add_task(async function evRootTrustTests() {
+  clearOCSPCache();
+  info("untrusting evroot");
+  certdb.setCertTrust(
+    evroot,
+    Ci.nsIX509Cert.CA_CERT,
+    Ci.nsIX509CertDB.UNTRUSTED
+  );
+  await ensureVerificationFails("test-oid-path", SEC_ERROR_UNKNOWN_ISSUER);
+  info("re-trusting evroot");
+  certdb.setCertTrust(
+    evroot,
+    Ci.nsIX509Cert.CA_CERT,
+    Ci.nsIX509CertDB.TRUSTED_SSL
+  );
+  await ensureVerifiesAsEV("test-oid-path");
+});
+
+// Test that if FLAG_LOCAL_ONLY and FLAG_MUST_BE_EV are specified, that no OCSP
+// requests are made (this also means that nothing will verify as EV).
+add_task(async function localOnlyMustBeEVTests() {
+  clearOCSPCache();
+  await ensureNoOCSPMeansNoEV("anyPolicy-ee-path");
+  await ensureNoOCSPMeansNoEV("anyPolicy-int-path");
+  await ensureNoOCSPMeansNoEV("non-ev-root-path");
+  await ensureNoOCSPMeansNoEV("no-ocsp-ee-path");
+  await ensureNoOCSPMeansNoEV("no-ocsp-int-path");
+  await ensureNoOCSPMeansNoEV("test-oid-path");
+});
+
+// Prime the OCSP cache and then ensure that we can validate certificates as EV
+// without hitting the network. There's two cases here: one where we simply
+// validate like normal and then check that the network was never accessed and
+// another where we use flags to mandate that the network not be used.
+add_task(async function ocspCachingTests() {
+  clearOCSPCache();
+
+  await ensureVerifiesAsEV("anyPolicy-int-path");
+  await ensureVerifiesAsEV("test-oid-path");
+
+  await ensureVerifiesAsEVWithNoOCSPRequests("anyPolicy-int-path");
+  await ensureVerifiesAsEVWithNoOCSPRequests("test-oid-path");
+
+  await ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("anyPolicy-int-path");
+  await ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("test-oid-path");
+});
+
+// Old-but-still-valid OCSP responses are accepted for intermediates but not
+// end-entity certificates (because of OCSP soft-fail this results in DV
+// fallback).
+add_task(async function oldOCSPResponseTests() {
+  clearOCSPCache();
+
+  clearOCSPCache();
+  await ensureVerifiesAsDVWithOldEndEntityOCSPResponse("anyPolicy-int-path");
+  await ensureVerifiesAsDVWithOldEndEntityOCSPResponse("test-oid-path");
+
+  clearOCSPCache();
+  await ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse(
+    "anyPolicy-int-path"
+  );
+  await ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse("test-oid-path");
+});
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem
new file mode 100644
index 0000000000..bb67341220
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVzCCAj+gAwIBAgIUHb9CrEDo8VwITKCJOkRAeW4iftkwDQYJKoZIhvcNAQEL
+BQAwIDEeMBwGA1UEAwwVYW55UG9saWN5LWVlLXBhdGgtaW50MCIYDzIwMjExMTI3
+MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMB8xHTAbBgNVBAMMFGFueVBvbGljeS1l
+ZS1wYXRoLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABo4GFMIGCME0GCCsGAQUFBwEBBEEwPzA9BggrBgEFBQcw
+AYYxaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2FueVBvbGljeS1lZS1wYXRo
+LWVlLzARBgNVHSAECjAIMAYGBFUdIAAwHgYDVR0RBBcwFYITZXYtdGVzdC5leGFt
+cGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAt3y+8E3yCuL0S85twhU87JxsyNCL
+Am+QQGqyTpH81RsL64uxvSVyswKvyA4LpJBN/w13xsIOue/55AK9CwGhyw9jSPcn
+/OGRXzcqiBjeSkkCHOPXzPV5e/xWuWI9fR0XBBy/UgBsoXQzrrq5lCHR76yr2eyF
+2RA5lh1qqk2fgsqq3cCqsFEiOUbWjsHjlra8yvArfqexLVowlyg5olisnORbi7eJ
+/jm7w+X9eEP17yRDFnb5joeXh+UeCaxdhVp7c71oY/5lBdnesmkwr6b9CNVg9vLk
+LHrp3IyQF5Wj1usyDu/BYr0lu+VRAEusNnqDiz7LZfhnUMZJJwvqC+Tcrg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec
new file mode 100644
index 0000000000..a9175c32ed
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:anyPolicy-ee-path-int
+subject:anyPolicy-ee-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-ee/
+extension:certificatePolicies:any
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem
new file mode 100644
index 0000000000..860453152c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRDCCAiygAwIBAgIUHUngL0WtaSVKsjGfK6Ktnv/n3acwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMCAxHjAcBgNVBAMMFWFueVBvbGljeS1lZS1wYXRoLWludDCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaOBgDB+MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGME4GCCsGAQUFBwEBBEIw
+QDA+BggrBgEFBQcwAYYyaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2FueVBv
+bGljeS1lZS1wYXRoLWludC8wEQYDVR0gBAowCDAGBgRVHSAAMA0GCSqGSIb3DQEB
+CwUAA4IBAQCSEsmhHQQkMTDD+JU3kEWCt7v0RujqGvkBuUUM5VObzheZFKTQVYZ1
+1fui+s+AlogSfCWOOHNLGMrF2HQd1imzVqSDaoeeGMqKsiJ/MR9MWKjxZE+omL4J
+HsJ59n0+9U4k28/dujgno3BK65mbfKlAqBEBYFBmGmZO5Fb6U+dtDZi9mOiN2JzM
+Y/l8uax0i1XmKR6TESu9f3ue5D5WFkd2uL9oexGnvpEpV/wEB1f8wViU3W1AFC52
+CYHGiwV/54PZ3cg7zH86i2Gionq4CMApP1QRvOBTheJpkM5ul3BPiGg8mDkjb5lB
+dlPnrj4exf+eoqsrVFxdTX0EL7gQSRqr
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec
new file mode 100644
index 0000000000..c49f6c4bcc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:anyPolicy-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-int/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem
new file mode 100644
index 0000000000..c088a135a1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIUBcyX7McNHTUw58i902kjb15KZlswDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWYW55UG9saWN5LWludC1wYXRoLWludDAiGA8yMDIxMTEy
+NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAgMR4wHAYDVQQDDBVhbnlQb2xpY3kt
+aW50LXBhdGgtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjgZQwgZEwTgYIKwYBBQUHAQEEQjBAMD4GCCsGAQUF
+BzABhjJodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvYW55UG9saWN5LWludC1w
+YXRoLWVlLzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREE
+FzAVghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAxk4+S
+laaEinRp3bXkqJ3rQTdaZwX9uegjAfOfaDLMFnGiD63aGNg9mqvsdt9rgbGmuFYX
+nsoeSzzWhV/Uk1VA/9El7x5eRHOMs3r5VnnW395eIYdAlGmDW81ANm4NIdiAfKZj
+fr2LOkjhPbhrV9i3YtY9lDFIiZheS6V2RgeHLoHc1cj0EB46PH1HC8fP+rg4tOhd
+vq5tL1p6dkHWnhduJ+oKrBuHehmnJfrXV53pz9VoOIj3F6F2F/c/EriyAPc/KOO9
+ocyNrJMoD0aFBF9ijK6uERhga/vM4dXIPUGzECQxceUuTUkn/2wEECNV2ETVmNTZ
+cRcP3J32vzU1jaVQ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec
new file mode 100644
index 0000000000..1c643c2f95
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:anyPolicy-int-path-int
+subject:anyPolicy-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem
new file mode 100644
index 0000000000..779f2dfa85
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRjCCAi6gAwIBAgIUHyEVo6adgErPC5OEcIkP33KrTjgwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMCExHzAdBgNVBAMMFmFueVBvbGljeS1pbnQtcGF0aC1pbnQwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT
+2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV
+JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8N
+jf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCA
+BiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVh
+He4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMB
+AAGjgYEwfzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBPBggrBgEFBQcBAQRD
+MEEwPwYIKwYBBQUHMAGGM2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9hbnlQ
+b2xpY3ktaW50LXBhdGgtaW50LzARBgNVHSAECjAIMAYGBFUdIAAwDQYJKoZIhvcN
+AQELBQADggEBAINthPjozG2qV5mlu5XJKM+LofF58fyxH7KCNIyDErghGz3DQyR/
+5GcPpKwzfl/gnXvXvF6yWOimQOOmU4u1oDtKv0lodL0EVEAqZQmZ0pDF2wBKPquH
+H7Eaji8uDhSuhnJZpwmyaCpOiMCda3qq5YgxwjyQTZ63lLXqQpEnSqgExfUISueH
+7j68bvPm8Q/SLVhOVLQdNf7mDVacFZE0OmtyjlSUN2ZFBZaN8o7FTnfocNmPlyD8
+EGmdkbdggXmESN5jGnBxo9fqLnqYCJEA8uN0Xckfz3ovKlt6PfbgnEeUzJRT71pN
+fqXYugdt7ppcn3sJbEOKInkw6h8to/pNlCU=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec
new file mode 100644
index 0000000000..5f5adacc7f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:anyPolicy-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-int/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem
new file mode 100644
index 0000000000..0c83086180
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIUfU399SRJMbYE6q+pNnq6hlSOzt4wDQYJKoZIhvcNAQEL
+BQAwPTE7MDkGA1UEAwwyY2FiZm9ydW0tYW5kLXRlc3Qtb2lkLWVlLWNhYmZvcnVt
+LW9pZC1pbnQtcGF0aC1pbnQwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowPDE6MDgGA1UEAwwxY2FiZm9ydW0tYW5kLXRlc3Qtb2lkLWVlLWNhYmZv
+cnVtLW9pZC1pbnQtcGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab
+bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts
+Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI
+H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8
+rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX
+Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaOBuTCBtjBqBggrBgEFBQcBAQReMFww
+WgYIKwYBBQUHMAGGTmh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9jYWJmb3J1
+bS1hbmQtdGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRoLWVlLzAoBgNV
+HSAEITAfMAcGBWeBDAEBMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAV
+ghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQB0CMZ2fLLZ
+1qUT8t9DlOq9kMses1ASgX74/g5cl8W96x31QnxgEtRAMQKZrvucke8+us2LRh1d
+Oi5XAYry+g0kNOwfpXiWo+y23WoA+WHX2hYcH26fgzoyz3ULuMMyoM9DMlrwJvHv
+/+v1eMiAw71JfK987KWcbP1uESaTHZ04+5aN57efGVr3ADZiicaj6fUIsDIfMKJ3
+INVgVdMWpX01zFNTsSPNImxMZ7Gtqs1lP0gv30QXwGLTPCG1gARWSYF/fCFwbpon
+P7wBCAr/ADvUJl0UjcdCpU+YmwYxOW0QPGNVwRwgEAdLCnnnztq3y3bOzmGL/lQ4
+eD9G3c6ZD14D
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec
new file mode 100644
index 0000000000..c72237e453
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:cabforum-and-test-oid-ee-cabforum-oid-int-path-int
+subject:cabforum-and-test-oid-ee-cabforum-oid-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee/
+extension:certificatePolicies:2.23.140.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem
new file mode 100644
index 0000000000..6a2a55cd98
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgDCCAmigAwIBAgIUDTr/XHbekA2O0a9J+hMLRhyOr3EwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMD0xOzA5BgNVBAMMMmNhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1j
+YWJmb3J1bS1vaWQtaW50LXBhdGgtaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GfMIGcMAwGA1UdEwQFMAMB
+Af8wCwYDVR0PBAQDAgEGMGsGCCsGAQUFBwEBBF8wXTBbBggrBgEFBQcwAYZPaHR0
+cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2NhYmZvcnVtLWFuZC10ZXN0LW9pZC1l
+ZS1jYWJmb3J1bS1vaWQtaW50LXBhdGgtaW50LzASBgNVHSAECzAJMAcGBWeBDAEB
+MA0GCSqGSIb3DQEBCwUAA4IBAQCBt+AdgkYRRMubo29YkYXETC2UKiIHcyk/PuMU
+yFtR0xqsj7oe5lUf7XYHUNbJPuoF7hflSIKXx5un5zwZ5Vw3SE0qYcy6kM2PS4dK
+w6SMFkrZxCMf9GHFMubDk01T/p7BmpFKGVVAKgsUZmQSn+s/K+9+v4reDJ7yBfiu
+l+KjNGsa5In6l2kO799Q/QAPfBLxl0ZOYIONF4+IjJAwt6AXuilkPgPUcRkyZ3ka
+p+4GUc962Ylc4rGPxSKxcs93AkFl+8aYy5lW9kkFRQKSDM3W6WRPoal8411BsXEg
+LBcS5MoY024Y4gRn5H2WVUcqYbZ+SQtQ3sqnFbgtvVH0t89E
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec
new file mode 100644
index 0000000000..92ebdb37fd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:cabforum-and-test-oid-ee-cabforum-oid-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-cabforum-oid-int-path-int/
+extension:certificatePolicies:2.23.140.1.1
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem
new file mode 100644
index 0000000000..c6f64b2001
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkjCCAnqgAwIBAgIUJwEFxlIecfbIub/Yy2vC/isMYB0wDQYJKoZIhvcNAQEL
+BQAwLDEqMCgGA1UEAwwhY2FiZm9ydW0tYW5kLXRlc3Qtb2lkLWVlLXBhdGgtaW50
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCsxKTAnBgNVBAMM
+IGNhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1wYXRoLWVlMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GoMIGlMFkG
+CCsGAQUFBwEBBE0wSzBJBggrBgEFBQcwAYY9aHR0cDovL3d3dy5leGFtcGxlLmNv
+bTo4ODg4L2NhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1wYXRoLWVlLzAoBgNVHSAE
+ITAfMAcGBWeBDAEBMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNl
+di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBQdToSfEhnomqt
+UFfMjK3tieFSRqQ60lF28IFX40/Yu48k8AQY8UN/frh7r4tVk59aQK44QDj9CwUo
+E5DIwPwqOozGrrNYfSVaqqsyepepYp410EuT5OTjHIJ71Wus3EPf8w7oPABApidH
+GjOdoMj8dUufmnsCOlXYt32g/x70OpAn1PRw7Sc7YfIQwOuGRuTIuCS2T/JKkU2Y
+s+DNT98tuBlTnpByHen7QpdPdWCmMX+30e7B2bC/1IRetDOaUuT0zLMFBtL1sx2p
+W/U9p4mU3z9IkDflqSuxBuuMudY7n1+ZPw9uJF2z1PqZN4qOGXiebiGfigWlU4Ac
+uDd/MtOD
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec
new file mode 100644
index 0000000000..36f80e017b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:cabforum-and-test-oid-ee-path-int
+subject:cabforum-and-test-oid-ee-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-path-ee/
+extension:certificatePolicies:2.23.140.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem
new file mode 100644
index 0000000000..8f92651d3a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDXTCCAkWgAwIBAgIUQS8yxTmnGrb3xLk+pZAOVYuZoR0wDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMCwxKjAoBgNVBAMMIWNhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1w
+YXRoLWludDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaOBjTCBijAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBa
+BggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAGGPmh0dHA6Ly93d3cuZXhhbXBsZS5j
+b206ODg4OC9jYWJmb3J1bS1hbmQtdGVzdC1vaWQtZWUtcGF0aC1pbnQvMBEGA1Ud
+IAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQsFAAOCAQEAZmY7h/FLsNdMGtjTauA7
+LY6oaWD8kZAEsn9tq59CsAQG/M/nJFrjeFQUtzaSz2vmg8u1xqinelrAoy02Ujup
+Nm+/WULLoOjyb99QmkY3VaK7FkjNdbvt5AfgriRXWnbZpC+vXDHXMWViAQx0+Wm+
+9C1ssqbIClbQMhwsVldyRjVMRFMO5F/hvgGkLsUWaztEaVnMRG4eM/c9bl5HsdVM
+VfSIIb7D92TmQyfPbum2ws2CDmsYL2OKgosy3eylZjwprrE4yq8ZTsRaovvB7FwG
+UGV+L6FjuUVN7nR3EnQTDoXin3a0C5enc6fIfcmM5MLy+bHxpG5nHrQH9yvSwqqI
+zw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec
new file mode 100644
index 0000000000..79ae7ae801
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:cabforum-and-test-oid-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-path-int/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem
new file mode 100644
index 0000000000..fe4447dc7a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWDCCAkCgAwIBAgIUWy0RlFqNWWWgn+O3e6YCiRHdLFkwDQYJKoZIhvcNAQEL
+BQAwIDEeMBwGA1UEAwwVY2FiZm9ydW0tb2lkLXBhdGgtaW50MCIYDzIwMjExMTI3
+MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMB8xHTAbBgNVBAMMFGNhYmZvcnVtLW9p
+ZC1wYXRoLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABo4GGMIGDME0GCCsGAQUFBwEBBEEwPzA9BggrBgEFBQcw
+AYYxaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2NhYmZvcnVtLW9pZC1wYXRo
+LWVlLzASBgNVHSAECzAJMAcGBWeBDAEBMB4GA1UdEQQXMBWCE2V2LXRlc3QuZXhh
+bXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBAH+evAgGQBC6njxTFd0BuozC3Skz
+UGKec1dIMmiYFj7mgzuKp9eTAeOK1WdOvevygxoWRHkHAmquWEY9mvt4dSWIqhsz
+RJ2b5cKnhtkFdfnQf+depCRZbdO4A7fLNYL9HCRnnN1PQKpaFF7fFEZ1rSzSShGX
+nsz4KbEvGQVxCe2HmflqJQARp4gJUGZ+psAIspmwAqA4dViNZSgg79E1neG/g+EG
+Ocq03fAbwb2Ko2eLzI0GF31L2iI1p0keEHzbwsxCjJQ5pRQdra5c7vEQHgQq5eSL
+9RQrtE1J9erO0Jy9MUCDoZ4+WCnl4VZXVlYLt0oUh1YCOKD3J5dm7sRJ93A=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec
new file mode 100644
index 0000000000..86fd9aca39
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:cabforum-oid-path-int
+subject:cabforum-oid-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-oid-path-ee/
+extension:certificatePolicies:2.23.140.1.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem
new file mode 100644
index 0000000000..f4bbc67785
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRTCCAi2gAwIBAgIUJ3QtUr7ndrb3mL/xD7keEx/Qj1owDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMCAxHjAcBgNVBAMMFWNhYmZvcnVtLW9pZC1wYXRoLWludDCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaOBgTB/MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGME4GCCsGAQUFBwEBBEIw
+QDA+BggrBgEFBQcwAYYyaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2NhYmZv
+cnVtLW9pZC1wYXRoLWludC8wEgYDVR0gBAswCTAHBgVngQwBATANBgkqhkiG9w0B
+AQsFAAOCAQEAGkKvsFxMmr30hx3Z4gJ8ZKLeQ2yomqPxSgjZxir4sumwkjEguFYE
+ZcaLijKzoTdOHs1G6VnjOxVYUsAXBNT2gC2h3e5TO/toub2lyst6csDB3nj1y4Ee
+2JYctZAyYHg4UJZU+zAvsTpTamEjn4LMievWD5foeoPFAAB5PNTSgvibAe6oi0Mo
+MTb0dwrmWkfIDyH7xjQKNlLCgi0U+KF0TtWX7boZ2QDmMl3b5DLA2/idf1Y21ix3
+EmAXKz4Ni93vL3Oy+Wnj1R5KjEQw4U3RURZ/OnmQOhg2UJloUbDjKAHdtp6lQC0W
+hL8oOBBAkCgkphWeDqOkjgRY+oyVMkgMSQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec
new file mode 100644
index 0000000000..343307164b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:cabforum-oid-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/cabforum-oid-path-int/
+extension:certificatePolicies:2.23.140.1.1
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.key b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key
new file mode 100644
index 0000000000..1d88a930d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh
++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU
+dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H
+cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y
+1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t
+oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ
+5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB
+0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+
++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE
+vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9
+HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE
+MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V
+vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV
+7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH
+lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V
+jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv
+nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui
+p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ
+zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v
+4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA
+hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C
+pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV
+bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3
+mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j
+LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf
+UVFRDKpassHG6z7+kpXRbowlyRY=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec
new file mode 100644
index 0000000000..1a3d76a550
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec
@@ -0,0 +1 @@
+ev
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem
new file mode 100644
index 0000000000..13c3031905
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx
+MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/
+EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN
+RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s
+33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd
+Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX
++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+
+5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo
+UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf
+cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY
+Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH
+z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH
+HmbOwao=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec
new file mode 100644
index 0000000000..3121f3486e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:evroot
+subjectKey:ev
+issuerKey:ev
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem
new file mode 100644
index 0000000000..af5ffef782
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEDCCAfigAwIBAgIUV4EyKmZfq4MEI8NLfzjTZovpx3owDQYJKoZIhvcNAQEL
+BQAwHjEcMBoGA1UEAwwTbm8tb2NzcC1lZS1wYXRoLWludDAiGA8yMDIxMTEyNzAw
+MDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAdMRswGQYDVQQDDBJuby1vY3NwLWVlLXBh
+dGgtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAGjQzBBMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqFGgGDdAkB
+MB4GA1UdEQQXMBWCE2V2LXRlc3QuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQAD
+ggEBACqYubzmmeSUHH2ONuYa1B13hyuMCgDvyQKOxI1m/NewbtEZ80UDWmQMolFP
+m2l8lbmlSuNWi25RQxONcXSspCQgIwRzfi4OBql81nZkjyGWWprLUTBrCfyYE3gi
+P2acboz9ObJoXDzYl63MnyAiD/VQifM/iYuiiel/tJRCV5I72a2wQKlZniulgyWQ
+HuWQk9v7lKUX+msgEo9ZW8ndb/hgq+QnEzB3kPmkWgEmLJdK2k05UIjYNBRbgntj
+qGSUgCtdga8gfEeaD/00DweQ8MFwhQkXol2kQVY3j0rddi5T0BI9Fu8BuPaPXU4w
+nr0GvC4bu/ATRI5EuKOJRt4WSv4=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec
new file mode 100644
index 0000000000..ece1cf816f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:no-ocsp-ee-path-int
+subject:no-ocsp-ee-path-ee
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem
new file mode 100644
index 0000000000..09cfda1739
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPzCCAiegAwIBAgIUcXOmLIKcwe+H0AekAT8yEbaqdJUwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMB4xHDAaBgNVBAMME25vLW9jc3AtZWUtcGF0aC1pbnQwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
+fjB8MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMEwGCCsGAQUFBwEBBEAwPjA8
+BggrBgEFBQcwAYYwaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L25vLW9jc3At
+ZWUtcGF0aC1pbnQvMBEGA1UdIAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQsFAAOC
+AQEAS/QkZA0m4gZRyp7eyeXeHaR0toxH9RaypHw5FkG/vHQ4EIjO6eXRcC/bPuCX
+N4cMfYmkCpU3Dy5uSZLetYYmu05X+rCwXQu6TZO3D4medEiVslbD3cQH7LmxCLxT
+wBf2foLLFAJ+wFmVmzZk26+G71vbJ5RvzL5djHPZhm6XFQcg8D2oHMfp5mIWEkCk
+VtB3/AIhxh8CIuhs1+lCsOc7XoOAZ04EVPP9kkc8o9K0rPaTzupmfHRTVuWyAQrC
+MPSYnQITQAQAN9Qg/BGgIW1qudgFJpMmjb6AS+7Ts9f7225z+SzLBkNMQggApW14
+ZIUonu/c9e/2+3baPEiVfzcfzA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec
new file mode 100644
index 0000000000..5eb952a9a7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:no-ocsp-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-ee-path-int/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem
new file mode 100644
index 0000000000..fd01063ac3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAkqgAwIBAgIUGwe4TG7p4Bv83RKwPf6KcStdBLAwDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUbm8tb2NzcC1pbnQtcGF0aC1pbnQwIhgPMjAyMTExMjcw
+MDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowHjEcMBoGA1UEAwwTbm8tb2NzcC1pbnQt
+cGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaOBkjCBjzBMBggrBgEFBQcBAQRAMD4wPAYIKwYBBQUHMAGG
+MGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9uby1vY3NwLWludC1wYXRoLWVl
+LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNl
+di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCr21rqLU8BEBZN
+oYZ/Mltq+7EXM7NKhRSBvwozcwVvBHgXO90bxogeLsXCyhW8b/zH908M1ne/0Ir2
+MuKUZy82wzLr9VSmN/3tAR4CsIftCR3gbPRgITkkvU/3sZkvZVJLaZkL9cQ7WVdL
+0fwNQR7FQx8/S20/KNa/Ud63l0QnIR2uys6KpS93iT4W2DOiC2vrHS1xja0OAw9+
+BBfnLp99KRVOXi9LHXcWyLWJU7/zW7rbJX1S/mONZbQtq8qwpzb/q0mUSxBX1p4U
+l6SY/m7Pl5Ef4RgwsMdu0zRmmmb6kQmboE/qBX75IgIZjOK5FnrJCZcR6EyV60uu
+jMeIG7hs
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec
new file mode 100644
index 0000000000..623057e9e9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:no-ocsp-int-path-int
+subject:no-ocsp-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-int-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem
new file mode 100644
index 0000000000..ff07be395f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8jCCAdqgAwIBAgIUTZjDIERCE7WIkgtKaDPqLLkqk9IwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMB8xHTAbBgNVBAMMFG5vLW9jc3AtaW50LXBhdGgtaW50MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+ozAwLjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjARBgNVHSAECjAIMAYGBFUd
+IAAwDQYJKoZIhvcNAQELBQADggEBAAKFwKsNxeiFmmVyq3YsF2tS11eJJ0/n/KzC
+G4t39HZWfWw8u2osQpHn1O2+L0YhRBNpYX85GgVKSPYzjsptfTmIcAyAWdlJsK5r
+Np9LHrsx65A7cFkKxD6V7FbG1YwL+VbD7qkEZBy3SqFe6m7hQ3om0LgWpaNu756x
+TJeZdqNoSwvtbPdH/GYId1dTj8KdTDncer6eBfefcq0yCoNA1zphgdBMRVBPjXj8
+MFJEd+PTkyDzuTvBG5nB0ChZQ+ca3z8w38rI0KZTeWKH8mW3IU4dSj4q+8ZGymv6
+O1BYsVGr7Z4M//zJ70x9c5+jgDyam7LtxRpsd61R2/sVfqzJVTg=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec
new file mode 100644
index 0000000000..548241de3a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec
@@ -0,0 +1,6 @@
+issuer:evroot
+subject:no-ocsp-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem
new file mode 100644
index 0000000000..150eb3dfa1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAkqgAwIBAgIUVY/VRh2hxRcuAlpF5eXruz6Rbi4wDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUbm9uLWV2LXJvb3QtcGF0aC1pbnQwIhgPMjAyMTExMjcw
+MDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowHjEcMBoGA1UEAwwTbm9uLWV2LXJvb3Qt
+cGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaOBkjCBjzBMBggrBgEFBQcBAQRAMD4wPAYIKwYBBQUHMAGG
+MGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9ub24tZXYtcm9vdC1wYXRoLWVl
+LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNl
+di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBXgdfedO5sSJJE
+n1BMPeTQIZvhXADPJuQfw589m0J3KZIyQrZvpKJpnx70FcfnTx2ef1QFGrRPT0be
+ikVjzahGsKl2YZxJTHsfsYIBtXb3gxJhWMOWjp/o61yJoMOxuv3+sD1FeK15F73R
+LIwZ8FJw+kPVQr6nHKg/KxZ2x6z9AUzxr0vrbEXbClopnIoXVYT2YsnBLASlPKjk
+iHxuR4AR31ue9T38Y2p8eTKAyxssqE5DUYeRlS6RxHQKf3zNPIDlYoU6K+CpXp/R
+aGjUAsUGyFqEXSrqoiYrMthUmkESpgY8pj8gaFwwElIgrhL+TEJDLYVQtRcZf+9/
+NF21J9M2
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec
new file mode 100644
index 0000000000..9895732b15
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:non-ev-root-path-int
+subject:non-ev-root-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem
new file mode 100644
index 0000000000..fabab40b3d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSDCCAjCgAwIBAgIUL2l0QIXF1lhAxtAsa96UcJ2xVv0wDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNbm9uLWV2cm9vdC1jYTAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAfMR0wGwYDVQQDDBRub24tZXYtcm9vdC1wYXRoLWlu
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG
+NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn
+RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu
+p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ
+Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p
+47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1
+7Y0CAwEAAaN/MH0wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwTQYIKwYBBQUH
+AQEEQTA/MD0GCCsGAQUFBzABhjFodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgv
+bm9uLWV2LXJvb3QtcGF0aC1pbnQvMBEGA1UdIAQKMAgwBgYEVR0gADANBgkqhkiG
+9w0BAQsFAAOCAQEAVcD0UEY9IIAhyuk9cnSrU9rf28agFR7Gs3YOQUqqGePrNf1w
+ZwiFB3cHGaroBlFYsV9PHRM/o6kGKXiw+c5uo0vTQMAb8+/YcXUYL2eYBZMCIUDx
+Z9yzPUZenK9WBaZCcWFBcoZsWSMb/CV0AasRpM8VMxQ+i0IejzF/Jk1FrfT1+jSO
+H0EoUETMNx8ULbiUh3OWvTbTG5emiBIKA5YdhCQXwaqsB3tqwAz/fu8aYjf3zP3C
+h8PjV5pe+hMk0vkkAekzdiJQJYodPEn0VZz4wiQn9KOtFFGO0PJ9JDxBQLCDLFza
+07HSkmRfF7+Z3Nf9zEiYkuZZiRXWhE637X+rpw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec
new file mode 100644
index 0000000000..5ce035ae1e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec
@@ -0,0 +1,6 @@
+issuer:non-evroot-ca
+subject:non-ev-root-path-int
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-int/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem
new file mode 100644
index 0000000000..345485e228
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIUBfqrswEJGDjE9nm6ejtjD0kklVwwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNbm9uLWV2cm9vdC1jYTAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAYMRYwFAYDVQQDDA1ub24tZXZyb290LWNhMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC
+AQEAgp5QqEQH2DbmS5o6AFElwUJqETVSj82Mh4x8MmMWX5kx/f2oRMYGd3fuqirQ
+fgZFyp6z1O0Ei+sosKj6B5tsZKcEEIKBiOGJeFPv0XAVeny0GSN/UsCNpJdPI8bA
+WzuwDFCL62a7Rh7rbViNyzEWw8PUwsNjziRUx6TcgbvFahkW25vJJr4mmOiE26zw
+5kqI4AAqVHpzy89p11dsKld30Y122TdLuXVwvuE2Al1w3tW9HK8oeoQPueHpMQcz
+i1SUAZdSSQ0MyOVWVWz6uGEWU+7iSYCQrwLR9eIfpOku8Pb6C6olsYYm0D6vG/a7
+1O2Tm7VL2prtY5lv503AKF7QHA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem.certspec
new file mode 100644
index 0000000000..7b61447a80
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:non-evroot-ca
+subject:non-evroot-ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem
new file mode 100644
index 0000000000..9c18903539
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgDCCAmigAwIBAgIUY65iIQOPqad0zzesK3FOt5aVmeIwDQYJKoZIhvcNAQEL
+BQAwJjEkMCIGA1UEAwwbcmV2ZXJzZS1vcmRlci1vaWRzLXBhdGgtaW50MCIYDzIw
+MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCUxIzAhBgNVBAMMGnJldmVy
+c2Utb3JkZXItb2lkcy1wYXRoLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GiMIGfMFMGCCsGAQUFBwEBBEcw
+RTBDBggrBgEFBQcwAYY3aHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L3JldmVy
+c2Utb3JkZXItb2lkcy1wYXRoLWVlLzAoBgNVHSAEITAfMAcGBWeBDAEBMBQGEisG
+AQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNldi10ZXN0LmV4YW1wbGUuY29t
+MA0GCSqGSIb3DQEBCwUAA4IBAQC1RiorsYhREaYYkyTYNifb2XLtf5R2diikyO9E
+P+ZObrMhOtiQuGymn/HmhX37bv+lcginsTP+7UhUyAtRrWYFZ/+KFiwogA0X0gVD
+w6XbfCeExMc1PhyaCMTafIxbNjg0E4oaZZMZ8uM8ekxCXJoNVe7hms7AIjofQZkI
+0UTcr35l/8QPwKHdMWarQNNGk/hLfrlKEl+aYCySi1VXmJDFfkw2Ttd75pEaDjCP
+Lmx+8EUKqgLvwWJZ23b9+NbjYBwoS5E25qmd4v+nTykL0J6qYoIIiw3SzppsBE48
+Upeg19FmitAsp19J43mVB9/qvwvrreKs3Sjh2eDp64xmmbDm
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec
new file mode 100644
index 0000000000..31e3e69e53
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:reverse-order-oids-path-int
+subject:reverse-order-oids-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/reverse-order-oids-path-ee/
+extension:certificatePolicies:2.23.140.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem
new file mode 100644
index 0000000000..7b1255309b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIUMWXAuy7fu9hNxa2wdzYNdAbnEfIwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMCYxJDAiBgNVBAMMG3JldmVyc2Utb3JkZXItb2lkcy1wYXRoLWlu
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG
+NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn
+RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu
+p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ
+Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p
+47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1
+7Y0CAwEAAaOBnjCBmzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBUBggrBgEF
+BQcBAQRIMEYwRAYIKwYBBQUHMAGGOGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4
+OC9yZXZlcnNlLW9yZGVyLW9pZHMtcGF0aC1pbnQvMCgGA1UdIAQhMB8wFAYSKwYB
+BAHrSYUahRqFGgGDdAkBMAcGBWeBDAEBMA0GCSqGSIb3DQEBCwUAA4IBAQAAgTzv
+rOKCCIsum1ejoJeKdCLVhOoYdkLwMvQPx9GrDrkOK0xBT/hS7CPgKoeni0GTFk8A
+VIKO9p90STMWeAAvkvVoPbMMCjgirXf6H6BXnWBzROu5KQMEmCnozrGj7KlaNcFj
+r8IjxvhKsAHzbIBnPorH2/ksXmai+34XOTDdSzXIDQvfPu8wZHU49xgwFArNfsh+
+m7cwPdqnk3zeBlQ5aMWZyRJG86LeTO2fTvMsyHxlL/p5SYb1JPWyK03qUwKpfKvX
+rRqNqmUapWvsVBdAU60yLPipNO/mw6I10HJ1v3ZU7fdYeoOV/gDl7RPquPnV73Ff
+tt+m1SpB9l5StlS9
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec
new file mode 100644
index 0000000000..a2b523073e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:reverse-order-oids-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/reverse-order-oids-path-int/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,2.23.140.1.1
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem
new file mode 100644
index 0000000000..5439295f29
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIUFUZzpOeJ6SMwLH4GMYnNKJQ6J5YwDQYJKoZIhvcNAQEL
+BQAwPTE7MDkGA1UEAwwydGVzdC1hbmQtY2FiZm9ydW0tb2lkLWVlLWNhYmZvcnVt
+LW9pZC1pbnQtcGF0aC1pbnQwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowPDE6MDgGA1UEAwwxdGVzdC1hbmQtY2FiZm9ydW0tb2lkLWVlLWNhYmZv
+cnVtLW9pZC1pbnQtcGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab
+bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts
+Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI
+H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8
+rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX
+Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaOBuTCBtjBqBggrBgEFBQcBAQReMFww
+WgYIKwYBBQUHMAGGTmh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC90ZXN0LWFu
+ZC1jYWJmb3J1bS1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRoLWVlLzAoBgNV
+HSAEITAfMBQGEisGAQQB60mFGoUahRoBg3QJATAHBgVngQwBATAeBgNVHREEFzAV
+ghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQB2gvv3BrZ0
+3wqNT7VwXUzgtvQ9gRC2l9PpKFGAPjZlN0QlOKh7q2A/efTeVr9IIEOJrvjMdepB
+0qFRuGMw8Zw+veIEv4Gy5YfHYkeNPnYXm/NkvXiWECmCkOUyxZzrqqlEWdzjkcvI
+bUVyspWmS5RjcNCJY+kFOclPRM8xqZbuyZs5gC3Qabo71cYLDW/7QobcOvmMN+P6
+1tBd5GPH4QJnJiJrSWmAotB44vdWM1guAftJhl0zf0wgr0Rxq/eUNBCm7Lc4Qv4R
+neh/1uUBXjeh8py7HCTUK5nJb8eAcg/gD6d4+HYEOik8BpLB/gDqCLyGzuy409VO
+qyX4hAhGVP8e
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec
new file mode 100644
index 0000000000..edac2fc1ad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:test-and-cabforum-oid-ee-cabforum-oid-int-path-int
+subject:test-and-cabforum-oid-ee-cabforum-oid-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,2.23.140.1.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem
new file mode 100644
index 0000000000..7fb0c8a643
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgDCCAmigAwIBAgIUI59mCZyqqA1n9QHKquSu1nhheGUwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMD0xOzA5BgNVBAMMMnRlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1j
+YWJmb3J1bS1vaWQtaW50LXBhdGgtaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GfMIGcMAwGA1UdEwQFMAMB
+Af8wCwYDVR0PBAQDAgEGMGsGCCsGAQUFBwEBBF8wXTBbBggrBgEFBQcwAYZPaHR0
+cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L3Rlc3QtYW5kLWNhYmZvcnVtLW9pZC1l
+ZS1jYWJmb3J1bS1vaWQtaW50LXBhdGgtaW50LzASBgNVHSAECzAJMAcGBWeBDAEB
+MA0GCSqGSIb3DQEBCwUAA4IBAQAzuiRK8DbNihTSeXbgCz8rEAVK864Fyl+nyPoo
+eMvIp/Xwb2lKakji3IRX2xqJuQR6sdckn8RyzVvvMzZHGXto+DbMnNPh0ACmNE2x
+8rg+OBnNun8da0oP6gIlnl2q2eRP6XbQtQ7w2DSbbHJ7QvNyi77EjgMVOU2ZiE0M
+yeWHvL+OqwqgB6ZsLRWjQeKu/iTKHh5EGG9yPQl+2TYOlTGAlBjpKDyptwA17CW3
++tnXODlgGDBo3hLyFNStKG2JxtpJTwDn4k7IVJ6pJjFmpCNMXpcc9McI6xl6bBy8
+nXKJaRSM4wlJs8sPe4BMnCaSsUayoLEvzwnEu7vW71cOjmzA
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec
new file mode 100644
index 0000000000..68dfd00573
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:test-and-cabforum-oid-ee-cabforum-oid-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-cabforum-oid-int-path-int/
+extension:certificatePolicies:2.23.140.1.1
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem
new file mode 100644
index 0000000000..087d1f05e4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkjCCAnqgAwIBAgIUYT7HpFGQFkg/E790SoVkCNUtYn8wDQYJKoZIhvcNAQEL
+BQAwLDEqMCgGA1UEAwwhdGVzdC1hbmQtY2FiZm9ydW0tb2lkLWVlLXBhdGgtaW50
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCsxKTAnBgNVBAMM
+IHRlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1wYXRoLWVlMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GoMIGlMFkG
+CCsGAQUFBwEBBE0wSzBJBggrBgEFBQcwAYY9aHR0cDovL3d3dy5leGFtcGxlLmNv
+bTo4ODg4L3Rlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1wYXRoLWVlLzAoBgNVHSAE
+ITAfMBQGEisGAQQB60mFGoUahRoBg3QJATAHBgVngQwBATAeBgNVHREEFzAVghNl
+di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBDRKyEcWf9alVl
+a/qcpHwuJ1+5WGxFv88ZPo6CTav77YrxUdOxTt8abQh2AMMZcJ/Nucerm7eiESPK
+2KO/fgayLkDqsJ0BBz+lpz6WmWk4puvQYNW5C3+FLvpgCI79kksva3h2WcOwRPrN
+YmiITKnZsgzFxrU6EkRjgO/OQBlU/azBS3kHhWYPEmnDGtr3rjr51wBAXUwMFxcM
+fxmopVMe/rERRoStxGvXAFNLfCBGFrcLSiMPB//BN/3Nk24iHrTvjzofF70oeOV3
+kcbYlCvpTF+bg9SzLvpOHqwxCiC9IrOA4D3jQmFv8Udo9QCaGC56IJTua+rhoWqm
+e9viX7js
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec
new file mode 100644
index 0000000000..affbd87458
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:test-and-cabforum-oid-ee-path-int
+subject:test-and-cabforum-oid-ee-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,2.23.140.1.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem
new file mode 100644
index 0000000000..cc2f45d3ce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDXTCCAkWgAwIBAgIUb2D4HeEORbizbOLDdYEKZeydFOcwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMCwxKjAoBgNVBAMMIXRlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1w
+YXRoLWludDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaOBjTCBijAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBa
+BggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAGGPmh0dHA6Ly93d3cuZXhhbXBsZS5j
+b206ODg4OC90ZXN0LWFuZC1jYWJmb3J1bS1vaWQtZWUtcGF0aC1pbnQvMBEGA1Ud
+IAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQsFAAOCAQEAnxGTQXg6kASA3iTx6F//
+1NJjcf+xLthZA4Nr6Hr36gmgMwIPi1TQd40omtwIs+BcTXRUJsXkvW/NfRB2GIV2
+Zz1+2ViUMp95O98fVnIC1rJOvVha2t6Ct6jUGx9pznghH/5WR8yaK3GUCYjKO9Cn
+t67wF8ff6/GTXxenyCHp8iAffUJOhiXinDEYZ7DF0ylzYCrFr9hUlNicNMCIOLLe
+jeb+aD55bn8lvwgnErNIweOG+DKn3yWjjfnvVLn/PATg1xGRLe86MZgA5VzYU61q
+rEx0y6dlaxpfISarNfuicLrznf67bNXCpU17tyeITzxBCIfokDdeW1VxwWVVlS5K
+Aw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec
new file mode 100644
index 0000000000..11630b4b4f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:test-and-cabforum-oid-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-path-int/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem
new file mode 100644
index 0000000000..a49017dd4a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDlTCCAn2gAwIBAgIUBz5FscfzmfpyDXtVsfMuu/CYTkcwDQYJKoZIhvcNAQEL
+BQAwMDEuMCwGA1UEAwwldGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRo
+LWludDAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAvMS0wKwYD
+VQQDDCR0ZXN0LW9pZC1lZS1jYWJmb3J1bS1vaWQtaW50LXBhdGgtZWUwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
+gaMwgaAwXQYIKwYBBQUHAQEEUTBPME0GCCsGAQUFBzABhkFodHRwOi8vd3d3LmV4
+YW1wbGUuY29tOjg4ODgvdGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRo
+LWVlLzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAV
+ghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAH14OR4H62
+ENgeo7uXk6xgY01XulxL2jT4a/RY2Dsja43yjevGACMSO3X07y0MbjmPUtCS8vyo
+x9zr8deVnh+4fllU1Q7IZFDraje0qnOueNOtFeYYM6GRt/6fMMikE5VrcOtUkjo8
+b4IRru3eWt56JdUr/sytkDEUGSZiP2ipNXDNhvHKO6KEDuJETwPmOMSS0QkxnisV
+o1s9/tkrQV5ZNoZ3lgrK8hPIV4oHuJJnFyMtkcvLiRoN+uGVVVZL3jwTE17PlG2N
+/pVVC4vZmZPNCIZyzXjfqifzg2vWPTAFdBqy0L+3nUDrGvXswrnKVpi8MbCzFJM9
+ZoOHfu2/Ncex
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec
new file mode 100644
index 0000000000..bd0f955ada
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:test-oid-ee-cabforum-oid-int-path-int
+subject:test-oid-ee-cabforum-oid-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-ee-cabforum-oid-int-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem
new file mode 100644
index 0000000000..70c6974db9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZjCCAk6gAwIBAgIUMcttbpnyWBC8D4SQ5L52xqdAchgwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMDAxLjAsBgNVBAMMJXRlc3Qtb2lkLWVlLWNhYmZvcnVtLW9pZC1p
+bnQtcGF0aC1pbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjgZIwgY8wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMC
+AQYwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzABhkJodHRwOi8vd3d3LmV4YW1w
+bGUuY29tOjg4ODgvdGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRoLWlu
+dC8wEgYDVR0gBAswCTAHBgVngQwBATANBgkqhkiG9w0BAQsFAAOCAQEAkWY3TNtZ
+uIZDgcBslHPsaNJ9CLy88Uv6WK4+0r07WeTK4m716cHARRzaWfG/saYZErCD3wPy
+PXsDvzHH5TB7NYcDO9wGFvHyqr8nM6Y0g675LJZO/MIv/F+6cXnidGFpGQYAyN27
+oYlsg5UxHVf85unSWdYOekEk3Vb3j7yOyDyJlfPUjekCrFb2IXwGCXV8vwySnH08
+sOozuXxRL+IMOqhgXwSygP+uKIOpDTCm+ab9LCQ9rXrS/nSeP5dqsCTwSh08YUYW
+R/7drxxbAIP4hkdfypW+qNSFhVUagRqyNPOlyclnXiT/ECPbvZTJO2aVUnq/2wgf
+AACvPx4gGI/gPQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec
new file mode 100644
index 0000000000..37d4d133a1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:test-oid-ee-cabforum-oid-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-ee-cabforum-oid-int-path-int/
+extension:certificatePolicies:2.23.140.1.1
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem
new file mode 100644
index 0000000000..b28d658f34
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWTCCAkGgAwIBAgIUP0QPDJYHS8iqIxQh16sMCzUo2J4wDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRdGVzdC1vaWQtcGF0aC1pbnQwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowGzEZMBcGA1UEAwwQdGVzdC1vaWQtcGF0aC1l
+ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG
+NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn
+RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu
+p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ
+Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p
+47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1
+7Y0CAwEAAaOBjzCBjDBJBggrBgEFBQcBAQQ9MDswOQYIKwYBBQUHMAGGLWh0dHA6
+Ly93d3cuZXhhbXBsZS5jb206ODg4OC90ZXN0LW9pZC1wYXRoLWVlLzAfBgNVHSAE
+GDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNldi10ZXN0LmV4
+YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAulta+AvmR58Lr0CzIcRHSFkx6
+OAXxS7qxSy2DhfMucxyjIGFiL5GTFZ+PjZjpm7kBavXAq3s42/6gYaoUsTWy+exE
+G2wSV22L2iU0zTPJExtcOciLaWpX90yqUZN9ThB0WCosLGg9GiLfZLjlmX+IL0bC
+bGmOMmxpk9wCEdQbQGkSkkucZaPONST/n3W4g0eYzlCiC5bY45HnEbYPVxGKDd1P
+xTcJqEsbxffNflSAMyY4c5+KEY9DFpdXeKJvfAddoT61bBbrUHvi6g4xo+fBDfgP
+Zz9VeBvUMILYrbpFyFBmQL2rd8pCFnUcC7M6+HrSHdrXwAZWKiNmATFexWS4
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec
new file mode 100644
index 0000000000..a9d62c65e9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:test-oid-path-int
+subject:test-oid-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem
new file mode 100644
index 0000000000..ad2bd1d509
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIUQ9qTdUCkE4CVzUr1Rvfr0N+HsVkwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMBwxGjAYBgNVBAMMEXRlc3Qtb2lkLXBhdGgtaW50MIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK
+tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N
+Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr
+sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs
+l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl
+nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GL
+MIGIMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMEoGCCsGAQUFBwEBBD4wPDA6
+BggrBgEFBQcwAYYuaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L3Rlc3Qtb2lk
+LXBhdGgtaW50LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATANBgkq
+hkiG9w0BAQsFAAOCAQEAGmKNKoN7WoJUTqRBPdDm/acbFxtmXXSwl9SdxQ8+yW9w
+ukE9nqMii5V7viy+nimZ96ggcvbGsjZmyL9yMbG7nDyDbMI8z7p+5IaHY4pjPmu/
+JhWaMLneZDIQNADn8JOtBpwkGPRlKzDPBwjMBerfDXBxoj384iZZNsBCB0BLQgdx
+oQL+yrHXCq882e1KFkl+j0JJhvqiNHE3A6WPPcz/iaHm8kKRfjYNIWWapXLlEyv1
+06QQew0gPEmUUZu3nK76gvmxGqJOg4MV9ahCOW4R5ScHCyBH7QNZzlRRwmobfmH/
+gVfq9IkiIV2PXiic+YiXUlERvXElRzLamt/zWaHk6w==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec
new file mode 100644
index 0000000000..53534eb526
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:test-oid-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-int/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key
new file mode 100644
index 0000000000..a926a54efb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM
+1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48
+9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA
+-----END EC PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec
new file mode 100644
index 0000000000..03c3ce198f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec
@@ -0,0 +1 @@
+secp256r1
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem
new file mode 100644
index 0000000000..a5c0e04b0a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICMjCCARqgAwIBAgIUQQv+1NaQ2YW3zROTKhMXi0+z4+kwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaZmF1bHR5LXNlcnZlci1pbnRlcm1lZGlhdGUwIhgPMjAy
+MTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowFTETMBEGA1UEAwwKZGVmYXVs
+dC1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5saYKWayHBOLs
+BQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGTkNeZG3stB6ME6qBKpsCj
+MTAvMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5j
+b20wDQYJKoZIhvcNAQELBQADggEBAIa1n0PRvEO1vobr+MUhrdC2pkjrf3BkPofv
+UMX0GArZsYtkZTnB073ZuzRMaR1RNnEbCerDC8ibxVQzPqc3+HjCGhxUH8Mv6QMl
+K/F9FixiEHSiWOocGpSqNIbUtLFTVJOf7GC7GvT5a3rvAzMwtujetHKw+3QzgpZT
+Ja77qqxE1VJDdjnaXGgUc1hUfiNGPy1bh4/Eed/nLIbeDYDP9TfvvkhNTc3mb/vG
+LIxhaAXuQmxm3vHJl7ewXSzL+3g8Slr+LycODwv07SCz5ZYkY42ahqDlELKlkcwM
+O867QbO8leAZV2B/6ugEZJV02Sho1fNJkE/zYr/yBpZkTHqB3Uc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec
new file mode 100644
index 0000000000..5d471da110
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:faulty-server-intermediate
+subjectKey:secp256r1
+subject:default-ee
+extension:extKeyUsage:serverAuth
+extension:subjectAlternativeName:*.example.com
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem
new file mode 100644
index 0000000000..c896de631d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICFjCB/6ADAgECAhQJA7Qytg0FIuJ3Y9mQfFhL/MXBgzANBgkqhkiG9w0BAQsF
+ADAlMSMwIQYDVQQDDBpmYXVsdHktc2VydmVyLWludGVybWVkaWF0ZTAiGA8yMDIx
+MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAUMRIwEAYDVQQDDAluby1zYW4t
+ZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARPv7u7YeD4+bGmClmshwTi7AUL
+Qj489y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbAoxcw
+FTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEACQkHi4sl
+CReY+YWeZ7YCkzCt0UYHAlrd4F86n4GEJzXrjdrorzV3R4o1tNQtbDBJVIH3OzuM
+9xH2L7brtnVFP/INP4imkOFwvJiibt24hYssKTVS7vOh6VoIKF2QqLPh2mEO3u5g
+0w7D1xIIqMFATeZ/ovTEJzAhM4rt4cp0sMYJ8Zx8etuK5xDdMxkVuWp+HHNcEaSd
+674tpLwD2Peeoa/n90Dp8q3fxgbZ85jLetXz2Hi0WQE/nTKF3Cr1Fk+ECgCGbEL+
+DS2jbVYuR/P6EdBssZYtaCfW/Lajt9z+5+njqBGqCgfBeBN9m543xdUbvwdxFIGh
+fezZ/D6tdaeSEQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec
new file mode 100644
index 0000000000..68eb6b0202
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:faulty-server-intermediate
+subjectKey:secp256r1
+subject:no-san-ee
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key
new file mode 100644
index 0000000000..a926a54efb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM
+1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48
+9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA
+-----END EC PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec
new file mode 100644
index 0000000000..03c3ce198f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec
@@ -0,0 +1 @@
+secp256r1
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem
new file mode 100644
index 0000000000..3d0ae14911
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIUGSmSb2HbEr51bpQzj+bUUISSggowDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQZmF1bHR5LXNlcnZlci1jYTAiGA8yMDIxMTEyNzAwMDAw
+MFoYDzIwMjQwMjA1MDAwMDAwWjAbMRkwFwYDVQQDDBBmYXVsdHktc2VydmVyLWNh
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2
+ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF
+h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n
+cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv
+OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj
+tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt
+jQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B
+AQsFAAOCAQEARaxPN9ImyTHcTq2l4hCl3vybWKsY+RLOT0cap3xqst1htZbkoejV
+sy9OrA6jMe7k6N7IquopV/3ZuZTbebQZwCP+82HDs48yL20ACrUU3rlQJoOPtTJf
+7yUskA0ztDYkRtuV3KMWoscxoVFGoMIXwzjskUxy/Rp6+vKTuf0gvF+zd4iQzZ11
+oZarse5nF5pSxiFxQscep44bAh9Wnt8cMkUqoXgOc0hJE2MV/Kn1bLptNDVRyVmk
+2e6403EsBzmAjfy7yLLx/mpz2Fl+XgztP52AwK2V0TcWxaHg29cRIc16si0wNqF4
+2xxhvYyAUMArnzvKgRHXHqZbuyyaHV762A==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec
new file mode 100644
index 0000000000..bcbf751bb2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:faulty-server-ca
+subject:faulty-server-ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem
new file mode 100644
index 0000000000..9964b1ed68
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIUFXP/lk1Ozpz/foBDAI+E6dPYOJkwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQZmF1bHR5LXNlcnZlci1jYTAiGA8yMDIxMTEyNzAwMDAw
+MFoYDzIwMjQwMjA1MDAwMDAwWjAlMSMwIQYDVQQDDBpmYXVsdHktc2VydmVyLWlu
+dGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYw
+DQYJKoZIhvcNAQELBQADggEBAKKRqr0ubyrDGcUcswUGJGZXcvCZryaa3vbv/ccm
+G26nli+ANlthqjwnInKP1sdTjbk/BnhsOXrs05ygSdFuW/dOZqkeJKlPXbeFGF8i
+wnJb0gYdceBoTqyJ7H83AIVYJbuP5JMR78CE/iFOUv+43OaRQAMQdppcMiyq49oU
+hXMxsVuXOFelUD0XZSP/oAlrEXxeyAVkBJS2iPAN+B3Mxe9CVmkuibCZ47dsMHYr
+LEtzbdKVaO8pg+FHEMiv95Wtx2fBDX+6mhPHbXo21pn8jAVV0uHR3u+CwGvGcMrL
+Y94oWHnU2ojPicyhuy6NOH3v3RxACFW0jQV0sH/VK7bh8Ts=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec
new file mode 100644
index 0000000000..5be535c81d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:faulty-server-ca
+subject:faulty-server-intermediate
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js
new file mode 100644
index 0000000000..3a595a3e08
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js
@@ -0,0 +1,119 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+ * vim: sw=2 ts=2 sts=2
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+// Ensures that HSTS (HTTP Strict Transport Security) information is cleared
+// when using "Forget About This Site".
+
+const { ForgetAboutSite } = ChromeUtils.importESModule(
+  "resource://gre/modules/ForgetAboutSite.sys.mjs"
+);
+
+do_get_profile(); // must be done before instantiating nsIX509CertDB
+
+registerCleanupFunction(() => {
+  Services.prefs.clearUserPref("security.cert_pinning.enforcement_level");
+});
+
+const GOOD_MAX_AGE_SECONDS = 69403;
+const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`;
+
+const sss = Cc["@mozilla.org/ssservice;1"].getService(
+  Ci.nsISiteSecurityService
+);
+const uri = Services.io.newURI("https://a.pinning.example.com");
+
+// Test the normal case of processing HSTS headers for a.pinning.example.com,
+// using "Forget About Site" on a.pinning2.example.com, and then checking
+// that the platform doesn't consider a.pinning.example.com to be HSTS any
+// longer.
+add_task(async function () {
+  sss.processHeader(uri, GOOD_MAX_AGE);
+
+  Assert.ok(sss.isSecureURI(uri), "a.pinning.example.com should be HSTS");
+
+  await ForgetAboutSite.removeDataFromDomain("a.pinning.example.com");
+
+  Assert.ok(
+    !sss.isSecureURI(uri),
+    "a.pinning.example.com should not be HSTS now"
+  );
+});
+
+// Test the case of processing HSTS headers for a.pinning.example.com, using
+// "Forget About Site" on example.com, and then checking that the platform
+// doesn't consider the subdomain to be HSTS any longer. Also test that
+// unrelated sites don't also get removed.
+add_task(async function () {
+  sss.processHeader(uri, GOOD_MAX_AGE);
+
+  Assert.ok(
+    sss.isSecureURI(uri),
+    "a.pinning.example.com should be HSTS (subdomain case)"
+  );
+
+  // Add an unrelated site to HSTS.
+  let unrelatedURI = Services.io.newURI("https://example.org");
+  sss.processHeader(unrelatedURI, GOOD_MAX_AGE);
+  Assert.ok(sss.isSecureURI(unrelatedURI), "example.org should be HSTS");
+
+  await ForgetAboutSite.removeDataFromDomain("example.com");
+
+  Assert.ok(
+    !sss.isSecureURI(uri),
+    "a.pinning.example.com should not be HSTS now (subdomain case)"
+  );
+
+  Assert.ok(sss.isSecureURI(unrelatedURI), "example.org should still be HSTS");
+});
+
+// Test the case of processing HSTS headers for a.pinning.example.com with
+// various originAttributes, using "Forget About Site" on example.com, and
+// then checking that the platform doesn't consider the subdomain to be HSTS
+// for any originAttributes any longer. Also test that unrelated sites don't
+// also get removed.
+add_task(async function () {
+  let originAttributesList = [
+    {},
+    { userContextId: 1 },
+    { firstPartyDomain: "foo.com" },
+    { userContextId: 1, firstPartyDomain: "foo.com" },
+  ];
+
+  let unrelatedURI = Services.io.newURI("https://example.org");
+
+  for (let originAttributes of originAttributesList) {
+    sss.processHeader(uri, GOOD_MAX_AGE, originAttributes);
+
+    Assert.ok(
+      sss.isSecureURI(uri, originAttributes),
+      "a.pinning.example.com should be HSTS (originAttributes case)"
+    );
+
+    // Add an unrelated site to HSTS.
+    sss.processHeader(unrelatedURI, GOOD_MAX_AGE, originAttributes);
+    Assert.ok(
+      sss.isSecureURI(unrelatedURI, originAttributes),
+      "example.org should be HSTS (originAttributes case)"
+    );
+  }
+
+  await ForgetAboutSite.removeDataFromDomain("example.com");
+
+  for (let originAttributes of originAttributesList) {
+    Assert.ok(
+      !sss.isSecureURI(uri, originAttributes),
+      "a.pinning.example.com should not be HSTS now " +
+        "(originAttributes case)"
+    );
+
+    Assert.ok(
+      sss.isSecureURI(unrelatedURI, originAttributes),
+      "example.org should still be HSTS (originAttributes case)"
+    );
+  }
+});
diff --git a/security/manager/ssl/tests/unit/test_hash_algorithms.js b/security/manager/ssl/tests/unit/test_hash_algorithms.js
new file mode 100644
index 0000000000..3a42017bea
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_hash_algorithms.js
@@ -0,0 +1,158 @@
+"use strict";
+
+// This file tests various aspects of the nsICryptoHash implementation for all
+// of the supported algorithms.
+
+const messages = ["The quick brown fox jumps over the lazy dog", ""];
+const ALGORITHMS = [
+  {
+    initString: "md5",
+    initConstant: Ci.nsICryptoHash.MD5,
+    hexHashes: [
+      "9e107d9d372bb6826bd81d3542a419d6",
+      "d41d8cd98f00b204e9800998ecf8427e",
+    ],
+    b64Hashes: ["nhB9nTcrtoJr2B01QqQZ1g==", "1B2M2Y8AsgTpgAmY7PhCfg=="],
+  },
+  {
+    initString: "sha1",
+    initConstant: Ci.nsICryptoHash.SHA1,
+    hexHashes: [
+      "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
+      "da39a3ee5e6b4b0d3255bfef95601890afd80709",
+    ],
+    b64Hashes: ["L9ThxnotKPzthJ7hu3bnORuT6xI=", "2jmj7l5rSw0yVb/vlWAYkK/YBwk="],
+  },
+  {
+    initString: "sha256",
+    initConstant: Ci.nsICryptoHash.SHA256,
+    hexHashes: [
+      "d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592",
+      "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+    ],
+    b64Hashes: [
+      "16j7swfXgJRpypq8sAguT41WUeRtPNt2LQLQvzfJ5ZI=",
+      "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=",
+    ],
+  },
+  {
+    initString: "sha384",
+    initConstant: Ci.nsICryptoHash.SHA384,
+    hexHashes: [
+      "ca737f1014a48f4c0b6dd43cb177b0afd9e5169367544c494011e3317dbf9a509cb1e5dc1e85a941bbee3d7f2afbc9b1",
+      "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
+    ],
+    b64Hashes: [
+      "ynN/EBSkj0wLbdQ8sXewr9nlFpNnVExJQBHjMX2/mlCcseXcHoWpQbvuPX8q+8mx",
+      "OLBgp1GsljhM2TJ+sbHjaiH9txEUvgdDTAzHv2P24donTt6/529l+9Ua0vFImLlb",
+    ],
+  },
+  {
+    initString: "sha512",
+    initConstant: Ci.nsICryptoHash.SHA512,
+    hexHashes: [
+      "07e547d9586f6a73f73fbac0435ed76951218fb7d0c8d788a309d785436bbb642e93a252a954f23912547d1e8a3b5ed6e1bfd7097821233fa0538f3db854fee6",
+      "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
+    ],
+    b64Hashes: [
+      "B+VH2VhvanP3P7rAQ17XaVEhj7fQyNeIownXhUNru2Quk6JSqVTyORJUfR6KO17W4b/XCXghIz+gU489uFT+5g==",
+      "z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==",
+    ],
+  },
+];
+
+function doHash(algo, value, cmp) {
+  let hash = Cc["@mozilla.org/security/hash;1"].createInstance(
+    Ci.nsICryptoHash
+  );
+  hash.initWithString(algo);
+
+  let converter = Cc[
+    "@mozilla.org/intl/scriptableunicodeconverter"
+  ].createInstance(Ci.nsIScriptableUnicodeConverter);
+  converter.charset = "utf8";
+  value = converter.convertToByteArray(value);
+  hash.update(value, value.length);
+  equal(
+    hexify(hash.finish(false)),
+    cmp,
+    `Actual and expected hash for ${algo} should match`
+  );
+
+  hash.initWithString(algo);
+  hash.update(value, value.length);
+  equal(
+    hexify(hash.finish(false)),
+    cmp,
+    `Actual and expected hash for ${algo} should match after re-init`
+  );
+}
+
+function doHashStream(algo, value, cmp) {
+  // TODO(Bug 459835): Make updateFromStream() accept zero length streams.
+  if (!value.length) {
+    return;
+  }
+
+  let hash = Cc["@mozilla.org/security/hash;1"].createInstance(
+    Ci.nsICryptoHash
+  );
+  hash.initWithString(algo);
+
+  let converter = Cc[
+    "@mozilla.org/intl/scriptableunicodeconverter"
+  ].createInstance(Ci.nsIScriptableUnicodeConverter);
+  converter.charset = "utf8";
+  let stream = converter.convertToInputStream(value);
+  hash.updateFromStream(stream, stream.available());
+  equal(
+    hexify(hash.finish(false)),
+    cmp,
+    `Actual and expected hash for ${algo} should match updating from stream`
+  );
+}
+
+function testInitConstantAndBase64(
+  initConstant,
+  algoName,
+  message,
+  expectedOutput
+) {
+  let converter = Cc[
+    "@mozilla.org/intl/scriptableunicodeconverter"
+  ].createInstance(Ci.nsIScriptableUnicodeConverter);
+  converter.charset = "utf8";
+  let value = converter.convertToByteArray(message);
+
+  let hash = Cc["@mozilla.org/security/hash;1"].createInstance(
+    Ci.nsICryptoHash
+  );
+  hash.init(initConstant);
+  hash.update(value, value.length);
+  equal(
+    hash.finish(true),
+    expectedOutput,
+    `Actual and expected base64 hash for ${algoName} should match`
+  );
+}
+
+function run_test() {
+  for (let algo of ALGORITHMS) {
+    algo.hexHashes.forEach((hash, i) => {
+      doHash(algo.initString, messages[i], hash);
+      doHashStream(algo.initString, messages[i], hash);
+    });
+    algo.b64Hashes.forEach((hash, i) => {
+      testInitConstantAndBase64(
+        algo.initConstant,
+        algo.initString,
+        messages[i],
+        hash
+      );
+    });
+  }
+
+  // Our buffer size for working with streams is 4096 bytes. This tests we
+  // handle larger inputs.
+  doHashStream("md5", " ".repeat(4100), "59f337d82f9ef5c9571bec4d78d66641");
+}
diff --git a/security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js b/security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js
new file mode 100644
index 0000000000..f2b7016c05
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js
@@ -0,0 +1,5 @@
+"use strict";
+
+function run_test() {
+  run_test_in_child("test_hash_algorithms.js");
+}
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
new file mode 100644
index 0000000000..4b09c719fc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
@@ -0,0 +1,138 @@
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+function load_cert(name, trust) {
+  let filename = "test_intermediate_basic_usage_constraints/" + name + ".pem";
+  addCertFromFile(certdb, filename, trust);
+}
+
+function test_cert_for_usages(certChainNicks, expected_usages) {
+  let certs = [];
+  for (let i in certChainNicks) {
+    let certNick = certChainNicks[i];
+    let certPEM = readFile(
+      do_get_file(
+        "test_intermediate_basic_usage_constraints/" + certNick + ".pem"
+      ),
+      false
+    );
+    certs.push(certdb.constructX509FromBase64(pemToBase64(certPEM)));
+  }
+
+  let cert = certs[0];
+  return asyncTestCertificateUsages(certdb, cert, expected_usages);
+}
+
+add_task(async function () {
+  let ee_usages = [
+    certificateUsageSSLClient,
+    certificateUsageSSLServer,
+    certificateUsageEmailSigner,
+    certificateUsageEmailRecipient,
+  ];
+  let ca_usages = [certificateUsageSSLCA];
+  let eku_usages = [certificateUsageSSLClient, certificateUsageSSLServer];
+
+  // Load the ca into mem
+  let ca_name = "ca";
+  load_cert(ca_name, "CTu,CTu,CTu");
+  await test_cert_for_usages([ca_name], ca_usages);
+
+  // A certificate with no basicConstraints extension is considered an EE.
+  await test_cert_for_usages(["int-no-extensions"], ee_usages);
+
+  // int-no-extensions is an EE (see previous case), so no certs can chain to
+  // it.
+  await test_cert_for_usages(["ee-int-no-extensions", "int-no-extensions"], []);
+
+  // a certificate with basicConstraints.cA==false is considered an EE.
+  await test_cert_for_usages(["int-not-a-ca"], ee_usages);
+
+  // int-not-a-ca is an EE (see previous case), so no certs can chain to it.
+  await test_cert_for_usages(["ee-int-not-a-ca", "int-not-a-ca"], []);
+
+  // a certificate with basicConstraints.cA==false but with the keyCertSign
+  // key usage may not act as a CA (it can act like an end-entity).
+  await test_cert_for_usages(["int-cA-FALSE-asserts-keyCertSign"], ee_usages);
+  await test_cert_for_usages(
+    ["ee-int-cA-FALSE-asserts-keyCertSign", "int-cA-FALSE-asserts-keyCertSign"],
+    []
+  );
+
+  // int-limited-depth has cA==true and a path length constraint of zero.
+  await test_cert_for_usages(["int-limited-depth"], ca_usages);
+
+  // path length constraints do not affect the ability of a non-CA cert to
+  // chain to to the CA cert.
+  await test_cert_for_usages(
+    ["ee-int-limited-depth", "int-limited-depth"],
+    ee_usages
+  );
+
+  // ca
+  //   int-limited-depth (cA==true, pathLenConstraint==0)
+  //      int-limited-depth-invalid (cA==true)
+  //
+  await test_cert_for_usages(
+    ["int-limited-depth-invalid", "int-limited-depth"],
+    []
+  );
+  await test_cert_for_usages(
+    [
+      "ee-int-limited-depth-invalid",
+      "int-limited-depth-invalid",
+      "int-limited-depth",
+    ],
+    []
+  );
+
+  // int-valid-ku-no-eku has keyCertSign
+  await test_cert_for_usages(["int-valid-ku-no-eku"], ca_usages);
+  await test_cert_for_usages(
+    ["ee-int-valid-ku-no-eku", "int-valid-ku-no-eku"],
+    ee_usages
+  );
+
+  // int-bad-ku-no-eku has basicConstraints.cA==true and has a KU extension
+  // but the KU extension is missing keyCertSign. Note that mozilla::pkix
+  // doesn't validate certificates with basicConstraints.Ca==true for non-CA
+  // uses.
+  await test_cert_for_usages(["int-bad-ku-no-eku"], []);
+  await test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], []);
+
+  // int-no-ku-no-eku has basicConstraints.cA==true and no KU extension.
+  // We treat a missing KU as "any key usage is OK".
+  await test_cert_for_usages(["int-no-ku-no-eku"], ca_usages);
+  await test_cert_for_usages(
+    ["ee-int-no-ku-no-eku", "int-no-ku-no-eku"],
+    ee_usages
+  );
+
+  // int-valid-ku-server-eku has basicConstraints.cA==true, keyCertSign in KU,
+  // and EKU=={id-kp-serverAuth,id-kp-clientAuth}.
+  await test_cert_for_usages(["int-valid-ku-server-eku"], ca_usages);
+  await test_cert_for_usages(
+    ["ee-int-valid-ku-server-eku", "int-valid-ku-server-eku"],
+    eku_usages
+  );
+
+  // int-bad-ku-server-eku has basicConstraints.cA==true, a KU without
+  // keyCertSign, and EKU=={id-kp-serverAuth,id-kp-clientAuth}.
+  await test_cert_for_usages(["int-bad-ku-server-eku"], []);
+  await test_cert_for_usages(
+    ["ee-int-bad-ku-server-eku", "int-bad-ku-server-eku"],
+    []
+  );
+
+  // int-bad-ku-server-eku has basicConstraints.cA==true, no KU, and
+  // EKU=={id-kp-serverAuth,id-kp-clientAuth}.
+  await test_cert_for_usages(["int-no-ku-server-eku"], ca_usages);
+  await test_cert_for_usages(
+    ["ee-int-no-ku-server-eku", "int-no-ku-server-eku"],
+    eku_usages
+  );
+});
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem
new file mode 100644
index 0000000000..69c16a8d42
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICvDCCAaSgAwIBAgIUSyYNcZmBB3Fq//SFPcSyXEpJ6tIwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggEBAFsWYvf5u1J578KdSOtot0N4h6jCRbE41le2inKzuBY4
+bKzTckFPNscz3NXjGydHHuMA0WI1BnskiXw59dotlAsaWttq2V02EP8fPMSC0Sbx
+J+Uap+b9xONUzTTja2yBWVEI4pN47xiCAEyVWu88/XWm+Ig+HyTjfhT3a32FviiO
+4MuXaN73kJvLjzTUqk0KOtzbuhPLF6kRvycIuLEDel7f21cIbp7ezQRBaDcT+nVv
++WdlXsm8aA7GqnKNY1wBGL8FwsIcIOOeAVb4HgCG4FXp4eKODoexywRu3LP9yN1u
+XAy3x+0wUWp85H3CQuTD7p76ZR1Ui4soSHDs0DdRpkc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem.certspec
new file mode 100644
index 0000000000..eb7c4b4bee
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem
new file mode 100644
index 0000000000..b92dc8fc03
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAc+gAwIBAgIUX2dsScLlfW4gR9BgNZCZQUmGMVgwDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRaW50LWJhZC1rdS1uby1la3UwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowHzEdMBsGA1UEAwwUZWUtaW50LWJhZC1rdS1u
+by1la3UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3
+DQEBCwUAA4IBAQAwovJGGbmC872VetJzSnRzUuGG5tPdn6OrnalmanwsZipR5yzd
+tNe+V3olt3kh9CS4M0aU8dB1Usu3VX35yNXMFAl1pa0wtgOWm4wU3iUu5e6XYoak
+X1PM6FysCbiJoaRejhKJdt525zVomVZ/4v+Ww/OxfGfvqXOgfnhEkdVBDNsO02qx
+RoDWllKKz+fjQbHfwN65VFMG4qFSeCBAo58+pTWapJgNT6rprIsmfqAX89lnpAyY
+NhgWCSczyLtHL2voIeabbOWCpL4WjKp4yj2hztrlRuvWTnOzbZaiydckXnorkfmD
+AVxdSYCZJT5zf+kDUFj7rSS1SfgGLEXa6uHW
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem.certspec
new file mode 100644
index 0000000000..390adf2344
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-bad-ku-no-eku
+subject:ee-int-bad-ku-no-eku
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem
new file mode 100644
index 0000000000..6602f1d911
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIUaWcqNQwNMI1aFqgOG5mw0z0Ph8kwDQYJKoZIhvcNAQEL
+BQAwIDEeMBwGA1UEAwwVaW50LWJhZC1rdS1zZXJ2ZXItZWt1MCIYDzIwMjExMTI3
+MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCMxITAfBgNVBAMMGGVlLWludC1iYWQt
+a3Utc2VydmVyLWVrdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI
+UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi
+r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x
+fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD
+7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv
+uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj
++nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCA/gw
+DQYJKoZIhvcNAQELBQADggEBAFK/ct1l9T0Hs5cOB/yhXWKbEwp74UCZvwKzgpuc
+VslyzB3GPHl8a8aOvastiSgBEzsWzOuGlKprqWsGozG4jG2KHLZWHWG535vjISIO
+wrHyOv20wjgTmMca0osxiQxWumQG7HupZZou8xlbm9XDrFVFriWtvXD88sxhvy6r
+DwtFFzTVXqE0W0LC2KVxFMI6oWIsviYClsAovQLBdMUwjcKpyJj0KFGf0158ncMv
+bkdZgO4uvn+BdUTlbnhyJXs74iSgau7D7t8zCT92CcLojI4+Q70rVt6fw3ZqW/wo
+6s6x+LfPkvkiOBifmhUJGxNOnYlIgxos9Jl1Gi+8nRyxgaw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem.certspec
new file mode 100644
index 0000000000..32bb6c2485
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-bad-ku-server-eku
+subject:ee-int-bad-ku-server-eku
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem
new file mode 100644
index 0000000000..611c93cc97
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBTCCAe2gAwIBAgIUCQnY3uTX2s9L1e03jirXWhQ8u0QwDQYJKoZIhvcNAQEL
+BQAwKzEpMCcGA1UEAwwgaW50LWNBLUZBTFNFLWFzc2VydHMta2V5Q2VydFNpZ24w
+IhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowLjEsMCoGA1UEAwwj
+ZWUtaW50LWNBLUZBTFNFLWFzc2VydHMta2V5Q2VydFNpZ24wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGjAYMAkG
+A1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3DQEBCwUAA4IBAQCASFIVTN69
+PWqwJI0aACKMn9re9uVfSjXEljM9rxFCCYtW1lcTm3tqMq/Hn4BEa4hIBFGDADOc
+DNAhvzIaLOWjxWPcKdxWSUsbg5QJ9M60yqUpbIMw6Y4igQkIUMZG8gOEqnvL2jW1
+dJnjpuBFNXKfW5Ww/WurNXSrz/M+z+6jSn3LCB3pzOpBrAIXYqul+4J0S6mJvXdZ
+hP41/f2s/2r3pl91M/ZlE2uJtEPiGXlXxc5biHl9NxahBi8ZtO+dQ9fQX34Kj3y+
+SjAl594g+9zBpLyeoMJIu4h8cUSKbfCGEwrhlkWL5r0i2NCvdOjh/rVhAhuYoUKe
+D/AGM1NDr5tC
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..9e0fb65fd6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-cA-FALSE-asserts-keyCertSign
+subject:ee-int-cA-FALSE-asserts-keyCertSign
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem
new file mode 100644
index 0000000000..0313f22fa3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9zCCAd+gAwIBAgIUJTkDPPQhp5SptWJuRzUcxOQpGrwwDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZaW50LWxpbWl0ZWQtZGVwdGgtaW52YWxpZDAiGA8yMDIx
+MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAnMSUwIwYDVQQDDBxlZS1pbnQt
+bGltaXRlZC1kZXB0aC1pbnZhbGlkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxowGDAJBgNVHRMEAjAAMAsGA1Ud
+DwQEAwID+DANBgkqhkiG9w0BAQsFAAOCAQEAo54m8X4ZIwPI62dxL0v5YlxaR32S
+8EEnFzpp9ZDKIDxBAjKdY8YLkbhXF/7VTAbqdQJIWZYsFjHVRKvzjgYQzei+oi9K
+fc8HIwFKTaKd+MDcoLzMXm8J4ykRuz482C3jE5SnjwkaGnWWyMH7DLvqd0A+iUzI
+FQhmwQmtiG1O5poN+qCJQmfXInPOs2ne0vKKM679tAMnWFD0qG+nL2+YRba/TJ5T
+unSmCpRbQU/t8obecB38wa67tSC7u9YZ8ot6vWO7BlVe4NWU7eP71JFFCyl891fY
+hD971ulMb9AKsujEhCIqjlcq9Eq64w6ZPFyVhy1P/Mp8dpJg+krXY1yUXg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem.certspec
new file mode 100644
index 0000000000..f00b4d1591
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-limited-depth-invalid
+subject:ee-int-limited-depth-invalid
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem
new file mode 100644
index 0000000000..7b206b3253
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAc+gAwIBAgIUTfEUPuNAjYMBNO7pTXwAW4m2QywwDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRaW50LWxpbWl0ZWQtZGVwdGgwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowHzEdMBsGA1UEAwwUZWUtaW50LWxpbWl0ZWQt
+ZGVwdGgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3
+DQEBCwUAA4IBAQBGRRnLNAucxyYbATTURGI3VH4aOQS5QfZI6X2Alga7U4odlAsN
+l2wZzETWkgLh5PomEW85l4QGw7nt9AGqu+bVS1e7V4DTLdrNFPpMdjcxfBi36tUl
+pZbvzW09pFO9klTUovL3i1i4KtY59wohPHsC1Px46sr1U1kMZbYxcGQnGtE3cerl
+Pbfx1XuLInk1shMU/XnFn5gwtZLkPdRWcHJAjdPpH4DEyMxyiU7Xkq7j/5PmZp3R
+eWFEh8B6Ww77kR9PgFXw9i3evQSwG3HKWiLvkpcfffHc73FQJC8Thhx7DrQqFyGp
+RzG07oNPjprOIwm6GTWNcQ6bDvOksajKhONU
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem.certspec
new file mode 100644
index 0000000000..df85342d98
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-limited-depth
+subject:ee-int-limited-depth
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem
new file mode 100644
index 0000000000..ee57cb363b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAc+gAwIBAgIUO9f0kr95LgU+xDs1PzAfLOKqnBMwDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRaW50LW5vLWV4dGVuc2lvbnMwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowHzEdMBsGA1UEAwwUZWUtaW50LW5vLWV4dGVu
+c2lvbnMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3
+DQEBCwUAA4IBAQBBAowOTcEZ1VVW0v7xgIo1hga8cgsgRZHVfvh5n9AuEQ0D+l7e
+tZ/oJFNOloyXu1hfTMCNbSE16trQWAE6b6g+3VsvJvwjYdWFJP6t5JgB3M6IvK+W
+nETRBUw5rkcLASwJfNKWZoYvbblgm9q5AbqxcWUQD35vOunNSr+5qp8RwLzFP/Sl
+8SkRS/vwNZALOZ0y6+OLuvw09m+rtrn+PRfxNLnOA0os7M8AlbEJXZoUkmlf2BlP
+AhkHu3v2ujS11eirT7bQCMU2hB0qHr8W8e/PdsBvnjppv/F4/FPdcbH463q4DFV1
+rzUvWbWHFIt4AqdMZFibyQcSVwddPf5dcZzK
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem.certspec
new file mode 100644
index 0000000000..c5279046d8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-no-extensions
+subject:ee-int-no-extensions
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem
new file mode 100644
index 0000000000..e356ecf72e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5TCCAc2gAwIBAgIUX5IwL/hJqOZ0Iyh2OWGyGSoA0kcwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQaW50LW5vLWt1LW5vLWVrdTAiGA8yMDIxMTEyNzAwMDAw
+MFoYDzIwMjQwMjA1MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1pbnQtbm8ta3Utbm8t
+ZWt1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62
+iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql
+WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq
+Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+
+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i
+b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY
+CjXtjQIDAQABoxowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwID+DANBgkqhkiG9w0B
+AQsFAAOCAQEAONTwF02LG0ZbucYtE7aGaaOP7nG6jZPiT8VPI19y77GVEFNwt+zW
+FtDq/80SIJj1mIzJ4E9oTNUi2v5VxG5m9Slc2VAf2iZfGHdNUBO4gfYKm9waYjqd
+cd7vYA7hEm+K+rMdhgc4TVf4c+I1tK8JtifycRMTZSYSaBeNb7SruB7ZAb+1QhvI
+e8fMYSrZSKpHbE85CfOMHXF/sKJeojouBCdPpYzQRrQ9rbGyQTDZoEqBqdcbuAZo
+m7gCtobppcjq3bBgxrdnPeTU0DMnhS/t5WLzEG28mTcwndIK9OVkZOrxgNTN5Jg8
+qTIRfVlgTurQm6S8BL+c/ncONJObKPwevQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem.certspec
new file mode 100644
index 0000000000..92ee3cc6d6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-no-ku-no-eku
+subject:ee-int-no-ku-no-eku
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem
new file mode 100644
index 0000000000..e5a5e0bea8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7TCCAdWgAwIBAgIUX22fNLvnip6KC7WCdXKFxQXZqUYwDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUaW50LW5vLWt1LXNlcnZlci1la3UwIhgPMjAyMTExMjcw
+MDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowIjEgMB4GA1UEAwwXZWUtaW50LW5vLWt1
+LXNlcnZlci1la3UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0G
+CSqGSIb3DQEBCwUAA4IBAQBVZ/G/hh1al04zc3kxvCf9GF2KPR98ugcRGqqonXZP
+ix5eHf6w8AgEbucuFqQ7Gd8DbrEeKkL5v7RoQxQuJvL/455BYdFSBN8nx94tRWyy
+8taFHiSrjqt/7wF4kGoTlXuoEWvsowAsI65CgvRe8C/kPa3AYfS5ZsoQDbX39pJo
+adrz5HeSaM7pPrVtxjjd4+0gxH1lwtDJqpPTqR8lpmcVLYxrUFWVmZjRL1nJ30e+
+U5M3vXWORDRPa9Vk6bzJXqwgr6hqXwr76w9ZO5H5RpLL1RNP/DGTt3Jp1yo035BJ
+KPJzAUi7eu6vb/9FCJ69ltUIBdxFYaSYFyF6ZrmmkHm3
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem.certspec
new file mode 100644
index 0000000000..c148896710
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-no-ku-server-eku
+subject:ee-int-no-ku-server-eku
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem
new file mode 100644
index 0000000000..ddb6b4810f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3TCCAcWgAwIBAgIUNx7IjEtdkB/tsL/CqgWRGxCMkSswDQYJKoZIhvcNAQEL
+BQAwFzEVMBMGA1UEAwwMaW50LW5vdC1hLWNhMCIYDzIwMjExMTI3MDAwMDAwWhgP
+MjAyNDAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD2VlLWludC1ub3QtYS1jYTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCA/gwDQYJKoZIhvcNAQELBQADggEB
+ACLu/f0o3T4sd35U49UKAJiKzzaJMLJJa/OUnxrja5p441nI7SAcr+uLKnQokaj6
+FATB/INGwYpGMg+WPrKp0FAFNFHFrsmcE6ADHdZ5nie2NRPCDSNG98X3uQeAK+La
+90DqyYZoDj6C43KpML/oNxH4MBGS2bLL/zGVjoZBs20Fw8HlbjCmCBfa57gAmUC3
+588bjavhoOEqOIQQ5UXwgLQN03yhz/KAnTpB7/ctv9nzv3RdG5Eh7M8zr+VRoqkh
+M8zMqJDY+lLQ/uNyq7GKfzxnpcEpYdH4mTcnDEKZfeocyl6WSk0dR94Iwpu8iXur
+jRzyrsJEB+h+OipLAuSGHTg=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem.certspec
new file mode 100644
index 0000000000..a95b0dc260
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-not-a-ca
+subject:ee-int-not-a-ca
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem
new file mode 100644
index 0000000000..907671c3e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6zCCAdOgAwIBAgIUVanRJenZNEF+cjecPKqHsbneTa0wDQYJKoZIhvcNAQEL
+BQAwHjEcMBoGA1UEAwwTaW50LXZhbGlkLWt1LW5vLWVrdTAiGA8yMDIxMTEyNzAw
+MDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAhMR8wHQYDVQQDDBZlZS1pbnQtdmFsaWQt
+a3Utbm8tZWt1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO
+FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr
+amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka
+sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY
+VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n
+aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE
+MdUDrNoYCjXtjQIDAQABoxowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwID+DANBgkq
+hkiG9w0BAQsFAAOCAQEAI1rwnetC4tEnvUYabxo0oNmtHi57Blddig3bLWKjTZB5
+jyWidVZqlhcQsKs1Vy2V/SkgFrERsCr3MejyY9FIS1ugqFp/bdq1I6W3BuRYjYKR
+/EkuUMQXVZr+rijX0JDegh0Yo8gf+RTFzI80/NzBnO2OTCSE++lAvRf6DsjFKU4W
+kLSP5tF4ZBdnuBJt+mlrk6SSDVppG2eMCPjJB2Lejkrvx6jJpIWHSzcWhsDC3jNU
+YxtdZtUxyZlO82/EVJnFrinZSiPrA3X6MqinXX2Glyu1BEG05YUgEbDfUpczNgH1
+HWPojXE3OtirTtvFmCtQ0z0H/iDS2vWqGFI9WSez4w==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem.certspec
new file mode 100644
index 0000000000..89a66b9f97
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-valid-ku-no-eku
+subject:ee-int-valid-ku-no-eku
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem
new file mode 100644
index 0000000000..ef07acc2d0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAdugAwIBAgIUOSSwDry8R9Mp7YyOQ8GFPgOKxW4wDQYJKoZIhvcNAQEL
+BQAwIjEgMB4GA1UEAwwXaW50LXZhbGlkLWt1LXNlcnZlci1la3UwIhgPMjAyMTEx
+MjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowJTEjMCEGA1UEAwwaZWUtaW50LXZh
+bGlkLWt1LXNlcnZlci1la3UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a
+hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t
+FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o
+N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d
+JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4
+s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgP4MA0GCSqGSIb3DQEBCwUAA4IBAQC5mUBhwkAJq11r0NRLh32+A+p26fJz1lBT
+Fdct7k75tTY0dE7qTUC4XOWj2Ry63cE/LnNFeNRWrZV3sqmxLPbHLHVZZ3P7a31S
+HAch7qxgtysmDYSMcirMa2SwmL8DEN138HXB2PH0T2B4OYmgYX0p0H4/bOPIjPRt
+HNsDWzz3hg57jf4sR2UC4jV53w5uXmByaJLWVXlzsBsnZcVLnSp+4zmp68aUNsTx
+mNMYTseMNYbtmNhNQlWwsvhBUvIog8zLdF6wYApdHjlyrV0NUVgEv8eDU+Xo73mt
+5sPh9vRb26+B/CdyANACF5nMdse04Incym1yLFqHro0kcRnsnWF0
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem.certspec
new file mode 100644
index 0000000000..43e83a336e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-valid-ku-server-eku
+subject:ee-int-valid-ku-server-eku
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem
new file mode 100644
index 0000000000..d7cd3b7eb0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC2DCCAcCgAwIBAgIUBdrcACRCSGk1ypWIXk360U1xp6UwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowHDEaMBgGA1UEAwwRaW50LWJhZC1rdS1uby1la3UwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwG
+A1UdEwQFMAMBAf8wCwYDVR0PBAQDAgH6MA0GCSqGSIb3DQEBCwUAA4IBAQCEXus9
+J5tHBLGUt55OM7ms2OxUerMkz8DdgsDO/fzQi++6h4rIxktmYU/wL5XAtQKurf14
+boo+h9Kspx6GBHvhGAsTrFFAjtoDbi5jpXG4+8RagnJfe5gTL4Fipd9Rqxhrw5xu
+lBltX0iCw6JkXBIb5r9EOyztJ9U8D5tQfbC/oqiNqMcJBaXlNayffh8d8jeLm79J
+iEPIzRUMz25YGfPSBNHs5IyyNjCWGTtFDEXfDq82WAJMu4SYPiylgjQ4SQNaIKWX
+sfrPjS7IZsTv0quMTzvNiCVz3JUR5I/IbgzMlLOGaZ3vVSYSI2w+NoWbUffXn+m1
+bZYy1Mh1ehAukwkQ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem.certspec
new file mode 100644
index 0000000000..f6525449b4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-bad-ku-no-eku
+extension:basicConstraints:cA,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem
new file mode 100644
index 0000000000..6710e14319
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+zCCAeOgAwIBAgIUT+4cv6NAFN70fnPV/T4jEnMVDLYwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowIDEeMBwGA1UEAwwVaW50LWJhZC1rdS1zZXJ2ZXItZWt1MIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK
+tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N
+Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr
+sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs
+l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl
+nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozww
+OjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB+jAdBgNVHSUEFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAB5ipw/UJs2yK/v6oQHpMkoD
+Q7uoZkgNnOO5Sr5tZoc9OxKSkMluYVOFWFGDTfM24ENSqAT73OmaRbKITV1nR59g
+W3oc/6bHPD4smjOQTK6ShVNBz3l4vSOvW2i/reui/v/vrKf9nZmwaV2JBJVkJBtu
+IJ2VOPSlkA+22X4YaLi74VjgLNlkROjEB28GV0Xsd42h3zFfAmDtWAI1xNUMMKQS
+wRm139Zy8d1UiZ6LchdUC0Ekktolen8eYRvaSlpOigJFBLjiaphJcfATKomyfvc3
+IpktKPHjS8d1MlQEumH8Wn15wfG2QzA5Eri8IXGX25dm9+OTNBLpdzCgn/0wT5k=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem.certspec
new file mode 100644
index 0000000000..2d324508d4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-bad-ku-server-eku
+extension:basicConstraints:cA,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:serverAuth,clientAuth
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem
new file mode 100644
index 0000000000..7b677573a7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5DCCAcygAwIBAgIUHUteHerAK5l63j3cnwe85sn7MHIwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowKzEpMCcGA1UEAwwgaW50LWNBLUZBTFNFLWFzc2VydHMta2V5Q2VydFNp
+Z24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI
+BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa
+p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB
+7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C
+kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv
+aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK
+Ne2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgH+MA0GCSqGSIb3DQEB
+CwUAA4IBAQAp6oogLBAKI9JqnYGFFMTLRZ/v08fWlx8WXyrEMse10gpPluVYw9+Z
+U0LpbLbiiUwrsF1Tt7OMNVRsjCQAnWfXKKvG+ekkUslrLHz0heWlHG0QU9VUqI6q
+oumlE84qeEOrNFjyOscBnw/mqyAsCKyhNPNQIcqfotpDJnnZoPe8BTvn91vckaz6
+YtysMgQO58kNJN/ACFjjbg2cvSxB4qXkP1nDTZbtRVvVi7iqKLxKaJJI/orAvX4s
+wjkW8XzD9oJBy8xV4Za28xHf/Y5flIT7uIn+0idyqCmQ9YMF29ymj7oTZPnVHVXx
++qr0nbnmjj0mLGAfOgsAdUojRpWJchjX
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem.certspec
new file mode 100644
index 0000000000..39785d8a48
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-cA-FALSE-asserts-keyCertSign
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem
new file mode 100644
index 0000000000..f6c42b54ff
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4jCCAcqgAwIBAgIUf4VnRPe9twPlf+DNyCIgMod7xZ0wDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRaW50LWxpbWl0ZWQtZGVwdGgwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowJDEiMCAGA1UEAwwZaW50LWxpbWl0ZWQtZGVw
+dGgtaW52YWxpZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF
+AAOCAQEAtE9Ejr5Lh+bKpA8ymVLC5uefOx2qgjNPNCICA2ohGuubKIWjiwYa9gpf
+a02v15qTnnlgnldbOiKaoL8jK2GofpAaOWGtnQrjvMtjLz2OoSBaXTXybrOJhdlN
+Vzk5dXsiIWmDGzsmM5H7i/TYm1MfbQK9n+ZBJ6wLq61WoMAKECQCoR+YJaWXyx3z
+AUXRyN/IRWMIE6kCihZpU4/Cr8k+iLHDZ4ZTGUXmyJTzFSHkVLlgiHVeVfAmHPYy
+3Vqjda16ObX7+xA4avruSKnwdpn8+1faHsPFDZri0x7uytM0UNTRIH5tyPWq5pee
+odI/mhuYAlXOlJ0FEsfdSKA4z5A2lg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem.certspec
new file mode 100644
index 0000000000..9fdb2a248a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-limited-depth
+subject:int-limited-depth-invalid
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem
new file mode 100644
index 0000000000..db6ac489a4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAgIUE/WlBd0Of+fhvk5dxXZtLiWD4bYwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowHDEaMBgGA1UEAwwRaW50LWxpbWl0ZWQtZGVwdGgwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEzARMA8G
+A1UdEwQIMAYBAf8CAQAwDQYJKoZIhvcNAQELBQADggEBADwCYAuFWn/72BC3mor7
+YWcirS4nWpVyGfixmVv6E53EBfXn02Ed9yxuEPIN68cXgIlIfKyUk9gEuiTZZEuI
+oFLOnC5vc1UnWGReX7CpzLMGP6FyYvsnP0AXpQ4BjQ42vkuQh8rgSAUAnmDZf0at
+eJEyu/uqJFheWpLJqwYAfyMSyxf3nEz3itLbbTm+apj7wFyddWDoxoHJi6UX2CuJ
+bevVoBHUiKaqRN8tsE0Ffaz1CvAJcSDn2XhAXGPCo0rT5GES///umEa32fvxNhOZ
+Ia2JyjIfzGG9n57mraimiyGep0CiigwEX393G/Im2q2h86mvIedRPCl6zSi9f3td
+FYE=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem.certspec
new file mode 100644
index 0000000000..64f54b0441
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:int-limited-depth
+extension:basicConstraints:cA,0
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem
new file mode 100644
index 0000000000..b283219ac2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICuTCCAaGgAwIBAgIUcaLqCVjHQF9LBa2AxD4jgbGxJrgwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowHDEaMBgGA1UEAwwRaW50LW5vLWV4dGVuc2lvbnMwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZI
+hvcNAQELBQADggEBAKO52Cuun7/lbVm57hiFGhkFAITYz3tnIPfI5LHk0iax1K+x
+w/X3AoElGtU+/7wgUYzecNmLAs5MsHfxuzdjJ1NccZL/+X7Pfqqzgc0qhK/2l3ou
+NOutsawlnqEw0HWL2th71IcCZvD7SxeL635BzHvJckbpvmMLv6IU/4YgHwmvRTOA
+wYrzmBabL7kexVIss28bPX3Lg1uNWmqan+ZxBMXrN97eUUMm/rVetJlTJi1yPtie
+htsx4T8nVzeXyc8krQJ3r7xYAnCbEIH4Gr1DQ74HMy1wEqGxYOK9qso7Tm0mfwbs
+VRuE0QPnaqe19GC95YXYXen95ISOISnkV/iMp/o=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem.certspec
new file mode 100644
index 0000000000..c99626bd5a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca
+subject:int-no-extensions
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem
new file mode 100644
index 0000000000..8045f66c50
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyjCCAbKgAwIBAgIUXVploRsp/hZMzGClfcQ4dRVNaOwwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowGzEZMBcGA1UEAwwQaW50LW5vLWt1LW5vLWVrdTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX
+bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ
+OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9
+uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb
+t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO
+NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMQMA4wDAYD
+VR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAhzPm8mP8EoZmB2TLj1oRwtwg
+aah2AD+zb+2Y/whKrs5y5YNriOajAt7zxXPIxlNe2T++ZRUiwPlmJZyDhKaTxjfE
+rWXgtm4fru3Pc972k8UxYkZdqOj5tnsFHJ7C/O9kwvkPUTvIcIJxVvtTLIypAaLs
+DRq/CTvtGZ2XUUqSsvzrMcl1npaq2JjhAOURBo4QftJlTcAfm5tNZc4Mu9B9QnZA
+7PyK4Ewv8CB66ZT6nRCnz7Bz2dhODqaVi7a92Gww1yCZTuTr7LkQY12V0bqyEBTc
+3uAgInlxZ3sCTCI2NlFrqWalF+v3bdZIYIzooSAYOVHcN7zVYXIUbte2Z3MHYQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem.certspec
new file mode 100644
index 0000000000..306a218db9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:int-no-ku-no-eku
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem
new file mode 100644
index 0000000000..dc4271d321
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7TCCAdWgAwIBAgIUVdlklAPEUQebV/LWoHRUcE1itMAwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowHzEdMBsGA1UEAwwUaW50LW5vLWt1LXNlcnZlci1la3UwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjLzAt
+MAwGA1UdEwQFMAMBAf8wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0G
+CSqGSIb3DQEBCwUAA4IBAQBo59TtYXo38fhbrYRtxnjeZeWUe6DFTlEf4zNHUFXz
+dsHmslSp938LiAR0fTRB0PbWWquZz70vGbhRC8hl5lJgf+/R6yGAjLxBpcRlQu2t
+MRvQjS7YDVGYafD5Mt7mUqkzw/Hb1fWAgOfUfSulv9c7gu7WUpSiuFlaHE8lOPR2
+aedPEcq1kza2Fc8xY3OidpJHtZq2jInQSnunu2hOkCRPXIvMvvbTio576QcfTPv4
+b/FNY7IqTC+DEh1VCkb5P9XFtHNGvZ2uYDuL3w1ekZFBL7Aq8hB+6UEb7WCIO6A/
+7vW9Ts+On4nZI11JCk3vRtn9dZYmJoJrJtHSzFaEkyVZ
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem.certspec
new file mode 100644
index 0000000000..1482b627c7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-no-ku-server-eku
+extension:basicConstraints:cA,
+extension:extKeyUsage:serverAuth,clientAuth
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem
new file mode 100644
index 0000000000..e6efeaa28a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwzCCAaugAwIBAgIUWa2mJPi/2cEfrq8RFVw70uO0JJ4wDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowFzEVMBMGA1UEAwwMaW50LW5vdC1hLWNhMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNVHRME
+AjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBuRuMaGSuSHD9Vuvm4Ln4QkXaqWtiUSfvO
+d4LHv8NzZ8QTVaWZH5Q91yC/0EV82TmGP+YqCJ9e/ILqYCnNdUHfZ1+z1Jd/pwkL
+Ir0uLdCePRee9CPBHPuz6hzHsgyQavYWsrAujBgetYC5De1tFPTl0YgFKtrhxLM6
+H6425T9eFvhZ+B5Jz9/iUB0NjbgpaG0qq32tUUZP/aJkosWqmweq1h9HcDXEamxs
+y4azUVMtW2t6Hbtmn8lAFHz6iCzrbjVqXY/ZqHtrtnGFvcM044/VqjgU9jMlookh
+cSyWqk62xQcpMSuZy955OTEpMnlXXkW4tjUxztAahlJhZP+tal5y
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem.certspec
new file mode 100644
index 0000000000..3161680b1c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem.certspec
@@ -0,0 +1,3 @@
+issuer:ca
+subject:int-not-a-ca
+extension:basicConstraints:,
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem
new file mode 100644
index 0000000000..fdfcbd8ccb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC2jCCAcKgAwIBAgIUBQhZeXfh8VRjz67JI9aGUjCi9/swDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowHjEcMBoGA1UEAwwTaW50LXZhbGlkLWt1LW5vLWVrdTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs
+9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8
+HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak
+kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet
+lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r
+kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBsw
+DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQELBQADggEBAEUa
+bjiSJtmAjz24jMQzwT9FDIKfYpuPjyff4TGhHh1+mKz4AtELFZE3IfS+TXaTwWHq
+Rmi5SmFusKP8MK85CRKkX47SB3kdvXe4JVXp2QmQ0LwCyLP50sdpzn+gs32lHJHm
+BXqe/fAfqvyAzjBwmkT6uPW6DFKcbrilBeQfX/D2B8LZ/8b74sWiGeBakocUzfNa
+El3nyhWuAsw5nNImZYWW4/pOJecT23WTda3EJ1+J9CEDlW/F6VBdk+9Eckis33rW
+BzoAc+gPS5eisilZsnDxEIVdpWif4IAON6Fh2bhHlrsMKR+gLqJ5g8NQrWkFO/0D
+veptxxVD08aLSmFiIBk=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem.certspec
new file mode 100644
index 0000000000..d7f9b0387a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int-valid-ku-no-eku
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem
new file mode 100644
index 0000000000..db3a11431e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/TCCAeWgAwIBAgIUM0xZKEt3/nPLSqS+U75xn0zoKhwwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowIjEgMB4GA1UEAwwXaW50LXZhbGlkLWt1LXNlcnZlci1la3UwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
+PDA6MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgIEMB0GA1UdJQQWMBQGCCsGAQUF
+BwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAMLbdKU+1y7AV2h9hiMZw
+vCxzBNcPr11o83mCP4eBrO9NQ+TZ/IDLWqWmfog80CA+VrKoEApsVce+1T/PZQ/S
+nNYxawlBDkHD2lcKn929H2G53xhD+U6j69ZesfPiE83sR48fuzOUdpEDpQdR8yol
+9UAVckFK00/6RQwF2YiyyHZDj37ft4mxkV2Y2l0oowgIRm1C5ZUU7BQUxTGbg6K8
+3Is575EyHAfMmeSMDTjWUDn0vT4saa77oG9tbwIhoauku2gwiX+ZIX0hvmaLyzed
+R12GeOm2qgDKi99S4CTibgo4puF+AgiQYmeNwtHha+5XmGKCf6k8IIF5FQy9QNmj
+sg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem.certspec
new file mode 100644
index 0000000000..84314bfa40
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-valid-ku-server-eku
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign
+extension:extKeyUsage:serverAuth,clientAuth
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads.js b/security/manager/ssl/tests/unit/test_intermediate_preloads.js
new file mode 100644
index 0000000000..f1568e0a47
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads.js
@@ -0,0 +1,528 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+const { RemoteSecuritySettings } = ChromeUtils.importESModule(
+  "resource://gre/modules/psm/RemoteSecuritySettings.sys.mjs"
+);
+const { TestUtils } = ChromeUtils.importESModule(
+  "resource://testing-common/TestUtils.sys.mjs"
+);
+const { IntermediatePreloadsClient } = RemoteSecuritySettings.init();
+
+let server;
+
+const INTERMEDIATES_DL_PER_POLL_PREF =
+  "security.remote_settings.intermediates.downloads_per_poll";
+const INTERMEDIATES_ENABLED_PREF =
+  "security.remote_settings.intermediates.enabled";
+
+function getHashCommon(aStr, useBase64) {
+  let hasher = Cc["@mozilla.org/security/hash;1"].createInstance(
+    Ci.nsICryptoHash
+  );
+  hasher.init(Ci.nsICryptoHash.SHA256);
+  let stringStream = Cc["@mozilla.org/io/string-input-stream;1"].createInstance(
+    Ci.nsIStringInputStream
+  );
+  stringStream.data = aStr;
+  hasher.updateFromStream(stringStream, -1);
+
+  return hasher.finish(useBase64);
+}
+
+// Get a hexified SHA-256 hash of the given string.
+function getHash(aStr) {
+  return hexify(getHashCommon(aStr, false));
+}
+
+function getSubjectBytes(certDERString) {
+  let bytes = stringToArray(certDERString);
+  let cert = new X509.Certificate();
+  cert.parse(bytes);
+  return arrayToString(cert.tbsCertificate.subject._der._bytes);
+}
+
+function getSPKIBytes(certDERString) {
+  let bytes = stringToArray(certDERString);
+  let cert = new X509.Certificate();
+  cert.parse(bytes);
+  return arrayToString(cert.tbsCertificate.subjectPublicKeyInfo._der._bytes);
+}
+
+/**
+ * Simulate a Remote Settings synchronization by filling up the
+ * local data with fake records.
+ *
+ * @param {*} filenames List of pem files for which we will create
+ *                      records.
+ * @param {*} options Options for records to generate.
+ */
+async function syncAndDownload(filenames, options = {}) {
+  const {
+    hashFunc = getHash,
+    lengthFunc = arr => arr.length,
+    clear = true,
+  } = options;
+
+  const localDB = await IntermediatePreloadsClient.client.db;
+  if (clear) {
+    await localDB.clear();
+  }
+
+  let count = 1;
+  for (const filename of filenames) {
+    const file = do_get_file(`test_intermediate_preloads/${filename}`);
+    const certBytes = readFile(file);
+    const certDERBytes = atob(pemToBase64(certBytes));
+
+    const record = {
+      details: {
+        who: "",
+        why: "",
+        name: "",
+        created: "",
+      },
+      derHash: getHashCommon(certDERBytes, true),
+      subject: "",
+      subjectDN: btoa(getSubjectBytes(certDERBytes)),
+      attachment: {
+        hash: hashFunc(certBytes),
+        size: lengthFunc(certBytes),
+        filename: `intermediate certificate #${count}.pem`,
+        location: `security-state-workspace/intermediates/${filename}`,
+        mimetype: "application/x-pem-file",
+      },
+      whitelist: false,
+      pubKeyHash: getHashCommon(getSPKIBytes(certDERBytes), true),
+      crlite_enrolled: true,
+    };
+
+    await localDB.create(record);
+    count++;
+  }
+  // This promise will wait for the end of downloading.
+  const updatedPromise = TestUtils.topicObserved(
+    "remote-security-settings:intermediates-updated"
+  );
+  // Simulate polling for changes, trigger the download of attachments.
+  Services.obs.notifyObservers(null, "remote-settings:changes-poll-end");
+  const results = await updatedPromise;
+  return results[1]; // topicObserved gives back a 2-array
+}
+
+/**
+ * Return the list of records whose attachment was downloaded.
+ */
+async function locallyDownloaded() {
+  return IntermediatePreloadsClient.client.get({
+    filters: { cert_import_complete: true },
+    syncIfEmpty: false,
+  });
+}
+
+add_task(async function test_preload_empty() {
+  Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+
+  let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+
+  // load the first root and end entity, ignore the initial intermediate
+  addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,");
+
+  let ee_cert = constructCertFromFile(
+    "test_intermediate_preloads/default-ee.pem"
+  );
+  notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+  equal(
+    await syncAndDownload([]),
+    "success",
+    "Preloading update should have run"
+  );
+
+  equal(
+    (await locallyDownloaded()).length,
+    0,
+    "There should have been no downloads"
+  );
+
+  // check that ee cert 1 is unknown
+  await checkCertErrorGeneric(
+    certDB,
+    ee_cert,
+    SEC_ERROR_UNKNOWN_ISSUER,
+    certificateUsageSSLServer
+  );
+});
+
+add_task(async function test_preload_disabled() {
+  Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, false);
+
+  equal(
+    await syncAndDownload(["int.pem"]),
+    "disabled",
+    "Preloading update should not have run"
+  );
+
+  equal(
+    (await locallyDownloaded()).length,
+    0,
+    "There should have been no downloads"
+  );
+});
+
+add_task(async function test_preload_invalid_hash() {
+  Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+  const invalidHash =
+    "6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d";
+
+  const result = await syncAndDownload(["int.pem"], {
+    hashFunc: () => invalidHash,
+  });
+  equal(result, "success", "Preloading update should have run");
+
+  equal(
+    (await locallyDownloaded()).length,
+    0,
+    "There should be no local entry"
+  );
+
+  let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+
+  // load the first root and end entity, ignore the initial intermediate
+  addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,");
+
+  let ee_cert = constructCertFromFile(
+    "test_intermediate_preloads/default-ee.pem"
+  );
+  notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+  // We should still have a missing intermediate.
+  await checkCertErrorGeneric(
+    certDB,
+    ee_cert,
+    SEC_ERROR_UNKNOWN_ISSUER,
+    certificateUsageSSLServer
+  );
+});
+
+add_task(async function test_preload_invalid_length() {
+  Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+
+  const result = await syncAndDownload(["int.pem"], {
+    lengthFunc: () => 42,
+  });
+  equal(result, "success", "Preloading update should have run");
+
+  equal(
+    (await locallyDownloaded()).length,
+    0,
+    "There should be no local entry"
+  );
+
+  let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+
+  // load the first root and end entity, ignore the initial intermediate
+  addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,");
+
+  let ee_cert = constructCertFromFile(
+    "test_intermediate_preloads/default-ee.pem"
+  );
+  notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+  // We should still have a missing intermediate.
+  await checkCertErrorGeneric(
+    certDB,
+    ee_cert,
+    SEC_ERROR_UNKNOWN_ISSUER,
+    certificateUsageSSLServer
+  );
+});
+
+add_task(async function test_preload_basic() {
+  Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+  Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100);
+
+  let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+
+  // load the first root and end entity, ignore the initial intermediate
+  addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,");
+
+  let ee_cert = constructCertFromFile(
+    "test_intermediate_preloads/default-ee.pem"
+  );
+  notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+  // load the second end entity, ignore both intermediate and root
+  let ee_cert_2 = constructCertFromFile("test_intermediate_preloads/ee2.pem");
+  notEqual(ee_cert_2, null, "EE cert 2 should have successfully loaded");
+
+  // check that the missing intermediate causes an unknown issuer error, as
+  // expected, in both cases
+  await checkCertErrorGeneric(
+    certDB,
+    ee_cert,
+    SEC_ERROR_UNKNOWN_ISSUER,
+    certificateUsageSSLServer
+  );
+  await checkCertErrorGeneric(
+    certDB,
+    ee_cert_2,
+    SEC_ERROR_UNKNOWN_ISSUER,
+    certificateUsageSSLServer
+  );
+
+  let intermediateBytes = readFile(
+    do_get_file("test_intermediate_preloads/int.pem")
+  );
+  let intermediateDERBytes = atob(pemToBase64(intermediateBytes));
+  let intermediateCert = new X509.Certificate();
+  intermediateCert.parse(stringToArray(intermediateDERBytes));
+
+  const result = await syncAndDownload(["int.pem", "int2.pem"]);
+  equal(result, "success", "Preloading update should have run");
+
+  equal(
+    (await locallyDownloaded()).length,
+    2,
+    "There should have been 2 downloads"
+  );
+
+  // check that ee cert 1 verifies now the update has happened and there is
+  // an intermediate
+
+  // First verify by connecting to a server that uses that end-entity
+  // certificate but doesn't send the intermediate.
+  await asyncStartTLSTestServer(
+    "BadCertAndPinningServer",
+    "test_intermediate_preloads"
+  );
+  // This ensures the test server doesn't include the intermediate in the
+  // handshake.
+  let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+  certDir.append("test_intermediate_preloads");
+  Assert.ok(certDir.exists(), "test_intermediate_preloads should exist");
+  let args = ["-D", "-n", "int"];
+  // If the certdb is cached from a previous run, the intermediate will have
+  // already been deleted, so this may "fail".
+  run_certutil_on_directory(certDir.path, args, false);
+  let certsCachedPromise = TestUtils.topicObserved(
+    "psm:intermediate-certs-cached"
+  );
+  await asyncConnectTo("ee.example.com", PRErrorCodeSuccess);
+  let subjectAndData = await certsCachedPromise;
+  Assert.equal(subjectAndData.length, 2, "expecting [subject, data]");
+  // Since the intermediate is preloaded, we don't save it to the profile's
+  // certdb.
+  Assert.equal(subjectAndData[1], "0", `expecting "0" certs imported`);
+
+  await checkCertErrorGeneric(
+    certDB,
+    ee_cert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer
+  );
+
+  let localDB = await IntermediatePreloadsClient.client.db;
+  let data = await localDB.list();
+  ok(!!data.length, "should have some entries");
+  // simulate a sync (syncAndDownload doesn't actually... sync.)
+  await IntermediatePreloadsClient.client.emit("sync", {
+    data: {
+      current: data,
+      created: data,
+      deleted: [],
+      updated: [],
+    },
+  });
+
+  // check that ee cert 2 does not verify - since we don't know the issuer of
+  // this certificate
+  await checkCertErrorGeneric(
+    certDB,
+    ee_cert_2,
+    SEC_ERROR_UNKNOWN_ISSUER,
+    certificateUsageSSLServer
+  );
+});
+
+add_task(async function test_preload_200() {
+  Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+  Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100);
+
+  const files = [];
+  for (let i = 0; i < 200; i++) {
+    files.push(["int.pem", "int2.pem"][i % 2]);
+  }
+
+  let result = await syncAndDownload(files);
+  equal(result, "success", "Preloading update should have run");
+
+  equal(
+    (await locallyDownloaded()).length,
+    100,
+    "There should have been only 100 downloaded"
+  );
+
+  // Re-run
+  result = await syncAndDownload([], { clear: false });
+  equal(result, "success", "Preloading update should have run");
+
+  equal(
+    (await locallyDownloaded()).length,
+    200,
+    "There should have been 200 downloaded"
+  );
+});
+
+add_task(async function test_delete() {
+  Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+  Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100);
+
+  let syncResult = await syncAndDownload(["int.pem", "int2.pem"]);
+  equal(syncResult, "success", "Preloading update should have run");
+
+  equal(
+    (await locallyDownloaded()).length,
+    2,
+    "There should have been 2 downloads"
+  );
+
+  let localDB = await IntermediatePreloadsClient.client.db;
+  let data = await localDB.list();
+  ok(!!data.length, "should have some entries");
+  let subject = data[0].subjectDN;
+  let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+    Ci.nsICertStorage
+  );
+  let resultsBefore = certStorage.findCertsBySubject(
+    stringToArray(atob(subject))
+  );
+  equal(
+    resultsBefore.length,
+    1,
+    "should find the intermediate in cert storage before"
+  );
+  // simulate a sync where we deleted the entry
+  await IntermediatePreloadsClient.client.emit("sync", {
+    data: {
+      current: [],
+      created: [],
+      deleted: [data[0]],
+      updated: [],
+    },
+  });
+  let resultsAfter = certStorage.findCertsBySubject(
+    stringToArray(atob(subject))
+  );
+  equal(
+    resultsAfter.length,
+    0,
+    "shouldn't find intermediate in cert storage now"
+  );
+});
+
+function findCertByCommonName(certDB, commonName) {
+  for (let cert of certDB.getCerts()) {
+    if (cert.commonName == commonName) {
+      return cert;
+    }
+  }
+  return null;
+}
+
+add_task(async function test_healer() {
+  Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+  Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100);
+
+  let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  // Add an intermediate as if it had previously been cached.
+  addCertFromFile(certDB, "test_intermediate_preloads/int.pem", ",,");
+  // Add an intermediate with non-default trust settings as if it had been added by the user.
+  addCertFromFile(certDB, "test_intermediate_preloads/int2.pem", "CTu,,");
+
+  let syncResult = await syncAndDownload(["int.pem", "int2.pem"]);
+  equal(syncResult, "success", "Preloading update should have run");
+
+  equal(
+    (await locallyDownloaded()).length,
+    2,
+    "There should have been 2 downloads"
+  );
+
+  let healerRanPromise = TestUtils.topicObserved(
+    "psm:intermediate-preloading-healer-ran"
+  );
+  Services.prefs.setIntPref(
+    "security.intermediate_preloading_healer.timer_interval_ms",
+    500
+  );
+  Services.prefs.setBoolPref(
+    "security.intermediate_preloading_healer.enabled",
+    true
+  );
+  await healerRanPromise;
+  Services.prefs.setBoolPref(
+    "security.intermediate_preloading_healer.enabled",
+    false
+  );
+
+  let intermediate = findCertByCommonName(
+    certDB,
+    "intermediate-preloading-intermediate"
+  );
+  equal(intermediate, null, "should not find intermediate in NSS");
+  let intermediate2 = findCertByCommonName(
+    certDB,
+    "intermediate-preloading-intermediate2"
+  );
+  notEqual(intermediate2, null, "should find second intermediate in NSS");
+});
+
+function run_test() {
+  server = new HttpServer();
+  server.start(-1);
+  registerCleanupFunction(() => server.stop(() => {}));
+
+  server.registerDirectory(
+    "/cdn/security-state-workspace/intermediates/",
+    do_get_file("test_intermediate_preloads")
+  );
+
+  server.registerPathHandler("/v1/", (request, response) => {
+    response.write(
+      JSON.stringify({
+        capabilities: {
+          attachments: {
+            base_url: `http://localhost:${server.identity.primaryPort}/cdn/`,
+          },
+        },
+      })
+    );
+    response.setHeader("Content-Type", "application/json; charset=UTF-8");
+    response.setStatusLine(null, 200, "OK");
+  });
+
+  Services.prefs.setCharPref(
+    "services.settings.server",
+    `http://localhost:${server.identity.primaryPort}/v1`
+  );
+
+  Services.prefs.setCharPref("browser.policies.loglevel", "debug");
+
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem
new file mode 100644
index 0000000000..680b068f34
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+TCCAeGgAwIBAgIUN/Y56TvJcL2liqk2Feh/QfKrlLwwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctY2EwIhgPMjAx
+MDAxMDEwMDAwMDBaGA8yMDUwMDEwMTAwMDAwMFowJTEjMCEGA1UEAwwaaW50ZXJt
+ZWRpYXRlLXByZWxvYWRpbmctY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
+VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBSPwr2BfSHT3saxwx6YGEautZx
+w/sdM9AJAubFLqDd3MYHtzCZcQXaeDGbAzvo8m/PKA4Yt+UYbKyDnRR8sLA4f/iu
+z1zHeenlzBWpRVHu/++ZSk/ESwn0zLprIsOcXjaYkbfrqcEGNWvLJzpT4T36Gr9t
+DvxHnpsaMsJviZS3WHzTSoioWkcRyF78bYa51ZJWYJHFKZQppqhJ+jcoJhiomRlc
+WwhI8NAU3dOOFJuEg/z+vQpcEQi0rRW9J6X/15BUZRQlF5Hs2wilGa8ViNX2+B5I
+kjbmNrdT5hcnGEfR7JpHFuihFdxQc4CFY87u1chI8yaHLhhriUP6Jq0+J5ur
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem.certspec
new file mode 100644
index 0000000000..4ccabc25b3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:intermediate-preloading-ca
+subject:intermediate-preloading-ca
+validity:20100101-20500101
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem
new file mode 100644
index 0000000000..4a69166215
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDDCCAfSgAwIBAgIUcx7CbjSZKlPaTqjk1pXt0w+fswUwDQYJKoZIhvcNAQEL
+BQAwLzEtMCsGA1UEAwwkaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctaW50ZXJtZWRp
+YXRlMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMBkxFzAVBgNV
+BAMMDmVlLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu
+Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO
+7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf
+qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt
+HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx
+uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozIwMDATBgNVHSUEDDAKBggrBgEFBQcD
+ATAZBgNVHREEEjAQgg5lZS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
+gNr8S/J6CJLQu56YUxksBCLxvcrJw82G9X7rdZ0sXZ4CCHTQjQZbnuc+rJTuGPJX
+36f0m3EPkNa1UepfTtZWe364ATju/F2TUg0XWEm634NI4F8Hy7jXBsYaTVN6yBoK
+cvRSdvko3BbcKXMQfq5zbdRvs1VtSC9cPPyrZYdQxpMar4+JhN1sPx7C3g0hn84C
+VnVpgZlrh+CnSwUiq7I3Q44el2j453GEbKCbXDMxooSq+gD3rMTPsOCsk4GmeH3R
+ILMtaJ/zFd6C7lSkGQPSLNarTqcIudXACWWbzEqZ8uS4GoyaEIYiUf00YMquS4Cu
+xTG8+QNSp9tIoUw48chxjw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem.certspec
new file mode 100644
index 0000000000..e9decb76dc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:intermediate-preloading-intermediate
+subject:ee.example.com
+extension:extKeyUsage:serverAuth
+extension:subjectAlternativeName:ee.example.com
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem
new file mode 100644
index 0000000000..a1394d56db
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAc+gAwIBAgIUI6lFTWQgzUkUf/0bE/nqjn1SLNYwDQYJKoZIhvcNAQEL
+BQAwMDEuMCwGA1UEAwwlaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctaW50ZXJtZWRp
+YXRlMjAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAOMQwwCgYD
+VQQDDANlZTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W
+1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtq
+ZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx
+0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthV
+t2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo
+4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx
+1QOs2hgKNe2NAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3
+DQEBCwUAA4IBAQBDTPaqjguUw5J5Jh7p0NdZK6A2XxBRxUcrQqvT3FsnO5sauXHU
+2y7BJNDilPs+A8edIPLezio6aCijg2uZpIKc0Le0L/AeyWYoObiuQ+Lcs9NkhQMm
+3Jqnjw8lbKLO4ojOHEgJqW7VWDCyTCsLDFkZBSC0cAxr79mRdrvPF89Q27xHrBo2
+UgwKuffODwmgNJCznpvkYvvrZQ2WxO8JZk9eAy/mSn6vlyD41nqI8CYQhGKwdxLT
+Xwip+uag1KQup6dgD3cNSRTBDeBL2z9m9HziPNlOTY9SyFxt32YxO1DOaSHy7kCi
+o82rGqU5p8VbGlS2RvzQvMEhptxt+GKLC/6c
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem.certspec
new file mode 100644
index 0000000000..089ac63831
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem.certspec
@@ -0,0 +1,3 @@
+issuer:intermediate-preloading-intermediate2
+subject:ee2
+extension:extKeyUsage:serverAuth
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem
new file mode 100644
index 0000000000..480a18002a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAzCCAeugAwIBAgIUIRWUrRSEgMYUudCmgeB863e4mK4wDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctY2EwIhgPMjAy
+MTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowLzEtMCsGA1UEAwwkaW50ZXJt
+ZWRpYXRlLXByZWxvYWRpbmctaW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAuEbrWJmimyJJ
+XQr4efjCRdNUaZ9b/7MihnpISIPvVQFrQ1XmDEG+9zy1IDaNNZ14s8NCEl0S12mI
+vWxKtU91UAJttFH8idip6s2kC9Mfxw8wTbgsGcUnJhszS6emJ8TnEPMaovFwet2m
+bjwjzvPoFohsupHz+FXMxHgaErzxIh08y6DzU+N9DctKcZkNGg5TTwfzYrcJo3MV
+Xx1uxLHTRMdQHfve2g53kKzAJIThls7NdHoD8DcK54lns05tO7CD2vdtNXMc1M8q
+DnofGLcaGBtPbB8RbwCSQme7G5ICvbxNDC3i6/LAjvKSAsUL2gCExFjaN7UK/qN+
+PklUW8438Q==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem.certspec
new file mode 100644
index 0000000000..5863b3131f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:intermediate-preloading-ca
+subject:intermediate-preloading-intermediate
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem
new file mode 100644
index 0000000000..2e2791ac00
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBTCCAe2gAwIBAgIUEyGPTx1+eoN9OVa+vKQz//tVlfYwDQYJKoZIhvcNAQEL
+BQAwJjEkMCIGA1UEAwwbaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctY2EyMCIYDzIw
+MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMDAxLjAsBgNVBAMMJWludGVy
+bWVkaWF0ZS1wcmVsb2FkaW5nLWludGVybWVkaWF0ZTIwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk
+e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg
+KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI
+YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi
+lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL
+HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1Ud
+EwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAeX4/JsyHg
+0g8S+om/H4zuEgGntF1nqpcAFejMJfl7DJe8ukzTzlQF/IcDQEtv264xjMWaVssn
+kV/va8vVkYIJqc/FIrkuxrFLNFGNOrV6KL14sR0+TlJ/FEOyig+Yt5+RPC2HZZBS
+4n5VUxxK/U52dM6jonbFOcqZXpPAJDYcfg2MThkg/oupcXW7v00EUOL6QEdAMlzY
+wZk5PEIgQckDVr4hwygdmpmAYfD98ru0gqNp5KYdR5uqskQlfHjrIuUNEUpehPGX
+KF9Fqo8Gu1G0dmI4poOxGarKum8nd+b/Cjo1rgQYTBwWMhFzS4zVK4CfgzgUCjNb
+ykTwaGJf7EwV
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem.certspec
new file mode 100644
index 0000000000..27e9a008df
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem.certspec
@@ -0,0 +1,4 @@
+issuer:intermediate-preloading-ca2
+subject:intermediate-preloading-intermediate2
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_keysize.js b/security/manager/ssl/tests/unit/test_keysize.js
new file mode 100644
index 0000000000..0fa880f8f1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize.js
@@ -0,0 +1,204 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Checks that RSA certs with key sizes below 1024 bits are rejected.
+// Checks that ECC certs using curves other than the NIST P-256, P-384 or P-521
+// curves are rejected.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+/**
+ * Tests a cert chain.
+ *
+ * @param {string} rootKeyType
+ *        The key type of the root certificate, or the name of an elliptic
+ *        curve, as output by the 'openssl ecparam -list_curves' command.
+ * @param {number} rootKeySize
+ * @param {string} intKeyType
+ * @param {number} intKeySize
+ * @param {string} eeKeyType
+ * @param {number} eeKeySize
+ * @param {PRErrorCode} eeExpectedError
+ * @returns {Promise} a promise that will resolve when the verification has
+ *                   completed
+ */
+function checkChain(
+  rootKeyType,
+  rootKeySize,
+  intKeyType,
+  intKeySize,
+  eeKeyType,
+  eeKeySize,
+  eeExpectedError
+) {
+  let rootName = "root_" + rootKeyType + "_" + rootKeySize;
+  let intName = "int_" + intKeyType + "_" + intKeySize;
+  let eeName = "ee_" + eeKeyType + "_" + eeKeySize;
+
+  let intFullName = intName + "-" + rootName;
+  let eeFullName = eeName + "-" + intName + "-" + rootName;
+
+  addCertFromFile(certdb, `test_keysize/${rootName}.pem`, "CTu,CTu,CTu");
+  addCertFromFile(certdb, `test_keysize/${intFullName}.pem`, ",,");
+  let eeCert = constructCertFromFile(`test_keysize/${eeFullName}.pem`);
+
+  info("cert o=" + eeCert.organization);
+  info("cert issuer o=" + eeCert.issuerOrganization);
+  return checkCertErrorGeneric(
+    certdb,
+    eeCert,
+    eeExpectedError,
+    certificateUsageSSLServer
+  );
+}
+
+/**
+ * Tests various RSA chains.
+ *
+ * @param {number} inadequateKeySize
+ * @param {number} adequateKeySize
+ */
+async function checkRSAChains(inadequateKeySize, adequateKeySize) {
+  // Chain with certs that have adequate sizes for DV
+  await checkChain(
+    "rsa",
+    adequateKeySize,
+    "rsa",
+    adequateKeySize,
+    "rsa",
+    adequateKeySize,
+    PRErrorCodeSuccess
+  );
+
+  // Chain with a root cert that has an inadequate size for DV
+  await checkChain(
+    "rsa",
+    inadequateKeySize,
+    "rsa",
+    adequateKeySize,
+    "rsa",
+    adequateKeySize,
+    MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
+  );
+
+  // Chain with an intermediate cert that has an inadequate size for DV
+  await checkChain(
+    "rsa",
+    adequateKeySize,
+    "rsa",
+    inadequateKeySize,
+    "rsa",
+    adequateKeySize,
+    MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
+  );
+
+  // Chain with an end entity cert that has an inadequate size for DV
+  await checkChain(
+    "rsa",
+    adequateKeySize,
+    "rsa",
+    adequateKeySize,
+    "rsa",
+    inadequateKeySize,
+    MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
+  );
+}
+
+async function checkECCChains() {
+  await checkChain(
+    "secp256r1",
+    256,
+    "secp384r1",
+    384,
+    "secp521r1",
+    521,
+    PRErrorCodeSuccess
+  );
+  await checkChain(
+    "secp256r1",
+    256,
+    "secp224r1",
+    224,
+    "secp256r1",
+    256,
+    SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
+  );
+  await checkChain(
+    "secp256r1",
+    256,
+    "secp256r1",
+    256,
+    "secp224r1",
+    224,
+    SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
+  );
+  await checkChain(
+    "secp224r1",
+    224,
+    "secp256r1",
+    256,
+    "secp256r1",
+    256,
+    SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
+  );
+  await checkChain(
+    "secp256r1",
+    256,
+    "secp256r1",
+    256,
+    "secp256k1",
+    256,
+    SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
+  );
+  await checkChain(
+    "secp256k1",
+    256,
+    "secp256r1",
+    256,
+    "secp256r1",
+    256,
+    SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
+  );
+}
+
+async function checkCombinationChains() {
+  await checkChain(
+    "rsa",
+    2048,
+    "secp256r1",
+    256,
+    "secp384r1",
+    384,
+    PRErrorCodeSuccess
+  );
+  await checkChain(
+    "rsa",
+    2048,
+    "secp256r1",
+    256,
+    "secp224r1",
+    224,
+    SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
+  );
+  await checkChain(
+    "secp256r1",
+    256,
+    "rsa",
+    1016,
+    "secp256r1",
+    256,
+    MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
+  );
+}
+
+add_task(async function () {
+  await checkRSAChains(1016, 1024);
+  await checkECCChains();
+  await checkCombinationChains();
+});
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem
new file mode 100644
index 0000000000..1514e2afe0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB4DCCAUmgAwIBAgIUVwxpwbAz8P34bpOsh6+QbP2ojSAwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwIhgPMjAy
+MTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowMTEvMC0GA1UEAwwmZWVfcnNh
+XzEwMTYtaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwgZ4wDQYJKoZIhvcNAQEB
+BQADgYwAMIGIAoGAANKbsS+4T93NKbOlGctmxDuNj4vlRbp5OEzmY+0D33WZFgDr
+kgeQ0lMM7OVE25mnHwWJaj7SBxZVNKqZBX5HxH47yBrab6HhLjcmi1BGpVJo+drX
+zLSF2BouGdUNTwtoVKyvbXvmnZoIMTbhWvqPU8HIyE/GB3J53Q5V1zaaW90CAwEA
+ATANBgkqhkiG9w0BAQsFAAOBgQAJBfYK3k9MPwwgr5XUjo2GDsMyWL/rrF6qud/Q
+vRhdgfPZYWXZ70dHdZEH3iEOub4z049/Jpvz4CkW+mxV1JTwzJn/t/t/UNWlhovX
+rrRAUTid2ePG2AnceiuGRNj6DLMyIriMURnVj1imscyamATg2t6bIHEzsvmUheaA
+3fDiMw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem.certspec
new file mode 100644
index 0000000000..7b86ef7861
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int_rsa_1024-root_rsa_1024
+subject:ee_rsa_1016-int_rsa_1024-root_rsa_1024
+issuerKey:rsa1024
+subjectKey:rsa1016
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem
new file mode 100644
index 0000000000..42daa0757b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB4DCCAUqgAwIBAgIUfx3llLPabDFECt89htHl5RT/8dgwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDE2LXJvb3RfcnNhXzEwMjQwIhgPMjAy
+MTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowMTEvMC0GA1UEAwwmZWVfcnNh
+XzEwMjQtaW50X3JzYV8xMDE2LXJvb3RfcnNhXzEwMjQwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBANOpdEAQHrqMXflQPm+TXrUv/rPr6dDcXKzib5c8qUy8DZwx
+1mwMATvOnILQ1IAyjfBftrzXmQpTEt2uYVKtbuYcjBvdhmPGi9NiJKmIKueOifVW
+39vm9R2mESy/wnyKSTNrQa/bdTIbUrJKc0TRNI5kY1GlUcdXHM2guP419hp1AgMB
+AAEwDQYJKoZIhvcNAQELBQADgYAAu75m62DkOU7ZXkCVpF1Qu6IZ3Kxpw+JCKDmm
+jDyrtW7VyVadDnpcXeXsfoWgpWICGNgS/nYHPW/Sb8VmIdSkYZz0WZ4LrnJR+ReM
+WYnShnhMnfVDZ+2ei5gFrNMlGy9VESyZpHMtK069v4y2Krj28CAQ5PLtK56MrlcW
+KuGqsQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem.certspec
new file mode 100644
index 0000000000..326d665dcc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int_rsa_1016-root_rsa_1024
+subject:ee_rsa_1024-int_rsa_1016-root_rsa_1024
+issuerKey:rsa1016
+subjectKey:rsa1024
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem
new file mode 100644
index 0000000000..5e3c2b7616
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICRjCCAa+gAwIBAgIUbSYmFjBHNggSogoGtlUuasRUNUMwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMTYwIhgPMjAy
+MTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowEjEQMA4GA1UEAwwHcnNhMTAy
+NDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG
+NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn
+RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu
+p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ
+Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p
+47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1
+7Y0CAwEAATANBgkqhkiG9w0BAQsFAAOBgQBPmmqHLLrGqankJL7agjYMNnN4zUnH
+i03p3WOQHfI58xRjBev0xoLBIf7pD/N4+RyB2zGyhfUBN7DAcFxwr3n4If4Z1bo3
+KLjDe4vQx/cxU1iUod7VDB/FoDrKGG9otpUakgBURLmi/2sdfg5VyedmzfINJYso
+Fx7U2rKFpkBTzA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem.certspec
new file mode 100644
index 0000000000..c44a089ed6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int_rsa_1024-root_rsa_1016
+subject:ee_rsa_1024-int_rsa_1024-root_rsa_1016
+issuerKey:rsa1024
+subject:rsa1024
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem
new file mode 100644
index 0000000000..2f05523a61
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB4TCCAUqgAwIBAgIUf88bfQzu3egYcqR2nozsNhooSEEwDQYJKoZIhvcNAQEL
+BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwIhgPMjAy
+MTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowMTEvMC0GA1UEAwwmZWVfcnNh
+XzEwMjQtaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBANOpdEAQHrqMXflQPm+TXrUv/rPr6dDcXKzib5c8qUy8DZwx
+1mwMATvOnILQ1IAyjfBftrzXmQpTEt2uYVKtbuYcjBvdhmPGi9NiJKmIKueOifVW
+39vm9R2mESy/wnyKSTNrQa/bdTIbUrJKc0TRNI5kY1GlUcdXHM2guP419hp1AgMB
+AAEwDQYJKoZIhvcNAQELBQADgYEAl0O2IIX5cI8wtLbjxrwrIxPq04WSzUHA0/MM
+UKTvB544MDje/rjg88UKuQ/JbPWYCrK/8kKpriQKFSwx9y8aL32j2jD6u/QkPdE2
+ow/P2ycHJlgdrROCrWiByfaXullQRR2e7dxWgHXINcIeokdDeOlh6rORQWySaSdm
+kYpjObw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem.certspec
new file mode 100644
index 0000000000..a6ee408ec9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int_rsa_1024-root_rsa_1024
+subject:ee_rsa_1024-int_rsa_1024-root_rsa_1024
+issuerKey:rsa1024
+subjectKey:rsa1024
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem
new file mode 100644
index 0000000000..f3a5ab79b4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBXDCCAQOgAwIBAgIUXYvHjg0MUxqF2X6hrh/dJbT805AwCgYIKoZIzj0EAwIw
+KjEoMCYGA1UEAwwfaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9yc2FfMjA0ODAiGA8y
+MDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjA7MTkwNwYDVQQDDDBlZV9z
+ZWNwMjI0cjFfMjI0LWludF9zZWNwMjU2cjFfMjU2LXJvb3RfcnNhXzIwNDgwTTAQ
+BgcqhkjOPQIBBgUrgQQAIQM5AARmjXLMpv1qGzVXtTZhBNhECOy2N/COjIa7/4LM
+6I8AZtevY8Mpi6N3NIoSArA7N/1rH/QVqjEeMAoGCCqGSM49BAMCA0cAMEQCIFx1
+UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDmAiB0nTf5BbTdtJmD7a1JRbHC
+tQ5dVzRgseqLk/nFu2/0cg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem.certspec
new file mode 100644
index 0000000000..87d2f67339
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp256r1_256-root_rsa_2048
+subject:ee_secp224r1_224-int_secp256r1_256-root_rsa_2048
+issuerKey:secp256r1
+subjectKey:secp224r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem
new file mode 100644
index 0000000000..c0894db548
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBZzCCAQ2gAwIBAgIUb5c9bUbBr5F+ODFobDbjzKYl6ZwwCgYIKoZIzj0EAwIw
+LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2cjFfMjU2
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEAxPjA8BgNVBAMM
+NWVlX3NlY3AyMjRyMV8yMjQtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2
+cjFfMjU2ME0wEAYHKoZIzj0CAQYFK4EEACEDOQAEZo1yzKb9ahs1V7U2YQTYRAjs
+tjfwjoyGu/+CzOiPAGbXr2PDKYujdzSKEgKwOzf9ax/0FaoxHjAKBggqhkjOPQQD
+AgNIADBFAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctCgApw5gIhALwxNSek
+yl4Ve2/JszqMa7k+C2Q4tuZChCZYvNqQp99f
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..1aadce0765
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp256r1_256-root_secp256r1_256
+subject:ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:secp224r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem
new file mode 100644
index 0000000000..4ca0497642
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbzCCARagAwIBAgIUa1MOcQgjz0GXbvb/nNSJWQo7Y9MwCgYIKoZIzj0EAwIw
+LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2cjFfMjU2
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEAxPjA8BgNVBAMM
+NWVlX3NlY3AyNTZrMV8yNTYtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2
+cjFfMjU2MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAENe58conY/veoav5dpm2Lwuu2
+qFQ/0v6tCJ9FznrND6ZDgqlQDEHa13D/1LURv0tJLrEjiADDLE92xzo/MpTnxTAK
+BggqhkjOPQQDAgNHADBEAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctCgApw
+5gIgdRmR9h7EWLJiw/HOA4VI/+aCQTQ74ywcJc6m1v8bxcc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..ba999e8f14
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp256r1_256-root_secp256r1_256
+subject:ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:secp256k1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem
new file mode 100644
index 0000000000..f9b3563ce6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBqDCCARKgAwIBAgIUQXmjIgDMGJMlxFe7ZCL7DCwTTOwwDQYJKoZIhvcNAQEL
+BQAwKjEoMCYGA1UEAwwfaW50X3JzYV8xMDE2LXJvb3Rfc2VjcDI1NnIxXzI1NjAi
+GA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjA7MTkwNwYDVQQDDDBl
+ZV9zZWNwMjU2cjFfMjU2LWludF9yc2FfMTAxNi1yb290X3NlY3AyNTZyMV8yNTYw
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARPv7u7YeD4+bGmClmshwTi7AULQj48
+9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbAMA0GCSqG
+SIb3DQEBCwUAA4GAAHF+Lr1T0H2jrjkcXLUsXkVPjNZjy1NRRr6WJyjhF6FKnetP
+SAMZx1oTY9Sql2mgfWJqJA7vx7t8074hsyjbPt4SHozNdoRw8UhDTIhYZf+pH5pf
+u7D/l0d3zwTm2rHy4PBBJRnJYPES9Gdh5XnQWX08zsPU50Y6NGQm/WS2b1Q=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..1e2e0a3759
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int_rsa_1016-root_secp256r1_256
+subject:ee_secp256r1_256-int_rsa_1016-root_secp256r1_256
+issuerKey:rsa1016
+subjectKey:secp256r1
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem
new file mode 100644
index 0000000000..4403f731cc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBazCCARmgAwIBAgIUJ2KRkxVMwamWLnZIQF6ghanSUzIwCgYIKoZIzj0EAwIw
+LzEtMCsGA1UEAwwkaW50X3NlY3AyMjRyMV8yMjQtcm9vdF9zZWNwMjU2cjFfMjU2
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEAxPjA8BgNVBAMM
+NWVlX3NlY3AyNTZyMV8yNTYtaW50X3NlY3AyMjRyMV8yMjQtcm9vdF9zZWNwMjU2
+cjFfMjU2MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+PmxpgpZrIcE
+4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0HowTqoEqm
+wDAKBggqhkjOPQQDAgNAADA9Ah0Amjxv8EbbcPJV9S/WmFIc1y28BSBjT5W2S7JS
+VAIcT8yypPbHzh/icArRyNdIkahxBc/+5tX8YsY/OA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..bd7bc770c7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp224r1_224-root_secp256r1_256
+subject:ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256
+issuerKey:secp224r1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem
new file mode 100644
index 0000000000..6ee2ed1f2f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBcjCCARmgAwIBAgIUDQfZ3zvs9qJa/PtD+Zsr5myOCYYwCgYIKoZIzj0EAwIw
+LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjI0cjFfMjI0
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEAxPjA8BgNVBAMM
+NWVlX3NlY3AyNTZyMV8yNTYtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjI0
+cjFfMjI0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+PmxpgpZrIcE
+4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0HowTqoEqm
+wDAKBggqhkjOPQQDAgNHADBEAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctC
+gApw5gIgJDWD1/nBx/6dIMlHHa07N2IDyTwYFzltWBXmgrigTjQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem.certspec
new file mode 100644
index 0000000000..fe7b7f7482
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp256r1_256-root_secp224r1_224
+subject:ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224
+issuerKey:secp256r1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem
new file mode 100644
index 0000000000..e273ce5525
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBczCCARmgAwIBAgIUATe62fX5Ze+WwA3r3INkBmZ2No0wCgYIKoZIzj0EAwIw
+LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2azFfMjU2
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEAxPjA8BgNVBAMM
+NWVlX3NlY3AyNTZyMV8yNTYtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2
+azFfMjU2MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+PmxpgpZrIcE
+4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0HowTqoEqm
+wDAKBggqhkjOPQQDAgNIADBFAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctC
+gApw5gIhAKOvAfyNhAtngfvVMxAw2Ql34vGZccVGQDS59AWW93RV
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem.certspec
new file mode 100644
index 0000000000..aefffd9810
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp256r1_256-root_secp256k1_256
+subject:ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256
+issuerKey:secp256r1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem
new file mode 100644
index 0000000000..0e44de8e33
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBhTCCASygAwIBAgIUWfAaaiXGBAuskGffwQ+qApfqSwowCgYIKoZIzj0EAwIw
+KjEoMCYGA1UEAwwfaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9yc2FfMjA0ODAiGA8y
+MDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjA7MTkwNwYDVQQDDDBlZV9z
+ZWNwMzg0cjFfMzg0LWludF9zZWNwMjU2cjFfMjU2LXJvb3RfcnNhXzIwNDgwdjAQ
+BgcqhkjOPQIBBgUrgQQAIgNiAAShaHJDNitcexiJ83kVRhWhxz+0je6GPgIpFdtg
+jiUt5LcTLajOmOgxU05qnAwLCcjWOa3oMgbluoE0c6EfozDgXajJbkOD/ieHPalx
+A74oiM/wAvBa9xof3cyDdKpuqc4wCgYIKoZIzj0EAwIDRwAwRAIgXHVRnxMRUM1d
+it4go7wGMJH/snN1XzFk7P3LQoAKcOYCIDpgUEiNKL+ntNWMucP0wHDNTDIxEg4v
+Bjem251RNI7f
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem.certspec
new file mode 100644
index 0000000000..615818d08b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp256r1_256-root_rsa_2048
+subject:ee_secp384r1_384-int_secp256r1_256-root_rsa_2048
+issuerKey:secp256r1
+subjectKey:secp384r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem
new file mode 100644
index 0000000000..6d7ec9003f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1zCCAVygAwIBAgIUOd3+Ig6xQ1VYRGT/6xjAv5tiQnEwCgYIKoZIzj0EAwIw
+LzEtMCsGA1UEAwwkaW50X3NlY3AzODRyMV8zODQtcm9vdF9zZWNwMjU2cjFfMjU2
+MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEAxPjA8BgNVBAMM
+NWVlX3NlY3A1MjFyMV81MjEtaW50X3NlY3AzODRyMV8zODQtcm9vdF9zZWNwMjU2
+cjFfMjU2MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBTNycrMR5QQlrycxmdS7C
+f1l3NPpmxit5L4jFGdbTfw0W6hxIOhgnoBC5Eo46CAcMoz719Xg1t8G6JR9sw1Id
+xCsBBlNFGYG0RdND7tN4KjXWz/D/SE9aiD0gnxuQQrcmcDVosvMm4YuDO92KoHND
+krzRlQHhDWmKefU+EeCiK90qrZAwCgYIKoZIzj0EAwIDaQAwZgIxAO0GJz6haDpU
+tNgaQ3SESJY85j6+gRcD7Nc9cvCiVAZZ1OxFRuhW515lVbeTqfcA8wIxAOzP94f9
+No4Fk3LsupP5uGkSyi5QDAQ0o8uGQV9AzwOZ+qWIbTU5dtSscvjhskLAXQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..b2ae9d0c8f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem.certspec
@@ -0,0 +1,5 @@
+issuer:int_secp384r1_384-root_secp256r1_256
+subject:ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256
+issuerKey:secp384r1
+subjectKey:secp521r1
+signature:ecdsaWithSHA256
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem
new file mode 100644
index 0000000000..b8374730a6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5jCCAU+gAwIBAgIUEUvOHnMPiL7M+vsW3nuLxaEea2kwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAyNDAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAlMSMwIQYDVQQDDBppbnRfcnNhXzEwMTYtcm9vdF9y
+c2FfMTAyNDCBnjANBgkqhkiG9w0BAQEFAAOBjAAwgYgCgYAA0puxL7hP3c0ps6UZ
+y2bEO42Pi+VFunk4TOZj7QPfdZkWAOuSB5DSUwzs5UTbmacfBYlqPtIHFlU0qpkF
+fkfEfjvIGtpvoeEuNyaLUEalUmj52tfMtIXYGi4Z1Q1PC2hUrK9te+admggxNuFa
++o9TwcjIT8YHcnndDlXXNppb3QIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1Ud
+DwQEAwIBBjANBgkqhkiG9w0BAQsFAAOBgQCoCuy8BladR/PAVrgOOf4Ph9dFe2MV
+Yq6EKOWVU/PuYqZRssLh2CQX3v0vhfDzurD/zgj4+UEzJmm5B3knMFcBedPwW+0k
+5KGSdI5Q+gROdkwNx5bGqfnWd+RApjnI8Ykf/HhfO7yFJNzxxr4NANGvt3+M+0rh
+WlaGiJ8uWV02gg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem.certspec
new file mode 100644
index 0000000000..c6e77116b7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem.certspec
@@ -0,0 +1,6 @@
+issuer:root_rsa_1024
+subject:int_rsa_1016-root_rsa_1024
+issuerKey:rsa1024
+subjectKey:rsa1016
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem
new file mode 100644
index 0000000000..7358d4358b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBsDCCAVagAwIBAgIUW50MunLFoD4GAqoirchzeiePUZcwCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMCoxKDAmBgNVBAMMH2ludF9yc2FfMTAxNi1yb290
+X3NlY3AyNTZyMV8yNTYwgZ4wDQYJKoZIhvcNAQEBBQADgYwAMIGIAoGAANKbsS+4
+T93NKbOlGctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJaj7S
+BxZVNKqZBX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyvbXvm
+nZoIMTbhWvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAaMdMBswDAYDVR0TBAUwAwEB
+/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDSAAwRQIgXHVRnxMRUM1dit4go7wG
+MJH/snN1XzFk7P3LQoAKcOYCIQD5W4T/b85G2u0prFnlPiVMZ0Wjw0rvAFjBUcDV
+Y8l0kQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..27728ca374
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256r1_256
+subject:int_rsa_1016-root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:rsa1016
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem
new file mode 100644
index 0000000000..7228823bd3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5jCCAVCgAwIBAgIUY2vK8QUP90UMoUqSZytNypfMOnwwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAxNjAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAlMSMwIQYDVQQDDBppbnRfcnNhXzEwMjQtcm9vdF9y
+c2FfMTAxNjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA06l0QBAeuoxd+VA+
+b5NetS/+s+vp0NxcrOJvlzypTLwNnDHWbAwBO86cgtDUgDKN8F+2vNeZClMS3a5h
+Uq1u5hyMG92GY8aL02IkqYgq546J9Vbf2+b1HaYRLL/CfIpJM2tBr9t1MhtSskpz
+RNE0jmRjUaVRx1cczaC4/jX2GnUCAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNV
+HQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYAAINNXc+CjW72JwEYkt+uf23lsrKPb
+FujBh35bnHAJJ1UurBdOrr6D1tujWdF+jiixRUeBxfhvn6o6k5UQmNvq8cs7YoJs
+ZQNb6+VK849E09vhtE6/xo2GQI8Muyh/8+D9ujGlgWRWQsJmKuUTca02yLfD+Lcx
+MHypk9mRS3CDPw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem.certspec
new file mode 100644
index 0000000000..fafb393bf9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem.certspec
@@ -0,0 +1,6 @@
+issuer:root_rsa_1016
+subject:int_rsa_1024-root_rsa_1016
+issuerKey:rsa1016
+subjectKey:rsa1024
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem
new file mode 100644
index 0000000000..a0dc860b28
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5zCCAVCgAwIBAgIUQQZXnXSEQFy9H8+KvR29mhZL8CkwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAyNDAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAlMSMwIQYDVQQDDBppbnRfcnNhXzEwMjQtcm9vdF9y
+c2FfMTAyNDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA06l0QBAeuoxd+VA+
+b5NetS/+s+vp0NxcrOJvlzypTLwNnDHWbAwBO86cgtDUgDKN8F+2vNeZClMS3a5h
+Uq1u5hyMG92GY8aL02IkqYgq546J9Vbf2+b1HaYRLL/CfIpJM2tBr9t1MhtSskpz
+RNE0jmRjUaVRx1cczaC4/jX2GnUCAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNV
+HQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAqL9M3IKj2oB7xmb5/kj/ljVzawt0
+rlcBTewr4diSiuuJtzR4FGhe7+Sdd8bt9iyOXfdTANOs4hwwuykMtLmNNQ6FT209
+XDzv9NP95kBu/Jc+cF12gYulgbBkFkx9D4zd7W5TTVjyr75Xs+wISSOFGNssNwBn
+jOwDWk2JGPCL+sw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem.certspec
new file mode 100644
index 0000000000..66891f9793
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem.certspec
@@ -0,0 +1,6 @@
+issuer:root_rsa_1024
+subject:int_rsa_1024-root_rsa_1024
+issuerKey:rsa1024
+subjectKey:rsa1024
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem
new file mode 100644
index 0000000000..2f7ca90151
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBYjCCAQmgAwIBAgIUa0XXUQa7LlU9/NCMU/UvW1p5/r8wCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjI0cjFfMjI0
+LXJvb3Rfc2VjcDI1NnIxXzI1NjBNMBAGByqGSM49AgEGBSuBBAAhAzkABGaNcsym
+/WobNVe1NmEE2EQI7LY38I6Mhrv/gszojwBm169jwymLo3c0ihICsDs3/Wsf9BWq
+MR6jHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMCA0cA
+MEQCIFx1UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDmAiB6OW49o/Plw34E
+llpmo3clMwUoC5zINELSPN3uKMElUw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..89d77d3b89
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256r1_256
+subject:int_secp224r1_224-root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:secp224r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem
new file mode 100644
index 0000000000..91bba98392
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICJjCCAQ6gAwIBAgIULfRIJwqhrTgphLCOMhBD3HMzZoIwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMjA0ODAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAqMSgwJgYDVQQDDB9pbnRfc2VjcDI1NnIxXzI1Ni1y
+b290X3JzYV8yMDQ4MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+Pmx
+pgpZrIcE4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0H
+owTqoEqmwKMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcN
+AQELBQADggEBALnX/gmXf0oTbESNYaBQ3w0fo/GMNfXFQJJicnstxFt510GGQnM6
+k+mCmtWB3e3w5LMClRz1irAVWEhp+xqaH9a0T7LkmziVv3Iz3YzqDOUkMVFIrWWr
+jPX3O/HUV52UF/YNE3pbDD0w72Zbe6BFS0NzXgdBDZiBM9/GAE9Bepsg5pKGcjea
+PpHcWIbxOJvzLAKrQdjHjoaYWTukL21kspsBw7dIaYgMo69f/JhY8suakh4Y45g9
+uD2S6A4lw2E+ITOi0V+EQU//OUFgynIt7kfB8kVyKTflHw2UpVCwu1XICGvPxDZU
+7OKLAp/2Y18qqGbmVGEf9nZ4zojcCdtAsAU=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem.certspec
new file mode 100644
index 0000000000..44a65ef5a7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem.certspec
@@ -0,0 +1,5 @@
+issuer:root_rsa_2048
+subject:int_secp256r1_256-root_rsa_2048
+subjectKey:secp256r1
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem
new file mode 100644
index 0000000000..14178a22d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBZzCCARWgAwIBAgIUS9UDyDRw6jcSIVOE3Jd/25HnZKUwCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjI0cjFfMjI0MCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjU2cjFfMjU2
+LXJvb3Rfc2VjcDIyNHIxXzIyNDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/
+u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGT
+kNeZG3stB6ME6qBKpsCjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG
+CCqGSM49BAMCA0AAMD0CHQCaPG/wRttw8lX1L9aYUhzXLbwFIGNPlbZLslJUAhwR
+QjtGEs8T4jEfvTzExNDStQ07IOzgazIlFtfw
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem.certspec
new file mode 100644
index 0000000000..66ebc1b93e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp224r1_224
+subject:int_secp256r1_256-root_secp224r1_224
+issuerKey:secp224r1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem
new file mode 100644
index 0000000000..d8ee88f643
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbjCCARWgAwIBAgIUbfWsobapssVY8KJM2yCX2ixKnPswCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2azFfMjU2MCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjU2cjFfMjU2
+LXJvb3Rfc2VjcDI1NmsxXzI1NjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/
+u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGT
+kNeZG3stB6ME6qBKpsCjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG
+CCqGSM49BAMCA0cAMEQCIFuwodUwyOUnIR4KN5ZCSrU7y4iz4/1EWRdHm5kWKi8d
+AiAPwQROIzfXlMFBuhspsRKzB5bfRlK3JAQUSCN5CsmfEw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem.certspec
new file mode 100644
index 0000000000..c7e190ab0b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256k1_256
+subject:int_secp256r1_256-root_secp256k1_256
+issuerKey:secp256k1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem
new file mode 100644
index 0000000000..6eca3f2b9b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbjCCARWgAwIBAgIUa0D2PJJTJo9PXI+vG9zQ1xsBn/owCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjU2cjFfMjU2
+LXJvb3Rfc2VjcDI1NnIxXzI1NjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/
+u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGT
+kNeZG3stB6ME6qBKpsCjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG
+CCqGSM49BAMCA0cAMEQCIFx1UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDm
+AiA4ISAfKF73X9PGnyvy/moXFGmSVwofC5A9v2X5+huJHQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..6854d21876
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256r1_256
+subject:int_secp256r1_256-root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem
new file mode 100644
index 0000000000..a30df8f600
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBizCCATKgAwIBAgIUE3rMvYbUkYGloXh1cHBH2bCZyBcwCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMzg0cjFfMzg0
+LXJvb3Rfc2VjcDI1NnIxXzI1NjB2MBAGByqGSM49AgEGBSuBBAAiA2IABKFockM2
+K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMtqM6Y6DFTTmqcDAsJyNY5regy
+BuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC8Fr3Gh/dzIN0qm6pzqMdMBsw
+DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDRwAwRAIgXHVR
+nxMRUM1dit4go7wGMJH/snN1XzFk7P3LQoAKcOYCIEwCzXhoYODip/jtMmkCe36I
+IIHXI7fafiAbVaadub6I
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..de8e851981
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256r1_256
+subject:int_secp384r1_384-root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:secp384r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem
new file mode 100644
index 0000000000..4d1522bb8b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2DCCAUKgAwIBAgIUfXnvTK9B9FK+1IelCwSO1Mf5UTwwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAxNjAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAYMRYwFAYDVQQDDA1yb290X3JzYV8xMDE2MIGeMA0G
+CSqGSIb3DQEBAQUAA4GMADCBiAKBgADSm7EvuE/dzSmzpRnLZsQ7jY+L5UW6eThM
+5mPtA991mRYA65IHkNJTDOzlRNuZpx8FiWo+0gcWVTSqmQV+R8R+O8ga2m+h4S43
+JotQRqVSaPna18y0hdgaLhnVDU8LaFSsr2175p2aCDE24Vr6j1PByMhPxgdyed0O
+Vdc2mlvdAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG
+SIb3DQEBCwUAA4GAAD8C2t9CPWsOkjh/CLrrCa+4TXvZ08h8W/8IhqdQAfCv7dti
+9bEvHqR9zQOFDeahFe7z5PkQcy4muoEYycBEod7MmacIDz8Mp3tZ3z2dHlaGxYIN
+zAhQa8PShkltJw9+whOhPyLFVd4sExO6GSJU616wDCO0XSsk82Akrp3b22E=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem.certspec
new file mode 100644
index 0000000000..b0b5ba8e5e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem.certspec
@@ -0,0 +1,6 @@
+issuer:root_rsa_1016
+subject:root_rsa_1016
+issuerKey:rsa1016
+subjectKey:rsa1016
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem
new file mode 100644
index 0000000000..de4451ce56
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2jCCAUOgAwIBAgIUMVucrt/selpf3q8amlrvDqneZmEwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAyNDAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAYMRYwFAYDVQQDDA1yb290X3JzYV8xMDI0MIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTqXRAEB66jF35UD5vk161L/6z6+nQ3Fys
+4m+XPKlMvA2cMdZsDAE7zpyC0NSAMo3wX7a815kKUxLdrmFSrW7mHIwb3YZjxovT
+YiSpiCrnjon1Vt/b5vUdphEsv8J8ikkza0Gv23UyG1KySnNE0TSOZGNRpVHHVxzN
+oLj+NfYadQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq
+hkiG9w0BAQsFAAOBgQAmXbjjKelajwlEDMtahrBCsERFd6+ROiGkWPd2f7DrcbM0
+4XTeBJMOk0JUHRNelafp7s+B/Na/gA6tF7DwbBff6CroFMA08AtT6CaGGshyym4e
+v1gLXMZRAw7Ql0vHwp5+62umXMYQZRsxc7+evlm4BQKsIkVG20R9P39/f2DErg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem.certspec
new file mode 100644
index 0000000000..09cd420f70
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem.certspec
@@ -0,0 +1,6 @@
+issuer:root_rsa_1024
+subject:root_rsa_1024
+issuerKey:rsa1024
+subjectKey:rsa1024
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem
new file mode 100644
index 0000000000..76c11d0c5d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIUHc/POtVpyiofkS90PJVYOJh6zpcwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMjA0ODAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAYMRYwFAYDVQQDDA1yb290X3JzYV8yMDQ4MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC
+AQEAk5wQl5Buy92gRlkSDZ2zDu4l4vELd6YC+ObqOe6ixuUf4Y7rGMWiHtbyrhh1
+4IXAD8ZAhZQhdrhl6YX9QsLwIMSowkzhnDLgO7vBJrIw1PsQlyonMFk+A09sbFvk
+iLo6gAo+8Vb83DrkJWp9uoIqSIhJTTRFz4MbWh82oNqpQZeARFZ6TzsJK2cekmL5
+sdIkC5Sh7nnDPQvH4pc+k+AwjAJIyj3ysDelxpvzVoVVhHJCdzVVaN25Kd3pAByL
+nUhQ/r7z2tdg6I/7CijIuRVD8sPKAhrTT8Xo+fIcrqqXnuHEIgNcRpLaR3zgpVRV
+G4p5aG3iXXviN44uwz7abs+l1A==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem.certspec
new file mode 100644
index 0000000000..cebc2f8e6a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem.certspec
@@ -0,0 +1,4 @@
+issuer:root_rsa_2048
+subject:root_rsa_2048
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem
new file mode 100644
index 0000000000..6475f8ef91
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem
@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE-----
+MIIBSDCB96ADAgECAhQHiZOs85zvfLeFMhsh68xncNi5wzAKBggqhkjOPQQDAjAd
+MRswGQYDVQQDDBJyb290X3NlY3AyMjRyMV8yMjQwIhgPMjAyMTExMjcwMDAwMDBa
+GA8yMDI0MDIwNTAwMDAwMFowHTEbMBkGA1UEAwwScm9vdF9zZWNwMjI0cjFfMjI0
+ME0wEAYHKoZIzj0CAQYFK4EEACEDOQAEZo1yzKb9ahs1V7U2YQTYRAjstjfwjoyG
+u/+CzOiPAGbXr2PDKYujdzSKEgKwOzf9ax/0FaoxHqMdMBswDAYDVR0TBAUwAwEB
+/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDQAAwPQIdAJo8b/BG23DyVfUv1phS
+HNctvAUgY0+VtkuyUlQCHHjzlIZKE3ktC+mtNDdM57lQZsqdPCUo2IehzBo=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem.certspec
new file mode 100644
index 0000000000..31370f6f73
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp224r1_224
+subject:root_secp224r1_224
+issuerKey:secp224r1
+subjectKey:secp224r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem
new file mode 100644
index 0000000000..a062c78eb2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBWjCCAQCgAwIBAgIUfUU3FkeasPqniKMpSraSUECrlnowCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2azFfMjU2MCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMB0xGzAZBgNVBAMMEnJvb3Rfc2VjcDI1NmsxXzI1
+NjBWMBAGByqGSM49AgEGBSuBBAAKA0IABDXufHKJ2P73qGr+XaZti8LrtqhUP9L+
+rQifRc56zQ+mQ4KpUAxB2tdw/9S1Eb9LSS6xI4gAwyxPdsc6PzKU58WjHTAbMAwG
+A1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMCA0gAMEUCIFuwodUw
+yOUnIR4KN5ZCSrU7y4iz4/1EWRdHm5kWKi8dAiEA75wpo6AToMf20m7rvmTKnlK8
+FGo2xq0TYVCCcCEfkcM=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem.certspec
new file mode 100644
index 0000000000..c78aa61bba
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256k1_256
+subject:root_secp256k1_256
+issuerKey:secp256k1
+subjectKey:secp256k1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem
new file mode 100644
index 0000000000..f0fa1a3298
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBXDCCAQOgAwIBAgIUB5NlTHpszJgjDr4BNFqeBut30O8wCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjExMTI3MDAwMDAw
+WhgPMjAyNDAyMDUwMDAwMDBaMB0xGzAZBgNVBAMMEnJvb3Rfc2VjcDI1NnIxXzI1
+NjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5saYKWayHBOLsBQtC
+Pjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGTkNeZG3stB6ME6qBKpsCjHTAb
+MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMCA0cAMEQCIFx1
+UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDmAiAwSXG3ZAwdTkc4IYrNr7A3
+PwsFyeNA6J5MEWhUHVzgTw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem.certspec
new file mode 100644
index 0000000000..4447fc4b47
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem.certspec
@@ -0,0 +1,7 @@
+issuer:root_secp256r1_256
+subject:root_secp256r1_256
+issuerKey:secp256r1
+subjectKey:secp256r1
+signature:ecdsaWithSHA256
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev.js b/security/manager/ssl/tests/unit/test_keysize_ev.js
new file mode 100644
index 0000000000..8e0edd7851
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev.js
@@ -0,0 +1,169 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Checks that RSA certs with key sizes below 2048 bits when verifying for EV
+// are rejected.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+const SERVER_PORT = 8888;
+
+function getOCSPResponder(expectedCertNames) {
+  let expectedPaths = expectedCertNames.slice();
+  return startOCSPResponder(
+    SERVER_PORT,
+    "www.example.com",
+    "test_keysize_ev/",
+    expectedCertNames,
+    expectedPaths
+  );
+}
+
+function loadCert(certName, trustString) {
+  let certFilename = "test_keysize_ev/" + certName + ".pem";
+  addCertFromFile(certDB, certFilename, trustString);
+  return constructCertFromFile(certFilename);
+}
+
+/**
+ * Asynchronously runs a single EV key size test.
+ *
+ * @param {Array} expectedNamesForOCSP
+ *        An array of nicknames of the certs to be responded to.
+ * @param {string} rootCertFileName
+ *        The file name of the root cert. Can begin with ".." to reference
+ *        certs in folders other than "test_keysize_ev/".
+ * @param {Array} intCertFileNames
+ *        An array of file names of any intermediate certificates.
+ * @param {string} endEntityCertFileName
+ *        The file name of the end entity cert.
+ * @param {boolean} expectedResult
+ *        Whether the chain is expected to validate as EV.
+ */
+async function keySizeTestForEV(
+  expectedNamesForOCSP,
+  rootCertFileName,
+  intCertFileNames,
+  endEntityCertFileName,
+  expectedResult
+) {
+  clearOCSPCache();
+  let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
+
+  loadCert(rootCertFileName, "CTu,CTu,CTu");
+  for (let intCertFileName of intCertFileNames) {
+    loadCert(intCertFileName, ",,");
+  }
+  await checkEVStatus(
+    certDB,
+    constructCertFromFile(`test_keysize_ev/${endEntityCertFileName}.pem`),
+    certificateUsageSSLServer,
+    expectedResult
+  );
+
+  await stopOCSPResponder(ocspResponder);
+}
+
+/**
+ * For debug builds which have the test EV roots compiled in, checks RSA chains
+ * which contain certs with key sizes adequate for EV are validated as such,
+ * while chains that contain any cert with an inadequate key size fail EV and
+ * validate as DV.
+ * For opt builds which don't have the test EV roots compiled in, checks that
+ * none of the chains validate as EV.
+ *
+ * Note: This function assumes that the key size requirements for EV are greater
+ * than the requirements for DV.
+ *
+ * @param {number} inadequateKeySize
+ *        The inadequate key size of the generated certs.
+ * @param {number} adequateKeySize
+ *        The adequate key size of the generated certs.
+ */
+async function checkRSAChains(inadequateKeySize, adequateKeySize) {
+  // Reuse the existing test RSA EV root
+  let rootOKCertFileName = "../test_ev_certs/evroot";
+  let rootOKName = "evroot";
+  let rootNotOKName = "ev_root_rsa_" + inadequateKeySize;
+  let intOKName = "ev_int_rsa_" + adequateKeySize;
+  let intNotOKName = "ev_int_rsa_" + inadequateKeySize;
+  let eeOKName = "ev_ee_rsa_" + adequateKeySize;
+  let eeNotOKName = "ev_ee_rsa_" + inadequateKeySize;
+
+  // Chain with certs that have adequate sizes for EV and DV
+  // In opt builds, this chain is only validated for DV. Hence, an OCSP fetch
+  // will for example not be done for the "ev_int_rsa_2048-evroot" intermediate
+  // in such a build.
+  let intFullName = intOKName + "-" + rootOKName;
+  let eeFullName = eeOKName + "-" + intOKName + "-" + rootOKName;
+  let expectedNamesForOCSP = [eeFullName];
+  await keySizeTestForEV(
+    expectedNamesForOCSP,
+    rootOKCertFileName,
+    [intFullName],
+    eeFullName,
+    gEVExpected
+  );
+
+  // Chain with a root cert that has an inadequate size for EV, but
+  // adequate size for DV
+  intFullName = intOKName + "-" + rootNotOKName;
+  eeFullName = eeOKName + "-" + intOKName + "-" + rootNotOKName;
+  expectedNamesForOCSP = [eeFullName];
+  await keySizeTestForEV(
+    expectedNamesForOCSP,
+    rootNotOKName,
+    [intFullName],
+    eeFullName,
+    false
+  );
+
+  // Chain with an intermediate cert that has an inadequate size for EV, but
+  // adequate size for DV
+  intFullName = intNotOKName + "-" + rootOKName;
+  eeFullName = eeOKName + "-" + intNotOKName + "-" + rootOKName;
+  expectedNamesForOCSP = [eeFullName];
+  await keySizeTestForEV(
+    expectedNamesForOCSP,
+    rootOKCertFileName,
+    [intFullName],
+    eeFullName,
+    false
+  );
+
+  // Chain with an end entity cert that has an inadequate size for EV, but
+  // adequate size for DV
+  intFullName = intOKName + "-" + rootOKName;
+  eeFullName = eeNotOKName + "-" + intOKName + "-" + rootOKName;
+  expectedNamesForOCSP = [eeFullName];
+  await keySizeTestForEV(
+    expectedNamesForOCSP,
+    rootOKCertFileName,
+    [intFullName],
+    eeFullName,
+    false
+  );
+}
+
+add_task(async function () {
+  Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+  let smallKeyEVRoot = constructCertFromFile(
+    "test_keysize_ev/ev_root_rsa_2040.pem"
+  );
+  equal(
+    smallKeyEVRoot.sha256Fingerprint,
+    "40:AB:5D:A5:89:15:A9:4B:82:87:B8:A6:9A:84:B1:DB:" +
+      "7A:9D:DB:B8:4E:E1:23:E3:C6:64:E7:50:DC:35:8C:68",
+    "test sanity check: the small-key EV root must have the same " +
+      "fingerprint as the corresponding entry in ExtendedValidation.cpp"
+  );
+
+  await checkRSAChains(2040, 2048);
+});
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem
new file mode 100644
index 0000000000..394cb6caea
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZzCCAk+gAwIBAgIUVZYfMEsZbV/AnYHYi9fRg/e/buYwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWZXZfaW50X3JzYV8yMDQ4LWV2cm9vdDAiGA8yMDIxMTEy
+NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAwMS4wLAYDVQQDDCVldl9lZV9yc2Ff
+MjA0MC1ldl9pbnRfcnNhXzIwNDgtZXZyb290MIIBITANBgkqhkiG9w0BAQEFAAOC
+AQ4AMIIBCQKCAQAAusBlL9+8AFWIL/uurO7Ij6LQg8KX3V1AZk3T2Q9S+aoCvYpQ
++6FuD9mRh470dfmzUNn44+sqvXF84yewl4hTHxPfjj5OO51ha7ikHlMG7tJHIWMW
+EFEYASdqTrZvBzMbXLyLyucBao+bPU8qxFU8Ykz1JjvLNI6IQN5mEocJYKeSGRsT
+j7IX92XOx7/46U8Ws5QZv3UExZp+T3m9bRc+nHvz2dKk5zzBgLBZCnPVhPt/ybVP
+pURgflP8aFx6Vf1EqB1BQravUepvps6lKWWi6MXYTzygJNb7ubAFuWUc5dny7PQO
+1ASYGp/8AmNuMRsJXGMyoMh9w5JxtVUUgXdLAgMBAAGjgYQwgYEwXgYIKwYBBQUH
+AQEEUjBQME4GCCsGAQUFBzABhkJodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgv
+ZXZfZWVfcnNhXzIwNDAtZXZfaW50X3JzYV8yMDQ4LWV2cm9vdC8wHwYDVR0gBBgw
+FjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQELBQADggEBADEl0bWl
+HI7w8k4AN2yIxDMFCzd4AJBqtqanL5JVkPFl4VCzmmK2okwdGq5TZYvbDRaQK4nQ
+FECjTuxDGY95BVd4brca/JKvaCk8HBXFbh4iv9OZJbr6gm+N2LiV78P8V8nz1RVw
+WfGB9T5TZAhsMBF8nMum9p3bPj5IJXA2IpQswtfAx19so9D7i+vt++F8g2M8MjHC
+FIwH5961OYBUvd1c+CAjE8ekZ/ajQnrEuayPVGacBwWmqJ8Lz6viyXIfPdRIWlvn
+0+rJB20eBXnoSW3k2kp0QwzTxuD/5RwRiTgGphGta0wHtaVCwrkdkWTH1u7R/OxW
+I+X16RQo8Ayto3o=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem.certspec
new file mode 100644
index 0000000000..e64c651bc7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ev_int_rsa_2048-evroot
+subject:ev_ee_rsa_2040-ev_int_rsa_2048-evroot
+subjectKey:rsa2040
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2040-ev_int_rsa_2048-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem
new file mode 100644
index 0000000000..c7b6b0ddab
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZzCCAlCgAwIBAgIUZfXrSpbPemyhfINT4zz1d30Ek2wwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWZXZfaW50X3JzYV8yMDQwLWV2cm9vdDAiGA8yMDIxMTEy
+NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAwMS4wLAYDVQQDDCVldl9lZV9yc2Ff
+MjA0OC1ldl9pbnRfcnNhXzIwNDAtZXZyb290MIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo
+4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD
+SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX
+kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx
+owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/
+Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GEMIGBMF4GCCsGAQUF
+BwEBBFIwUDBOBggrBgEFBQcwAYZCaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4
+L2V2X2VlX3JzYV8yMDQ4LWV2X2ludF9yc2FfMjA0MC1ldnJvb3QvMB8GA1UdIAQY
+MBYwFAYSKwYBBAHrSYUahRqFGgGDdAkBMA0GCSqGSIb3DQEBCwUAA4IBAAA0bpkI
+YZXUPMUehztpOIlqHZyliVXpt5P2KpBG/3lSwkomGszQZT4+mvZqGS7Hy/gIJNnF
+vE0Obol+2LT8WOsJuqlOZz2Q04ckggp+HsgwBZYTAvgSSPVbiXwsAVq9aMHcw9l1
+usGJC8Y3rEsQYdGx01/SBP/jAfq882yOSX/MmE0DElDDygLkpynttd60XBwUNiuM
+RdvE9HmQ1g8teQjXoZiOctgSmYeNGcjx0Tabr96ONhf1ol7tf0lVECweWl32G0PL
+Z9PnXtatiH4wcItb3S4P3jlCjEcaK6iq0PntcarxICyraOkWXvD+cAecptFSEhRh
+TGE7OM/RblZ1waQ=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem.certspec
new file mode 100644
index 0000000000..0b7bfd4269
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ev_int_rsa_2040-evroot
+subject:ev_ee_rsa_2048-ev_int_rsa_2040-evroot
+issuerKey:rsa2040
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2048-ev_int_rsa_2040-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem
new file mode 100644
index 0000000000..6743c1859a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhjCCAm6gAwIBAgIUSwd9p0zHyco2QXDr8tpsJc2ljTwwDQYJKoZIhvcNAQEL
+BQAwKzEpMCcGA1UEAwwgZXZfaW50X3JzYV8yMDQ4LWV2X3Jvb3RfcnNhXzIwNDAw
+IhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowOjE4MDYGA1UEAwwv
+ZXZfZWVfcnNhXzIwNDgtZXZfaW50X3JzYV8yMDQ4LWV2X3Jvb3RfcnNhXzIwNDAw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
+PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
+9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
+4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
+exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
+ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
+AgMBAAGjgY4wgYswaAYIKwYBBQUHAQEEXDBaMFgGCCsGAQUFBzABhkxodHRwOi8v
+d3d3LmV4YW1wbGUuY29tOjg4ODgvZXZfZWVfcnNhXzIwNDgtZXZfaW50X3JzYV8y
+MDQ4LWV2X3Jvb3RfcnNhXzIwNDAvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqF
+GgGDdAkBMA0GCSqGSIb3DQEBCwUAA4IBAQBuSOtnkDe3ob+sBv9AIEUi4Rysxb3N
+Xhg3sAR6RFNP0kZnuROdWloSSfA9+H6f7l1w/LFTVFZhdQG2PqmJJ7vVzZYbgKXQ
+bWFri8W5Moj75f+Q3hpOczTqgBZfKl07gQp15/BfaUxsvmiw0IZBZHpaggYGerC3
+stamAyLWYI4hvQacoVz/2wRLa/NMs2qWElZ8+AjR10cCevvC15HD/U48s5NdLhGZ
+63x9dz7DCWQcrxz+eIS+S1qEeU7N4DTMYR5QRxPWM7s37hAZGASZlDmiL5fs3DRv
+IbynUqPgLPELvM+BvZN6edALZxGC2ngcqxVVmg/j8nl5Xcjqvq0cO1VH
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec
new file mode 100644
index 0000000000..a36acf887d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ev_int_rsa_2048-ev_root_rsa_2040
+subject:ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem
new file mode 100644
index 0000000000..753a39f0e7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIUWW7gg8Czo9BnB6ui50M3Xu6ivEcwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWZXZfaW50X3JzYV8yMDQ4LWV2cm9vdDAiGA8yMDIxMTEy
+NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAwMS4wLAYDVQQDDCVldl9lZV9yc2Ff
+MjA0OC1ldl9pbnRfcnNhXzIwNDgtZXZyb290MIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo
+4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD
+SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX
+kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx
+owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/
+Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GEMIGBMF4GCCsGAQUF
+BwEBBFIwUDBOBggrBgEFBQcwAYZCaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4
+L2V2X2VlX3JzYV8yMDQ4LWV2X2ludF9yc2FfMjA0OC1ldnJvb3QvMB8GA1UdIAQY
+MBYwFAYSKwYBBAHrSYUahRqFGgGDdAkBMA0GCSqGSIb3DQEBCwUAA4IBAQAZ6F/Z
+4Alyl3Mc7/QcrKEbu1BWIWt4e5wvWqAw3evX36OsFrkAD+26FHLgkjyMVxeX6g95
+LAbbQN2K48mIHGLdK8fAnLmNJpBJpetAEfIpcQzKf4BuNsCAB+TVRfAt0yeDDagQ
+va7jy8kzC+UG/OX2KW0SG5Zn6OwJTAIq6LLnGeyeMGqleBVW8HUsQBB4waPFfejJ
+AuPPiIuHh+6lOcSpjLel/xcEnnmMJFjO8zoOW32HuR02iUsrkZqPvIeRm6sVjQEs
+HWd0d+mAtzUWN4YkFqDdBJ71iK0ZZDlx4wPdjhshdDFLg/g0PW6sUEeUak6e3WQ4
+oNA9ie/2y779fkX6
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem.certspec
new file mode 100644
index 0000000000..0b34be6db8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ev_int_rsa_2048-evroot
+subject:ev_ee_rsa_2048-ev_int_rsa_2048-evroot
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2048-ev_int_rsa_2048-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem
new file mode 100644
index 0000000000..cf632da080
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVDCCAjygAwIBAgIUAcFzVqJIY35fm8QGImTLo+kRhoowDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMCExHzAdBgNVBAMMFmV2X2ludF9yc2FfMjA0MC1ldnJvb3QwggEh
+MA0GCSqGSIb3DQEBAQUAA4IBDgAwggEJAoIBAAC6wGUv37wAVYgv+66s7siPotCD
+wpfdXUBmTdPZD1L5qgK9ilD7oW4P2ZGHjvR1+bNQ2fjj6yq9cXzjJ7CXiFMfE9+O
+Pk47nWFruKQeUwbu0kchYxYQURgBJ2pOtm8HMxtcvIvK5wFqj5s9TyrEVTxiTPUm
+O8s0johA3mYShwlgp5IZGxOPshf3Zc7Hv/jpTxazlBm/dQTFmn5Peb1tFz6ce/PZ
+0qTnPMGAsFkKc9WE+3/JtU+lRGB+U/xoXHpV/USoHUFCtq9R6m+mzqUpZaLoxdhP
+PKAk1vu5sAW5ZRzl2fLs9A7UBJgan/wCY24xGwlcYzKgyH3DknG1VRSBd0sCAwEA
+AaOBkDCBjTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBPBggrBgEFBQcBAQRD
+MEEwPwYIKwYBBQUHMAGGM2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9ldl9p
+bnRfcnNhXzIwNDAtZXZyb290LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoB
+g3QJATANBgkqhkiG9w0BAQsFAAOCAQEAXXKAxLkrQ+U2XlsV87bacCpbpSpRsdps
+EGFUEZ1h1Pmlcea7I4tgLhavwnP48zSa3J15dCacXlupHlKspILYbWvkSM3P+64s
+MAo2Nt0av/eQsXZrasMNhLPPkvWXtA7MUB57eQm+2pKyy0hmNaZC2cOWsJw+FqXB
+9Nw2tPpo/rSXr5jkqEMKSUrA/B8dDNjl1QNe0nbr6pS2Ux3Eayuc57xg8envOkn+
+nTm6Wf9oJeE/+0D7Y4whiRJWDv/ANYW5b982sn4BA48jtxYDP1M8UZ/ZzWfMG7tE
+xtYL6EBZbZ9KOmPkPEzzKwM2IdFRexTAzVrid3VHbBYOQOfQBDP4pg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem.certspec
new file mode 100644
index 0000000000..80be711742
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem.certspec
@@ -0,0 +1,8 @@
+issuer:evroot
+subject:ev_int_rsa_2040-evroot
+issuerKey:ev
+subjectKey:rsa2040
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/ev_int_rsa_2040-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key
new file mode 100644
index 0000000000..63b267865f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEtwIBADANBgkqhkiG9w0BAQEFAASCBKEwggSdAgEAAoIBAAC6wGUv37wAVYgv
++66s7siPotCDwpfdXUBmTdPZD1L5qgK9ilD7oW4P2ZGHjvR1+bNQ2fjj6yq9cXzj
+J7CXiFMfE9+OPk47nWFruKQeUwbu0kchYxYQURgBJ2pOtm8HMxtcvIvK5wFqj5s9
+TyrEVTxiTPUmO8s0johA3mYShwlgp5IZGxOPshf3Zc7Hv/jpTxazlBm/dQTFmn5P
+eb1tFz6ce/PZ0qTnPMGAsFkKc9WE+3/JtU+lRGB+U/xoXHpV/USoHUFCtq9R6m+m
+zqUpZaLoxdhPPKAk1vu5sAW5ZRzl2fLs9A7UBJgan/wCY24xGwlcYzKgyH3DknG1
+VRSBd0sCAwEAAQKB/2A9smffl1VcvthrjfNVA0ryjx638+eCnSObzCc6fHppoQvo
+8h8bbEsCxrrjcxwxWLW7/0YF9Xq3t7Kgy6LsAFottbHqbgrO6lvHRdzS0OnWuA1+
+sOorwIEnvONfpQxCzEEYcbpZHiO6ajhISjPv8TR/kH7ppakqIxG7C0NVEAIPeOO7
+AAmdtNEYKSgJZQX8uoTzyhI4/R66XuofORu7zFQksWgGP8F+HKbhkSzLpE+dApIw
+ih/tuAYSUps59Z0KP4GAtbogETIZf5OlgV3tk43459k8mxV2ZYjzObtZEAr9pJSn
+5FLX3UyaGc4uw6M6GLIPC02t4XK+4Z8m8Ny+QQKBgA7Dhpy5LUBsrd96MZqylEi8
+UFoFkTcHhzNh/FuYakmftl7rgVp+N2h9GfEoCHKJ2buIGOe8ylAsSQCtmuzhF5vh
+L/PkZ9YG/IIOqPB6yev/4iNuOBaEEgKIIj5C2+aN/ZcqhaZEflFpXyNNp5EcZ8mr
+lTHzPfO5lDLU7ojJpO+7AoGADKY5NFSehf6sjg9WBDA/0YSf6Ir0t/fhITKDu8ei
+wqUJ+Sc8Qoxo3j25PmFF8bQAvW1KJiYU6QQ602LU66SmuZU5nIk0o5mRIZnoQdjo
+2/8EifaeZjeWcwspgFMLMctwaVohYl6irczAnZMFFvqHIhGpHiLdif2et9qFdLci
+NbECgYANfTp14X9l+KZYpIXECVwQpPZpeeK3O8qc+O8hJT4frKxtR5H1g5LOhlb4
+jxJAzJDCllPjEAxtejjtRLFjsznl87bjiRISbGmzzv8uUZJCbZZJtv/KGrt10rou
+1tmiaqODxZc9ViFv8u25DM+Id0Kg8YOskslM8YdldkXHdy2a1wKBgAP1UBlMEX8k
+vqKFsgkFgDL0KYX/Vazr6IsW35o3UntOYdyRpo28mmRRNFKM5fJIvaKJPJbLe+ee
+5zmWx8Ild/bC95BAbzRyrbOyEbfpRJTzLFxvzAl4g5/kckwxsGMYokiVZ7T8oDN6
+yxuEEieqpfbHSACiMGkp8CzgOLrZQ99BAoGACAp9v6jCWEgUxxZkxW62LOTK8Wr+
+iNRJkVnWdHdKOj7N3xJWwC/JFSXFJ2kkItCrqU5cQe4S3HG7Zvhnn6F+CW8oCAhR
+ugRusxiFwUFOiYWt5ZnZB68XRT0cyuosDQZEP4Nnpr4VSxJeOQ7g2Q90bwiAHdP1
+Nn9Z+6LlpnwF83U=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key.keyspec
new file mode 100644
index 0000000000..f488e73a94
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key.keyspec
@@ -0,0 +1 @@
+rsa2040
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem
new file mode 100644
index 0000000000..3460534a0b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDcjCCAlugAwIBAgIUZSpbli3rGt5J38O5lKUHT1lCyUEwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQZXZfcm9vdF9yc2FfMjA0MDAiGA8yMDIxMTEyNzAwMDAw
+MFoYDzIwMjQwMjA1MDAwMDAwWjArMSkwJwYDVQQDDCBldl9pbnRfcnNhXzIwNDgt
+ZXZfcm9vdF9yc2FfMjA0MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG
+8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V
+gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3
+04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l
+0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz
+/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaOBmjCBlzAMBgNVHRMEBTADAQH/MAsGA1Ud
+DwQEAwIBBjBZBggrBgEFBQcBAQRNMEswSQYIKwYBBQUHMAGGPWh0dHA6Ly93d3cu
+ZXhhbXBsZS5jb206ODg4OC9ldl9pbnRfcnNhXzIwNDgtZXZfcm9vdF9yc2FfMjA0
+MC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQEL
+BQADggEAABBuxXUR0hyJquyO21vDSVBAfJxZzfanX2HTra0RQuHKsMJT+stYBaW5
+dyxwmRtOnWgn4FOYqVppLZe1jSws6zUoWgSBiAxKJiX3RvQ4aR5bSIm9DueBDR8u
+d/vwQOWR1+qqZb7FRvFkXkzFyBP9C5cT/INjmFiRzidMIWIPuoS3kSzIIcyLr4Gj
+CPb/TDGTL3pc5xdSIiQ3i43f1u17yeurjzbN8yzjIX3CuoeaOrBUWsBxnNgFhmVm
+KY8AP4GHKg0/If0cY1O+cVJ33meKLLxoV9sH98tAbBUs/jQ7mAH+lGQRBUtp5WxJ
+hIPwSS31RIFglSm9FVEraLU+dl+mzA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec
new file mode 100644
index 0000000000..5bc5674b2c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec
@@ -0,0 +1,7 @@
+issuer:ev_root_rsa_2040
+subject:ev_int_rsa_2048-ev_root_rsa_2040
+issuerKey:evRSA2040
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/ev_int_rsa_2048-ev_root_rsa_2040/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem
new file mode 100644
index 0000000000..982eb60fd4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVTCCAj2gAwIBAgIUaQnDkiefXQWH/NTUbBlfx7LtXIMwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy
+MDUwMDAwMDBaMCExHzAdBgNVBAMMFmV2X2ludF9yc2FfMjA0OC1ldnJvb3QwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT
+2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV
+JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8N
+jf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCA
+BiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVh
+He4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMB
+AAGjgZAwgY0wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwTwYIKwYBBQUHAQEE
+QzBBMD8GCCsGAQUFBzABhjNodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvZXZf
+aW50X3JzYV8yMDQ4LWV2cm9vdC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUa
+AYN0CQEwDQYJKoZIhvcNAQELBQADggEBAFr4zW09JSWiZyP/xLgjaSwybNjNy844
++RveDtS0i9k3MgNI4pmG82CqfaMDdQYUSdiIDFLLZMbKYNU9pBG0WUr2AlPAMsU4
+Pt1I4/IT6xAQvB9reuKeHdM7r99W1r5IYmRFf4YHcGTeNOTBExaQCsnAwk1nWj4+
++dNQidDkzcvb2CMcp5DvILtYyFam9irx1K2u/pzH4naBeXjvuCk2gE+nK9nBZUuD
+Ot0Lg/hHNK/ultREiFoBXkEyuLHbUxfNug6SfUvppXy2tCR+bA98QkwM25LflG4J
+/Bej2fWYhDcO1keGO9A9STb6S/4T64AVbqDZNILRwFENWKoarvcE3YA=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem.certspec
new file mode 100644
index 0000000000..a0cb6250dc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:ev_int_rsa_2048-evroot
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/ev_int_rsa_2048-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key
new file mode 100644
index 0000000000..bcd996ab23
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEuQIBADANBgkqhkiG9w0BAQEFAASCBKMwggSfAgEAAoIBAADKcCDcIV9XkU00
+P65KAVERaXr5l6Xs6RhmSZ/CPxuIoRjL0wsQ2Rx7mg1O6JcvyuVsr1fyX8EnWipN
+vLmCQowy71h78jh0EDMKD/sWuAKb14OWnvZ19t44wY9nGTy2wHL4sj0LM3QRJiel
+e5AFV3HZ5iYD9TeI1/Y6+nJPXRCAlt8x+J8msetffENXmA4Aj81V2CfdJiOVyi9S
+ageJfMQMWTs4cW68DKpZZxnG8prJtzp6lEdIo6o+CenrTUYeoAJ+VAkmYUcoudJD
+l1z5oFQb79JedrUflREQsOdkT8fjhEF5G20iJzhMuABOIzQjcrHPXMPnPjG3u++h
+YOaGLrsCAwEAAQKCAQAAstt0vOkjYqv3KVWmOK6HILowM7t/lxyvORiNdULqocGr
+tdIFseIRH0eRwIkRouFB6M/XBUcC0jEAtWQsBuGjGxGK/R+aLzlsztQlxQHZFDXK
+hlZ2bO0rk7u4Zp/Om6zXJ9Hayz2vq8MpPjU4nu+OoLWOGusaIOamH5/NRT91Z/4x
+0SO2FqJv703x1sn3SQER0Cju/R2XIEWxokInPdemfr8RHbJ0GlqTx7IonMSiNvWp
+mm7HqCBv2uHB0EvbsZgNSimMWhfa5BhkdKX3g12IK87ySu9O1vFJ+U2WyffXjmR/
+x3ipAX/yCNO0oXaLGCFiECzasDL6u6s41SAKMkZJAoGADzhE0NTU1qIazXam/DcL
+hVDh1+xaYjQXLnkPACmuZR9tXFkzCrGYArnXogfeeh+3eON3T9vcQRdQYz2NGz/g
+dQBv/P0dEOdjx6kifS1fDC2t4cnmWcNQoVnTa7mG8SY21PmUKyiLwP4h2oeZR3Fz
+FEJJyi44nmxcJap4yMrX1N8CgYANTQvt0ZYvB6Hq1rI6TtZ66vEnDwUqbSm6B0lF
+xjYaXE+PB7+FngZ67T9ObjI+8qqKas00CwvcfP5P0ynjyX+HDH93NXksaqnQ9+dU
+KijtbwGw5VorjZwkplxtoxTJVIT1x8OVSoG7AWsH7RfumwYDlpW8oFmnn43CQj0y
+jVJlpQKBgAnymi/wW+ipbWFLoxsIk1QgqGxrxCuZpmkuoNpXY/AeWWlZt93Oc++c
+Lk9uW0BxCIdQDUS6DDzTEyy6J0dfOcLfdVLi0SOiSXpPlwZAKHaaSKNiRlf3K/U5
+89DeI0/szTvooKqQxr9umwvtQwcKJNBh/z7RdRo+8v9/a5C529X7AoGAAaZZ4XDK
+wSCgO+HPj53xyqNTsDWTvXR25YU72HTChziGAcbDQc6dHShKXu8aOmadMrgWpers
+2LeET+BwZLm8oMKzGNVAJ3s/fxUQ04a7NuA7BHceXSKeiIk+E7dTv7lFGLtjjiQE
+vW5qmTwWaNk/wLgv8IqvNDR9P+g5cQjIfKUCgYAEAlfA1KIcC5hDKXxlZS22YwT7
+Jjdz1yi2q/oG03rAymLGKAI+CeN9wKkB5M4SJBgOJYKjqktqGnuY4r1wB3rsFKyK
+tmp1XHHg/BAkcfm7wbRqlaoLZF8sOOdkUCiWGeo/XormEDe//PgknyKqTnbioBkJ
+8/6ykM6T7fV7EOvnlg==
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key.keyspec
new file mode 100644
index 0000000000..a85e16858b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key.keyspec
@@ -0,0 +1 @@
+evRSA2040
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem
new file mode 100644
index 0000000000..fe3abd78a8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4zCCAcygAwIBAgIUJ7nCMgtzNcSPG7jAh3CWzlTGHQgwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQZXZfcm9vdF9yc2FfMjA0MDAiGA8yMDE1MDEwMTAwMDAw
+MFoYDzIwMzUwMTAxMDAwMDAwWjAbMRkwFwYDVQQDDBBldl9yb290X3JzYV8yMDQw
+MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQAAynAg3CFfV5FNND+uSgFR
+EWl6+Zel7OkYZkmfwj8biKEYy9MLENkce5oNTuiXL8rlbK9X8l/BJ1oqTby5gkKM
+Mu9Ye/I4dBAzCg/7FrgCm9eDlp72dfbeOMGPZxk8tsBy+LI9CzN0ESYnpXuQBVdx
+2eYmA/U3iNf2OvpyT10QgJbfMfifJrHrX3xDV5gOAI/NVdgn3SYjlcovUmoHiXzE
+DFk7OHFuvAyqWWcZxvKaybc6epRHSKOqPgnp601GHqACflQJJmFHKLnSQ5dc+aBU
+G+/SXna1H5URELDnZE/H44RBeRttIic4TLgATiM0I3Kxz1zD5z4xt7vvoWDmhi67
+AgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEB
+CwUAA4IBAAA/4/YVyeRLPr05Uw5j0JOCx5WNUv2HxemfvTZgF4QEg4vDt8ba3VDR
+Xj3Z8hiGYG+s2Wz4k+82wCNRTglm3iutCJ/LbwOAZIa8dFyQUa03EssS0BBvVNhx
+uu6+kYMqGteIX5Q94daqZe+0KM9xKbydNCQJKSMD8IV1YHKvotF91MFQHDdnVAZX
+anpqDnw0j4YGknFHA1i++0GZC0aWxhRn6Epfza+bYCVogC5BviY6xYIg2kZE8kII
+msQ6iUrKQ2OV7HmZ03BdpsGADorycyJ/wRGR3xDDg8RYUur80jU/D0eBq8BX1md8
+Rc+IyDmcFcs7hYRUaJAoxuLPvQ+/vy4=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem.certspec
new file mode 100644
index 0000000000..fd1ade8dea
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem.certspec
@@ -0,0 +1,7 @@
+issuer:ev_root_rsa_2040
+subject:ev_root_rsa_2040
+issuerKey:evRSA2040
+subjectKey:evRSA2040
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key
new file mode 100644
index 0000000000..1d88a930d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh
++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU
+dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H
+cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y
+1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t
+oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ
+5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB
+0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+
++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE
+vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9
+HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE
+MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V
+vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV
+7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH
+lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V
+jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv
+nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui
+p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ
+zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v
+4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA
+hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C
+pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV
+bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3
+mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j
+LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf
+UVFRDKpassHG6z7+kpXRbowlyRY=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key.keyspec
new file mode 100644
index 0000000000..1a3d76a550
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key.keyspec
@@ -0,0 +1 @@
+ev
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem
new file mode 100644
index 0000000000..13c3031905
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx
+MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/
+EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN
+RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s
+33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd
+Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX
++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+
+5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo
+UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf
+cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY
+Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH
+z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH
+HmbOwao=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem.certspec
new file mode 100644
index 0000000000..3121f3486e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:evroot
+subjectKey:ev
+issuerKey:ev
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_logoutAndTeardown.js b/security/manager/ssl/tests/unit/test_logoutAndTeardown.js
new file mode 100644
index 0000000000..f1e5991f05
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_logoutAndTeardown.js
@@ -0,0 +1,195 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+"use strict";
+
+// This test ensures that in-progress https connections are cancelled when the
+// user logs out of a PKCS#11 token.
+
+// Get a profile directory and ensure PSM initializes NSS.
+do_get_profile();
+Cc["@mozilla.org/psm;1"].getService(Ci.nsISupports);
+
+function getTestServerCertificate() {
+  const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  const certFile = do_get_file("test_certDB_import/encrypted_with_aes.p12");
+  certDB.importPKCS12File(certFile, "password");
+  for (const cert of certDB.getCerts()) {
+    if (cert.commonName == "John Doe") {
+      return cert;
+    }
+  }
+  return null;
+}
+
+class InputStreamCallback {
+  constructor(output) {
+    this.output = output;
+    this.stopped = false;
+  }
+
+  onInputStreamReady(stream) {
+    info("input stream ready");
+    if (this.stopped) {
+      info("input stream callback stopped - bailing");
+      return;
+    }
+    let available = 0;
+    try {
+      available = stream.available();
+    } catch (e) {
+      // onInputStreamReady may fire when the stream has been closed.
+      equal(
+        e.result,
+        Cr.NS_BASE_STREAM_CLOSED,
+        "error should be NS_BASE_STREAM_CLOSED"
+      );
+    }
+    if (available > 0) {
+      let request = NetUtil.readInputStreamToString(stream, available, {
+        charset: "utf8",
+      });
+      ok(
+        request.startsWith("GET / HTTP/1.1\r\n"),
+        "Should get a simple GET / HTTP/1.1 request"
+      );
+      let response =
+        "HTTP/1.1 200 OK\r\n" +
+        "Content-Length: 2\r\n" +
+        "Content-Type: text/plain\r\n" +
+        "\r\nOK";
+      let written = this.output.write(response, response.length);
+      equal(
+        written,
+        response.length,
+        "should have been able to write entire response"
+      );
+    }
+    this.output.close();
+    info("done with input stream ready");
+  }
+
+  stop() {
+    this.stopped = true;
+    this.output.close();
+  }
+}
+
+class TLSServerSecurityObserver {
+  constructor(input, output) {
+    this.input = input;
+    this.output = output;
+    this.callbacks = [];
+    this.stopped = false;
+  }
+
+  onHandshakeDone(socket, status) {
+    info("TLS handshake done");
+    info(`TLS version used: ${status.tlsVersionUsed}`);
+
+    if (this.stopped) {
+      info("handshake done callback stopped - bailing");
+      return;
+    }
+
+    let callback = new InputStreamCallback(this.output);
+    this.callbacks.push(callback);
+    this.input.asyncWait(callback, 0, 0, Services.tm.currentThread);
+
+    // We've set up everything needed for a successful request/response,
+    // but calling logoutAndTeardown should cause the request to be cancelled.
+    Cc["@mozilla.org/security/sdr;1"]
+      .getService(Ci.nsISecretDecoderRing)
+      .logoutAndTeardown();
+  }
+
+  stop() {
+    this.stopped = true;
+    this.input.close();
+    this.output.close();
+    this.callbacks.forEach(callback => {
+      callback.stop();
+    });
+  }
+}
+
+class ServerSocketListener {
+  constructor() {
+    this.securityObservers = [];
+  }
+
+  onSocketAccepted(socket, transport) {
+    info("accepted TLS client connection");
+    let connectionInfo = transport.securityCallbacks.getInterface(
+      Ci.nsITLSServerConnectionInfo
+    );
+    let input = transport.openInputStream(0, 0, 0);
+    let output = transport.openOutputStream(0, 0, 0);
+    let securityObserver = new TLSServerSecurityObserver(input, output);
+    this.securityObservers.push(securityObserver);
+    connectionInfo.setSecurityObserver(securityObserver);
+  }
+
+  // For some reason we get input stream callback events after we've stopped
+  // listening, so this ensures we just drop those events.
+  onStopListening() {
+    info("onStopListening");
+    this.securityObservers.forEach(observer => {
+      observer.stop();
+    });
+  }
+}
+
+function getStartedServer(cert) {
+  let tlsServer = Cc["@mozilla.org/network/tls-server-socket;1"].createInstance(
+    Ci.nsITLSServerSocket
+  );
+  tlsServer.init(-1, true, -1);
+  tlsServer.serverCert = cert;
+  tlsServer.setSessionTickets(false);
+  tlsServer.asyncListen(new ServerSocketListener());
+  return tlsServer;
+}
+
+const hostname = "example.com";
+
+function storeCertOverride(port, cert) {
+  let certOverrideService = Cc[
+    "@mozilla.org/security/certoverride;1"
+  ].getService(Ci.nsICertOverrideService);
+  certOverrideService.rememberValidityOverride(hostname, port, {}, cert, true);
+}
+
+function startClient(port) {
+  let req = new XMLHttpRequest();
+  req.open("GET", `https://${hostname}:${port}`);
+  return new Promise((resolve, reject) => {
+    req.onload = () => {
+      ok(false, "should not have gotten load event");
+      resolve();
+    };
+    req.onerror = () => {
+      ok(true, "should have gotten an error");
+      resolve();
+    };
+
+    req.send();
+  });
+}
+
+add_task(async function () {
+  Services.prefs.setCharPref("network.dns.localDomains", hostname);
+  let cert = getTestServerCertificate();
+
+  let server = getStartedServer(cert);
+  storeCertOverride(server.port, cert);
+  await startClient(server.port);
+  server.close();
+});
+
+registerCleanupFunction(function () {
+  Services.prefs.clearUserPref("network.dns.localDomains");
+});
diff --git a/security/manager/ssl/tests/unit/test_missing_intermediate.js b/security/manager/ssl/tests/unit/test_missing_intermediate.js
new file mode 100644
index 0000000000..2a723b2a0f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_missing_intermediate.js
@@ -0,0 +1,92 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that if a server does not send a complete certificate chain, we can
+// make use of cached intermediates to build a trust path.
+
+const { TestUtils } = ChromeUtils.importESModule(
+  "resource://testing-common/TestUtils.sys.mjs"
+);
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+registerCleanupFunction(() => {
+  let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+  certDir.append("bad_certs");
+  Assert.ok(certDir.exists(), "bad_certs should exist");
+  let args = ["-D", "-n", "manually-added-missing-intermediate"];
+  run_certutil_on_directory(certDir.path, args, false);
+});
+
+function run_test() {
+  add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+  // If we don't know about the intermediate, we'll get an unknown issuer error.
+  add_connection_test(
+    "ee-from-missing-intermediate.example.com",
+    SEC_ERROR_UNKNOWN_ISSUER
+  );
+
+  // Make BadCertAndPinningServer aware of the intermediate.
+  add_test(() => {
+    let args = [
+      "-A",
+      "-n",
+      "manually-added-missing-intermediate",
+      "-i",
+      "test_missing_intermediate/missing-intermediate.pem",
+      "-a",
+      "-t",
+      ",,",
+    ];
+    let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+    certDir.append("bad_certs");
+    Assert.ok(certDir.exists(), "bad_certs should exist");
+    run_certutil_on_directory(certDir.path, args);
+    run_next_test();
+  });
+
+  // We have to start observing the topic before there's a chance it gets
+  // emitted.
+  add_test(() => {
+    TestUtils.topicObserved("psm:intermediate-certs-cached").then(
+      subjectAndData => {
+        Assert.equal(subjectAndData.length, 2, "expecting [subject, data]");
+        Assert.equal(subjectAndData[1], "1", `expecting "1" cert imported`);
+        run_next_test();
+      }
+    );
+    run_next_test();
+  });
+  // Connect and cache the intermediate.
+  add_connection_test(
+    "ee-from-missing-intermediate.example.com",
+    PRErrorCodeSuccess
+  );
+
+  // Add a dummy test so that the only way we advance from here is by observing
+  // "psm:intermediate-certs-cached".
+  add_test(() => {});
+
+  // Delete the intermediate on the server again.
+  add_test(() => {
+    clearSessionCache();
+    let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+    certDir.append("bad_certs");
+    Assert.ok(certDir.exists(), "bad_certs should exist");
+    let args = ["-D", "-n", "manually-added-missing-intermediate"];
+    run_certutil_on_directory(certDir.path, args);
+    run_next_test();
+  });
+
+  // Since we cached the intermediate in gecko, this should succeed.
+  add_connection_test(
+    "ee-from-missing-intermediate.example.com",
+    PRErrorCodeSuccess
+  );
+
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem
new file mode 100644
index 0000000000..3ba4cc67d1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAcigAwIBAgIUXVqax21Zg1E4snLU25SGHPmGws8wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAfMR0wGwYDVQQDDBRNaXNzaW5nIEludGVybWVkaWF0ZTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ
+6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk
+nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N
+/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG
+JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd
+7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA
+AaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQAD
+ggEBAJU1u07/x6ATZrK4/Cq6cqTbdkoUJRfZERwJBx4mBnQTbQXBhuo2y4qF+J7U
+SA3LKtfAHRJGkH7nBwRIlAxfN87saJcVXMA8n6WRHNjrDzhK7bZtt1sS23tBCtbs
+TxrMCmfrR2tVZApuGa3lwz8gWhzZkZvoENuqqFAM5nMroKjpKVDFRDAn/Ub7lsvQ
+vQqXti0EqMcg7e6rmBQEvwD0L9sagFLyIqtQM2n901vDlLUfnWrddVH3pA0O3KAr
+ft079b4Lh7RPyeocSU++xGtQ+jkx1WjNtNhVSUNjrmxQMhqAgFPONhJOTo3FqeYO
+T/Rt5MdiZpnMuD2C3VF2r9rTURU=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem.certspec b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem.certspec
new file mode 100644
index 0000000000..c21e757449
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Missing Intermediate
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_name_constraints.js b/security/manager/ssl/tests/unit/test_name_constraints.js
new file mode 100644
index 0000000000..ab38b96a31
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints.js
@@ -0,0 +1,71 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// This test tests two specific items:
+// 1. Are name constraints properly enforced across the entire constructed
+// certificate chain? This makes use of a certificate hierarchy like so:
+//  - (trusted) root CA with permitted subtree dNSName example.com
+//  - intermediate CA with permitted subtree dNSName example.org
+//    a. end-entity with dNSNames example.com and example.org
+//       (the first entry is allowed by the root but not by the intermediate,
+//        and the second entry is allowed by the intermediate but not by the
+//        root)
+//    b. end-entity with dNSName example.com (not allowed by the intermediate)
+//    c. end-entity with dNSName examle.org (not allowed by the root)
+//    d. end-entity with dNSName example.test (not allowed by either)
+//  All of these cases should fail to verify with the error that the
+//  end-entity is not in the name space permitted by the hierarchy.
+//
+// 2. Are externally-imposed name constraints properly enforced? This makes use
+// of a certificate hierarchy rooted by a certificate with the same DN as an
+// existing hierarchy that has externally-imposed name constraints (DCISS).
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+function certFromFile(name) {
+  return constructCertFromFile(`test_name_constraints/${name}.pem`);
+}
+
+function loadCertWithTrust(certName, trustString) {
+  addCertFromFile(certdb, `test_name_constraints/${certName}.pem`, trustString);
+}
+
+function checkCertNotInNameSpace(cert) {
+  return checkCertErrorGeneric(
+    certdb,
+    cert,
+    SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
+    certificateUsageSSLServer
+  );
+}
+
+function checkCertInNameSpace(cert) {
+  return checkCertErrorGeneric(
+    certdb,
+    cert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer
+  );
+}
+
+add_task(async function () {
+  // Test that name constraints from the entire certificate chain are enforced.
+  loadCertWithTrust("ca-example-com-permitted", "CTu,,");
+  loadCertWithTrust("int-example-org-permitted", ",,");
+  await checkCertNotInNameSpace(certFromFile("ee-example-com-and-org"));
+  await checkCertNotInNameSpace(certFromFile("ee-example-com"));
+  await checkCertNotInNameSpace(certFromFile("ee-example-org"));
+  await checkCertNotInNameSpace(certFromFile("ee-example-test"));
+
+  // Test that externally-imposed name constraints are enforced (DCISS tests).
+  loadCertWithTrust("dciss", "CTu,,");
+  await checkCertInNameSpace(certFromFile("NameConstraints.dcissallowed"));
+  await checkCertNotInNameSpace(certFromFile("NameConstraints.dcissblocked"));
+});
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem
new file mode 100644
index 0000000000..8058f77b23
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVzCCAj+gAwIBAgIUByfcws/1BsAT11Q4PQoblWadQD0wDQYJKoZIhvcNAQEL
+BQAwgYUxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBh
+cmlzMRAwDgYDVQQKEwdQTS9TR0ROMQ4wDAYDVQQLEwVEQ1NTSTEOMAwGA1UEAxMF
+SUdDL0ExIzAhBgkqhkiG9w0BCQEWFGlnY2FAc2dkbi5wbS5nb3V2LmZyMCIYDzIw
+MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEExCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJDQTEMMAoGA1UECgwDRm9vMRcwFQYDVQQDDA5mb28uZXhhbXBsZS5m
+cjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG
+NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn
+RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu
+p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ
+Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p
+47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1
+7Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEADR+2W/J/dKAwAf8I06e89ZBKd0H5
+yxJqgpwCZfhtjT200R0KUy3Idml1TVdvM1J/hLKu5dMtQ6ewGZIEpf9A+TQ/CN8U
+0D1m94HUAIZDMt+I/9FjXff9OrLOBxU1AQtlK9dunE0751bqq2aIvdMYcD3D3sHQ
+jj1gxmsdoxWmoE7vTcwXzkTOX6s9SsylGmqWDuoNl2gioyAU0MFIgTkNRxuUOfSR
+0LtBHsqEmWYXAjLFqRwa09NZ49jRq+n64svv65gdkKeuecvdYEnFQPKhQJHh0UE8
+oq3T7HWiGkaPgQ2FfFwIXGSQD+jJTDV+hzH5wuWbnxW5bl/Tq1olAh0S+w==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec
new file mode 100644
index 0000000000..1a02a0cc1a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec
@@ -0,0 +1,2 @@
+issuer:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
+subject:/C=US/ST=CA/O=Foo/CN=foo.example.fr
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem
new file mode 100644
index 0000000000..4b29717d91
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDWDCCAkCgAwIBAgIUeThptwYWQpW7Kmc4xj2lLpzdjfIwDQYJKoZIhvcNAQEL
+BQAwgYUxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBh
+cmlzMRAwDgYDVQQKEwdQTS9TR0ROMQ4wDAYDVQQLEwVEQ1NTSTEOMAwGA1UEAxMF
+SUdDL0ExIzAhBgkqhkiG9w0BCQEWFGlnY2FAc2dkbi5wbS5nb3V2LmZyMCIYDzIw
+MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEIxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJDQTEMMAoGA1UECgwDRm9vMRgwFgYDVQQDDA9mb28uZXhhbXBsZS5j
+b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI
+BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa
+p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB
+7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C
+kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv
+aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK
+Ne2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAHG3W9MHDLoH+PtllciSci7+QaNX
+lSb/+OyqCpx/XkjS2/Bd8+c4Pbn7GdrR/Nf17f/KZ5qgY+uO6NExeh3LrGvTKkig
+Kpt+Uij0iVBd9XTzTnHZdU3EW1Y3539TBT0ABilG1YlKlpJWA+fzUWRo9vHPcETm
+KJRH3eKtyXTHeRPpOSG2afJKzqfkiGSK/zvWe5YjTKLhJGRRnX37SG7GIA7l1kX7
+1UPJs2Wtr05qrUmSBSgP0k+T7pi4+94/TgMjai//E802m7EdfSfRsvUEnh6Lv1Mk
+iY8C6RsPQIhTr4dsp04TazciE42TfsPZ/zpgf5AHF+Xrz1AoFdNABpXAcNk=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec
new file mode 100644
index 0000000000..eabee87e83
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec
@@ -0,0 +1,2 @@
+issuer:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
+subject:/C=US/ST=CA/O=Foo/CN=foo.example.com
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem
new file mode 100644
index 0000000000..f96b43db09
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDETCCAfmgAwIBAgIUI3lD7Re7UzKxqghLVnq19q1yxakwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2EtZXhhbXBsZS1jb20tcGVybWl0dGVkMCIYDzIwMjEx
+MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCMxITAfBgNVBAMMGGNhLWV4YW1w
+bGUtY29tLXBlcm1pdHRlZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG
+8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V
+gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3
+04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l
+0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz
+/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaM5MDcwDAYDVR0TBAUwAwEB/zALBgNVHQ8E
+BAMCAQYwGgYDVR0eBBMwEaAPMA2CC2V4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUA
+A4IBAQCqe0psTB+mMNH5u+5ZNGy27aYGpl4hegtWQtNUYmNWL6xnSJwLB+4tKtHG
+I6HKMNQ9so3l0x28jitBbcnbSSkVV+Q2upVziZX8uNgg2613O//loKhvvSeJqeVw
+vGfPNnIkwcSpTMqDyYuY1tSA2dW3fMeX6kqnP5nupmERt60Xqxd56XZaAC4ZI0vY
+FVIbxCrxuBHDi/hcGCDFUB3gnwE+CNqTnNOh95w1nRLuBJxyrUF3SFrLVdlbSO9Q
+YXD20E7e79ZdGCcIZFIvCG5AKDzd0amEVJ/GGNuqZGa3+ScP5PVd571KcFB0nl7s
+hGWiQsC/9yJg0eZNZ64hlWLofeYf
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec
new file mode 100644
index 0000000000..1cc3c1d81b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca-example-com-permitted
+subject:ca-example-com-permitted
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:nameConstraints:permitted:example.com
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem
new file mode 100644
index 0000000000..632d60fd51
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIULcsHU0vMF8j+8wH20P0dJztPKgEwDQYJKoZIhvcNAQEL
+BQAwgYUxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBh
+cmlzMRAwDgYDVQQKEwdQTS9TR0ROMQ4wDAYDVQQLEwVEQ1NTSTEOMAwGA1UEAxMF
+SUdDL0ExIzAhBgkqhkiG9w0BCQEWFGlnY2FAc2dkbi5wbS5nb3V2LmZyMCIYDzIw
+MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMIGFMQswCQYDVQQGEwJGUjEP
+MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczEQMA4GA1UEChMHUE0vU0dE
+TjEOMAwGA1UECxMFRENTU0kxDjAMBgNVBAMTBUlHQy9BMSMwIQYJKoZIhvcNAQkB
+FhRpZ2NhQHNnZG4ucG0uZ291di5mcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x
+nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM
+wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF
+4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20
+yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx
+j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zAL
+BgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABMUv/zQZiMOGUd8VhQ2Bpct
+bFy+LXpRmPZKuaxAeXWJOOO6YzXKWu5Ozvy1B0+2+OpS7eTWO/4p/sBcqmHuIf45
+jCPDm6RhRDXe+9zGKqv9dt0hXpZwUx7q9nUIlDsyVKrJ2XRd70EAvrpqbJBN2ztF
+dGwvVFXYINyOFVBfMbdUnbqtwUMUoYQ8UgoTAoJTA09nfIv6YXIebX553u/ZOcpk
+wQbyl69r8hc5pYxKdEBqjqfy6rrl7/h6ptTSJDp+z0EBCG592WVClVu3cpaRlnQt
+/gSHxGH+ZTFKqjrf2pP9a34DtepJL1K/LNHv+XpnmUK6hSLkW9aR+MtK5A7lROg=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec
new file mode 100644
index 0000000000..5d53706bc5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
+subject:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem
new file mode 100644
index 0000000000..f49fe5ebcc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/jCCAeagAwIBAgIUa3sb3Kmjzf4Q38n9GGzgAluQs3UwDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIx
+MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAhMR8wHQYDVQQDDBZlZS1leGFt
+cGxlLWNvbS1hbmQtb3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby
+a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC
+D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT
+iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT
+Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+
+SSP6clHEMdUDrNoYCjXtjQIDAQABoycwJTAjBgNVHREEHDAaggtleGFtcGxlLmNv
+bYILZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQELBQADggEBAEp9KUBTRs8erSIiiAj1
+HVtbJyvBipgvWQHG/4G7A3tm6E0ZGZRofhovLspsDCdoaEiHSmLpxAjzAcYNA68v
+OPloyfV8H0p/V0h/PzQKjJYcx4oQ5xt/TVo7oUgDL2ap37rMDYzXevSFJ/hFRJjX
+IWrWoCwweGJrXlyRyF84SmC1oMWDfwOxNpDDOc1qW/+6Rhftx361B3GBe7A9Xb5g
+X6I4xCFYSLnHMMBSfqsfLZkTb+rqpeLy1k0BBpJWZP1Dbgy3BCmWhyzMG1n6IYwr
+Nqg35i2YhCFlr/lNvwy+Jix9EjAmrYVl8rJ0eOHUoFGyphzv331kO4B8MiZo33rY
+Ci4=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec
new file mode 100644
index 0000000000..904ca65955
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-example-org-permitted
+subject:ee-example-com-and-org
+extension:subjectAlternativeName:example.com,example.org
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem
new file mode 100644
index 0000000000..e1872fb869
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6TCCAdGgAwIBAgIUNyYkQhaojroU27Ob3YEOgU/gSIowDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIx
+MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAZMRcwFQYDVQQDDA5lZS1leGFt
+cGxlLWNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaMaMBgwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wDQYJKoZI
+hvcNAQELBQADggEBAEbqCfq2MUMQ9/Y3GYVUCJZOTQd6LFbk7edj/d5B0MLialsm
+xZ9+4/hv98hiL3V3rJPsZNLMgaZjE10Yer+HdwC8do2OsuIO85UA4oWJKKjjLbUO
+Mek36zrzcgrbWqGEthXgnUwvUGKedEgeIoPzhN4UT3Ifkf1u0L308kc+0bnhQlEJ
+V49YCMoyrIX/mzYs5D3zd1IxlWN3WNVfzF+pmQQ6LSfI8OtppCgRuNYDY3Md7Lqc
+x+QITmjJYZJJN2hpRJPMoUagF89M3XUj/6w4oLNBJmF02VrU/4JChEyKqmAqNCi/
+Z0nDqmRwXyO8tnTIzx7XJcb9CDIoaBCzgoP2nCc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec
new file mode 100644
index 0000000000..46630c4a1a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-example-org-permitted
+subject:ee-example-com
+extension:subjectAlternativeName:example.com
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem
new file mode 100644
index 0000000000..9b820e9a3f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6TCCAdGgAwIBAgIUK/q+41F1BJ5V5yLuTubosg8UyzowDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIx
+MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAZMRcwFQYDVQQDDA5lZS1leGFt
+cGxlLW9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAAaMaMBgwFgYDVR0RBA8wDYILZXhhbXBsZS5vcmcwDQYJKoZI
+hvcNAQELBQADggEBAK38zSQwGdXOtrm9KyhDC2iUXdL+bmQyVPXqxgOsc39oG4kK
+yQ49cmkrdTfrOccrXVK80mJaSlMccQkv7++BlWhxE0yJw4nU5PGfGZ1wbKdYgTXx
+YYrqk7WTEZ28jvf42MXtz+YPceGLFI5jm4CACE4+RFjBUydRmadbIQytp5wz+rDX
+90RAHw6K5niEylXpkaqIUjZj27qQRHX7X/2N9rFj0Z8c7wSrCA4RsG9RPWtDgoE8
+NtgqMrRqDwbIzxWw4RtnirErgk+1aFAleNJ8bS3QBTO/a5PWFwUi5/ZePpI+7+Gf
+flEWX+zxAOdQCLNWRnk8BMjnuBN8rL9cj3s1okw=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec
new file mode 100644
index 0000000000..6a24090e51
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-example-org-permitted
+subject:ee-example-org
+extension:subjectAlternativeName:example.org
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem
new file mode 100644
index 0000000000..53cd45391e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6zCCAdOgAwIBAgIULd4A5nOUpfcpueUvavcnGwnza44wDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIx
+MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9lZS1leGFt
+cGxlLXRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W
+1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtq
+ZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx
+0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthV
+t2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo
+4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx
+1QOs2hgKNe2NAgMBAAGjGzAZMBcGA1UdEQQQMA6CDGV4YW1wbGUudGVzdDANBgkq
+hkiG9w0BAQsFAAOCAQEAGclmIUn18xP9ZBL5dIZ6SDS1tYgwbDdczT6Lxe1QWILy
+QxM5cL30hxf/O9dOBqCnv1px72RemKx9H0S5dr1JSaq4q+cuwtIqWlIiBAF3APoj
+HpOct+VsLI+UxyfvTKVSvWXKgXdlvKYQ4FMu1CUI90dmRNP2fQbEMYqkbAoQXz47
+2Qk19gMhmTGah0RXE5cBfMf+3VD508dJejyzA+yA9hw5HUsH3tvSIX9JhP7s+wyu
+cyMUfovHS20ML1VQ+Lzf2YQO0lhxmS3UMSEg2h4MBUcgLaJEeGpDt2WCJKliISk5
+TaJDaiQBTrd6eupMegUQcVn0UrBD4hxrPiAg1ibU3Q==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec
new file mode 100644
index 0000000000..0926ce477a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int-example-org-permitted
+subject:ee-example-test
+extension:subjectAlternativeName:example.test
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem
new file mode 100644
index 0000000000..715ee48d57
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEjCCAfqgAwIBAgIUC12ZLFrh+TExo/zOUHTYqBfd0ZMwDQYJKoZIhvcNAQEL
+BQAwIzEhMB8GA1UEAwwYY2EtZXhhbXBsZS1jb20tcGVybWl0dGVkMCIYDzIwMjEx
+MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCQxIjAgBgNVBAMMGWludC1leGFt
+cGxlLW9yZy1wZXJtaXR0ZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a
+hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t
+FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o
+N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d
+JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4
+s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOTA3MAwGA1UdEwQFMAMBAf8wCwYDVR0P
+BAQDAgEGMBoGA1UdHgQTMBGgDzANggtleGFtcGxlLm9yZzANBgkqhkiG9w0BAQsF
+AAOCAQEAlnz9bttQ1SXr8R9fYrSQPPHXCQ2KfQNm3WWVj/jZwwcLokG3U8o9qpMn
+0LZ8AW9726SK2YzkBEHsCA58Vi+4Sh/m4GGue6RKx02w2H3r+D9U+oB2VvqK71ga
+HoS9FAy+Wy8f9dceZpJbteCpz/e7UTM+6BPXOp5F+VZoCk0jKhzhYEYqONTIL0Xk
+/1IhkUT5jf3WNbAuGXhgUMc4Q6UdXj4GcYM1rx3r3YOb+wX1Zh0rjgkIEyBT5JFH
+yBqBDWG9xhMoftQYkLb1VGIms/HcaEsP6ckz2sev6ZDRrhRQS+SU44X6bpKddqYo
+xRRqtHKbc7bjutoBFGxNzJNRPvzCLg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec
new file mode 100644
index 0000000000..87e2cf8a56
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca-example-com-permitted
+subject:int-example-org-permitted
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:nameConstraints:permitted:example.org
diff --git a/security/manager/ssl/tests/unit/test_nonascii_path.js b/security/manager/ssl/tests/unit/test_nonascii_path.js
new file mode 100644
index 0000000000..3c31640d05
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_nonascii_path.js
@@ -0,0 +1,52 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests to make sure that the certificate DB works with non-ASCII paths.
+
+// Append a single quote and non-ASCII characters to the profile path.
+let profd = Services.env.get("XPCSHELL_TEST_PROFILE_DIR");
+let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile);
+file.initWithPath(profd);
+file.append("'÷1");
+Services.env.set("XPCSHELL_TEST_PROFILE_DIR", file.path);
+
+file = do_get_profile(); // must be called before getting nsIX509CertDB
+Assert.ok(
+  /[^\x20-\x7f]/.test(file.path),
+  "the profile path should contain a non-ASCII character"
+);
+
+// Restore the original value.
+Services.env.set("XPCSHELL_TEST_PROFILE_DIR", profd);
+
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+function load_cert(cert_name, trust_string) {
+  let cert_filename = cert_name + ".pem";
+  return addCertFromFile(
+    certdb,
+    "test_cert_trust/" + cert_filename,
+    trust_string
+  );
+}
+
+function run_test() {
+  let certList = ["ca", "int", "ee"];
+  let loadedCerts = [];
+  for (let certName of certList) {
+    loadedCerts.push(load_cert(certName, ",,"));
+  }
+
+  let ca_cert = loadedCerts[0];
+  notEqual(ca_cert, null, "CA cert should have successfully loaded");
+  let int_cert = loadedCerts[1];
+  notEqual(int_cert, null, "Intermediate cert should have successfully loaded");
+  let ee_cert = loadedCerts[2];
+  notEqual(ee_cert, null, "EE cert should have successfully loaded");
+}
diff --git a/security/manager/ssl/tests/unit/test_nsCertType.js b/security/manager/ssl/tests/unit/test_nsCertType.js
new file mode 100644
index 0000000000..8341575473
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_nsCertType.js
@@ -0,0 +1,32 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+//
+// While the Netscape certificate type extension is not a standard and has been
+// discouraged from use for quite some time, it is still encountered. Thus, we
+// handle it slightly differently from other unknown extensions.
+// If it is not marked critical, we ignore it.
+// If it is marked critical:
+//   If the basic constraints and extended key usage extensions are also
+//   present, we ignore it, because they are standardized and should convey the
+//   same information.
+//   Otherwise, we reject it with an error indicating an unknown critical
+//   extension.
+
+"use strict";
+
+function run_test() {
+  do_get_profile();
+  add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+  add_connection_test("nsCertTypeNotCritical.example.com", PRErrorCodeSuccess);
+  add_connection_test(
+    "nsCertTypeCriticalWithExtKeyUsage.example.com",
+    PRErrorCodeSuccess
+  );
+  add_connection_test(
+    "nsCertTypeCritical.example.com",
+    SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION
+  );
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_nsIX509CertValidity.js b/security/manager/ssl/tests/unit/test_nsIX509CertValidity.js
new file mode 100644
index 0000000000..8650409df7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_nsIX509CertValidity.js
@@ -0,0 +1,25 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// This file tests the nsIX509CertValidity implementation.
+
+function run_test() {
+  // Date.parse("2013-01-01T00:00:00Z")
+  const NOT_BEFORE_IN_MS = 1356998400000;
+  // Date.parse("2014-01-01T00:00:00Z")
+  const NOT_AFTER_IN_MS = 1388534400000;
+  let cert = constructCertFromFile("bad_certs/expired-ee.pem");
+
+  equal(
+    cert.validity.notBefore,
+    NOT_BEFORE_IN_MS * 1000,
+    "Actual and expected notBefore should be equal"
+  );
+  equal(
+    cert.validity.notAfter,
+    NOT_AFTER_IN_MS * 1000,
+    "Actual and expected notAfter should be equal"
+  );
+}
diff --git a/security/manager/ssl/tests/unit/test_nsIX509Cert_utf8.js b/security/manager/ssl/tests/unit/test_nsIX509Cert_utf8.js
new file mode 100644
index 0000000000..6305b878b4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_nsIX509Cert_utf8.js
@@ -0,0 +1,96 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Checks that various nsIX509Cert attributes correctly handle UTF-8.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+function run_test() {
+  let cert = certDB.constructX509FromBase64(
+    "MIIF3DCCBMSgAwIBAgIEAJiZbzANBgkqhkiG9w0BAQUFADCCAQ0xYTBfBgNVBAMM" +
+      "WEkuQ0EgLSBRdWFsaWZpZWQgcm9vdCBjZXJ0aWZpY2F0ZSAoa3ZhbGlmaWtvdmFu" +
+      "w70gY2VydGlmaWvDoXQgcG9za3l0b3ZhdGVsZSkgLSBQU0VVRE9OWU0xCzAJBgNV" +
+      "BAYTAkNaMS8wLQYDVQQHDCZQb2R2aW5uw70gbWzDvW4gMjE3OC82LCAxOTAgMDAg" +
+      "UHJhaGEgOTEsMCoGA1UECgwjUHJ2bsOtIGNlcnRpZmlrYcSNbsOtIGF1dG9yaXRh" +
+      "IGEucy4xPDA6BgNVBAsMM0FrcmVkaXRvdmFuw70gcG9za3l0b3ZhdGVsIGNlcnRp" +
+      "ZmlrYcSNbsOtY2ggc2x1xb5lYjAeFw0wMjEyMTIxMzMzNDZaFw0wMzEyMTIxMzMz" +
+      "NDZaMIIBFDELMAkGA1UEBhMCQ1oxHzAdBgNVBAMeFgBMAHUAZAEbAGsAIABSAGEB" +
+      "YQBlAGsxGTAXBgNVBAgeEABWAHkAcwBvAQ0AaQBuAGExLzAtBgNVBAceJgBQAGEA" +
+      "YwBvAHYALAAgAE4A4QBkAHIAYQF+AG4A7QAgADcANgA5MSUwIwYJKoZIhvcNAQkB" +
+      "FhZsdWRlay5yYXNla0BjZW50cnVtLmN6MRMwEQYDVQQqHgoATAB1AGQBGwBrMQ0w" +
+      "CwYDVQQrHgQATABSMR8wHQYDVQQpHhYATAB1AGQBGwBrACAAUgBhAWEAZQBrMRMw" +
+      "EQYDVQQEHgoAUgBhAWEAZQBrMRcwFQYDVQQFEw5JQ0EgLSAxMDAwMzc2OTCBnzAN" +
+      "BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxc7dGd0cNlHZ7tUUl5k30bfYlY3lnOD0" +
+      "49JGbTXSt4jNFMRLj6s/777W3kcIdcIwdKxjQULBKgryDvZJ1DAWp2TwzhPDVYj3" +
+      "sU4Niqb7mOUcp/4ckteUxGF6FmXtJR9+XHTuLZ+omF9HOUefheBKnXvZuqrLM16y" +
+      "nbJn4sPwwdcCAwEAAaOCAbswggG3MCUGA1UdEQQeMBygGgYKKwMGAQQB3BkCAaAM" +
+      "DAoxNzYyODk2ODgzMGkGA1UdHwRiMGAwHqAcoBqGGGh0dHA6Ly9xLmljYS5jei9x" +
+      "aWNhLmNybDAeoBygGoYYaHR0cDovL2IuaWNhLmN6L3FpY2EuY3JsMB6gHKAahhho" +
+      "dHRwOi8vci5pY2EuY3ovcWljYS5jcmwwHwYDVR0jBBgwFoAUK1oKfvvlDYUsZTBy" +
+      "vGN701mca/UwHQYDVR0OBBYEFPAs70DB+LS0PnA6niPUfJ5wdQH5MIG4BgNVHSAE" +
+      "gbAwga0wgaoGCysGAQQBs2EBAQQEMIGaMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3" +
+      "LmljYS5jei9xY3AvY3BxcGljYTAyLnBkZjBnBggrBgEFBQcCAjBbGllUZW50byBj" +
+      "ZXJ0aWZpa2F0IGplIHZ5ZGFuIGpha28gS3ZhbGlmaWtvdmFueSBjZXJ0aWZpa2F0" +
+      "IHYgc291bGFkdSBzZSB6YWtvbmVtIDIyNy8yMDAwIFNiLjAYBggrBgEFBQcBAwQM" +
+      "MAowCAYGBACORgEBMA4GA1UdDwEB/wQEAwIE8DANBgkqhkiG9w0BAQUFAAOCAQEA" +
+      "v2V+nnYYMIgabmmgHx49CtlZIHdGS3TuWKXw130xFhbXDnNhEbx3alaskNsvjQQR" +
+      "Lqs1ZwKy58yynse+eJYHqenmHDACpAfVpCF9PXC/mDarVsoQw7NTcUpsAFhSd/zT" +
+      "v9jIf3twECyxx/RVzONVcob7nPePESHiKoG4FbtcuUh0wSHvCmTwRIQqPDCIuHcF" +
+      "StSt3Jr9iXcbXEhe4mSccOZ8N+r7Rv3ncKcevlRl7uFfDKDTyd43SZeRS/7J8KRf" +
+      "hD/h2nawrCFwc5gJW10aLJGFL/mcS7ViAIT9HCVk23j4TuBjsVmnZ0VKxB5edux+" +
+      "LIEqtU428UVHZWU/I5ngLw=="
+  );
+
+  equal(
+    cert.emailAddress,
+    "ludek.rasek@centrum.cz",
+    "Actual and expected emailAddress should match"
+  );
+  equal(
+    cert.subjectName,
+    'serialNumber=ICA - 10003769,SN=Rašek,name=Luděk Rašek,initials=LR,givenName=Luděk,E=ludek.rasek@centrum.cz,L="Pacov, Nádražní 769",ST=Vyso�ina,CN=Luděk Rašek,C=CZ',
+    "Actual and expected subjectName should match"
+  );
+  equal(
+    cert.commonName,
+    "Luděk Rašek",
+    "Actual and expected commonName should match"
+  );
+  equal(cert.organization, "", "Actual and expected organization should match");
+  equal(
+    cert.organizationalUnit,
+    "",
+    "Actual and expected organizationalUnit should match"
+  );
+  equal(
+    cert.displayName,
+    "Luděk Rašek",
+    "Actual and expected displayName should match"
+  );
+  equal(
+    cert.issuerName,
+    'OU=Akreditovaný poskytovatel certifika�ních služeb,O=První certifika�ní autorita a.s.,L="Podvinný mlýn 2178/6, 190 00 Praha 9",C=CZ,CN=I.CA - Qualified root certificate (kvalifikovaný certifikát poskytovatele) - PSEUDONYM',
+    "Actual and expected issuerName should match"
+  );
+  equal(
+    cert.issuerCommonName,
+    "I.CA - Qualified root certificate (kvalifikovaný certifikát poskytovatele) - PSEUDONYM",
+    "Actual and expected issuerCommonName should match"
+  );
+  equal(
+    cert.issuerOrganization,
+    "První certifika�ní autorita a.s.",
+    "Actual and expected issuerOrganization should match"
+  );
+  equal(
+    cert.issuerOrganizationUnit,
+    "Akreditovaný poskytovatel certifika�ních služeb",
+    "Actual and expected issuerOrganizationUnit should match"
+  );
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_caching.js b/security/manager/ssl/tests/unit/test_ocsp_caching.js
new file mode 100644
index 0000000000..b964018518
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js
@@ -0,0 +1,479 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Checks various aspects of the OCSP cache, mainly to to ensure we do not fetch
+// responses more than necessary.
+
+var gFetchCount = 0;
+var gGoodOCSPResponse = null;
+var gResponsePattern = [];
+
+function respondWithGoodOCSP(request, response) {
+  info("returning 200 OK");
+  response.setStatusLine(request.httpVersion, 200, "OK");
+  response.setHeader("Content-Type", "application/ocsp-response");
+  response.write(gGoodOCSPResponse);
+}
+
+function respondWithSHA1OCSP(request, response) {
+  info("returning 200 OK with sha-1 delegated response");
+  response.setStatusLine(request.httpVersion, 200, "OK");
+  response.setHeader("Content-Type", "application/ocsp-response");
+
+  let args = [["good-delegated", "default-ee", "delegatedSHA1Signer", 0]];
+  let responses = generateOCSPResponses(args, "ocsp_certs");
+  response.write(responses[0]);
+}
+
+function respondWithError(request, response) {
+  info("returning 500 Internal Server Error");
+  response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+  let body = "Refusing to return a response";
+  response.bodyOutputStream.write(body, body.length);
+}
+
+function generateGoodOCSPResponse(thisUpdateSkew) {
+  let args = [["good", "default-ee", "unused", thisUpdateSkew]];
+  let responses = generateOCSPResponses(args, "ocsp_certs");
+  return responses[0];
+}
+
+function add_ocsp_test(
+  aHost,
+  aExpectedResult,
+  aResponses,
+  aMessage,
+  aOriginAttributes
+) {
+  add_connection_test(
+    aHost,
+    aExpectedResult,
+    function () {
+      clearSessionCache();
+      gFetchCount = 0;
+      gResponsePattern = aResponses;
+    },
+    function () {
+      // check the number of requests matches the size of aResponses
+      equal(gFetchCount, aResponses.length, aMessage);
+    },
+    null,
+    aOriginAttributes
+  );
+}
+
+function run_test() {
+  do_get_profile();
+  Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+  add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+  let ocspResponder = new HttpServer();
+  ocspResponder.registerPrefixHandler("/", function (request, response) {
+    info("gFetchCount: " + gFetchCount);
+    let responseFunction = gResponsePattern[gFetchCount];
+    Assert.notEqual(undefined, responseFunction);
+
+    ++gFetchCount;
+    responseFunction(request, response);
+  });
+  ocspResponder.start(8888);
+
+  add_tests();
+
+  add_test(function () {
+    ocspResponder.stop(run_next_test);
+  });
+  run_next_test();
+}
+
+function add_tests() {
+  // Test that verifying a certificate with a "short lifetime" doesn't result
+  // in OCSP fetching. Due to longevity requirements in our testing
+  // infrastructure, the certificate we encounter is valid for a very long
+  // time, so we have to define a "short lifetime" as something very long.
+  add_test(function () {
+    Services.prefs.setIntPref(
+      "security.pki.cert_short_lifetime_in_days",
+      12000
+    );
+    run_next_test();
+  });
+
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    [],
+    "expected zero OCSP requests for a short-lived certificate"
+  );
+
+  add_test(function () {
+    Services.prefs.setIntPref("security.pki.cert_short_lifetime_in_days", 100);
+    run_next_test();
+  });
+
+  // If a "short lifetime" is something more reasonable, ensure that we do OCSP
+  // fetching for this long-lived certificate.
+
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    [respondWithError],
+    "expected one OCSP request for a long-lived certificate"
+  );
+  add_test(function () {
+    Services.prefs.clearUserPref("security.pki.cert_short_lifetime_in_days");
+    run_next_test();
+  });
+  // ---------------------------------------------------------------------------
+
+  // Reset state
+  add_test(function () {
+    clearOCSPCache();
+    run_next_test();
+  });
+
+  // This test assumes that OCSPStaplingServer uses the same cert for
+  // ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com.
+
+  // Get an Unknown response for the *.example.com cert and put it in the
+  // OCSP cache.
+  add_ocsp_test(
+    "ocsp-stapling-unknown.example.com",
+    SEC_ERROR_OCSP_UNKNOWN_CERT,
+    [],
+    "Stapled Unknown response -> a fetch should not have been attempted"
+  );
+
+  // A failure to retrieve an OCSP response must result in the cached Unknown
+  // response being recognized and honored.
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    SEC_ERROR_OCSP_UNKNOWN_CERT,
+    [respondWithError, respondWithError],
+    "No stapled response -> a fetch should have been attempted"
+  );
+
+  // A valid Good response from the OCSP responder must override the cached
+  // Unknown response.
+  //
+  // Note that We need to make sure that the Unknown response and the Good
+  // response have different thisUpdate timestamps; otherwise, the Good
+  // response will be seen as "not newer" and it won't replace the existing
+  // entry.
+  add_test(function () {
+    gGoodOCSPResponse = generateGoodOCSPResponse(1200);
+    run_next_test();
+  });
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    [respondWithGoodOCSP],
+    "Cached Unknown response, no stapled response -> a fetch" +
+      " should have been attempted"
+  );
+
+  // The Good response retrieved from the previous fetch must have replaced
+  // the Unknown response in the cache, resulting in the catched Good response
+  // being returned and no fetch.
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    [],
+    "Cached Good response -> a fetch should not have been attempted"
+  );
+
+  // ---------------------------------------------------------------------------
+
+  // Reset state
+  add_test(function () {
+    clearOCSPCache();
+    run_next_test();
+  });
+
+  // A failure to retrieve an OCSP response will result in an error entry being
+  // added to the cache.
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    [respondWithError],
+    "No stapled response -> a fetch should have been attempted"
+  );
+
+  // The error entry will prevent a fetch from happening for a while.
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    [],
+    "Noted OCSP server failure -> a fetch should not have been attempted"
+  );
+
+  // The error entry must not prevent a stapled OCSP response from being
+  // honored.
+  add_ocsp_test(
+    "ocsp-stapling-revoked.example.com",
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    [],
+    "Stapled Revoked response -> a fetch should not have been attempted"
+  );
+
+  // ---------------------------------------------------------------------------
+
+  // Ensure OCSP responses from signers with SHA1 certificates are OK. This
+  // is included in the OCSP caching tests since there were OCSP cache-related
+  // regressions when sha-1 telemetry probes were added.
+  add_test(function () {
+    clearOCSPCache();
+    // set security.OCSP.require so that checking the OCSP signature fails
+    Services.prefs.setBoolPref("security.OCSP.require", true);
+    run_next_test();
+  });
+
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+    [respondWithSHA1OCSP],
+    "OCSP signing cert was issued with sha1 - should fail"
+  );
+
+  add_test(function () {
+    Services.prefs.setBoolPref("security.OCSP.require", false);
+    run_next_test();
+  });
+
+  // ---------------------------------------------------------------------------
+
+  // Reset state
+  add_test(function () {
+    clearOCSPCache();
+    run_next_test();
+  });
+
+  // This test makes sure that OCSP cache are isolated by firstPartyDomain.
+
+  let gObservedCnt = 0;
+  let protocolProxyService = Cc[
+    "@mozilla.org/network/protocol-proxy-service;1"
+  ].getService(Ci.nsIProtocolProxyService);
+
+  // Observe all channels and make sure the firstPartyDomain in their loadInfo's
+  // origin attributes are aFirstPartyDomain.
+  function startObservingChannels(aFirstPartyDomain) {
+    // We use a dummy proxy filter to catch all channels, even those that do not
+    // generate an "http-on-modify-request" notification.
+    let proxyFilter = {
+      applyFilter(aChannel, aProxy, aCallback) {
+        // We have the channel; provide it to the callback.
+        if (aChannel.originalURI.spec == "http://localhost:8888/") {
+          gObservedCnt++;
+          equal(
+            aChannel.loadInfo.originAttributes.firstPartyDomain,
+            aFirstPartyDomain,
+            "firstPartyDomain should match"
+          );
+        }
+        // Pass on aProxy unmodified.
+        aCallback.onProxyFilterResult(aProxy);
+      },
+    };
+    protocolProxyService.registerChannelFilter(proxyFilter, 0);
+    // Return the stop() function:
+    return () => protocolProxyService.unregisterChannelFilter(proxyFilter);
+  }
+
+  let stopObservingChannels;
+  add_test(function () {
+    stopObservingChannels = startObservingChannels("foo.com");
+    run_next_test();
+  });
+
+  // A good OCSP response will be cached.
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    [respondWithGoodOCSP],
+    "No stapled response (firstPartyDomain = foo.com) -> a fetch " +
+      "should have been attempted",
+    { firstPartyDomain: "foo.com" }
+  );
+
+  // The cache will prevent a fetch from happening.
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    [],
+    "Noted OCSP server failure (firstPartyDomain = foo.com) -> a " +
+      "fetch should not have been attempted",
+    { firstPartyDomain: "foo.com" }
+  );
+
+  add_test(function () {
+    stopObservingChannels();
+    equal(gObservedCnt, 1, "should have observed only 1 OCSP requests");
+    gObservedCnt = 0;
+    run_next_test();
+  });
+
+  add_test(function () {
+    stopObservingChannels = startObservingChannels("bar.com");
+    run_next_test();
+  });
+
+  // But using a different firstPartyDomain should result in a fetch.
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    [respondWithGoodOCSP],
+    "No stapled response (firstPartyDomain = bar.com) -> a fetch " +
+      "should have been attempted",
+    { firstPartyDomain: "bar.com" }
+  );
+
+  add_test(function () {
+    stopObservingChannels();
+    equal(gObservedCnt, 1, "should have observed only 1 OCSP requests");
+    gObservedCnt = 0;
+    run_next_test();
+  });
+
+  // ---------------------------------------------------------------------------
+
+  // Reset state
+  add_test(function () {
+    clearOCSPCache();
+    run_next_test();
+  });
+
+  // Test that the OCSP cache is not isolated by userContextId.
+
+  // A good OCSP response will be cached.
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    [respondWithGoodOCSP],
+    "No stapled response (userContextId = 1) -> a fetch " +
+      "should have been attempted",
+    { userContextId: 1 }
+  );
+
+  // The cache will prevent a fetch from happening.
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    [],
+    "Noted OCSP server failure (userContextId = 1) -> a " +
+      "fetch should not have been attempted",
+    { userContextId: 1 }
+  );
+
+  // Fetching is prevented even if in a different userContextId.
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    [],
+    "Noted OCSP server failure (userContextId = 2) -> a " +
+      "fetch should not have been attempted",
+    { userContextId: 2 }
+  );
+
+  // ---------------------------------------------------------------------------
+
+  // Reset state
+  add_test(function () {
+    clearOCSPCache();
+    run_next_test();
+  });
+
+  // This test makes sure that OCSP cache are isolated by partitionKey.
+
+  add_test(function () {
+    Services.prefs.setBoolPref(
+      "privacy.partition.network_state.ocsp_cache",
+      true
+    );
+    run_next_test();
+  });
+
+  // A good OCSP response will be cached.
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    [respondWithGoodOCSP],
+    "No stapled response (partitionKey = (https,foo.com)) -> a fetch " +
+      "should have been attempted",
+    { partitionKey: "(https,foo.com)" }
+  );
+
+  // The cache will prevent a fetch from happening.
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    [],
+    "Noted OCSP server failure (partitionKey = (https,foo.com)) -> a " +
+      "fetch should not have been attempted",
+    { partitionKey: "(https,foo.com)" }
+  );
+
+  // Using a different partitionKey should result in a fetch.
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    [respondWithGoodOCSP],
+    "Noted OCSP server failure (partitionKey = (https,bar.com)) -> a " +
+      "fetch should have been attempted",
+    { partitionKey: "(https,bar.com)" }
+  );
+
+  // ---------------------------------------------------------------------------
+
+  // Reset state
+  add_test(function () {
+    Services.prefs.clearUserPref("privacy.partition.network_state.ocsp_cache");
+    clearOCSPCache();
+    run_next_test();
+  });
+
+  // This test makes sure that OCSP cache are isolated by partitionKey in
+  // private mode.
+
+  // A good OCSP response will be cached.
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    [respondWithGoodOCSP],
+    "No stapled response (partitionKey = (https,foo.com)) -> a fetch " +
+      "should have been attempted",
+    { partitionKey: "(https,foo.com)", privateBrowsingId: 1 }
+  );
+
+  // The cache will prevent a fetch from happening.
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    [],
+    "Noted OCSP server failure (partitionKey = (https,foo.com)) -> a " +
+      "fetch should not have been attempted",
+    { partitionKey: "(https,foo.com)", privateBrowsingId: 1 }
+  );
+
+  // Using a different partitionKey should result in a fetch.
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    [respondWithGoodOCSP],
+    "Noted OCSP server failure (partitionKey = (https,bar.com)) -> a " +
+      "fetch should have been attempted",
+    { partitionKey: "(https,bar.com)", privateBrowsingId: 1 }
+  );
+
+  // ---------------------------------------------------------------------------
+
+  // Reset state
+  add_test(function () {
+    clearOCSPCache();
+    run_next_test();
+  });
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js b/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
new file mode 100644
index 0000000000..00b1fc02a9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
@@ -0,0 +1,146 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Checks that the security.OCSP.enabled pref correctly controls OCSP fetching
+// behavior.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+const SERVER_PORT = 8888;
+
+function certFromFile(filename) {
+  return constructCertFromFile(`test_ev_certs/${filename}.pem`);
+}
+
+function loadCert(certName, trustString) {
+  addCertFromFile(gCertDB, `test_ev_certs/${certName}.pem`, trustString);
+}
+
+function getFailingOCSPResponder() {
+  return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
+}
+
+function getOCSPResponder(expectedCertNames) {
+  return startOCSPResponder(
+    SERVER_PORT,
+    "www.example.com",
+    "test_ev_certs",
+    expectedCertNames,
+    []
+  );
+}
+
+// Tests that in ocspOff mode, OCSP fetches are never done.
+async function testOff() {
+  Services.prefs.setIntPref("security.OCSP.enabled", 0);
+  info("Setting security.OCSP.enabled to 0");
+
+  // EV chains should verify successfully but never get EV status.
+  clearOCSPCache();
+  let ocspResponder = getFailingOCSPResponder();
+  await checkEVStatus(
+    gCertDB,
+    certFromFile("test-oid-path-ee"),
+    certificateUsageSSLServer,
+    false
+  );
+  await stopOCSPResponder(ocspResponder);
+
+  // A DV chain should verify successfully.
+  clearOCSPCache();
+  ocspResponder = getFailingOCSPResponder();
+  await checkCertErrorGeneric(
+    gCertDB,
+    certFromFile("non-ev-root-path-ee"),
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer
+  );
+  await stopOCSPResponder(ocspResponder);
+}
+
+// Tests that in ocspOn mode, OCSP fetches are done for both EV and DV certs.
+async function testOn() {
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+  info("Setting security.OCSP.enabled to 1");
+
+  // If a successful OCSP response is fetched, then an EV chain should verify
+  // successfully and get EV status as well.
+  clearOCSPCache();
+  let ocspResponder = getOCSPResponder(["test-oid-path-ee"]);
+  await checkEVStatus(
+    gCertDB,
+    certFromFile("test-oid-path-ee"),
+    certificateUsageSSLServer,
+    gEVExpected
+  );
+  await stopOCSPResponder(ocspResponder);
+
+  // If a successful OCSP response is fetched, then a DV chain should verify
+  // successfully.
+  clearOCSPCache();
+  ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]);
+  await checkCertErrorGeneric(
+    gCertDB,
+    certFromFile("non-ev-root-path-ee"),
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer
+  );
+  await stopOCSPResponder(ocspResponder);
+}
+
+// Tests that in ocspEVOnly mode, OCSP fetches are done for EV certs only.
+async function testEVOnly() {
+  Services.prefs.setIntPref("security.OCSP.enabled", 2);
+  info("Setting security.OCSP.enabled to 2");
+
+  // If a successful OCSP response is fetched, then an EV chain should verify
+  // successfully and get EV status as well.
+  clearOCSPCache();
+  let ocspResponder = gEVExpected
+    ? getOCSPResponder(["test-oid-path-ee"])
+    : getFailingOCSPResponder();
+  await checkEVStatus(
+    gCertDB,
+    certFromFile("test-oid-path-ee"),
+    certificateUsageSSLServer,
+    gEVExpected
+  );
+  await stopOCSPResponder(ocspResponder);
+
+  // A DV chain should verify successfully even without doing OCSP fetches.
+  clearOCSPCache();
+  ocspResponder = getFailingOCSPResponder();
+  await checkCertErrorGeneric(
+    gCertDB,
+    certFromFile("non-ev-root-path-ee"),
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer
+  );
+  await stopOCSPResponder(ocspResponder);
+}
+
+add_task(async function () {
+  registerCleanupFunction(() => {
+    Services.prefs.clearUserPref("network.dns.localDomains");
+    Services.prefs.clearUserPref("security.OCSP.enabled");
+    Services.prefs.clearUserPref("security.OCSP.require");
+  });
+  Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+  // Enable hard fail to ensure chains that should only succeed because they get
+  // a good OCSP response do not succeed due to soft fail leniency.
+  Services.prefs.setBoolPref("security.OCSP.require", true);
+
+  loadCert("evroot", "CTu,,");
+  loadCert("test-oid-path-int", ",,");
+  loadCert("non-evroot-ca", "CTu,,");
+  loadCert("non-ev-root-path-int", ",,");
+
+  await testOff();
+  await testOn();
+  await testEVOnly();
+});
diff --git a/security/manager/ssl/tests/unit/test_ocsp_must_staple.js b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
new file mode 100644
index 0000000000..32ac332e61
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
@@ -0,0 +1,160 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Tests OCSP Must Staple handling by connecting to various domains (as faked by
+// a server running locally) that correspond to combinations of whether the
+// extension is present in intermediate and end-entity certificates.
+
+var gExpectOCSPRequest;
+
+function add_ocsp_test(
+  aHost,
+  aExpectedResult,
+  aStaplingEnabled,
+  aExpectOCSPRequest = false,
+  aWithSecurityInfo = undefined
+) {
+  add_connection_test(
+    aHost,
+    aExpectedResult,
+    function () {
+      gExpectOCSPRequest = aExpectOCSPRequest;
+      clearOCSPCache();
+      clearSessionCache();
+      Services.prefs.setBoolPref(
+        "security.ssl.enable_ocsp_stapling",
+        aStaplingEnabled
+      );
+    },
+    aWithSecurityInfo
+  );
+}
+
+function add_tests() {
+  // Next, a case where it's present in the intermediate, not the ee
+  add_ocsp_test(
+    "ocsp-stapling-plain-ee-with-must-staple-int.example.com",
+    MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
+    true
+  );
+
+  // We disable OCSP stapling in the next two tests so we can perform checks
+  // on TLS Features in the chain without needing to support the TLS
+  // extension values used.
+  // Test an issuer with multiple TLS features in matched in the EE
+  add_ocsp_test(
+    "multi-tls-feature-good.example.com",
+    PRErrorCodeSuccess,
+    false
+  );
+
+  // Finally, an issuer with multiple TLS features not matched by the EE.
+  add_ocsp_test(
+    "multi-tls-feature-bad.example.com",
+    MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
+    false
+  );
+
+  // Now a bunch of operations with only a must-staple ee
+  add_ocsp_test(
+    "ocsp-stapling-must-staple.example.com",
+    PRErrorCodeSuccess,
+    true
+  );
+
+  add_ocsp_test(
+    "ocsp-stapling-must-staple-revoked.example.com",
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    true
+  );
+
+  add_ocsp_test(
+    "ocsp-stapling-must-staple-missing.example.com",
+    MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
+    true,
+    true
+  );
+
+  add_ocsp_test(
+    "ocsp-stapling-must-staple-empty.example.com",
+    SEC_ERROR_OCSP_MALFORMED_RESPONSE,
+    true
+  );
+
+  add_ocsp_test(
+    "ocsp-stapling-must-staple-missing.example.com",
+    PRErrorCodeSuccess,
+    false,
+    true
+  );
+
+  // If the stapled response is expired, we will try to fetch a new one.
+  // If that fails, we should report the original error.
+  add_ocsp_test(
+    "ocsp-stapling-must-staple-expired.example.com",
+    SEC_ERROR_OCSP_OLD_RESPONSE,
+    true,
+    true
+  );
+  // Similarly with a "try server later" response.
+  add_ocsp_test(
+    "ocsp-stapling-must-staple-try-later.example.com",
+    SEC_ERROR_OCSP_TRY_SERVER_LATER,
+    true,
+    true
+  );
+  // And again with an invalid OCSP response signing certificate.
+  add_ocsp_test(
+    "ocsp-stapling-must-staple-invalid-signer.example.com",
+    SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+    true,
+    true
+  );
+
+  // check that disabling must-staple works
+  add_test(function () {
+    clearSessionCache();
+    Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", false);
+    run_next_test();
+  });
+
+  add_ocsp_test(
+    "ocsp-stapling-must-staple-missing.example.com",
+    PRErrorCodeSuccess,
+    true,
+    true
+  );
+}
+
+function run_test() {
+  do_get_profile();
+  Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", true);
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+  // This test may sometimes fail on android due to an OCSP request timing out.
+  // That aspect of OCSP requests is not what we're testing here, so we can just
+  // bump the timeout and hopefully avoid these failures.
+  Services.prefs.setIntPref("security.OCSP.timeoutMilliseconds.soft", 5000);
+
+  let fakeOCSPResponder = new HttpServer();
+  fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
+    response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+    ok(
+      gExpectOCSPRequest,
+      "Should be getting an OCSP request only when expected"
+    );
+  });
+  fakeOCSPResponder.start(8888);
+
+  add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+  add_tests();
+
+  add_test(function () {
+    fakeOCSPResponder.stop(run_next_test);
+  });
+
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js b/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
new file mode 100644
index 0000000000..ed5d0a3e00
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
@@ -0,0 +1,58 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Test that if an OCSP request is made to a domain that (erroneously)
+// has HSTS status, the request is not upgraded from HTTP to HTTPS.
+
+function run_test() {
+  do_get_profile();
+  // OCSP required means this test will only pass if the request succeeds.
+  Services.prefs.setBoolPref("security.OCSP.require", true);
+
+  // We don't actually make use of stapling in this test. This is just how we
+  // get a TLS connection.
+  add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+  let args = [["good", "default-ee", "unused", 0]];
+  let ocspResponses = generateOCSPResponses(args, "ocsp_certs");
+  let goodOCSPResponse = ocspResponses[0];
+
+  let ocspResponder = new HttpServer();
+  ocspResponder.registerPrefixHandler("/", function (request, response) {
+    response.setStatusLine(request.httpVersion, 200, "OK");
+    response.setHeader("Content-Type", "application/ocsp-response");
+    response.write(goodOCSPResponse);
+  });
+  ocspResponder.start(8888);
+
+  // ocsp-stapling-none.example.com does not staple an OCSP response in the
+  // handshake, so the revocation checking code will attempt to fetch one.
+  // Since the domain of the certificate's OCSP AIA URI is an HSTS host
+  // (as added in the setup of this test, below), a buggy implementation would
+  // upgrade the OCSP request to HTTPS. We specifically prevent this. This
+  // test demonstrates that our implementation is correct in this regard.
+  add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess);
+  add_test(function () {
+    run_next_test();
+  });
+
+  add_test(function () {
+    ocspResponder.stop(run_next_test);
+  });
+
+  let SSService = Cc["@mozilla.org/ssservice;1"].getService(
+    Ci.nsISiteSecurityService
+  );
+  let uri = Services.io.newURI("http://localhost");
+  SSService.processHeader(uri, "max-age=10000");
+  ok(
+    SSService.isSecureURI(uri),
+    "Domain for the OCSP AIA URI should be considered a HSTS host, otherwise" +
+      " we wouldn't be testing what we think we're testing"
+  );
+
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_private_caching.js b/security/manager/ssl/tests/unit/test_ocsp_private_caching.js
new file mode 100644
index 0000000000..47b976cf71
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_private_caching.js
@@ -0,0 +1,115 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// In which we connect to a host and encounter OCSP responses with the
+// Cache-Control header set, which normally Necko would cache. This test
+// ensures that these responses aren't cached. PSM has its own OCSP cache, so
+// Necko shouldn't also be caching them.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+const SERVER_PORT = 8888;
+
+function add_flush_cache() {
+  add_test(() => {
+    // This appears to either fire multiple times or fire once for every
+    // observer that has ever been passed to flush. To prevent multiple calls to
+    // run_next_test, keep track of if this observer has already called it.
+    let observed = false;
+    let observer = {
+      observe: () => {
+        if (!observed) {
+          observed = true;
+          run_next_test();
+        }
+      },
+    };
+    Services.cache2.QueryInterface(Ci.nsICacheTesting).flush(observer);
+  });
+}
+
+function add_ocsp_necko_cache_test(loadContext) {
+  // Pre-testcase cleanup/setup.
+  add_test(() => {
+    Services.cache2.clear();
+    run_next_test();
+  });
+  add_flush_cache();
+
+  let responder;
+  add_test(() => {
+    clearOCSPCache();
+    clearSessionCache();
+    responder = startOCSPResponder(
+      SERVER_PORT,
+      "localhost",
+      "ocsp_certs",
+      ["default-ee"],
+      [],
+      [],
+      [],
+      [["Cache-Control", "max-age=1000"]]
+    );
+    run_next_test();
+  });
+
+  // Prepare a connection that will cause an OCSP request.
+  add_connection_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    null,
+    null,
+    null,
+    loadContext.originAttributes
+  );
+
+  add_flush_cache();
+
+  // Traverse the cache and ensure the response was not cached.
+  add_test(() => {
+    let foundEntry = false;
+    let visitor = {
+      onCacheStorageInfo() {},
+      onCacheEntryInfo(
+        aURI,
+        aIdEnhance,
+        aDataSize,
+        aFetchCount,
+        aLastModifiedTime,
+        aExpirationTime,
+        aPinned,
+        aInfo
+      ) {
+        Assert.equal(
+          aURI.spec,
+          "http://localhost:8888/",
+          "expected OCSP request URI should match"
+        );
+        foundEntry = true;
+      },
+      onCacheEntryVisitCompleted() {
+        Assert.ok(!foundEntry, "should not find a cached entry");
+        run_next_test();
+      },
+      QueryInterface: ChromeUtils.generateQI(["nsICacheStorageVisitor"]),
+    };
+    Services.cache2.asyncVisitAllStorages(visitor, true);
+  });
+
+  // Clean up (stop the responder).
+  add_test(() => {
+    responder.stop(run_next_test);
+  });
+}
+
+function run_test() {
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+  add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+  add_ocsp_necko_cache_test(Services.loadContextInfo.private);
+  add_ocsp_necko_cache_test(Services.loadContextInfo.default);
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_required.js b/security/manager/ssl/tests/unit/test_ocsp_required.js
new file mode 100644
index 0000000000..3b2cceed72
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_required.js
@@ -0,0 +1,95 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// In which we connect to a domain (as faked by a server running locally) and
+// start up an OCSP responder (also basically faked) that gives a response with
+// a bad signature (and later, an empty response). With security.OCSP.require
+// set to true, these connections should fail (but they also shouldn't cause
+// assertion failures).
+
+var gOCSPRequestCount = 0;
+var gOCSPResponse;
+
+function run_test() {
+  do_get_profile();
+  Services.prefs.setBoolPref("security.OCSP.require", true);
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+  // We don't actually make use of stapling in this test. This is just how we
+  // get a TLS connection.
+  add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+  let args = [["bad-signature", "default-ee", "unused", 0]];
+  let ocspResponses = generateOCSPResponses(args, "ocsp_certs");
+  // Start by replying with a response with a bad signature.
+  gOCSPResponse = ocspResponses[0];
+
+  let ocspResponder = new HttpServer();
+  ocspResponder.registerPrefixHandler("/", function (request, response) {
+    response.setStatusLine(request.httpVersion, 200, "OK");
+    response.setHeader("Content-Type", "application/ocsp-response");
+    response.write(gOCSPResponse);
+    gOCSPRequestCount++;
+  });
+  ocspResponder.start(8888);
+
+  add_tests();
+
+  add_test(function () {
+    ocspResponder.stop(run_next_test);
+  });
+
+  run_next_test();
+}
+
+function add_tests() {
+  add_connection_test(
+    "ocsp-stapling-none.example.com",
+    SEC_ERROR_OCSP_BAD_SIGNATURE,
+    function () {},
+    function (aTransportSecurityInfo) {
+      Assert.ok(
+        aTransportSecurityInfo.madeOCSPRequests,
+        "An OCSP Request should have been made."
+      );
+    }
+  );
+  add_connection_test(
+    "ocsp-stapling-none.example.com",
+    SEC_ERROR_OCSP_BAD_SIGNATURE,
+    function () {},
+    function (aTransportSecurityInfo) {
+      Assert.ok(
+        !aTransportSecurityInfo.madeOCSPRequests,
+        "An OCSP Request should not have been made."
+      );
+    }
+  );
+  add_test(function () {
+    equal(
+      gOCSPRequestCount,
+      1,
+      "OCSP request count should be 1 due to OCSP response caching"
+    );
+    gOCSPRequestCount = 0;
+    // Now set the OCSP responder to reply with 200 OK but empty content.
+    gOCSPResponse = "";
+    clearOCSPCache();
+    run_next_test();
+  });
+
+  add_connection_test(
+    "ocsp-stapling-none.example.com",
+    SEC_ERROR_OCSP_MALFORMED_RESPONSE,
+    function () {},
+    function (aTransportSecurityInfo) {
+      Assert.ok(
+        aTransportSecurityInfo.madeOCSPRequests,
+        "An OCSP Request should have been made."
+      );
+    }
+  );
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling.js b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
new file mode 100644
index 0000000000..990f286289
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
@@ -0,0 +1,393 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// In which we connect to a number of domains (as faked by a server running
+// locally) with and without OCSP stapling enabled to determine that good
+// things happen and bad things don't.
+
+var gExpectOCSPRequest;
+
+function add_ocsp_test(
+  aHost,
+  aExpectedResult,
+  aStaplingEnabled,
+  aExpectOCSPRequest = false
+) {
+  add_connection_test(aHost, aExpectedResult, function () {
+    gExpectOCSPRequest = aExpectOCSPRequest;
+    clearOCSPCache();
+    clearSessionCache();
+    Services.prefs.setBoolPref(
+      "security.ssl.enable_ocsp_stapling",
+      aStaplingEnabled
+    );
+  });
+}
+
+function add_tests() {
+  // In the absence of OCSP stapling, these should actually all work.
+  add_ocsp_test(
+    "ocsp-stapling-good.example.com",
+    PRErrorCodeSuccess,
+    false,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-revoked.example.com",
+    PRErrorCodeSuccess,
+    false,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-good-other-ca.example.com",
+    PRErrorCodeSuccess,
+    false,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-malformed.example.com",
+    PRErrorCodeSuccess,
+    false,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-srverr.example.com",
+    PRErrorCodeSuccess,
+    false,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-trylater.example.com",
+    PRErrorCodeSuccess,
+    false,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-needssig.example.com",
+    PRErrorCodeSuccess,
+    false,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-unauthorized.example.com",
+    PRErrorCodeSuccess,
+    false,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-unknown.example.com",
+    PRErrorCodeSuccess,
+    false,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-good-other.example.com",
+    PRErrorCodeSuccess,
+    false,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    false,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-expired.example.com",
+    PRErrorCodeSuccess,
+    false,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-expired-fresh-ca.example.com",
+    PRErrorCodeSuccess,
+    false,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-skip-responseBytes.example.com",
+    PRErrorCodeSuccess,
+    false,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-critical-extension.example.com",
+    PRErrorCodeSuccess,
+    false,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-noncritical-extension.example.com",
+    PRErrorCodeSuccess,
+    false,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-empty-extensions.example.com",
+    PRErrorCodeSuccess,
+    false,
+    true
+  );
+
+  // Now test OCSP stapling
+  // The following error codes are defined in security/nss/lib/util/SECerrs.h
+
+  add_ocsp_test("ocsp-stapling-good.example.com", PRErrorCodeSuccess, true);
+
+  add_ocsp_test(
+    "ocsp-stapling-revoked.example.com",
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    true
+  );
+
+  // This stapled response is from a CA that is untrusted and did not issue
+  // the server's certificate.
+  let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  let otherTestCA = constructCertFromFile("ocsp_certs/other-test-ca.pem");
+  add_test(function () {
+    certDB.setCertTrust(
+      otherTestCA,
+      Ci.nsIX509Cert.CA_CERT,
+      Ci.nsIX509CertDB.UNTRUSTED
+    );
+    run_next_test();
+  });
+  add_ocsp_test(
+    "ocsp-stapling-good-other-ca.example.com",
+    SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+    true,
+    true
+  );
+
+  // The stapled response is from a CA that is trusted but did not issue the
+  // server's certificate.
+  add_test(function () {
+    certDB.setCertTrust(
+      otherTestCA,
+      Ci.nsIX509Cert.CA_CERT,
+      Ci.nsIX509CertDB.TRUSTED_SSL
+    );
+    run_next_test();
+  });
+  // TODO(bug 979055): When using ByName instead of ByKey, the error here is
+  // SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE. We should be testing both cases.
+  add_ocsp_test(
+    "ocsp-stapling-good-other-ca.example.com",
+    SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+    true,
+    true
+  );
+
+  // TODO: Test the case where the signing cert can't be found at all, which
+  // will result in SEC_ERROR_BAD_DATABASE in the NSS classic case.
+
+  add_ocsp_test(
+    "ocsp-stapling-malformed.example.com",
+    SEC_ERROR_OCSP_MALFORMED_REQUEST,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-srverr.example.com",
+    SEC_ERROR_OCSP_SERVER_ERROR,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-trylater.example.com",
+    SEC_ERROR_OCSP_TRY_SERVER_LATER,
+    true,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-needssig.example.com",
+    SEC_ERROR_OCSP_REQUEST_NEEDS_SIG,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-unauthorized.example.com",
+    SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-unknown.example.com",
+    SEC_ERROR_OCSP_UNKNOWN_CERT,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-good-other.example.com",
+    MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING,
+    true
+  );
+  // If the server doesn't staple an OCSP response, we continue as normal
+  // (this means that even though stapling is enabled, we expect an OCSP
+  // request).
+  add_connection_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    function () {
+      gExpectOCSPRequest = true;
+      clearOCSPCache();
+      clearSessionCache();
+      Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+    }
+  );
+  add_ocsp_test(
+    "ocsp-stapling-empty.example.com",
+    SEC_ERROR_OCSP_MALFORMED_RESPONSE,
+    true
+  );
+
+  add_ocsp_test(
+    "ocsp-stapling-skip-responseBytes.example.com",
+    SEC_ERROR_OCSP_MALFORMED_RESPONSE,
+    true
+  );
+
+  add_ocsp_test(
+    "ocsp-stapling-critical-extension.example.com",
+    SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-noncritical-extension.example.com",
+    PRErrorCodeSuccess,
+    true
+  );
+  // TODO(bug 997994): Disallow empty Extensions in responses
+  add_ocsp_test(
+    "ocsp-stapling-empty-extensions.example.com",
+    PRErrorCodeSuccess,
+    true
+  );
+
+  add_ocsp_test(
+    "ocsp-stapling-delegated-included.example.com",
+    PRErrorCodeSuccess,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-delegated-included-last.example.com",
+    PRErrorCodeSuccess,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-delegated-missing.example.com",
+    SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+    true,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-delegated-missing-multiple.example.com",
+    SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+    true,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-delegated-no-extKeyUsage.example.com",
+    SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+    true,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-delegated-from-intermediate.example.com",
+    SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+    true,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-delegated-keyUsage-crlSigning.example.com",
+    SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+    true,
+    true
+  );
+  add_ocsp_test(
+    "ocsp-stapling-delegated-wrong-extKeyUsage.example.com",
+    SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+    true,
+    true
+  );
+
+  // ocsp-stapling-expired.example.com and
+  // ocsp-stapling-expired-fresh-ca.example.com are handled in
+  // test_ocsp_stapling_expired.js
+
+  // Check that OCSP responder certificates with key sizes below 1024 bits are
+  // rejected, even when the main certificate chain keys are at least 1024 bits.
+  add_ocsp_test(
+    "keysize-ocsp-delegated.example.com",
+    SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+    true,
+    true
+  );
+
+  add_ocsp_test(
+    "revoked-ca-cert-used-as-end-entity.example.com",
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    true
+  );
+}
+
+function check_ocsp_stapling_telemetry() {
+  let histogram = Services.telemetry
+    .getHistogramById("SSL_OCSP_STAPLING")
+    .snapshot();
+  equal(
+    histogram.values[0],
+    0,
+    "Should have 0 connections for unused histogram bucket 0"
+  );
+  equal(
+    histogram.values[1],
+    5,
+    "Actual and expected connections with a good response should match"
+  );
+  equal(
+    histogram.values[2],
+    18,
+    "Actual and expected connections with no stapled response should match"
+  );
+  equal(
+    histogram.values[3] || 0,
+    0,
+    "Actual and expected connections with an expired response should match"
+  );
+  equal(
+    histogram.values[4],
+    21,
+    "Actual and expected connections with bad responses should match"
+  );
+  run_next_test();
+}
+
+function run_test() {
+  do_get_profile();
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+  // This test may sometimes fail on android due to an OCSP request timing out.
+  // That aspect of OCSP requests is not what we're testing here, so we can just
+  // bump the timeout and hopefully avoid these failures.
+  Services.prefs.setIntPref("security.OCSP.timeoutMilliseconds.soft", 5000);
+
+  let fakeOCSPResponder = new HttpServer();
+  fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
+    response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+    ok(
+      gExpectOCSPRequest,
+      "Should be getting an OCSP request only when expected"
+    );
+  });
+  fakeOCSPResponder.start(8888);
+
+  add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+  add_tests();
+
+  add_test(function () {
+    fakeOCSPResponder.stop(check_ocsp_stapling_telemetry);
+  });
+
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
new file mode 100644
index 0000000000..22f552218c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
@@ -0,0 +1,317 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// In which we connect to a number of domains (as faked by a server running
+// locally) with OCSP stapling enabled to determine that good things happen
+// and bad things don't, specifically with respect to various expired OCSP
+// responses (stapled and otherwise).
+// According to RFC 6066, if a stapled OCSP response can't be satisfactorilly
+// verified, the client should terminate the connection. Unfortunately, due to
+// some bugs where servers will staple any old garbage without verifying it, we
+// can't be this strict in practice. Originally this caveat only applied to
+// expired responses, but recent high-profile failures have caused us to expand
+// this to "try later" responses and responses where the signing certificate
+// doesn't verify successfully.
+
+var gCurrentOCSPResponse = null;
+var gOCSPRequestCount = 0;
+
+function add_ocsp_test(
+  aHost,
+  aExpectedResult,
+  aOCSPResponseToServe,
+  aExpectedRequestCount
+) {
+  add_connection_test(
+    aHost,
+    aExpectedResult,
+    function () {
+      clearOCSPCache();
+      clearSessionCache();
+      gCurrentOCSPResponse = aOCSPResponseToServe;
+      gOCSPRequestCount = 0;
+    },
+    function () {
+      equal(
+        gOCSPRequestCount,
+        aExpectedRequestCount,
+        "Should have made " +
+          aExpectedRequestCount +
+          " fallback OCSP request" +
+          (aExpectedRequestCount == 1 ? "" : "s")
+      );
+    }
+  );
+}
+
+do_get_profile();
+Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+Services.prefs.setIntPref("security.OCSP.enabled", 1);
+// Sometimes this test will fail on android due to an OCSP request timing out.
+// That aspect of OCSP requests is not what we're testing here, so we can just
+// bump the timeout and hopefully avoid these failures.
+Services.prefs.setIntPref("security.OCSP.timeoutMilliseconds.soft", 5000);
+var args = [
+  ["good", "default-ee", "unused", 0],
+  ["expiredresponse", "default-ee", "unused", 0],
+  ["oldvalidperiod", "default-ee", "unused", 0],
+  ["revoked", "default-ee", "unused", 0],
+  ["unknown", "default-ee", "unused", 0],
+  ["good", "must-staple-ee", "unused", 0],
+];
+var ocspResponses = generateOCSPResponses(args, "ocsp_certs");
+// Fresh response, certificate is good.
+var ocspResponseGood = ocspResponses[0];
+// Expired response, certificate is good.
+var expiredOCSPResponseGood = ocspResponses[1];
+// Fresh signature, old validity period, certificate is good.
+var oldValidityPeriodOCSPResponseGood = ocspResponses[2];
+// Fresh signature, certificate is revoked.
+var ocspResponseRevoked = ocspResponses[3];
+// Fresh signature, certificate is unknown.
+var ocspResponseUnknown = ocspResponses[4];
+var ocspResponseGoodMustStaple = ocspResponses[5];
+
+// sometimes we expect a result without re-fetch
+var willNotRetry = 1;
+// but sometimes, since a bad response is in the cache, OCSP fetch will be
+// attempted for each validation - in practice, for these test certs, this
+// means 2 requests because various key sizes are tried.
+var willRetry = 2;
+
+function run_test() {
+  let ocspResponder = new HttpServer();
+  ocspResponder.registerPrefixHandler("/", function (request, response) {
+    if (gCurrentOCSPResponse) {
+      response.setStatusLine(request.httpVersion, 200, "OK");
+      response.setHeader("Content-Type", "application/ocsp-response");
+      response.write(gCurrentOCSPResponse);
+    } else {
+      response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+      response.write("Internal Server Error");
+    }
+    gOCSPRequestCount++;
+  });
+  ocspResponder.start(8888);
+  add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+  // In these tests, the OCSP stapling server gives us a stapled
+  // response based on the host name ("ocsp-stapling-expired" or
+  // "ocsp-stapling-expired-fresh-ca"). We then ensure that we're
+  // properly falling back to fetching revocation information.
+  // For ocsp-stapling-expired.example.com, the OCSP stapling server
+  // staples an expired OCSP response. The certificate has not expired.
+  // For ocsp-stapling-expired-fresh-ca.example.com, the OCSP stapling
+  // server staples an OCSP response with a recent signature but with an
+  // out-of-date validity period. The certificate has not expired.
+  add_ocsp_test(
+    "ocsp-stapling-expired.example.com",
+    PRErrorCodeSuccess,
+    ocspResponseGood,
+    willNotRetry
+  );
+  add_ocsp_test(
+    "ocsp-stapling-expired-fresh-ca.example.com",
+    PRErrorCodeSuccess,
+    ocspResponseGood,
+    willNotRetry
+  );
+  // if we can't fetch a more recent response when
+  // given an expired stapled response, we terminate the connection.
+  add_ocsp_test(
+    "ocsp-stapling-expired.example.com",
+    SEC_ERROR_OCSP_OLD_RESPONSE,
+    expiredOCSPResponseGood,
+    willRetry
+  );
+  add_ocsp_test(
+    "ocsp-stapling-expired-fresh-ca.example.com",
+    SEC_ERROR_OCSP_OLD_RESPONSE,
+    expiredOCSPResponseGood,
+    willRetry
+  );
+  add_ocsp_test(
+    "ocsp-stapling-expired.example.com",
+    SEC_ERROR_OCSP_OLD_RESPONSE,
+    oldValidityPeriodOCSPResponseGood,
+    willRetry
+  );
+  add_ocsp_test(
+    "ocsp-stapling-expired-fresh-ca.example.com",
+    SEC_ERROR_OCSP_OLD_RESPONSE,
+    oldValidityPeriodOCSPResponseGood,
+    willRetry
+  );
+  add_ocsp_test(
+    "ocsp-stapling-expired.example.com",
+    SEC_ERROR_OCSP_OLD_RESPONSE,
+    null,
+    willNotRetry
+  );
+  add_ocsp_test(
+    "ocsp-stapling-expired.example.com",
+    SEC_ERROR_OCSP_OLD_RESPONSE,
+    null,
+    willNotRetry
+  );
+  // Of course, if the newer response indicates Revoked or Unknown,
+  // that status must be returned.
+  add_ocsp_test(
+    "ocsp-stapling-expired.example.com",
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    ocspResponseRevoked,
+    willNotRetry
+  );
+  add_ocsp_test(
+    "ocsp-stapling-expired-fresh-ca.example.com",
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    ocspResponseRevoked,
+    willNotRetry
+  );
+  add_ocsp_test(
+    "ocsp-stapling-expired.example.com",
+    SEC_ERROR_OCSP_UNKNOWN_CERT,
+    ocspResponseUnknown,
+    willRetry
+  );
+  add_ocsp_test(
+    "ocsp-stapling-expired-fresh-ca.example.com",
+    SEC_ERROR_OCSP_UNKNOWN_CERT,
+    ocspResponseUnknown,
+    willRetry
+  );
+
+  // If the response is expired but indicates Revoked or Unknown and a
+  // newer status can't be fetched, the Revoked or Unknown status will
+  // be returned.
+  add_ocsp_test(
+    "ocsp-stapling-revoked-old.example.com",
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    null,
+    willNotRetry
+  );
+  add_ocsp_test(
+    "ocsp-stapling-unknown-old.example.com",
+    SEC_ERROR_OCSP_UNKNOWN_CERT,
+    null,
+    willNotRetry
+  );
+  // If the response is expired but indicates Revoked or Unknown and
+  // a newer status can be fetched and successfully verified, this
+  // should result in a successful certificate verification.
+  add_ocsp_test(
+    "ocsp-stapling-revoked-old.example.com",
+    PRErrorCodeSuccess,
+    ocspResponseGood,
+    willNotRetry
+  );
+  add_ocsp_test(
+    "ocsp-stapling-unknown-old.example.com",
+    PRErrorCodeSuccess,
+    ocspResponseGood,
+    willNotRetry
+  );
+  // If a newer status can be fetched but it fails to verify, the
+  // Revoked or Unknown status of the expired stapled response
+  // should be returned.
+  add_ocsp_test(
+    "ocsp-stapling-revoked-old.example.com",
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    expiredOCSPResponseGood,
+    willRetry
+  );
+  add_ocsp_test(
+    "ocsp-stapling-unknown-old.example.com",
+    SEC_ERROR_OCSP_UNKNOWN_CERT,
+    expiredOCSPResponseGood,
+    willRetry
+  );
+
+  // These tests are verifying that an valid but very old response
+  // is rejected as a valid stapled response, requiring a fetch
+  // from the ocsp responder.
+  add_ocsp_test(
+    "ocsp-stapling-ancient-valid.example.com",
+    PRErrorCodeSuccess,
+    ocspResponseGood,
+    willNotRetry
+  );
+  add_ocsp_test(
+    "ocsp-stapling-ancient-valid.example.com",
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    ocspResponseRevoked,
+    willNotRetry
+  );
+  add_ocsp_test(
+    "ocsp-stapling-ancient-valid.example.com",
+    SEC_ERROR_OCSP_UNKNOWN_CERT,
+    ocspResponseUnknown,
+    willRetry
+  );
+
+  // Test how OCSP-must-staple (i.e. TLS feature) interacts with stapled OCSP
+  // responses that don't successfully verify.
+  // A strict reading of the relevant RFCs might say that these connections
+  // should all fail because a satisfactory stapled OCSP response is not
+  // present, but for compatibility reasons we fall back to active OCSP fetching
+  // in these situations. If the fetch succeeds, then connection succeeds.
+  add_ocsp_test(
+    "ocsp-stapling-must-staple-expired.example.com",
+    PRErrorCodeSuccess,
+    ocspResponseGoodMustStaple,
+    willNotRetry
+  );
+  add_ocsp_test(
+    "ocsp-stapling-must-staple-try-later.example.com",
+    PRErrorCodeSuccess,
+    ocspResponseGoodMustStaple,
+    willNotRetry
+  );
+  add_ocsp_test(
+    "ocsp-stapling-must-staple-invalid-signer.example.com",
+    PRErrorCodeSuccess,
+    ocspResponseGoodMustStaple,
+    willNotRetry
+  );
+
+  add_test(function () {
+    ocspResponder.stop(run_next_test);
+  });
+  add_test(check_ocsp_stapling_telemetry);
+  run_next_test();
+}
+
+function check_ocsp_stapling_telemetry() {
+  let histogram = Services.telemetry
+    .getHistogramById("SSL_OCSP_STAPLING")
+    .snapshot();
+  equal(
+    histogram.values[0] || 0,
+    0,
+    "Should have 0 connections for unused histogram bucket 0"
+  );
+  equal(
+    histogram.values[1] || 0,
+    0,
+    "Actual and expected connections with a good response should match"
+  );
+  equal(
+    histogram.values[2] || 0,
+    0,
+    "Actual and expected connections with no stapled response should match"
+  );
+  equal(
+    histogram.values[3],
+    22,
+    "Actual and expected connections with an expired response should match"
+  );
+  equal(
+    histogram.values[4],
+    2,
+    "Actual and expected connections with bad responses should match"
+  );
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
new file mode 100644
index 0000000000..d9c5986dd0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
@@ -0,0 +1,48 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// In which we connect to a server that staples an OCSP response for a
+// certificate signed by an intermediate that has an OCSP AIA to ensure
+// that an OCSP request is not made for the intermediate.
+
+var gOCSPRequestCount = 0;
+
+function add_ocsp_test(aHost, aExpectedResult) {
+  add_connection_test(aHost, aExpectedResult, function () {
+    clearOCSPCache();
+    clearSessionCache();
+  });
+}
+
+function run_test() {
+  do_get_profile();
+  Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+
+  let ocspResponder = new HttpServer();
+  ocspResponder.registerPrefixHandler("/", function (request, response) {
+    gOCSPRequestCount++;
+    response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+    let body = "Refusing to return a response";
+    response.bodyOutputStream.write(body, body.length);
+  });
+  ocspResponder.start(8888);
+
+  add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+  add_ocsp_test(
+    "ocsp-stapling-with-intermediate.example.com",
+    PRErrorCodeSuccess
+  );
+
+  add_test(function () {
+    ocspResponder.stop(run_next_test);
+  });
+  add_test(function () {
+    equal(gOCSPRequestCount, 0, "No OCSP requests should have been made");
+    run_next_test();
+  });
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_timeout.js b/security/manager/ssl/tests/unit/test_ocsp_timeout.js
new file mode 100644
index 0000000000..8d606bc028
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_timeout.js
@@ -0,0 +1,100 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// This test connects to ocsp-stapling-none.example.com to test that OCSP
+// requests are cancelled if they're taking too long.
+// ocsp-stapling-none.example.com doesn't staple an OCSP response, so
+// connecting to it will cause a request to the OCSP responder. As with all of
+// these tests, the OCSP AIA (i.e. the url of the responder) in the certificate
+// is http://localhost:8888. Since this test opens a TCP socket listening on
+// port 8888 that just accepts connections and then ignores them (with
+// connect/read/write timeouts of 30 seconds), the OCSP requests should cancel
+// themselves. When OCSP hard-fail is enabled, connections will be terminated.
+// Otherwise, they will succeed.
+
+var gSocketListener = {
+  onSocketAccepted(serverSocket, socketTransport) {
+    socketTransport.setTimeout(Ci.nsISocketTransport.TIMEOUT_CONNECT, 30);
+    socketTransport.setTimeout(Ci.nsISocketTransport.TIMEOUT_READ_WRITE, 30);
+  },
+
+  onStopListening(serverSocket, status) {},
+};
+
+function run_test() {
+  do_get_profile();
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+  add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+  let socket = Cc["@mozilla.org/network/server-socket;1"].createInstance(
+    Ci.nsIServerSocket
+  );
+  socket.init(8888, true, -1);
+  socket.asyncListen(gSocketListener);
+
+  add_one_test(false, "security.OCSP.timeoutMilliseconds.soft", 1000);
+  add_one_test(false, "security.OCSP.timeoutMilliseconds.soft", 2000);
+  add_one_test(false, "security.OCSP.timeoutMilliseconds.soft", 4000);
+
+  add_one_test(true, "security.OCSP.timeoutMilliseconds.hard", 3000);
+  add_one_test(true, "security.OCSP.timeoutMilliseconds.hard", 10000);
+  add_one_test(true, "security.OCSP.timeoutMilliseconds.hard", 15000);
+
+  add_test(function () {
+    socket.close();
+    run_next_test();
+  });
+  run_next_test();
+}
+
+function add_one_test(useHardFail, timeoutPrefName, timeoutMilliseconds) {
+  let startTime;
+  add_test(function () {
+    Services.prefs.setBoolPref("security.OCSP.require", useHardFail);
+    Services.prefs.setIntPref(timeoutPrefName, timeoutMilliseconds);
+    startTime = new Date();
+    run_next_test();
+  });
+
+  add_connection_test(
+    "ocsp-stapling-none.example.com",
+    useHardFail ? SEC_ERROR_OCSP_SERVER_ERROR : PRErrorCodeSuccess,
+    clearSessionCache
+  );
+
+  add_test(function () {
+    let endTime = new Date();
+    let timeDifference = endTime - startTime;
+    info(`useHardFail = ${useHardFail}`);
+    info(`startTime = ${startTime.getTime()} (${startTime})`);
+    info(`endTime = ${endTime.getTime()} (${endTime})`);
+    info(`timeDifference = ${timeDifference}ms`);
+    // Date() is not guaranteed to be monotonic, so add extra fuzz time to
+    // prevent intermittent failures (this only appeared to be a problem on
+    // Windows XP). See Bug 1121117.
+    const FUZZ_MS = 300;
+    ok(
+      timeDifference + FUZZ_MS > timeoutMilliseconds,
+      `OCSP timeout should be ~${timeoutMilliseconds}s for ` +
+        `${useHardFail ? "hard" : "soft"}-fail`
+    );
+    // Make sure we didn't wait too long.
+    // (Unfortunately, we probably can't have a tight upper bound on
+    // how long is too long for this test, because we might be running
+    // on slow hardware.)
+    ok(
+      timeDifference < 60000,
+      "Automatic OCSP timeout shouldn't be more than 60s"
+    );
+
+    // Reset state
+    clearOCSPCache();
+    Services.prefs.clearUserPref("security.OCSP.require");
+    Services.prefs.clearUserPref(timeoutPrefName);
+    run_next_test();
+  });
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url.js b/security/manager/ssl/tests/unit/test_ocsp_url.js
new file mode 100644
index 0000000000..6ff79df03f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url.js
@@ -0,0 +1,122 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// In which we try to validate several ocsp responses, checking in particular
+// if the ocsp url is valid and the path expressed is correctly passed to
+// the caller.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+const SERVER_PORT = 8888;
+
+function failingOCSPResponder() {
+  return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
+}
+
+function start_ocsp_responder(expectedCertNames, expectedPaths) {
+  return startOCSPResponder(
+    SERVER_PORT,
+    "www.example.com",
+    "test_ocsp_url",
+    expectedCertNames,
+    expectedPaths
+  );
+}
+
+function check_cert_err(cert_name, expected_error) {
+  let cert = constructCertFromFile("test_ocsp_url/" + cert_name + ".pem");
+  return checkCertErrorGeneric(
+    certdb,
+    cert,
+    expected_error,
+    certificateUsageSSLServer
+  );
+}
+
+add_task(async function () {
+  addCertFromFile(certdb, "test_ocsp_url/ca.pem", "CTu,CTu,CTu");
+  addCertFromFile(certdb, "test_ocsp_url/int.pem", ",,");
+
+  // Enabled so that we can force ocsp failure responses.
+  Services.prefs.setBoolPref("security.OCSP.require", true);
+
+  Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+  // Note: We don't test the case of a well-formed HTTP URL with an empty port
+  //       because the OCSP code would then send a request to port 80, which we
+  //       can't use in tests.
+
+  clearOCSPCache();
+  let ocspResponder = failingOCSPResponder();
+  await check_cert_err("bad-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+  await stopOCSPResponder(ocspResponder);
+
+  clearOCSPCache();
+  ocspResponder = failingOCSPResponder();
+  await check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+  await stopOCSPResponder(ocspResponder);
+
+  clearOCSPCache();
+  ocspResponder = failingOCSPResponder();
+  await check_cert_err("ftp-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+  await stopOCSPResponder(ocspResponder);
+
+  clearOCSPCache();
+  ocspResponder = failingOCSPResponder();
+  await check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+  await stopOCSPResponder(ocspResponder);
+
+  clearOCSPCache();
+  ocspResponder = start_ocsp_responder(["hTTp-url"], ["hTTp-url"]);
+  await check_cert_err("hTTp-url", PRErrorCodeSuccess);
+  await stopOCSPResponder(ocspResponder);
+
+  clearOCSPCache();
+  ocspResponder = failingOCSPResponder();
+  await check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+  await stopOCSPResponder(ocspResponder);
+
+  clearOCSPCache();
+  ocspResponder = failingOCSPResponder();
+  await check_cert_err("no-host-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+  await stopOCSPResponder(ocspResponder);
+
+  clearOCSPCache();
+  ocspResponder = start_ocsp_responder(["no-path-url"], [""]);
+  await check_cert_err("no-path-url", PRErrorCodeSuccess);
+  await stopOCSPResponder(ocspResponder);
+
+  clearOCSPCache();
+  ocspResponder = failingOCSPResponder();
+  await check_cert_err(
+    "no-scheme-host-port",
+    SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+  );
+  await stopOCSPResponder(ocspResponder);
+
+  clearOCSPCache();
+  ocspResponder = failingOCSPResponder();
+  await check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+  await stopOCSPResponder(ocspResponder);
+
+  clearOCSPCache();
+  ocspResponder = failingOCSPResponder();
+  await check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+  await stopOCSPResponder(ocspResponder);
+
+  // Note: We currently don't have anything that ensures user:pass sections
+  //       weren't sent. The following test simply checks that such sections
+  //       don't cause failures.
+  clearOCSPCache();
+  ocspResponder = start_ocsp_responder(["user-pass"], [""]);
+  await check_cert_err("user-pass", PRErrorCodeSuccess);
+  await stopOCSPResponder(ocspResponder);
+});
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem
new file mode 100644
index 0000000000..4d31ad30e2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIUcxiMVENAraxc4sbSRTxsifEGHjQwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBUxEzARBgNVBAMMCmJhZC1zY2hlbWUwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMTAvMC0GCCsGAQUF
+BwEBBCEwHzAdBggrBgEFBQcwAYYRL3d3dy5leGFtcGxlLmNvbS8wDQYJKoZIhvcN
+AQELBQADggEBADf/rIlagOSOthTQAOg21ESO5SKZuH/hOQkdagoSupiui6BX2E8d
+1wMoZPGGOQBwEo8XT3ak+0ANlznoFLCvac4UQlLEiN6TR5ODJTep/8vTMDxBguRd
+WoCIHtFFpcs8HGWvyZtoh+pr8UH38Csw9g8mqX3L6g5QcpDUIfVhPEOSK46HapVM
+15BBqYsOpM5B0Yd+7AiIhiZZiNRojPxSN8DT55J+sRGiXunzP4BV2GwOI2ldjRJ5
+yJYJfUF4D+hmM37/QsLocV3AnWzSegY8xc372bkaHc3jOgo+9DJPliOOhrWNLEDk
+1cM5IXNP+fQxkCCm6VMO5dUx/mM2OXPVldc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec
new file mode 100644
index 0000000000..12cc072792
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:bad-scheme
+extension:authorityInformationAccess:/www.example.com/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem
new file mode 100644
index 0000000000..54b436cdab
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUbd6irDfViDg0hGYGrBFpSOiAgmswDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
+VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBa/UJSVAkS4R5UUprUZ+VETh+G
+TbLf+xbhyhpXn39i7Rk0/U7IelYJN3qalF3eIL7ab4qij3jWLrdOJz1ERkxVWXeX
+a9rjQC7nQQqnOrdcEPvq297cHuwtKb+jTTKDI4ATy7UVeE3DDW6VWewmAz8VA7FH
+SxAwdLWgqKzAqLEhhrg6l0JtpDmCfoBZ5yVA9gPdcSouaQ+6WnL0TFmNtriZPZI5
+Sq7Ua1aM1X/Ca3kQLo1DD06lgR7bJbjH+2j0uRYbB7NeB5aeYYnnxRdXcbXtM2Wl
+dPg/8WETAK3hjbaY0Xq5UFP9tLkLbq3a1lew5BEz9xFz7P+offg8hSAONOZu
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem.certspec
new file mode 100644
index 0000000000..d809dbd635
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem
new file mode 100644
index 0000000000..9e014e046a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAdugAwIBAgIUfXZLX886ys6oYF2hFTD113w25vIwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBsxGTAXBgNVBAMMEGVtcHR5LXNjaGVtZS11cmwwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjODA2MDQG
+CCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYOi8vd3d3LmV4YW1wbGUuY29tOjg4
+ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQB/FqFwqO/trl/aSBpjWE9+jPLtnJOUxWRt
+J0lx/7SREoxDlltp+qrDcpKgA4uEz2xeo/AVHpcEd8V1mjFJhiFCQR3IGuCIkBtX
+/fanzlYl49XTtGDHmVZOOgok3Q3NwV+qwv/Qah/PzL7C2z8QD9UDDSu5jeGUC5vP
+wSe8pr+LFMSB4Koe13biFiHZ2rerLuRrHXPCwlHytFXr6MeZyk8DrjBpQ4Qa0I6P
+tMXFRLIXm30dKxKZefY4Cxqce2M5iUhTJQ7AH6NDtV7SClbi8Px7yFeIAIBcGTbQ
+HauxBJ189pnzGpMTAZ7dheZW/tK++MCzu+oy1tGbjWEeSpFFD+92
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem.certspec
new file mode 100644
index 0000000000..e8959653f3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:empty-scheme-url
+extension:authorityInformationAccess:://www.example.com:8888/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem
new file mode 100644
index 0000000000..0e76de6922
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7TCCAdWgAwIBAgIUP6gYyih9vcQFEmw6jInzA0Lcx5owDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBIxEDAOBgNVBAMMB2Z0cC11cmwwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg
+2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ
+5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ
+PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj
+DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W
+iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOzA5MDcGCCsGAQUFBwEB
+BCswKTAnBggrBgEFBQcwAYYbZnRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvMA0G
+CSqGSIb3DQEBCwUAA4IBAQB8Ts6atwiom8QSkIVDayT7fMWo6Qu0M/Uhd60/M8cI
+it4KBFBN1IimF8768ZmX/CPx0BaUopC5aOnkrZ69bJYrVao8nZ4Iv46IY1S1Xroa
+ty+lej25NkVKVJe6Vlc73rbt36nc9xW8hl/mXV63tXmbm7SXUIWOiYuZIa4HwmGw
+FkDexshf5QFoe8FfMix1ZiVj8oKr2Ah5Tpmc8oHOI1CfbKK4OACvA3zWSrfNRUL3
+QysUc8a5ivjRXNAerBdCUsCD0AGqxNKMKksAehaGw7QoH0lpsV0nhnB7sAfo3g23
+azcOr1kugLtYVU9zLjqXHXp85WQQNW6u7jjN7rZ7O27V
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem.certspec
new file mode 100644
index 0000000000..9f50a7d792
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:ftp-url
+extension:authorityInformationAccess:ftp://www.example.com:8888/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem
new file mode 100644
index 0000000000..0e9765db26
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9zCCAd+gAwIBAgIUPyIl+CW63MemORS1mNNtzeYU1PYwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBMxETAPBgNVBAMMCGhUVHAtdXJsMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo
+4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD
+SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX
+kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx
+owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/
+Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo0QwQjBABggrBgEFBQcB
+AQQ0MDIwMAYIKwYBBQUHMAGGJGhUVHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9o
+VFRwLXVybDANBgkqhkiG9w0BAQsFAAOCAQEATB54EtpZ1EK2bz1gy9khuT9HJHqZ
+UvBlzz3wto/NXvq9Cd79bW93sydmKiNveiVrGuYJG5WX3VdxzHBlcTzpm+9ObsgH
+FRLu5KP4fLRhL49dix48k9Gl5VBgZfZSjjzpb/tpPjUvPnE2UPtDa8kC1Is9xN4m
+bL6hbwVpcusFBiRQWq37tzCCV1oce0S/MvvEMinnp6daLwI3BYAcmWexq0JdpRV+
+ixu3IL0chOIjM4W2Zv0WHPXtz0q9/rU7HbJ9X7k3e7lYmoU297tM5r3MKw2T8D/h
+9McUjgTMwqdcoUUM8iwCphbjmFO3yPLILiAMdXV/4OvhognLpL6wViD+Kw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem.certspec
new file mode 100644
index 0000000000..10b1504b29
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:hTTp-url
+extension:authorityInformationAccess:hTTp://www.example.com:8888/hTTp-url
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem
new file mode 100644
index 0000000000..233c7dbbb4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+jCCAeKgAwIBAgIUcYnrnPrivVifCZHI3B1RI9yhpcUwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBQxEjAQBgNVBAMMCWh0dHBzLXVybDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNGMEQwQgYIKwYBBQUH
+AQEENjA0MDIGCCsGAQUFBzABhiZodHRwczovL3d3dy5leGFtcGxlLmNvbTo4ODg4
+L2h0dHBzLXVybDANBgkqhkiG9w0BAQsFAAOCAQEAjx5EcBAumCFK8/lj8vr6N88i
+G6vq8vkUMFXjlqrxw4ODbajVVFnGBIfzG7usDajQr2f3Rvl6huLm1P4ljLfHwu60
+d7uJKExnjTXzxEjC6mrupOG8t3VvIjv4C9MgaD6P4I96opG0V1V22YDC+fHuRZgb
+7I0+9EwUqrM3BqBSob3AFkcl7oyjIovG/KU26GlMbtLBbt1F6UpI5DAiOsb/UfY9
+bhEevyv7L9Sn07CYRbLFXUy47D5MhJk9XLZJQmgalnAtWxK6G+i8Y6s9DDDz6g0n
+AYiRmOQydYgVMt8+h5KYzOnNO/vES41ATBgGPrp5J0LAxNvofme02+nU0sFQPw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem.certspec
new file mode 100644
index 0000000000..891005bf5c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:https-url
+extension:authorityInformationAccess:https://www.example.com:8888/https-url
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.key b/security/manager/ssl/tests/unit/test_ocsp_url/int.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.key.keyspec b/security/manager/ssl/tests/unit/test_ocsp_url/int.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.pem b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem
new file mode 100644
index 0000000000..f12ebf91fd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyjCCAbKgAwIBAgIUS7UFd8kviZT6AzkUw+zBza2WxxcwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowDjEMMAoGA1UEAwwDaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsG
+A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAXr6DXGOqX+xkzyNm1YZc+wtm
+6yFQo2jgeCMxgOv4j07wEEgGPP4adgyHjAhqTtYNbdBCuPtEbMInVRHdJooWNGk7
+MeoyTmJLlEJlnzVHdCUDi0mb+E7w2vVWNeirXnUSBN8qStok8vNoHJDT7pX3QEQs
+zRRNHw5qs/xxZKxzxeBiljYlh1d1zVgqNWTx9LP5IOEKOQ9OzxpzsCpJtPZRxh/d
+gip6TZT9srCndY2jCFUEYdSFRWOjsb6ni9TGC2o4SUxxJvC8jmrLjgGqPGNdTMiX
+DOxuAjt1gue4kqK6r6nMqxOZ04TEe0c/M5+hF4dhQaxqga6vvGBl0oF2QMxXGA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem.certspec
new file mode 100644
index 0000000000..a7f6d81419
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem
new file mode 100644
index 0000000000..07b3eece77
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8jCCAdqgAwIBAgIUI+NlsiPCC51FapO6j10d1zhvVkYwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBgxFjAUBgNVBAMMDW5lZ2F0aXZlLXBvcnQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk
+e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg
+KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI
+YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi
+lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL
+HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOjA4MDYGCCsG
+AQUFBwEBBCowKDAmBggrBgEFBQcwAYYaaHR0cDovL3d3dy5leGFtcGxlLmNvbTot
+MS8wDQYJKoZIhvcNAQELBQADggEBABCPXr4pvTLeDOPJ9G/A06wTpyoTAUa925GG
+hRTuEeEw5o83Uzgm/fT2bO6+RJCfdR0wA95897l/p6vzybobZe8w2GM4RYWzkzkL
+xMHrJQtzSdgG7tLRaxZ58A+Q1l8mRGtYpyAb14hwEsKY+8phG3XGP2w7ekQxODhM
+gTgaICYNoQaBlz4PqVdqhDv7ZgmF9QQyG0C3H5Hma0jinr5YcCYRkzPciZTwS8DP
+Jv7n+/9WbTK0rOc1n5omFwb0fPs64rpVgWqGmySPPT7G8aUo89a9ma8XJMoaHjzE
+T1TZL03SoOxxEN3NBB4+9i14qHfmiWu+pOFlcDxCnVkRACMk2d0=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec
new file mode 100644
index 0000000000..fce6d43848
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:negative-port
+extension:authorityInformationAccess:http://www.example.com:-1/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem
new file mode 100644
index 0000000000..0358a13a65
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4zCCAcugAwIBAgIUJ/hWC/IA8OSkpAm4v2bLiFq5xlMwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBYxFDASBgNVBAMMC25vLWhvc3QtdXJsMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoy0wKzApBggrBgEF
+BQcBAQQdMBswGQYIKwYBBQUHMAGGDWh0dHA6Ly86ODg4OC8wDQYJKoZIhvcNAQEL
+BQADggEBAK4Fk3641sIxflNan2/JobCNeV8UoDpVn9ZaU9sUOfXHnVVPjUAnlzKj
+SdhI9Z9bVqsEt787B2UIGQeqYnot5x7Gu9hGSeGz7kfp/xURyx4CHmIC33n9jwKZ
+daWaiWvqHfbRljd6Mvm9lJYWx3w8Ggci61N+GeeRAmBhPJvpe6gzo/vCmO6rnSqG
+0AxiEb98DHaes4ofL/DTgDlHWryB5UByyf9FEenHFFizr/YuYEKc8FMf19nvbQiN
+VJFP6LMmIlmg4Xq7ED97U5VhDal1e6vro12d5Cv9EZkkTxaTQMKhG4W8iNHZlwFB
+BsQX7n6BT1Lg/MqVCUt265qDF3c7Pvc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem.certspec
new file mode 100644
index 0000000000..4ac76e7eb3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:no-host-url
+extension:authorityInformationAccess:http://:8888/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem
new file mode 100644
index 0000000000..f7b346e338
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIUaz9vziBHmRLkLlxVoF1xxTuiNH4wDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBYxFDASBgNVBAMMC25vLXBhdGgtdXJsMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozswOTA3BggrBgEF
+BQcBAQQrMCkwJwYIKwYBBQUHMAGGG2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4
+ODANBgkqhkiG9w0BAQsFAAOCAQEAlMdLsu6jig7c3TW2eYVzA8uAuANVDpE49XXf
+6KJI/RCGjJZa5h6SEPRnvhmruc3TsY/3Tt1U8i9QqEgFTkFmFmFI+twqJGH/F2KM
+Ied4MBF970tkTVYRRUI0RCOdhBUfx1kDuA1D00YdDA3v5mYTcdsSIB7U6lqah/28
+Rga+PhQX6Yu2VVcQF48sO51vsa2Q3hhZEqyGwezWDml1IAgr5EXT3hDdVKTXtZpM
+g6lzAfcdF/vhDVtmABvDpyWhMcfTQ/nNel2/7ICJvukP5v1VW15XYzL4tsyMx4K7
+8CL1Ol6XMixU7Ov0liwN3s4ltvJqpVoyOrMWLoa3Qn7F4XHJMg==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem.certspec
new file mode 100644
index 0000000000..497bb28796
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:no-path-url
+extension:authorityInformationAccess:http://www.example.com:8888
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem
new file mode 100644
index 0000000000..2e4b35203d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIUc6pGAyMLd73M5wLzGIk7VHQ1UGgwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMB4xHDAaBgNVBAMME25vLXNjaGVtZS1ob3N0LXBvcnQwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjITAf
+MB0GCCsGAQUFBwEBBBEwDzANBggrBgEFBQcwAYYBLzANBgkqhkiG9w0BAQsFAAOC
+AQEAoNZDLXjNXKUumNMieyWv67kOH/uoDS9tsX4+LIuZRgKLeb4xjstHxxKkaWWy
+HJCjBwHYjbndWXSqE+6NPm8oHTypPc0+vZOStKnj/OzxHWfxbEzqsy27qoWKFpxA
+HNzyt4/EWmSdoDRiCoXTYP4KuIPGrtqUS2wnJAoEcNa52wazsqSRJPfiK02r+N96
+N/z8+Olyudbgkl6QNMNaxmzYejENLfwxS1nH5R3orxEH2/L+6Mr3vKDMq9IQc3Ou
+vrHHtW7XiOaYNV+8p4ChaGe6yEEbnz53G7TwjoDKvxD1tV0AGqRqMxdCJ+CDQ7Ev
+xwxHLNIXGsaQs2H7m7eE9OpN/Q==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem.certspec
new file mode 100644
index 0000000000..42a555e411
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:no-scheme-host-port
+extension:authorityInformationAccess:/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem
new file mode 100644
index 0000000000..9a7530baa9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7TCCAdWgAwIBAgIUccG45Puc/if4zk65IRFmiwMkTyowDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBgxFjAUBgNVBAMMDW5vLXNjaGVtZS11cmwwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk
+e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg
+KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI
+YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi
+lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL
+HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjNTAzMDEGCCsG
+AQUFBwEBBCUwIzAhBggrBgEFBQcwAYYVd3d3LmV4YW1wbGUuY29tOjg4ODgvMA0G
+CSqGSIb3DQEBCwUAA4IBAQBTjpqXEXFANWFs+cs4nu2rUFEnvXkZzmkoRlPbWaKw
+naVdEJ5xetaX79sh5N3vSNPCsArAF1iCnv8jmgnQRzXRKWxrZGVrUGm+5a74O/99
+vvy7CIj90A7OytXUwyAhrz6hGxmWYrnJUY5RjZTmjxvr4wgiXXZuHc+/uZRn84RK
+sJnh+XDS3hFz0M78FQOSTgdwEI/hC/QFh0CIycrc4qR6xY+fwdfLvk8GepC6ABCG
+6hn9bEpt1POO7O7UmBtIYuiyHx/32hwVrCXFbD7sgnLvz0iQYvnO4gg4Cb42pK2N
+gBeej4JDWaxq3HOBCKEARgdpWML2E94Vx7a484EuLI0h
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem.certspec
new file mode 100644
index 0000000000..a82196a6d1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:no-scheme-url
+extension:authorityInformationAccess:www.example.com:8888/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem
new file mode 100644
index 0000000000..798afe22d3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIUNW/IeKC4Vw2JT/VDNXHrYgCqKegwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBkxFzAVBgNVBAMMDnVua25vd24tc2NoZW1lMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozYwNDAyBggr
+BgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFnR0cDovL3d3dy5leGFtcGxlLmNvbS8w
+DQYJKoZIhvcNAQELBQADggEBALT6AXU+U5IK7KxE2FW8F719+2Solmn3WcbLP9z+
+klThJ2HcNlxZBxuV+DwS3kBhsocZDneuOvUfSMilswGrGi9pGNgdhQWN2gO41LUy
+QavfjRuSbGJghAZJSN5dVWBkF8kuv19ZiLMiM53C5vQo92/+Vww+Ue5S1HSagybI
+3mmBUyf+8nvVO5mDsfDL8OnH4ON66sxqgu6Kuwlr2wc3inZo7ZOW24m75KLJG2Ah
+KOs0sksn7DsG2VFUIJJj/qN9Co8ZjrnJbLYec57MBM8V8l1wIfVdqM/a7wof4tE3
+DVKvFl7uGK/u1nh4lRYQx7/MH1GU4ItULEbOZ2kCIpnozpU=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec
new file mode 100644
index 0000000000..0089455398
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:unknown-scheme
+extension:authorityInformationAccess:ttp://www.example.com/
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem
new file mode 100644
index 0000000000..ab104a9f45
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+jCCAeKgAwIBAgIUJ7gBTm0Yo/h/kQT3ggLP9jbM3yIwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMBQxEjAQBgNVBAMMCXVzZXItcGFzczCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNGMEQwQgYIKwYBBQUH
+AQEENjA0MDIGCCsGAQUFBzABhiZodHRwOi8vdXNlcjpwYXNzQHd3dy5leGFtcGxl
+LmNvbTo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAatrdhzPYl8dtK3j+q0F2cD0M
+QpgNpBZeRa+9puQK/mLlSNEI1ottNU+DbukELLpwAtS0YzN02qf48MptuWkyudT0
+3bDNWIGMmzXpGgD7OCE2iwuiWJD6URahLoCew0eByIhaywaexEtqiNFIBtD3xPJr
+vqxAJ7JvXpTNpE90dbnHCXlXQU6h9HFIfj8pIPDc/hXACjqVmqetwzK6d5XPLUaG
+D4Jxy+lHN90JvH9+oApumJj/i2g7Bpjbn1SFwg5UKamAFc4SsDbV/DsXy91rqpSJ
+Wtrq6EP8cPNQ5cTQ3nzs/cO7nSVrVXllxkcUpOo1JnAARmWlyePioomaqf1fKA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec
new file mode 100644
index 0000000000..337e67e5f9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:user-pass
+extension:authorityInformationAccess:http://user:pass@www.example.com:8888/
diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem
new file mode 100644
index 0000000000..74a9711cf6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIBHzANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFUZXN0
+IEludGVybWVkaWF0ZTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAw
+WjAwMS4wLAYDVQQDDCVBbm90aGVyIEVFIFJldm9rZWQgYnkgcmV2b2NhdGlvbnMu
+dHh0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62
+iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql
+WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq
+Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+
+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i
+b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY
+CjXtjQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB2pHWaL4x9Z6EwRI54eDjBvbhW
+Nckc9QFYHdheA91DnlSkyeAIHcXe+fW0nvoCZ9xfnSjPlsXgs/qQyOHg+w6LgfhM
+3UaGRRRouIqOMMko1DgbrJRm2YFrUhCjmsnnKq99rp4eShc2kwBSd0Az6OGhBnE6
++CcU7a6wfOV/enX/KGiiWeQON5+jh9bBBDRO1trvFd7CDSMyAEkg+CEu6Mb53QlK
+cOBuev+Bc5GV6gng+I/X7vh3DsMIbsfOAU6llpqx0VO/evp4SFExSQI4zbjxQEqv
+/38YQAhJ7j97kupgPXL98q27TQaUZvOCok/Go8j0ZQZ1dlJFwRNZE6ZT393R
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem.certspec
new file mode 100644
index 0000000000..d3ba461104
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test Intermediate
+subject:Another EE Revoked by revocations.txt
+serialNumber:31
diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem
new file mode 100644
index 0000000000..f118e94dd3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIBTjANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFUZXN0
+IEludGVybWVkaWF0ZTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAw
+WjAwMS4wLAYDVQQDDCVBbm90aGVyIEVFIFJldm9rZWQgYnkgcmV2b2NhdGlvbnMu
+dHh0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62
+iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql
+WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq
+Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+
+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i
+b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY
+CjXtjQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAD1fjkHeUSNoIXuGDYRYn2rZJS
+5oV2caQaXRv7FaB4M7oGx5FNTaooSJLr+M6yC+0dxkfU8316vJ4d2DAKyL1sVrpw
+QMhndYCKQXpJ/06F59khzZnsPVAdnuXJ99aLGVjiebN+NYWzLDPUQw9sERvw+lep
+wNWJAgBsjdc/9iyLR7Tj5Y72zB4tV961GLSX6WztKyuLhIHCFueU3IvbDe4NWLyT
+CNZOohGcpdAzGH18gPOJnuVKLzND629qUZrr8/orh0xk989/uk97Kg1oF5Wd6LaT
+4CuH3CIVA5ijYj6jwPbj6gkV5IdxW4QVYefH47G9xum7RDF/IVEs3rzwybPj
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem.certspec
new file mode 100644
index 0000000000..10f8f07cce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test Intermediate
+subject:Another EE Revoked by revocations.txt
+serialNumber:78
diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem
new file mode 100644
index 0000000000..566f6f227d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtzCCAZ+gAwIBAgIBKjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0
+IENBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCgxJjAkBgNV
+BAMMHUVFIFJldm9rZWQgYnkgcmV2b2NhdGlvbnMudHh0MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds
+JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4
+ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25
+iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3
+4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42
+yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3
+DQEBCwUAA4IBAQBXENg6gQp2CVGvs2e5SFpj+9K0Df6qICkQeIsEsqL/loRbBhdf
+kRudVBVaXANEWdInLppGGfv8tk3VAre2Trlq8Owt3RuP4mdyrlSt3ZTNPbK3lPCU
+K51iqEX/URBvwo+dZpOZqBy+NQ1ZdLlWWTzABiXfQNnsg1z0U/laGYNvNoGxWmg0
+YDU/moLw4EOh8akvTRdoZ6WaSTRCwNISTPCUrwj4RvKeSlsuat+MsxCA4oQqquni
+iDD1Aq2MLDXAsMfCz7fB+FJ8hMA8nGOTNd4eRXsJIFRcIRSiPo6eADZaex88z84b
+NlE/N5/6MQ7EDsiumkHO35B1Nr2hKSnygrCl
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem.certspec
new file mode 100644
index 0000000000..a2a67d909c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test CA
+subject:EE Revoked by revocations.txt
+serialNumber:42
diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem
new file mode 100644
index 0000000000..eb6db83ff8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzTCCAbWgAwIBAgIUF0SQAekyqW5LqQAmYGwNQpn7o18wDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjArMSkwJwYDVQQDDCBFRSBSZXZva2VkIEJ5IFN1YmplY3QgYW5k
+IFB1YktleTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW
+Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk
+cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT
+AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3
+ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh
+s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV
+A6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAtqoXX2PHLaQdil4gzPbg
+vONLbChJFeN/rBwenDrYYvyyw/x7hEov3pedjiapzjQHZiEINFICipArwEkN3hBK
+5eSSdfRbHrfzZ3XIRwkgRlPkVSN0DPv1QXvRbym3OuKZLmDHYNLr0g4siTB9QT/X
+KuCCnJazaBrNclz2DmZq7tMjKi/82i5aMot7fCJ8Rc+TSOMgTGCS2BnvoM/F4+0e
+q3Nd7XfSrdEgd2qfzKON4qrJyDK8v9RnY3c1kG+JbpQHby70JPz9YBO8sa2Yuy1U
+Vxnh2zhmPBUWPNwDYefkGfA+Mw2cW48+6vvFxigWjoLyNAGVEH8zrYhgSGY67P1l
+2g==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem.certspec
new file mode 100644
index 0000000000..cadbcf9038
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem.certspec
@@ -0,0 +1,2 @@
+issuer:Test CA
+subject:EE Revoked By Subject and PubKey
diff --git a/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem
new file mode 100644
index 0000000000..d524b4480b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDITCCAgmgAwIBAgIUKU+OMvdur/GbuU28D3WfX/xbV9AwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAiMSAwHgYDVQQDDBdBbm90aGVyIFRlc3QgRW5kLWVudGl0eTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9
+PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3
+HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg
+Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7
+EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK
+lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C
+AwEAAaNbMFkwIwYDVR0RBBwwGoIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tMDIG
+CCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4
+LzANBgkqhkiG9w0BAQsFAAOCAQEAReIPRx+jafffXyK50Ig6Juzjs51zXX3IrdA2
+HYcXGZsdsLL8CvlnwHJhrMBP+Eh/bs8u9UgfmC9rxDX2gLxfIDlbidryYGzONAQq
+jWiFlVzq30fz28uatwFYzUzKODtsCM+47Qg0Y+HY9506Bj7TNmPB/a9JBY76SSw0
+Rwk1LSaMEuzu62XXuT+jjVGWqQZktAAUCtpM39UlC8aazrk6ipfh6iKHcJCN5+U1
++IM4BOErevre0SxKTz7cNKr04lghxFFGUKm/jkoZeF/6Hm73Ke75EhKlfS3D1YAY
+rm3DuUnGaWn/00X6lAWrm/dCfq1uepp+Xmgsc27jFPnVAccuMw==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem.certspec
new file mode 100644
index 0000000000..8b20f03f59
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Another Test End-entity
+extension:subjectAlternativeName:localhost,*.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/test_onecrl/sample_revocations.txt b/security/manager/ssl/tests/unit/test_onecrl/sample_revocations.txt
new file mode 100644
index 0000000000..2ee2b87b2a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/sample_revocations.txt
@@ -0,0 +1,41 @@
+# a sample revocations.txt for tests
+# Lines starting with '#' are ignored - as are empty lines like this:
+
+# otherwise:
+# non-empty lines are treated as base-64 encoded DER DN data (e.g. issuer or
+# subject)
+# ...unless the line starts with a ' ' (space) character, in which case it's
+# assumed to be base-64 encoded DER serial data, or
+# the line starts with a '\t' (tab) character, in which case it's assumed to
+# be a base-64 encoded SHA256 hash of a public key
+
+# First a serial with no issuer to ensure this doesn't cause parsing to fail
+# (there should be an issuer first, but we need to test this won't fail)
+ dGVzdA==
+# next, let's ensure data that isn't valid base64 doesn't cause breakage.
+ this serial isn't valid base64 (but then there's no issuer anyway)
+Neither is this issuer, though the serial is fine
+ dGVzdA==
+dGVzdA==
+ in this case, issuer is fine but not the serial
+# Next two entries; we can add valid base-64 encoded data for some basic tests:
+# issuer is the base-64 encoded subject DN for the shared Test CA
+# serial is the base-64 encoded integer 42
+MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=
+ Kg==
+# issuer is the base-64 encoded subject DN for the shared Test Intermediate
+# the first serial is the base-64 encoded integer 78
+# the second serial is the base-64 encoded integer 31
+MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl
+ Tg==
+ Hw==
+ c2VyaWFsMi4=
+# subject is base-64 encoded subject DN "CN=EE Revoked By Subject and PubKey"
+# pubKeyHash is the base-64 encoded sha256 hash of the shared RSA SPKI
+MCsxKTAnBgNVBAMMIEVFIFJldm9rZWQgQnkgU3ViamVjdCBhbmQgUHViS2V5
+	VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=
+# and some more data to ensure that mixed items don't cause parsing failure
+a DN
+ a serial
+	a hash
+ another serial
diff --git a/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem
new file mode 100644
index 0000000000..525cd71c47
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6jCCAdKgAwIBAgIUa4ks0VUTyrp6BlZyCB65lVeSFDgwDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowJDEiMCAGA1UEAwwZRUUgaXNzdWVkIGJ5IGlu
+dGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaMYMBYwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqG
+SIb3DQEBCwUAA4IBAQA1n1VzCy6MJBHPaZlsuILBLkNqd7Bhzalhp6ubI05DGgfq
+yIYSyEn7ALTwo0bsp9kndmijyB3T8BJoDekEHjcKRpnDuuBGKGVrvOWquIJ1YFRf
+1r+VxI7n0wC9RF953+rTgsyPYPS5q1DJrMx+q1PCzga4mP5Tm3OxTyMXsHpM7uxN
+9/imDY0gLndSUYjx0S5EADhmXul+SCLxzh+9TfdQPRSiDhFsNrUen31Ajh/5Iu34
+e0wc4UEEUJftqbmbFMk7OJiUi2UcezCJdt7WYZQJGLWHLQFugJmsE6sLy0fDXHVX
+65VKh/HrXYQ5xemJtJaQfImoHV5+SGkVxdyYFKwO
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem.certspec
new file mode 100644
index 0000000000..24792d540a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test Intermediate
+subject:EE issued by intermediate
+extension:subjectAlternativeName:localhost
diff --git a/security/manager/ssl/tests/unit/test_osclientcerts_module.js b/security/manager/ssl/tests/unit/test_osclientcerts_module.js
new file mode 100644
index 0000000000..bebc0aa58b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_osclientcerts_module.js
@@ -0,0 +1,60 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that the platform can load the osclientcerts module.
+
+// Ensure that the appropriate initialization has happened.
+Services.prefs.setBoolPref("security.osclientcerts.autoload", false);
+do_get_profile();
+
+const { TestUtils } = ChromeUtils.importESModule(
+  "resource://testing-common/TestUtils.sys.mjs"
+);
+
+async function check_osclientcerts_module_loaded() {
+  // Loading happens asynchronously, so we have to wait for the notification.
+  await TestUtils.topicObserved("psm:load-os-client-certs-module-task-ran");
+  let testModule = checkPKCS11ModuleExists(
+    "OS Client Cert Module",
+    "osclientcerts"
+  );
+
+  // Check that listing the slots for the osclientcerts module works.
+  let testModuleSlotNames = Array.from(
+    testModule.listSlots(),
+    slot => slot.name
+  );
+  testModuleSlotNames.sort();
+  const expectedSlotNames = ["OS Client Cert Slot"];
+  deepEqual(
+    testModuleSlotNames,
+    expectedSlotNames,
+    "Actual and expected slot names should be equal"
+  );
+}
+
+add_task(async function run_test() {
+  // Check that if we haven't loaded the osclientcerts module, we don't find it
+  // in the module list.
+  checkPKCS11ModuleNotPresent("OS Client Cert Module", "osclientcerts");
+
+  // Check that enabling the pref that loads the osclientcerts module makes it
+  // appear in the module list.
+  Services.prefs.setBoolPref("security.osclientcerts.autoload", true);
+  await check_osclientcerts_module_loaded();
+
+  // Check that disabling the pref that loads the osclientcerts module (thus
+  // unloading the module) makes it disappear from the module list.
+  Services.prefs.setBoolPref("security.osclientcerts.autoload", false);
+  checkPKCS11ModuleNotPresent("OS Client Cert Module", "osclientcerts");
+
+  // Check that loading the module again succeeds.
+  Services.prefs.setBoolPref("security.osclientcerts.autoload", true);
+  await check_osclientcerts_module_loaded();
+
+  // And once more check that unloading succeeds.
+  Services.prefs.setBoolPref("security.osclientcerts.autoload", false);
+  checkPKCS11ModuleNotPresent("OS Client Cert Module", "osclientcerts");
+});
diff --git a/security/manager/ssl/tests/unit/test_oskeystore.js b/security/manager/ssl/tests/unit/test_oskeystore.js
new file mode 100644
index 0000000000..028c308faf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_oskeystore.js
@@ -0,0 +1,413 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the methods and attributes for interfacing with nsIOSKeyStore.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+const LABELS = ["mylabel1", "mylabel2", "mylabel3"];
+
+async function delete_all_secrets() {
+  let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+    Ci.nsIOSKeyStore
+  );
+  for (let label of LABELS) {
+    if (await keystore.asyncSecretAvailable(label)) {
+      await keystore.asyncDeleteSecret(label);
+      ok(
+        !(await keystore.asyncSecretAvailable(label)),
+        label + " should be deleted now."
+      );
+    }
+  }
+}
+
+// Test that Firefox handles locking and unlocking of the OSKeyStore properly.
+// Does so by mocking out the actual dialog and "filling in" the
+// password. Also tests that providing an incorrect password will fail (well,
+// technically the user will just get prompted again, but if they then cancel
+// the dialog the overall operation will fail).
+
+var gMockPrompter = {
+  passwordToTry: null,
+  numPrompts: 0,
+
+  // This intentionally does not use arrow function syntax to avoid an issue
+  // where in the context of the arrow function, |this != gMockPrompter| due to
+  // how objects get wrapped when going across xpcom boundaries.
+  promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+    this.numPrompts++;
+    equal(
+      text,
+      "Please enter your Primary Password.",
+      "password prompt text should be as expected"
+    );
+    equal(checkMsg, null, "checkMsg should be null");
+    ok(this.passwordToTry, "passwordToTry should be non-null");
+    if (this.passwordToTry == "DontTryThisPassword") {
+      // Cancel the prompt in this case.
+      return false;
+    }
+    password.value = this.passwordToTry;
+    return true;
+  },
+
+  QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+};
+
+// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt
+// to call promptPassword. We return the mock one, above.
+var gWindowWatcher = {
+  getNewPrompter: () => gMockPrompter,
+  QueryInterface: ChromeUtils.generateQI(["nsIWindowWatcher"]),
+};
+
+async function encrypt_decrypt_test() {
+  let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+    Ci.nsIOSKeyStore
+  );
+  ok(
+    !(await keystore.asyncSecretAvailable(LABELS[0])),
+    "The secret should not be available yet."
+  );
+
+  let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+  ok(recoveryPhrase, "A recovery phrase should've been created.");
+  let recoveryPhrase2 = await keystore.asyncGenerateSecret(LABELS[1]);
+  ok(recoveryPhrase2, "A recovery phrase should've been created.");
+
+  let text = new Uint8Array([0x01, 0x00, 0x01]);
+  let ciphertext = "";
+  try {
+    ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text);
+    ok(ciphertext, "We should have a ciphertext now.");
+  } catch (e) {
+    ok(false, "Error encrypting " + e);
+  }
+
+  // Decrypting should give us the plaintext bytes again.
+  try {
+    let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext);
+    ok(
+      plaintext.toString() == text.toString(),
+      "Decrypted plaintext should be the same as text."
+    );
+  } catch (e) {
+    ok(false, "Error decrypting ciphertext " + e);
+  }
+
+  // Decrypting with a wrong key should throw an error.
+  try {
+    await keystore.asyncDecryptBytes(LABELS[1], ciphertext);
+    ok(false, "Decrypting with the wrong key should fail.");
+  } catch (e) {
+    ok(true, "Decrypting with the wrong key should fail " + e);
+  }
+}
+
+add_task(async function () {
+  let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+    Ci.nsIOSKeyStore
+  );
+  let windowWatcherCID;
+  if (keystore.isNSSKeyStore) {
+    windowWatcherCID = MockRegistrar.register(
+      "@mozilla.org/embedcomp/window-watcher;1",
+      gWindowWatcher
+    );
+    registerCleanupFunction(() => {
+      MockRegistrar.unregister(windowWatcherCID);
+    });
+  }
+
+  await delete_all_secrets();
+  await encrypt_decrypt_test();
+  await delete_all_secrets();
+
+  if (
+    AppConstants.platform == "macosx" ||
+    AppConstants.platform == "win" ||
+    AppConstants.platform == "linux"
+  ) {
+    ok(
+      !keystore.isNSSKeyStore,
+      "OS X, Windows, and Linux should use the non-NSS implementation"
+    );
+  }
+
+  if (keystore.isNSSKeyStore) {
+    // If we use the NSS key store implementation test that everything works
+    // when a master password is set.
+    // Set an initial password.
+    let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+      Ci.nsIPK11TokenDB
+    );
+    let token = tokenDB.getInternalKeyToken();
+    token.initPassword("hunter2");
+
+    // Lock the key store. This should be equivalent to token.logoutSimple()
+    await keystore.asyncLock();
+
+    // Set the correct password so that the test operations should succeed.
+    gMockPrompter.passwordToTry = "hunter2";
+    await encrypt_decrypt_test();
+    ok(
+      gMockPrompter.numPrompts == 1,
+      "There should've been one password prompt."
+    );
+    await delete_all_secrets();
+  }
+
+  // Check lock/unlock behaviour.
+  // Unfortunately we can only test this automatically for the NSS key store.
+  // Uncomment the outer keystore.isNSSKeyStore to test other key stores manually.
+  if (keystore.isNSSKeyStore) {
+    await delete_all_secrets();
+    await encrypt_decrypt_test();
+    await keystore.asyncLock();
+    info("Keystore should be locked. Cancel the login request.");
+    try {
+      if (keystore.isNSSKeyStore) {
+        gMockPrompter.passwordToTry = "DontTryThisPassword";
+      }
+      await keystore.asyncUnlock();
+      ok(false, "Unlock should've rejected.");
+    } catch (e) {
+      ok(
+        e.result == Cr.NS_ERROR_FAILURE || e.result == Cr.NS_ERROR_ABORT,
+        "Rejected login prompt."
+      );
+    }
+    // clean up
+    if (keystore.isNSSKeyStore) {
+      gMockPrompter.passwordToTry = "hunter2";
+    }
+    await delete_all_secrets();
+  }
+});
+
+// Test that if we kick off a background operation and then call a synchronous function on the
+// keystore, we don't deadlock.
+add_task(async function () {
+  await delete_all_secrets();
+
+  let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+    Ci.nsIOSKeyStore
+  );
+  let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+  ok(recoveryPhrase, "A recovery phrase should've been created.");
+
+  try {
+    let text = new Uint8Array(8192);
+    let promise = keystore.asyncEncryptBytes(LABELS[0], text);
+    /* eslint-disable no-unused-expressions */
+    keystore.isNSSKeyStore; // we don't care what this is - we just need to access it
+    /* eslint-enable no-unused-expressions */
+    let ciphertext = await promise;
+    ok(ciphertext, "We should have a ciphertext now.");
+  } catch (e) {
+    ok(false, "Error encrypting " + e);
+  }
+
+  await delete_all_secrets();
+});
+
+// Test that using a recovery phrase works.
+add_task(async function () {
+  await delete_all_secrets();
+
+  let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+    Ci.nsIOSKeyStore
+  );
+
+  let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+  ok(recoveryPhrase, "A recovery phrase should've been created.");
+
+  let text = new Uint8Array([0x01, 0x00, 0x01]);
+  let ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text);
+  ok(ciphertext, "We should have a ciphertext now.");
+
+  await keystore.asyncDeleteSecret(LABELS[0]);
+  // Decrypting should fail after deleting the secret.
+  await keystore
+    .asyncDecryptBytes(LABELS[0], ciphertext)
+    .then(() =>
+      ok(false, "decrypting didn't throw as expected after deleting the secret")
+    )
+    .catch(() =>
+      ok(true, "decrypting threw as expected after deleting the secret")
+    );
+
+  await keystore.asyncRecoverSecret(LABELS[0], recoveryPhrase);
+  let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext);
+  ok(
+    plaintext.toString() == text.toString(),
+    "Decrypted plaintext should be the same as text."
+  );
+
+  await delete_all_secrets();
+});
+
+// Test that trying to use a non-base64 recovery phrase fails.
+add_task(async function () {
+  await delete_all_secrets();
+
+  let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+    Ci.nsIOSKeyStore
+  );
+  await keystore
+    .asyncRecoverSecret(LABELS[0], "@##$^&*()#$^&*(@#%&*_")
+    .then(() =>
+      ok(false, "base64-decoding non-base64 should have failed but didn't")
+    )
+    .catch(() => ok(true, "base64-decoding non-base64 failed as expected"));
+
+  ok(
+    !(await keystore.asyncSecretAvailable(LABELS[0])),
+    "we didn't recover a secret, so the secret shouldn't be available"
+  );
+  let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+  ok(
+    recoveryPhrase && !!recoveryPhrase.length,
+    "we should be able to re-use that label to generate a new secret"
+  );
+  await delete_all_secrets();
+});
+
+// Test that re-using a label overwrites any previously-stored secret.
+add_task(async function () {
+  await delete_all_secrets();
+
+  let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+    Ci.nsIOSKeyStore
+  );
+
+  let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+  ok(recoveryPhrase, "A recovery phrase should've been created.");
+
+  let text = new Uint8Array([0x66, 0x6f, 0x6f, 0x66]);
+  let ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text);
+  ok(ciphertext, "We should have a ciphertext now.");
+
+  let newRecoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+  ok(newRecoveryPhrase, "A new recovery phrase should've been created.");
+
+  // The new secret replaced the old one so we shouldn't be able to decrypt the ciphertext now.
+  await keystore
+    .asyncDecryptBytes(LABELS[0], ciphertext)
+    .then(() =>
+      ok(false, "decrypting without the original key should have failed")
+    )
+    .catch(() =>
+      ok(true, "decrypting without the original key failed as expected")
+    );
+
+  await keystore.asyncRecoverSecret(LABELS[0], recoveryPhrase);
+  let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext);
+  ok(
+    plaintext.toString() == text.toString(),
+    "Decrypted plaintext should be the same as text (once we have the original key again)."
+  );
+
+  await delete_all_secrets();
+});
+
+// Test that re-using a label (this time using a recovery phrase) overwrites any previously-stored
+// secret.
+add_task(async function () {
+  await delete_all_secrets();
+
+  let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+    Ci.nsIOSKeyStore
+  );
+
+  let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+  ok(recoveryPhrase, "A recovery phrase should've been created.");
+
+  let newRecoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+  ok(newRecoveryPhrase, "A new recovery phrase should've been created.");
+
+  let text = new Uint8Array([0x66, 0x6f, 0x6f, 0x66]);
+  let ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text);
+  ok(ciphertext, "We should have a ciphertext now.");
+
+  await keystore.asyncRecoverSecret(LABELS[0], recoveryPhrase);
+
+  // We recovered the old secret, so decrypting ciphertext that had been encrypted with the newer
+  // key should fail.
+  await keystore
+    .asyncDecryptBytes(LABELS[0], ciphertext)
+    .then(() => ok(false, "decrypting without the new key should have failed"))
+    .catch(() => ok(true, "decrypting without the new key failed as expected"));
+
+  await keystore.asyncRecoverSecret(LABELS[0], newRecoveryPhrase);
+  let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext);
+  ok(
+    plaintext.toString() == text.toString(),
+    "Decrypted plaintext should be the same as text (once we have the new key again)."
+  );
+
+  await delete_all_secrets();
+});
+
+// Test that trying to use recovery phrases that are the wrong size fails.
+add_task(async function () {
+  await delete_all_secrets();
+
+  let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+    Ci.nsIOSKeyStore
+  );
+
+  await keystore
+    .asyncRecoverSecret(LABELS[0], "")
+    .then(() => ok(false, "'recovering' with an empty key should have failed"))
+    .catch(() => ok(true, "'recovering' with an empty key failed as expected"));
+  ok(
+    !(await keystore.asyncSecretAvailable(LABELS[0])),
+    "we didn't recover a secret, so the secret shouldn't be available"
+  );
+
+  await keystore
+    .asyncRecoverSecret(LABELS[0], "AAAAAA")
+    .then(() =>
+      ok(false, "recovering with a key that is too short should have failed")
+    )
+    .catch(() =>
+      ok(true, "recovering with a key that is too short failed as expected")
+    );
+  ok(
+    !(await keystore.asyncSecretAvailable(LABELS[0])),
+    "we didn't recover a secret, so the secret shouldn't be available"
+  );
+
+  await keystore
+    .asyncRecoverSecret(
+      LABELS[0],
+      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+    )
+    .then(() =>
+      ok(false, "recovering with a key that is too long should have failed")
+    )
+    .catch(() =>
+      ok(true, "recovering with a key that is too long failed as expected")
+    );
+  ok(
+    !(await keystore.asyncSecretAvailable(LABELS[0])),
+    "we didn't recover a secret, so the secret shouldn't be available"
+  );
+
+  let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+  ok(
+    recoveryPhrase && !!recoveryPhrase.length,
+    "we should be able to use that label to generate a new secret"
+  );
+  ok(
+    await keystore.asyncSecretAvailable(LABELS[0]),
+    "the generated secret should now be available"
+  );
+
+  await delete_all_secrets();
+});
diff --git a/security/manager/ssl/tests/unit/test_osreauthenticator.js b/security/manager/ssl/tests/unit/test_osreauthenticator.js
new file mode 100644
index 0000000000..01784a5fef
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_osreauthenticator.js
@@ -0,0 +1,27 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests nsIOSReauthenticator.asyncReauthenticateUser().
+// As this gets implemented on various platforms, running this test
+// will result in a prompt from the OS. Consequently, we won't be able
+// to run this in automation, but it will help in testing locally.
+add_task(async function test_asyncReauthenticateUser() {
+  const reauthenticator = Cc[
+    "@mozilla.org/security/osreauthenticator;1"
+  ].getService(Ci.nsIOSReauthenticator);
+  ok(reauthenticator, "nsIOSReauthenticator should be available");
+  const EXPECTED = false; // Change this variable to suit your needs while testing.
+  ok(
+    (
+      await reauthenticator.asyncReauthenticateUser(
+        "this is the prompt string",
+        "this is the caption string",
+        null
+      )
+    )[0] == EXPECTED,
+    "nsIOSReauthenticator.asyncReauthenticateUser should return a boolean array with the first item being the authentication result of: " +
+      EXPECTED
+  );
+});
diff --git a/security/manager/ssl/tests/unit/test_password_prompt.js b/security/manager/ssl/tests/unit/test_password_prompt.js
new file mode 100644
index 0000000000..cf4c6db7bf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_password_prompt.js
@@ -0,0 +1,87 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that PSM can successfully ask for a password from the user and relay it
+// back to NSS. Does so by mocking out the actual dialog and "filling in" the
+// password. Also tests that providing an incorrect password will fail (well,
+// technically the user will just get prompted again, but if they then cancel
+// the dialog the overall operation will fail).
+
+var gMockPrompter = {
+  passwordToTry: null,
+  numPrompts: 0,
+
+  // This intentionally does not use arrow function syntax to avoid an issue
+  // where in the context of the arrow function, |this != gMockPrompter| due to
+  // how objects get wrapped when going across xpcom boundaries.
+  promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+    this.numPrompts++;
+    if (this.numPrompts > 1) {
+      // don't keep retrying a bad password
+      return false;
+    }
+    equal(
+      text,
+      "Please enter your Primary Password.",
+      "password prompt text should be as expected"
+    );
+    equal(checkMsg, null, "checkMsg should be null");
+    ok(this.passwordToTry, "passwordToTry should be non-null");
+    password.value = this.passwordToTry;
+    return true;
+  },
+
+  QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+};
+
+// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt
+// to call promptPassword. We return the mock one, above.
+var gWindowWatcher = {
+  getNewPrompter: () => gMockPrompter,
+  QueryInterface: ChromeUtils.generateQI(["nsIWindowWatcher"]),
+};
+
+function run_test() {
+  do_get_profile();
+
+  let windowWatcherCID = MockRegistrar.register(
+    "@mozilla.org/embedcomp/window-watcher;1",
+    gWindowWatcher
+  );
+  registerCleanupFunction(() => {
+    MockRegistrar.unregister(windowWatcherCID);
+  });
+
+  // Set an initial password.
+  let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+    Ci.nsIPK11TokenDB
+  );
+  let token = tokenDB.getInternalKeyToken();
+  token.initPassword("hunter2");
+  token.logoutSimple();
+
+  // Try with the correct password.
+  gMockPrompter.passwordToTry = "hunter2";
+  // Using nsISecretDecoderRing will cause the password prompt to come up if the
+  // token has a password and is logged out.
+  let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+    Ci.nsISecretDecoderRing
+  );
+  sdr.encryptString("poke");
+  equal(gMockPrompter.numPrompts, 1, "should have prompted for password once");
+
+  // Reset state.
+  gMockPrompter.numPrompts = 0;
+  token.logoutSimple();
+
+  // Try with an incorrect password.
+  gMockPrompter.passwordToTry = "*******";
+  throws(
+    () => sdr.encryptString("poke2"),
+    /NS_ERROR_FAILURE/,
+    "logging in with the wrong password should fail"
+  );
+  equal(gMockPrompter.numPrompts, 2, "should have prompted for password twice");
+}
diff --git a/security/manager/ssl/tests/unit/test_pinning.js b/security/manager/ssl/tests/unit/test_pinning.js
new file mode 100644
index 0000000000..6661f3cc38
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pinning.js
@@ -0,0 +1,311 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+//
+// For all cases, the acceptable pinset includes only certificates pinned to
+// Test End Entity Cert (signed by issuer testCA). Other certificates
+// are issued by otherCA, which is never in the pinset but is a user-specified
+// trust anchor. This test covers multiple cases:
+//
+// Pinned domain include-subdomains.pinning.example.com includes subdomains
+// - PASS: include-subdomains.pinning.example.com serves a correct cert
+// - PASS: good.include-subdomains.pinning.example.com serves a correct cert
+// - FAIL (strict): bad.include-subdomains.pinning.example.com serves a cert
+// not in the pinset
+// - PASS (mitm): bad.include-subdomains.pinning.example.com serves a cert not
+// in the pinset, but issued by a user-specified trust domain
+//
+// Pinned domain exclude-subdomains.pinning.example.com excludes subdomains
+// - PASS: exclude-subdomains.pinning.example.com serves a correct cert
+// - FAIL: exclude-subdomains.pinning.example.com serves an incorrect cert
+// (TODO: test using verifyCertNow)
+// - PASS: sub.exclude-subdomains.pinning.example.com serves an incorrect cert
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+function add_clear_override(host) {
+  add_test(function () {
+    let certOverrideService = Cc[
+      "@mozilla.org/security/certoverride;1"
+    ].getService(Ci.nsICertOverrideService);
+    certOverrideService.clearValidityOverride(host, 8443, {});
+    run_next_test();
+  });
+}
+
+function test_strict() {
+  // In strict mode, we always evaluate pinning data, regardless of whether the
+  // issuer is a built-in trust anchor. We only enforce pins that are not in
+  // test mode.
+  add_test(function () {
+    Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
+    run_next_test();
+  });
+
+  // Normally this is overridable. But, since we have pinning information for
+  // this host, we don't allow overrides.
+  add_prevented_cert_override_test(
+    "unknownissuer.include-subdomains.pinning.example.com",
+    SEC_ERROR_UNKNOWN_ISSUER
+  );
+  add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
+
+  // Issued by otherCA, which is not in the pinset for pinning.example.com.
+  add_connection_test(
+    "bad.include-subdomains.pinning.example.com",
+    MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
+  );
+
+  // Check that using a FQDN doesn't bypass pinning.
+  add_connection_test(
+    "bad.include-subdomains.pinning.example.com.",
+    MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
+  );
+  // For some reason this is also navigable (see bug 1118522).
+  add_connection_test(
+    "bad.include-subdomains.pinning.example.com..",
+    MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
+  );
+
+  // These domains serve certs that match the pinset.
+  add_connection_test(
+    "include-subdomains.pinning.example.com",
+    PRErrorCodeSuccess
+  );
+  add_connection_test(
+    "good.include-subdomains.pinning.example.com",
+    PRErrorCodeSuccess
+  );
+  add_connection_test(
+    "exclude-subdomains.pinning.example.com",
+    PRErrorCodeSuccess
+  );
+
+  // This domain serves a cert that doesn't match the pinset, but subdomains
+  // are excluded.
+  add_connection_test(
+    "sub.exclude-subdomains.pinning.example.com",
+    PRErrorCodeSuccess
+  );
+
+  // This domain's pinset is exactly the same as
+  // include-subdomains.pinning.example.com, serves the same cert as
+  // bad.include-subdomains.pinning.example.com, but it should pass because
+  // it's in test_mode.
+  add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess);
+  // Similarly, this pin is in test-mode, so it should be overridable.
+  add_cert_override_test(
+    "unknownissuer.test-mode.pinning.example.com",
+    SEC_ERROR_UNKNOWN_ISSUER
+  );
+  add_clear_override("unknownissuer.test-mode.pinning.example.com");
+}
+
+function test_mitm() {
+  // In MITM mode, we allow pinning to pass if the chain resolves to any
+  // user-specified trust anchor, even if it is not in the pinset.
+  add_test(function () {
+    Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 1);
+    run_next_test();
+  });
+
+  add_connection_test(
+    "include-subdomains.pinning.example.com",
+    PRErrorCodeSuccess
+  );
+  add_connection_test(
+    "good.include-subdomains.pinning.example.com",
+    PRErrorCodeSuccess
+  );
+
+  // Normally this is overridable. But, since we have pinning information for
+  // this host, we don't allow overrides (since building a trusted chain fails,
+  // we have no reason to believe this was issued by a user-added trust
+  // anchor, so we can't allow overrides for it).
+  add_prevented_cert_override_test(
+    "unknownissuer.include-subdomains.pinning.example.com",
+    SEC_ERROR_UNKNOWN_ISSUER
+  );
+  add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
+
+  // In this case, even though otherCA is not in the pinset, it is a
+  // user-specified trust anchor and the pinning check succeeds.
+  add_connection_test(
+    "bad.include-subdomains.pinning.example.com",
+    PRErrorCodeSuccess
+  );
+
+  add_connection_test(
+    "exclude-subdomains.pinning.example.com",
+    PRErrorCodeSuccess
+  );
+  add_connection_test(
+    "sub.exclude-subdomains.pinning.example.com",
+    PRErrorCodeSuccess
+  );
+  add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess);
+  add_cert_override_test(
+    "unknownissuer.test-mode.pinning.example.com",
+    SEC_ERROR_UNKNOWN_ISSUER
+  );
+  add_clear_override("unknownissuer.test-mode.pinning.example.com");
+}
+
+function test_disabled() {
+  // Disable pinning.
+  add_test(function () {
+    Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 0);
+    run_next_test();
+  });
+
+  add_connection_test(
+    "include-subdomains.pinning.example.com",
+    PRErrorCodeSuccess
+  );
+  add_connection_test(
+    "good.include-subdomains.pinning.example.com",
+    PRErrorCodeSuccess
+  );
+  add_connection_test(
+    "bad.include-subdomains.pinning.example.com",
+    PRErrorCodeSuccess
+  );
+  add_connection_test(
+    "exclude-subdomains.pinning.example.com",
+    PRErrorCodeSuccess
+  );
+  add_connection_test(
+    "sub.exclude-subdomains.pinning.example.com",
+    PRErrorCodeSuccess
+  );
+  add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess);
+
+  add_cert_override_test(
+    "unknownissuer.include-subdomains.pinning.example.com",
+    SEC_ERROR_UNKNOWN_ISSUER
+  );
+  add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
+  add_cert_override_test(
+    "unknownissuer.test-mode.pinning.example.com",
+    SEC_ERROR_UNKNOWN_ISSUER
+  );
+  add_clear_override("unknownissuer.test-mode.pinning.example.com");
+}
+
+function test_enforce_test_mode() {
+  // In enforce test mode, we always enforce all pins, even test pins.
+  add_test(function () {
+    Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 3);
+    run_next_test();
+  });
+
+  // Normally this is overridable. But, since we have pinning information for
+  // this host, we don't allow overrides.
+  add_prevented_cert_override_test(
+    "unknownissuer.include-subdomains.pinning.example.com",
+    SEC_ERROR_UNKNOWN_ISSUER
+  );
+  add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
+
+  // Issued by otherCA, which is not in the pinset for pinning.example.com.
+  add_connection_test(
+    "bad.include-subdomains.pinning.example.com",
+    MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
+  );
+
+  // These domains serve certs that match the pinset.
+  add_connection_test(
+    "include-subdomains.pinning.example.com",
+    PRErrorCodeSuccess
+  );
+  add_connection_test(
+    "good.include-subdomains.pinning.example.com",
+    PRErrorCodeSuccess
+  );
+  add_connection_test(
+    "exclude-subdomains.pinning.example.com",
+    PRErrorCodeSuccess
+  );
+
+  // This domain serves a cert that doesn't match the pinset, but subdomains
+  // are excluded.
+  add_connection_test(
+    "sub.exclude-subdomains.pinning.example.com",
+    PRErrorCodeSuccess
+  );
+
+  // This domain's pinset is exactly the same as
+  // include-subdomains.pinning.example.com, serves the same cert as
+  // bad.include-subdomains.pinning.example.com, is in test-mode, but we are
+  // enforcing test mode pins.
+  add_connection_test(
+    "test-mode.pinning.example.com",
+    MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
+  );
+  // Normally this is overridable. But, since we have pinning information for
+  // this host (and since we're enforcing test mode), we don't allow overrides.
+  add_prevented_cert_override_test(
+    "unknownissuer.test-mode.pinning.example.com",
+    SEC_ERROR_UNKNOWN_ISSUER
+  );
+  add_clear_override("unknownissuer.test-mode.pinning.example.com");
+}
+
+function check_pinning_telemetry() {
+  let prod_histogram = Services.telemetry
+    .getHistogramById("CERT_PINNING_RESULTS")
+    .snapshot();
+  let test_histogram = Services.telemetry
+    .getHistogramById("CERT_PINNING_TEST_RESULTS")
+    .snapshot();
+  // Because all of our test domains are pinned to user-specified trust
+  // anchors, effectively only strict mode and enforce test-mode get evaluated
+  equal(
+    prod_histogram.values[0],
+    4,
+    "Actual and expected prod (non-Mozilla) failure count should match"
+  );
+  equal(
+    prod_histogram.values[1],
+    6,
+    "Actual and expected prod (non-Mozilla) success count should match"
+  );
+  equal(
+    test_histogram.values[0],
+    2,
+    "Actual and expected test (non-Mozilla) failure count should match"
+  );
+  equal(
+    test_histogram.values[1] || 0,
+    0,
+    "Actual and expected test (non-Mozilla) success count should match"
+  );
+
+  run_next_test();
+}
+
+function run_test() {
+  // Ensure that static pinning works when HPKP is disabled.
+  Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", false);
+
+  add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+
+  // Add a user-specified trust anchor.
+  addCertFromFile(certdb, "bad_certs/other-test-ca.pem", "CTu,u,u");
+
+  test_strict();
+  test_mitm();
+  test_disabled();
+  test_enforce_test_mode();
+
+  add_test(function () {
+    check_pinning_telemetry();
+  });
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_module.js b/security/manager/ssl/tests/unit/test_pkcs11_module.js
new file mode 100644
index 0000000000..abad2dbb54
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_module.js
@@ -0,0 +1,58 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the methods and attributes for interfacing with a PKCS #11 module and
+// the module database.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+const gModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+  Ci.nsIPKCS11ModuleDB
+);
+
+function run_test() {
+  // Check that if we have never added the test module, that we don't find it
+  // in the module list.
+  checkPKCS11ModuleNotPresent("PKCS11 Test Module", "pkcs11testmodule");
+
+  // Check that adding the test module makes it appear in the module list.
+  let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+  libraryFile.append("pkcs11testmodule");
+  libraryFile.append(ctypes.libraryName("pkcs11testmodule"));
+  loadPKCS11Module(libraryFile, "PKCS11 Test Module", true);
+  let testModule = checkPKCS11ModuleExists(
+    "PKCS11 Test Module",
+    "pkcs11testmodule"
+  );
+
+  // Check that listing the slots for the test module works.
+  let testModuleSlotNames = Array.from(
+    testModule.listSlots(),
+    slot => slot.name
+  );
+  testModuleSlotNames.sort();
+  const expectedSlotNames = [
+    "Empty PKCS11 Slot",
+    "Test PKCS11 Slot",
+    "Test PKCS11 Slot 二",
+  ];
+  deepEqual(
+    testModuleSlotNames,
+    expectedSlotNames,
+    "Actual and expected slot names should be equal"
+  );
+
+  // Check that deleting the test module makes it disappear from the module list.
+  let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+    Ci.nsIPKCS11ModuleDB
+  );
+  pkcs11ModuleDB.deleteModule("PKCS11 Test Module");
+  checkPKCS11ModuleNotPresent("PKCS11 Test Module", "pkcs11testmodule");
+
+  // Check miscellaneous module DB methods and attributes.
+  ok(!gModuleDB.canToggleFIPS, "It should NOT be possible to toggle FIPS");
+  ok(!gModuleDB.isFIPSEnabled, "FIPS should not be enabled");
+}
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_moduleDB.js b/security/manager/ssl/tests/unit/test_pkcs11_moduleDB.js
new file mode 100644
index 0000000000..e8cbf17abf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_moduleDB.js
@@ -0,0 +1,46 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that adding modules with invalid names are prevented.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+function run_test() {
+  let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+  libraryFile.append("pkcs11testmodule");
+  libraryFile.append(ctypes.libraryName("pkcs11testmodule"));
+  ok(libraryFile.exists(), "The pkcs11testmodule file should exist");
+
+  let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+    Ci.nsIPKCS11ModuleDB
+  );
+  throws(
+    () => moduleDB.addModule("Root Certs", libraryFile.path, 0, 0),
+    /NS_ERROR_ILLEGAL_VALUE/,
+    "Adding a module named 'Root Certs' should fail."
+  );
+  throws(
+    () => moduleDB.addModule("", libraryFile.path, 0, 0),
+    /NS_ERROR_ILLEGAL_VALUE/,
+    "Adding a module with an empty name should fail."
+  );
+
+  let bundle = Services.strings.createBundle(
+    "chrome://pipnss/locale/pipnss.properties"
+  );
+  let rootsModuleName = bundle.GetStringFromName("RootCertModuleName");
+  let foundRootsModule = false;
+  for (let module of moduleDB.listModules()) {
+    if (module.name == rootsModuleName) {
+      foundRootsModule = true;
+      break;
+    }
+  }
+  ok(
+    foundRootsModule,
+    "Should be able to find builtin roots module by localized name."
+  );
+}
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js b/security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js
new file mode 100644
index 0000000000..e4e3467d79
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js
@@ -0,0 +1,58 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// In safe mode, PKCS#11 modules should not be loaded. This test tests this by
+// simulating starting in safe mode and then attempting to load a module.
+
+function run_test() {
+  do_get_profile();
+
+  // Simulate starting in safe mode.
+  let xulRuntime = {
+    inSafeMode: true,
+    logConsoleErrors: true,
+    OS: "XPCShell",
+    XPCOMABI: "noarch-spidermonkey",
+    invalidateCachesOnRestart: function invalidateCachesOnRestart() {
+      // Do nothing
+    },
+    QueryInterface: ChromeUtils.generateQI(["nsIXULRuntime"]),
+  };
+
+  let xulRuntimeFactory = {
+    createInstance(iid) {
+      return xulRuntime.QueryInterface(iid);
+    },
+  };
+
+  let registrar = Components.manager.QueryInterface(Ci.nsIComponentRegistrar);
+  const XULRUNTIME_CONTRACTID = "@mozilla.org/xre/runtime;1";
+  const XULRUNTIME_CID = Components.ID(
+    "{f0f0b230-5525-4127-98dc-7bca39059e70}"
+  );
+  registrar.registerFactory(
+    XULRUNTIME_CID,
+    "XULRuntime",
+    XULRUNTIME_CONTRACTID,
+    xulRuntimeFactory
+  );
+
+  // When starting in safe mode, the test module should fail to load.
+  let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+    Ci.nsIPKCS11ModuleDB
+  );
+  let libraryName = ctypes.libraryName("pkcs11testmodule");
+  let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+  libraryFile.append("pkcs11testmodule");
+  libraryFile.append(libraryName);
+  ok(libraryFile.exists(), "The pkcs11testmodule file should exist");
+  throws(
+    () =>
+      pkcs11ModuleDB.addModule("PKCS11 Test Module", libraryFile.path, 0, 0),
+    /NS_ERROR_FAILURE/,
+    "addModule should throw when in safe mode"
+  );
+}
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_slot.js b/security/manager/ssl/tests/unit/test_pkcs11_slot.js
new file mode 100644
index 0000000000..dba2a4d3a1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_slot.js
@@ -0,0 +1,161 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the methods and attributes for interfacing with a PKCS #11 slot.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+function find_slot_by_name(module, name) {
+  for (let slot of module.listSlots()) {
+    if (slot.name == name) {
+      return slot;
+    }
+  }
+  return null;
+}
+
+function find_module_by_name(moduleDB, name) {
+  for (let slot of moduleDB.listModules()) {
+    if (slot.name == name) {
+      return slot;
+    }
+  }
+  return null;
+}
+
+var gPrompt = {
+  QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+
+  // This intentionally does not use arrow function syntax to avoid an issue
+  // where in the context of the arrow function, |this != gPrompt| due to
+  // how objects get wrapped when going across xpcom boundaries.
+  alert(title, text) {
+    equal(
+      text,
+      "Please authenticate to the token “Test PKCS11 Tokeñ 2 Label�. " +
+        "How to do so depends on the token (for example, using a fingerprint " +
+        "reader or entering a code with a keypad)."
+    );
+  },
+};
+
+const gPromptFactory = {
+  QueryInterface: ChromeUtils.generateQI(["nsIPromptFactory"]),
+  getPrompt: (aWindow, aIID) => gPrompt,
+};
+
+function run_test() {
+  MockRegistrar.register("@mozilla.org/prompter;1", gPromptFactory);
+
+  let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+  libraryFile.append("pkcs11testmodule");
+  libraryFile.append(ctypes.libraryName("pkcs11testmodule"));
+  loadPKCS11Module(libraryFile, "PKCS11 Test Module", false);
+
+  let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+    Ci.nsIPKCS11ModuleDB
+  );
+  let testModule = find_module_by_name(moduleDB, "PKCS11 Test Module");
+  notEqual(testModule, null, "should be able to find test module");
+  let testSlot = find_slot_by_name(testModule, "Test PKCS11 Slot 二");
+  notEqual(testSlot, null, "should be able to find 'Test PKCS11 Slot 二'");
+
+  equal(
+    testSlot.name,
+    "Test PKCS11 Slot 二",
+    "Actual and expected name should match"
+  );
+  equal(
+    testSlot.desc,
+    "Test PKCS11 Slot 二",
+    "Actual and expected description should match"
+  );
+  equal(
+    testSlot.manID,
+    "Test PKCS11 Manufacturer ID",
+    "Actual and expected manufacturer ID should match"
+  );
+  equal(
+    testSlot.HWVersion,
+    "0.0",
+    "Actual and expected hardware version should match"
+  );
+  equal(
+    testSlot.FWVersion,
+    "0.0",
+    "Actual and expected firmware version should match"
+  );
+  equal(
+    testSlot.status,
+    Ci.nsIPKCS11Slot.SLOT_NOT_LOGGED_IN,
+    "Actual and expected status should match"
+  );
+  equal(
+    testSlot.tokenName,
+    "Test PKCS11 Tokeñ 2 Label",
+    "Actual and expected token name should match"
+  );
+
+  let testToken = testSlot.getToken();
+  notEqual(testToken, null, "getToken() should succeed");
+  equal(
+    testToken.tokenName,
+    "Test PKCS11 Tokeñ 2 Label",
+    "Spot check: the actual and expected test token names should be equal"
+  );
+  ok(!testToken.isInternalKeyToken, "This token is not the internal key token");
+
+  testToken.login(true);
+  ok(testToken.isLoggedIn(), "Should have 'logged in' successfully");
+
+  testSlot = find_slot_by_name(testModule, "Empty PKCS11 Slot");
+  notEqual(testSlot, null, "should be able to find 'Empty PKCS11 Slot'");
+  equal(testSlot.tokenName, null, "Empty slot is empty");
+  equal(
+    testSlot.status,
+    Ci.nsIPKCS11Slot.SLOT_NOT_PRESENT,
+    "Actual and expected status should match"
+  );
+
+  let bundle = Services.strings.createBundle(
+    "chrome://pipnss/locale/pipnss.properties"
+  );
+  let internalModule = find_module_by_name(
+    moduleDB,
+    "NSS Internal PKCS #11 Module"
+  );
+  notEqual(internalModule, null, "should be able to find internal module");
+  let cryptoSlot = find_slot_by_name(
+    internalModule,
+    bundle.GetStringFromName("TokenDescription")
+  );
+  notEqual(cryptoSlot, "should be able to find internal crypto slot");
+  equal(
+    cryptoSlot.desc,
+    bundle.GetStringFromName("SlotDescription"),
+    "crypto slot should have expected 'desc'"
+  );
+  equal(
+    cryptoSlot.manID,
+    bundle.GetStringFromName("ManufacturerID"),
+    "crypto slot should have expected 'manID'"
+  );
+  let keySlot = find_slot_by_name(
+    internalModule,
+    bundle.GetStringFromName("PrivateTokenDescription")
+  );
+  notEqual(keySlot, "should be able to find internal key slot");
+  equal(
+    keySlot.desc,
+    bundle.GetStringFromName("PrivateSlotDescription"),
+    "key slot should have expected 'desc'"
+  );
+  equal(
+    keySlot.manID,
+    bundle.GetStringFromName("ManufacturerID"),
+    "key slot should have expected 'manID'"
+  );
+}
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_token.js b/security/manager/ssl/tests/unit/test_pkcs11_token.js
new file mode 100644
index 0000000000..575fc26b88
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_token.js
@@ -0,0 +1,149 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the methods and attributes for interfacing with a PKCS #11 token, using
+// the internal key token.
+// We don't use either of the test tokens in the test PKCS #11 module because:
+//   1. Test token 1 cyclically inserts and removes itself in a tight loop.
+//      Using token 1 would complicate the test and introduce intermittent
+//      failures.
+//   2. Neither test token implements login or password related functionality.
+//      We want to test such functionality.
+//   3. Using the internal token lets us actually test the internal token works
+//      as expected.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+function checkBasicAttributes(token) {
+  let bundle = Services.strings.createBundle(
+    "chrome://pipnss/locale/pipnss.properties"
+  );
+
+  let expectedTokenName = bundle.GetStringFromName("PrivateTokenDescription");
+  equal(
+    token.tokenName,
+    expectedTokenName,
+    "Actual and expected name should match"
+  );
+  equal(
+    token.tokenManID,
+    bundle.GetStringFromName("ManufacturerID"),
+    "Actual and expected manufacturer ID should match"
+  );
+  equal(
+    token.tokenHWVersion,
+    "0.0",
+    "Actual and expected hardware version should match"
+  );
+  equal(
+    token.tokenFWVersion,
+    "0.0",
+    "Actual and expected firmware version should match"
+  );
+  equal(
+    token.tokenSerialNumber,
+    "0000000000000000",
+    "Actual and expected serial number should match"
+  );
+}
+
+/**
+ * Checks the various password related features of the given token.
+ * The token should already have been init with a password and be logged into.
+ * The password of the token will be reset after calling this function.
+ *
+ * @param {nsIPK11Token} token
+ *        The token to test.
+ * @param {string} initialPW
+ *        The password that the token should have been init with.
+ */
+function checkPasswordFeaturesAndResetPassword(token, initialPW) {
+  ok(
+    !token.needsUserInit,
+    "Token should not need user init after setting a password"
+  );
+  ok(
+    token.hasPassword,
+    "Token should have a password after setting a password"
+  );
+
+  ok(
+    token.checkPassword(initialPW),
+    "checkPassword() should succeed if the correct initial password is given"
+  );
+  token.changePassword(initialPW, "newPW ÿ 一二三");
+  ok(
+    token.checkPassword("newPW ÿ 一二三"),
+    "checkPassword() should succeed if the correct new password is given"
+  );
+
+  ok(
+    !token.checkPassword("wrongPW"),
+    "checkPassword() should fail if an incorrect password is given"
+  );
+  ok(
+    !token.isLoggedIn(),
+    "Token should be logged out after an incorrect password was given"
+  );
+  ok(
+    !token.needsUserInit,
+    "Token should still be init with a password even if an incorrect " +
+      "password was given"
+  );
+
+  token.reset();
+  ok(token.needsUserInit, "Token should need password init after reset");
+  ok(!token.hasPassword, "Token should not have a password after reset");
+  ok(!token.isLoggedIn(), "Token should be logged out of after reset");
+}
+
+function run_test() {
+  let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+    Ci.nsIPK11TokenDB
+  );
+  let token = tokenDB.getInternalKeyToken();
+  notEqual(token, null, "The internal token should be present");
+  ok(
+    token.isInternalKeyToken,
+    "The internal token should be represented as such"
+  );
+
+  checkBasicAttributes(token);
+
+  ok(!token.isLoggedIn(), "Token should not be logged into yet");
+  // Test that attempting to log out even when the token was not logged into
+  // does not result in an error.
+  token.logoutSimple();
+  ok(!token.isLoggedIn(), "Token should still not be logged into");
+  ok(
+    !token.hasPassword,
+    "Token should not have a password before it has been set"
+  );
+
+  let initialPW = "foo 1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/? 一二三";
+  token.initPassword(initialPW);
+  token.login(/* force */ false);
+  ok(token.isLoggedIn(), "Token should now be logged into");
+
+  checkPasswordFeaturesAndResetPassword(token, initialPW);
+
+  // We reset the password previously, so we need to initialize again.
+  token.initPassword("arbitrary");
+  ok(
+    token.isLoggedIn(),
+    "Token should be logged into after initializing password again"
+  );
+  token.logoutSimple();
+  ok(
+    !token.isLoggedIn(),
+    "Token should be logged out after calling logoutSimple()"
+  );
+
+  ok(
+    token.needsLogin(),
+    "The internal token should always need authentication"
+  );
+}
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_tokenDB.js b/security/manager/ssl/tests/unit/test_pkcs11_tokenDB.js
new file mode 100644
index 0000000000..127c533439
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_tokenDB.js
@@ -0,0 +1,20 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the methods for interfacing with the PKCS #11 token database.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+function run_test() {
+  let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+    Ci.nsIPK11TokenDB
+  );
+
+  notEqual(
+    tokenDB.getInternalKeyToken(),
+    null,
+    "The internal token should be non-null"
+  );
+}
diff --git a/security/manager/ssl/tests/unit/test_sanctions/apple-ist-ca-8-g1-intermediate.pem b/security/manager/ssl/tests/unit/test_sanctions/apple-ist-ca-8-g1-intermediate.pem
new file mode 100644
index 0000000000..8401bd3e87
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/apple-ist-ca-8-g1-intermediate.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQDCCAsegAwIBAgIQDGdiB3elq8S6U12Nrc+a1zAKBggqhkjOPQQDAzBhMQsw
+CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu
+ZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMzAe
+Fw0xODEyMjExMjAwMDBaFw0zMTA2MDgxMjAwMDBaMGIxHDAaBgNVBAMME0FwcGxl
+IElTVCBDQSA4IC0gRzExIDAeBgNVBAsMF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABC1UjmiwEBPv9C3b2AmyQ+idZZluNLjUl8mOydaoIjcyyHFg
+7rDx8sVk9rpHX/zmB3gyLfbKgCDJ/XD4cpMhiEWjggFeMIIBWjAdBgNVHQ4EFgQU
+w8SkWAVj14MGupaN3LKPMva7t0EwHwYDVR0jBBgwFoAUs9tIpPmhxdiuNkHMEWNp
+Yim8S8YwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
+BQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEF
+BQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEIGA1UdHwQ7MDkwN6A1oDOG
+MWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RHMy5j
+cmwwWwYDVR0gBFQwUjAMBgoqhkiG92NkBQsEMAgGBmeBDAECAjA4BgpghkgBhv1s
+AAIEMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMw
+CgYIKoZIzj0EAwMDZwAwZAIwaMzTwP/37zR/ZM5T7OGnd9hYStUPL3QlqDXGhNUZ
+cUZM7UmDZWvBS97XS9wKCtxPAjAeetP564whYQw4g3yLIEqpXNiHCW1Pf1e+uXMa
+g1fK+AQr8p7TR2320C8NorVUcfM=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/cds-apple-com.pem b/security/manager/ssl/tests/unit/test_sanctions/cds-apple-com.pem
new file mode 100644
index 0000000000..5e3054e80e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/cds-apple-com.pem
@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----
+MIIGnzCCBkWgAwIBAgIQVwXojWDvTZtfUY6TR9QUTDAKBggqhkjOPQQDAjBiMRww
+GgYDVQQDDBNBcHBsZSBJU1QgQ0EgOCAtIEcxMSAwHgYDVQQLDBdDZXJ0aWZpY2F0
+aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMw
+HhcNMTkwMzExMjEzMjQxWhcNMjEwNDA5MjEzMjQxWjB2MRYwFAYDVQQDDA1jZHMu
+YXBwbGUuY29tMSUwIwYDVQQLDBxtYW5hZ2VtZW50OmlkbXMuZ3JvdXAuNjY1MDM1
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMQswCQYD
+VQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJHADA5vqarO+Cj0Ha6T
+uh/JhKmaIVuz0z7dVZUIBgVbxNOE3FW8zJTH20k4NBAnls3IXkJEiOWtt8GZbzlS
+cXijggTHMIIEwzAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFMPEpFgFY9eDBrqW
+jdyyjzL2u7dBMH4GCCsGAQUFBwEBBHIwcDA0BggrBgEFBQcwAoYoaHR0cDovL2Nl
+cnRzLmFwcGxlLmNvbS9hcHBsZWlzdGNhOGcxLmRlcjA4BggrBgEFBQcwAYYsaHR0
+cDovL29jc3AuYXBwbGUuY29tL29jc3AwMy1hcHBsZWlzdGNhOGcxMDUwGAYDVR0R
+BBEwD4INY2RzLmFwcGxlLmNvbTCB/gYDVR0gBIH2MIHzMIHwBgoqhkiG92NkBQsE
+MIHhMIGkBggrBgEFBQcCAjCBlwyBlFJlbGlhbmNlIG9uIHRoaXMgY2VydGlmaWNh
+dGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0YW5jZSBvZiBhbnkgYXBwbGlj
+YWJsZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UgYW5kL29yIGNlcnRpZmlj
+YXRpb24gcHJhY3RpY2Ugc3RhdGVtZW50cy4wOAYIKwYBBQUHAgIwLAwqaHR0cDov
+L3d3dy5hcHBsZS5jb20vY2VydGlmaWNhdGVhdXRob3JpdHkvMB0GA1UdJQQWMBQG
+CCsGAQUFBwMCBggrBgEFBQcDATA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
+LmFwcGxlLmNvbS9hcHBsZWlzdGNhOGcxLmNybDAdBgNVHQ4EFgQUtfKFXS+GsdSn
+im90n/2GX/X47rgwDgYDVR0PAQH/BAQDAgOIMIICbgYKKwYBBAHWeQIEAgSCAl4E
+ggJaAlgAdgC72d+8H4pxtZOUI5eqkntHOFeVCqtS6BqQlmQ2jh7RhQAAAWlutS/9
+AAAEAwBHMEUCIQC7JOfynh9ir4vZfE39sB2b7b9u6hwSo3i1A0WMCsB2kwIgHnqJ
+dmGCaGHryIgFREBginRf879Km3zjdnCR4XjGTN4AdgDuS723dc5guuFCaR+r4Z5m
+ow9+X7By2IMAxHuJeqj9ywAAAWlutS/9AAAEAwBHMEUCIQD+dYvPDT3PQ6T4eqqF
+SSHsHU+ETeeMIhPWF1+5xxt0igIgbjEPNy+PV3wa0+dw4Umqvlp4padXYhF/zxKQ
+UVSF5u0AdgBVgdTCFpA2AUrqC5tXPFPwwOQ4eHAlCBcvo6odBxPTDAAAAWlutTHE
+AAAEAwBHMEUCIQCsggeANxAqJffU5L8inc3QZCQpC5f3ILhwSymugYaelQIgOKLJ
+RmDt2rvI10G661L9MO0g4SHSbGZcTnkMVzUlSOUAdgBvU3asMfAxGdiZAKRRFf93
+FRwR2QLBACkGjbIImjfZEwAAAWlutTH/AAAEAwBHMEUCIFA7S1eyu7kxhvnAmVyB
+fJUi7cy2/bizaC0LLE0w35dNAiEA+aIKxhYy6VAAyGAmTiAOA/VU/pDtQp4uUIKF
+azgRpscAdgBElGUusO7Or8RAB9io/ijA2uaCvtjLMbU/0zOWtbaBqAAAAWlutTA2
+AAAEAwBHMEUCIQDkm2/8xF0dSiyO/o8iwKPjEgYYhokUM03KLiSZWUSRzQIgMp5z
+ryZTqIHFLgbE0y7L8CCDvgZRRyoKbnBcCaGJJ1gwCgYIKoZIzj0EAwIDSAAwRQIh
+AKJgejWMoWWP42EQIPsvua2biHvRng0QcgA3+0GLzcjXAiBr2xfk0vGWinDLG3gz
+m73X42sCFxyMZrLDbgyeBQNI8A==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.key b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem
new file mode 100644
index 0000000000..5dc7cf4ef8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDiTCCAnGgAwIBAgIUOYwND1zpte36abEsvdvudfnxjHgwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw
+MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0
+7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D
+/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw
+JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX
+rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd
+q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow
+gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp
+bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu
+ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs
+ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo
+b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBr5H7lb24bMQYGDFY5qeMDNcti
+AI4rI7Nu0aMvZtDcxqHkIg/a7nr7WeQc3gCg8mUJ6xvreXxRswrudZzjjsGiTbym
+qjEz7HYrbvdWh5bLtdL7aoP1KmFD722guwdXVYQ7tx65oHroH+UCU28VT/+WzsHc
+5OjBqZvR928aWEXwIen9lhdk/5Rq2IrFqCTuUrNR5aiP6gJZoy4nIh3IFIxqWzsm
+lOjqvzSQIuo+gLN7oduafrwetpp8ywSrDVTtp9yckIHuW8css+OZLfqbFPMSFRJo
+Qee+FhxaGgDoRGk8oVGYyTJYUPIReZa5dtNPKs1JQvdqhIeUwA3GnJBTFCan
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec
new file mode 100644
index 0000000000..554339ff52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test End-entity
+extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem
new file mode 100644
index 0000000000..95316b235e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIUN+Dcp+HeMvZhIJ3BD5af4bwrj4IwDQYJKoZIhvcNAQEL
+BQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMT
+HEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwIhgPMjAxNjA2MDEwMDAwMDBa
+GA8yMDUwMDEwMTAwMDAwMFowKTEnMCUGA1UEAwweZWUtZnJvbS1hbGxvd2xpc3Qt
+YWZ0ZXItY3V0b2ZmMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohR
+qESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+Kv
+WnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+
+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPv
+JxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5
+Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6
+clHEMdUDrNoYCjXtjQIDAQABozowODA2BgNVHREELzAtgitzeW1hbnRlYy1hbGxv
+d2xpc3QtYWZ0ZXItY3V0b2ZmLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IB
+AQB/2Pgyyje+T4uKkibYZ537NZB6OUvef4nrGtswjxKbUnHzrLK1kJd3mtyNpydK
+fzW8WV1CR+nltFI5oaoOAf26FuQfaoCADmlmFlirgnm2fEH2xCokDCQHIgQxNwXr
+Ok6JTHWeuaOsu+verDPjkuUATnONY+FRTBxfPh5B3OA+aBO62bAeNCAjIya1U60S
+emAnleYtwhXs0Q9TLsR7O7aSYP3FgnqnWPuOkPF3wrUiE8Nrd3givz5OJW42IU63
+ijiojHtPpjAiudbzD8y1zuDcxTxiI4jEjTDS1kIqnvHd3f4bSxpgcQUPk44nu+wO
+j5+as/TRu5dC+xHmWCVT10yd
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem.certspec
new file mode 100644
index 0000000000..c8a4249dfc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2
+subject:ee-from-allowlist-after-cutoff
+validity:20160601-20500101
+extension:subjectAlternativeName:symantec-allowlist-after-cutoff.example.com
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem
new file mode 100644
index 0000000000..0c8a52b8d6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQDCCAiigAwIBAgIUVWP+EbM7hYQLOXoABvWpRwoPWJ0wDQYJKoZIhvcNAQEL
+BQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMT
+HEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwIhgPMjAxNDA2MDEwMDAwMDBa
+GA8yMDUwMDEwMTAwMDAwMFowKjEoMCYGA1UEAwwfZWUtZnJvbS1hbGxvd2xpc3Qt
+YmVmb3JlLWN1dG9mZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI
+UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi
+r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x
+fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD
+7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv
+uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj
++nJRxDHVA6zaGAo17Y0CAwEAAaM7MDkwNwYDVR0RBDAwLoIsc3ltYW50ZWMtYWxs
+b3dsaXN0LWJlZm9yZS1jdXRvZmYuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQAD
+ggEBAFhn9xNv/Yp1Ua9OX7oXgbVgzxCIAm6/zDK7V4V37P5em/lI85OpbuuTO4ns
+9VB2/nijkELhSkiyCjmCaxQhlUBzA/2wJeNIfaWu9Mq5MR6jWShhNXND66lTCDIQ
+wGVQkBl8/3OqSD4IFI3pKAiPhCGsUnRIhGSARcrFMQpKssnN5XN1ump1YA7/u6Kv
+apNbKccgKvLekO8/kUpFrpHt+uQaNS2IeVrmOnNh4GtyD3DG1ZDcZ1VgLAnzbVUg
+xiUbs58mY0o1qumuzqJ0/ie5UPOjWnoXSNq6dd4jqsXcFeYXe106G6arV5BLN1Pa
+gNxxfOfBcebE1OwxZpfQwNy3JxI=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem.certspec
new file mode 100644
index 0000000000..51cecd1f8e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2
+subject:ee-from-allowlist-before-cutoff
+validity:20140601-20500101
+extension:subjectAlternativeName:symantec-allowlist-before-cutoff.example.com
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem
new file mode 100644
index 0000000000..65eab919b5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIUNWWgyC4I0/jmqdamoCRL0qhP3QQwDQYJKoZIhvcNAQEL
+BQAwTzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0Fub3RoZXIgQ0EgSW5jLjEmMCQG
+A1UEAxMdU29tZSBPdGhlciBDQSBUaGFuIFRoZSBPdGhlcnMwIhgPMjAxNjA2MDEw
+MDAwMDBaGA8yMDUwMDEwMTAwMDAwMFowKjEoMCYGA1UEAwwfZWUtbm90LWFsbG93
+bGlzdGVkLWFmdGVyLWN1dG9mZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab
+bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts
+Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI
+H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8
+rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX
+Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNAMD4wPAYDVR0RBDUwM4Ixc3ltYW50
+ZWMtbm90LWFsbG93bGlzdGVkLWFmdGVyLWN1dG9mZi5leGFtcGxlLmNvbTANBgkq
+hkiG9w0BAQsFAAOCAQEARlQNYz+w2ekzdX8FKwlWoMX6Df5o4ZhXreRK9V4SuYJg
+SvAucL35TuTKkBz9C5VPjAL/Qts4n5DKWaWQfsvoCJOGtTMEKd1MEL9RbMFOewI0
+tN9sV9aMNsmhNPL4PB3A7lKJb8gi/tyoN3BXjsaZBxmyi5A6Vt3lyybgMOSTdzR6
+u2XAPm+zNDrOzc2tavZEyhEKzptaJuCQrefcnAM9JTHtJhvJp30WWighJyclqmRX
+bLDYaHRRuRI0jkgrrcUKolau8YKsSoIBoxP2aels8drZDH4UAC86GW2iF/tK+J65
++JJ2Mk9erdcLoYGLxHZqQySpRaFtciSF+Uym1nmNxA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem.certspec
new file mode 100644
index 0000000000..85edcf742d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+subject:ee-not-allowlisted-after-cutoff
+validity:20160601-20500101
+extension:subjectAlternativeName:symantec-not-allowlisted-after-cutoff.example.com
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem
new file mode 100644
index 0000000000..23d6fec107
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDTTCCAjWgAwIBAgIUaxGuzjOrA/2qScMaz5tKQTUrvAYwDQYJKoZIhvcNAQEL
+BQAwTzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0Fub3RoZXIgQ0EgSW5jLjEmMCQG
+A1UEAxMdU29tZSBPdGhlciBDQSBUaGFuIFRoZSBPdGhlcnMwIhgPMjAxNDA2MDEw
+MDAwMDBaGA8yMDUwMDEwMTAwMDAwMFowKzEpMCcGA1UEAwwgZWUtbm90LWFsbG93
+bGlzdGVkLWJlZm9yZS1jdXRvZmYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjQTA/MD0GA1UdEQQ2MDSCMnN5bWFu
+dGVjLW5vdC1hbGxvd2xpc3RlZC1iZWZvcmUtY3V0b2ZmLmV4YW1wbGUuY29tMA0G
+CSqGSIb3DQEBCwUAA4IBAQBCkIIEXnX/3rv0JuF0FZEpROnQw8zoa4vZjwG1NmvH
++PwnTL7FvBg9QBK0n8ZKfCMqJU98jR5+x6V9Eo2amXEYRAsxCU6kY/Xz43OxGLQz
+5cbr9eDswWmt7h/LXl0tsprpgfBNaQ9512UbPMkDG4MSwLjkuTgdnM4dBsLURrAU
+5lcukutuNYJ7x92/Ah7hffouB6QHyP80onxqqQTQs2j/0MvJxlUWrnKBzk+B475W
+/1iMOCE3r2q6+TVp1sun9mcn7UvRHQRPvjSdjujjJ++5fqH5s4cF2Sv4lv+dEGJn
+xrr/a9GA3bUE6Iq9PbAeX3l7RaP+q/znSDBtaLYZ1Xau
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem.certspec
new file mode 100644
index 0000000000..b736169a04
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+subject:ee-not-allowlisted-before-cutoff
+validity:20140601-20500101
+extension:subjectAlternativeName:symantec-not-allowlisted-before-cutoff.example.com
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem
new file mode 100644
index 0000000000..70bfa802ce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjTCCAnWgAwIBAgIUHayrfZ5YGkWYRPXIsNuGSemGyk8wDQYJKoZIhvcNAQEL
+BQAwgZQxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlv
+bjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazFFMEMGA1UEAxM8U3lt
+YW50ZWMgQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eSAtIEc0MCIYDzIwMTAwMTAxMDAwMDAwWhgPMjA1MDAxMDEwMDAwMDBaMEkx
+CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpHb29nbGUgSW5jMSUwIwYDVQQDExxHb29n
+bGUgSW50ZXJuZXQgQXV0aG9yaXR5IEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8EBAMCAQYw
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAUMbnz3c2Evfehzm1LU+L
+3UL3alL/C5jteDjrrNqkamAZF26klGAZ5AX2tW6yG4bOnmZMzqkW/NV8+ydE6HGW
+oVwm+qekOyR4nSPHS5mZRdHD3uBrVJ0PR2rUyk/6oIVBYEcNHY/vuHMorQ0q2plq
+Z+62i1SHuq5qxP9apKmhvmgwvna3ber9VH8DgiZLJRAuiDAXpanGZh37dm/e2ZVI
+OgVctvRIb7ETcDrSbj4oOKo4WwFaZHlsN1ee0hstxDnIVXWzu5cCdqGALlw2N1av
+RPUgDI0kshVojmvKFwnYptE1Ru+CYf403ZD7gt3ZvHueOTpEEKLRQp1QRELXIx/7
+XQ==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem.certspec
new file mode 100644
index 0000000000..518527b741
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem.certspec
@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4
+subject:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem
new file mode 100644
index 0000000000..819d8a30da
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFzCCAf+gAwIBAgIUBy1RVPb6jMqyBSQwtlK+jZftnKIwDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOVW5rbm93biBJc3N1ZXIwIhgPMjAxMDAxMDEwMDAwMDBa
+GA8yMDUwMDEwMTAwMDAwMFowTzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0Fub3Ro
+ZXIgQ0EgSW5jLjEmMCQGA1UEAxMdU29tZSBPdGhlciBDQSBUaGFuIFRoZSBPdGhl
+cnMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI
+BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa
+p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB
+7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C
+kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv
+aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK
+Ne2NAgMBAAGjHTAbMAsGA1UdDwQEAwIBBjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4IBAQAs7dfRClCtgzMfYVRIciVqdjNR+jeFLmYFCDDqx5h6zve4VfxK
+AEQPWNsIVdPlu+djILHHd9+RvLSHh5HqeXKppBevnux2SxwfXJQ3T+ysqGxH4tEQ
+BCgXryt8v5q/DL9H2+T352NJCh7ZMkftEta3Hchtr4TSaT7udtib1uQ9JeLx97LJ
+A6aI8SpfI/as1Ku1LAAV9rfhkJgMyeC0ppMfTVGj/gjgq8fL52/9Su9Id8l+SeYD
+yLCXjPX0rhAjTeJyiOpAK9OPQgk7i3DRvdO/F+JCkTNE9V6PLX0J+30g+3YZND+a
+R81zibhRfa6Ki5cqRflHYhAY4GCFk7mhHLsL
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec
new file mode 100644
index 0000000000..fdcb287cd1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Unknown Issuer
+subject:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem
new file mode 100644
index 0000000000..9057a0a0dc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkzCCAnugAwIBAgIUSyQ/MON3PZLW/WEcsIuOIT0kUlQwDQYJKoZIhvcNAQEL
+BQAwgZQxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlv
+bjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazFFMEMGA1UEAxM8U3lt
+YW50ZWMgQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eSAtIEc0MCIYDzIwMTAwMTAxMDAwMDAwWhgPMjA1MDAxMDEwMDAwMDBaME8x
+CzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9Bbm90aGVyIENBIEluYy4xJjAkBgNVBAMT
+HVNvbWUgT3RoZXIgQ0EgVGhhbiBUaGUgT3RoZXJzMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E
+BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAfpCigqN5qPf/
+fD6N8a5taq4bsmggdNztYabFOFY8zIRNVYoVVAHd8a5FOlShKw1MTgRNEpzWcN4O
+rX16HCaKCJA6mGbkoE/XVqo/shQR1P0U8N75oeWgxd10IsWpJoYYtF38GIM+HZM4
+8NZ/aM2ViKWexlpa7KhmIjCNsP4U+VFXPwLLuKbegQ6miTwdyG5Sq2PLsjQEn4Xq
+/nHYyE3Nn+8H+dlyFuWn9XcJN9D9H3NqVGqAvnWWPR0Vz9Q5/iixw2Ym8NWNzlxa
+RXLC9Bfg1BDSJLttopU6qGPotuQkhlm1AElcauI9FaWATsdM82tNMK3hrHnTqV28
+C/BiYIunmA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec
new file mode 100644
index 0000000000..0c96819f94
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec
@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4
+subject:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem
new file mode 100644
index 0000000000..77f5a05963
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID2TCCAsGgAwIBAgIUd4MA0Hhfw36r5rkFHdHo5/oSbTYwDQYJKoZIhvcNAQEL
+BQAwgZQxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlv
+bjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazFFMEMGA1UEAxM8U3lt
+YW50ZWMgQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eSAtIEc0MCIYDzIwMTAwMTAxMDAwMDAwWhgPMjA1MDAxMDEwMDAwMDBaMIGU
+MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd
+BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxRTBDBgNVBAMTPFN5bWFudGVj
+IENsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg
+LSBHNDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u
+togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6
+pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL
+KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq
+fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv
+Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za
+GAo17Y0CAwEAAaMdMBswCwYDVR0PBAQDAgEGMAwGA1UdEwQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAKAdvWVDbB3GxOooXgqNElLvjYwmNcWk12CvQnwxglCRytY5
+DX4UhcCJ6TW8pcezPDEdqrkf4iR+UpgDyBUbVa4m5O5MHGYy3nRHfwT/js9hh2PH
+gcAmT0ivknTFlEcP4D0kp7HQr2kmlFuW64HOM+/3J7Zyvu3VNYAlqTlxgG7QyRaN
+3W3jfDvc5Ol0O0vyFmhHv0k1yOqLJiOmmOOujfltl4Grbvss+wsHjmP+WOH/BYRn
+ACDXdvGr9uu0Z2mymqP0Sy2ZKKrbA7dX5Q/RUr4p3EfyDuNgERx+pYXTUeQ3o9sL
+ynQmBa+9aWijUN2USC69EDX9zObn7lO8WV19dQM=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec
new file mode 100644
index 0000000000..f84697130c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4
+subject:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js b/security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js
new file mode 100644
index 0000000000..4c3b9f406f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js
@@ -0,0 +1,95 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+do_get_profile();
+
+const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+add_tls_server_setup(
+  "SanctionsTestServer",
+  "test_sanctions",
+  /* Don't try to load non-existent test-ca.pem */ false
+);
+
+addCertFromFile(certDB, "test_sanctions/symantec-test-ca.pem", "CTu,u,u");
+
+// Add the necessary intermediates. This is important because the test server,
+// though it will attempt to send along an intermediate, isn't able to reliably
+// pick between the intermediate-other-crossigned and intermediate-other.
+add_test(function () {
+  addCertFromFile(
+    certDB,
+    "test_sanctions/symantec-intermediate-allowlisted.pem",
+    ",,"
+  );
+  addCertFromFile(
+    certDB,
+    "test_sanctions/symantec-intermediate-other.pem",
+    ",,"
+  );
+  run_next_test();
+});
+
+add_connection_test(
+  "symantec-not-allowlisted-before-cutoff.example.com",
+  MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
+  null,
+  null
+);
+
+add_connection_test(
+  "symantec-not-allowlisted-after-cutoff.example.com",
+  MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
+  null,
+  null
+);
+
+// Add a cross-signed intermediate into the database, and ensure we still get
+// the expected error.
+add_test(function () {
+  addCertFromFile(
+    certDB,
+    "test_sanctions/symantec-intermediate-other-crossigned.pem",
+    ",,"
+  );
+  run_next_test();
+});
+
+add_connection_test(
+  "symantec-not-allowlisted-before-cutoff.example.com",
+  MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
+  null,
+  null
+);
+
+// Load the Apple EE cert and its intermediate, then verify
+// it at a reasonable time and make sure the allowlists work
+add_task(async function () {
+  addCertFromFile(
+    certDB,
+    "test_sanctions/apple-ist-ca-8-g1-intermediate.pem",
+    ",,"
+  );
+  let allowlistedCert = constructCertFromFile(
+    "test_sanctions/cds-apple-com.pem"
+  );
+
+  // Since we don't want to actually try to fetch OCSP for this certificate,
+  // (as an external fetch is bad in the tests), disable OCSP first.
+  Services.prefs.setIntPref("security.OCSP.enabled", 0);
+
+  // (new Date("2020-01-01")).getTime() / 1000
+  const VALIDATION_TIME = 1577836800;
+
+  await checkCertErrorGenericAtTime(
+    certDB,
+    allowlistedCert,
+    PRErrorCodeSuccess,
+    certificateUsageSSLServer,
+    VALIDATION_TIME
+  );
+});
diff --git a/security/manager/ssl/tests/unit/test_sdr.js b/security/manager/ssl/tests/unit/test_sdr.js
new file mode 100644
index 0000000000..e9e477efc5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sdr.js
@@ -0,0 +1,272 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests various aspects of the nsISecretDecoderRing implementation.
+
+do_get_profile();
+
+let gSetPasswordShownCount = 0;
+
+// Mock implementation of nsITokenPasswordDialogs.
+const gTokenPasswordDialogs = {
+  setPassword(ctx, tokenName) {
+    gSetPasswordShownCount++;
+    info(`setPassword() called; shown ${gSetPasswordShownCount} times`);
+    info(`tokenName: ${tokenName}`);
+    return false; // Returning false means "the user didn't cancel".
+  },
+
+  QueryInterface: ChromeUtils.generateQI(["nsITokenPasswordDialogs"]),
+};
+
+let gMockPrompter = {
+  promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+    // Returning false simulates the user canceling the password prompt.
+    return false;
+  },
+
+  QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+};
+
+// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt
+// to call promptPassword. We return the mock one, above.
+let gWindowWatcher = {
+  getNewPrompter: () => gMockPrompter,
+  QueryInterface: ChromeUtils.generateQI(["nsIWindowWatcher"]),
+};
+
+add_task(function setup() {
+  let windowWatcherCID = MockRegistrar.register(
+    "@mozilla.org/embedcomp/window-watcher;1",
+    gWindowWatcher
+  );
+  registerCleanupFunction(() => {
+    MockRegistrar.unregister(windowWatcherCID);
+  });
+});
+
+add_task(function testEncryptString() {
+  let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+    Ci.nsISecretDecoderRing
+  );
+
+  // Test valid inputs for encryptString() and decryptString().
+  let inputs = [
+    "",
+    " ", // First printable latin1 character (code point 32).
+    "foo",
+    "1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?",
+    "¡äöüÿ", // Misc + last printable latin1 character (code point 255).
+    "aaa 一二三", // Includes Unicode with code points outside [0, 255].
+  ];
+  for (let input of inputs) {
+    let converter = Cc[
+      "@mozilla.org/intl/scriptableunicodeconverter"
+    ].createInstance(Ci.nsIScriptableUnicodeConverter);
+    converter.charset = "UTF-8";
+
+    let convertedInput = converter.ConvertFromUnicode(input);
+    convertedInput += converter.Finish();
+
+    let encrypted = sdr.encryptString(convertedInput);
+
+    notEqual(
+      convertedInput,
+      encrypted,
+      "Encrypted input should not just be the input itself"
+    );
+
+    try {
+      atob(encrypted);
+    } catch (e) {
+      ok(false, `encryptString() should have returned Base64: ${e}`);
+    }
+
+    equal(
+      convertedInput,
+      sdr.decryptString(encrypted),
+      "decryptString(encryptString(input)) should return input"
+    );
+  }
+
+  // Test invalid inputs for decryptString().
+  throws(
+    () => sdr.decryptString("*"),
+    /NS_ERROR_ILLEGAL_VALUE/,
+    "decryptString() should throw if given non-Base64 input"
+  );
+
+  // Test calling changePassword() pops up the appropriate dialog.
+  // Note: On Android, nsITokenPasswordDialogs is apparently not implemented,
+  //       which also seems to prevent us from mocking out the interface.
+  if (AppConstants.platform != "android") {
+    let tokenPasswordDialogsCID = MockRegistrar.register(
+      "@mozilla.org/nsTokenPasswordDialogs;1",
+      gTokenPasswordDialogs
+    );
+    registerCleanupFunction(() => {
+      MockRegistrar.unregister(tokenPasswordDialogsCID);
+    });
+
+    equal(
+      gSetPasswordShownCount,
+      0,
+      "changePassword() dialog should have been shown zero times"
+    );
+    sdr.changePassword();
+    equal(
+      gSetPasswordShownCount,
+      1,
+      "changePassword() dialog should have been shown exactly once"
+    );
+  }
+});
+
+add_task(async function testAsyncEncryptStrings() {
+  let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+    Ci.nsISecretDecoderRing
+  );
+
+  // Test valid inputs for encryptString() and decryptString().
+  let inputs = [
+    "",
+    " ", // First printable latin1 character (code point 32).
+    "foo",
+    "1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?",
+    "¡äöüÿ", // Misc + last printable latin1 character (code point 255).
+    "aaa 一二三", // Includes Unicode with code points outside [0, 255].
+  ];
+
+  let encrypteds = await sdr.asyncEncryptStrings(inputs);
+  for (let i = 0; i < inputs.length; i++) {
+    let encrypted = encrypteds[i];
+    let input = inputs[i];
+    let converter = Cc[
+      "@mozilla.org/intl/scriptableunicodeconverter"
+    ].createInstance(Ci.nsIScriptableUnicodeConverter);
+    converter.charset = "UTF-8";
+
+    let convertedInput = converter.ConvertFromUnicode(input);
+    convertedInput += converter.Finish();
+    notEqual(
+      convertedInput,
+      encrypted,
+      "Encrypted input should not just be the input itself"
+    );
+
+    try {
+      atob(encrypted);
+    } catch (e) {
+      ok(false, `encryptString() should have returned Base64: ${e}`);
+    }
+
+    equal(
+      convertedInput,
+      sdr.decryptString(encrypted),
+      "decryptString(encryptString(input)) should return input"
+    );
+  }
+});
+
+add_task(async function testAsyncDecryptStrings() {
+  let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+    Ci.nsISecretDecoderRing
+  );
+
+  // Test valid inputs for encryptString() and decryptString().
+  let testCases = [
+    "",
+    " ", // First printable latin1 character (code point 32).
+    "foo",
+    "1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?",
+    "¡äöüÿ", // Misc + last printable latin1 character (code point 255).
+    "aaa 一二三", // Includes Unicode with code points outside [0, 255].
+  ];
+
+  let convertedTestCases = testCases.map(tc => {
+    let converter = Cc[
+      "@mozilla.org/intl/scriptableunicodeconverter"
+    ].createInstance(Ci.nsIScriptableUnicodeConverter);
+    converter.charset = "UTF-8";
+
+    let convertedInput = converter.ConvertFromUnicode(tc);
+    convertedInput += converter.Finish();
+    return convertedInput;
+  });
+
+  let encryptedStrings = convertedTestCases.map(tc => sdr.encryptString(tc));
+  let decrypteds = await sdr.asyncDecryptStrings(encryptedStrings);
+  for (let i = 0; i < encryptedStrings.length; i++) {
+    let decrypted = decrypteds[i];
+
+    equal(
+      decrypted,
+      testCases[i],
+      "decrypted string should match expected value"
+    );
+    equal(
+      sdr.decryptString(encryptedStrings[i]),
+      convertedTestCases[i],
+      "decryptString(encryptString(input)) should return the initial decrypted string value"
+    );
+  }
+});
+
+add_task(async function testAsyncDecryptInvalidStrings() {
+  let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+    Ci.nsISecretDecoderRing
+  );
+
+  // Test invalid inputs for sdr.asyncDecryptStrings
+  let testCases = [
+    "~bmV0cGxheQ==", // invalid base64 encoding
+    "bmV0cGxheQ==", // valid base64 characters but not encrypted
+    "https://www.example.com", // website address from erroneous migration
+  ];
+
+  let decrypteds = await sdr.asyncDecryptStrings(testCases);
+  equal(
+    decrypteds.length,
+    testCases.length,
+    "each testcase should still return a response"
+  );
+  for (let i = 0; i < decrypteds.length; i++) {
+    let decrypted = decrypteds[i];
+
+    equal(
+      decrypted,
+      "",
+      "decrypted string should be empty when trying to decrypt an invalid input with asyncDecryptStrings"
+    );
+
+    Assert.throws(
+      () => sdr.decryptString(testCases[i]),
+      /NS_ERROR_ILLEGAL_VALUE|NS_ERROR_FAILURE/,
+      `Check testcase would have thrown: ${testCases[i]}`
+    );
+  }
+});
+
+add_task(async function testAsyncDecryptLoggedOut() {
+  // Set a master password.
+  let token = Cc["@mozilla.org/security/pk11tokendb;1"]
+    .getService(Ci.nsIPK11TokenDB)
+    .getInternalKeyToken();
+  token.initPassword("password");
+  token.logoutSimple();
+
+  let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+    Ci.nsISecretDecoderRing
+  );
+
+  await Assert.rejects(
+    sdr.asyncDecryptStrings(["irrelevant"]),
+    /NS_ERROR_NOT_AVAILABLE/,
+    "Check error is thrown instead of returning empty strings"
+  );
+
+  token.reset();
+  token.initPassword("");
+});
diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting.js b/security/manager/ssl/tests/unit/test_sdr_preexisting.js
new file mode 100644
index 0000000000..69b5c194df
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sdr_preexisting.js
@@ -0,0 +1,79 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that the SDR implementation is able to decrypt strings encrypted using
+// a preexisting NSS key database. Creating the database is straight-forward:
+// simply run Firefox (or xpcshell) and encrypt something using
+// nsISecretDecoderRing (e.g. by saving a password or directly using the
+// interface). The resulting key4.db file (in the profile directory) now
+// contains the private key used to encrypt the data.
+
+function run_test() {
+  const keyDBName = "key4.db";
+  let profile = do_get_profile();
+  let keyDBFile = do_get_file(`test_sdr_preexisting/${keyDBName}`);
+  keyDBFile.copyTo(profile, keyDBName);
+
+  let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+    Ci.nsISecretDecoderRing
+  );
+
+  let testcases = [
+    // a full padding block
+    {
+      ciphertext:
+        "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGeDHwVfyFqzBBAYvqMq/kDMsrARVNdC1C8d",
+      plaintext: "password",
+    },
+    // 7 bytes of padding
+    {
+      ciphertext:
+        "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCAzLDVmYG2/BAh3IoIsMmT8dQ==",
+      plaintext: "a",
+    },
+    // 6 bytes of padding
+    {
+      ciphertext:
+        "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPN8zlZzn8FdBAiu2acpT8UHsg==",
+      plaintext: "bb",
+    },
+    // 1 byte of padding
+    {
+      ciphertext:
+        "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECD5px1eMKkJQBAgUPp35GlrDvQ==",
+      plaintext: "!seven!",
+    },
+    // 2 bytes of padding
+    {
+      ciphertext:
+        "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECMh0hLtKDyUdBAixw9UZsMt+vA==",
+      plaintext: "sixsix",
+    },
+    // long plaintext requiring more than two blocks
+    {
+      ciphertext:
+        "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDATFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=",
+      plaintext: "thisismuchlongerandsotakesupmultipleblocks",
+    },
+    // this differs from the previous ciphertext by one bit and demonstrates
+    // that this implementation does not enforce message integrity
+    {
+      ciphertext:
+        "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDAbFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=",
+      plaintext: "nnLbuwLRkhlongerandsotakesupmultipleblocks",
+    },
+  ];
+
+  for (let testcase of testcases) {
+    let decrypted = sdr.decryptString(testcase.ciphertext);
+    equal(
+      decrypted,
+      testcase.plaintext,
+      "decrypted ciphertext should match expected plaintext"
+    );
+  }
+}
diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db b/security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db
new file mode 100644
index 0000000000..8f320dfdbd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db
diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js
new file mode 100644
index 0000000000..5c1b2bb653
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js
@@ -0,0 +1,135 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that the SDR implementation is able to decrypt strings encrypted using
+// a preexisting NSS key database that has a password.
+// To create such a database, run Firefox (or xpcshell), set a primary
+// password, and then encrypt something using nsISecretDecoderRing.
+
+var gMockPrompter = {
+  passwordToTry: "password",
+  numPrompts: 0,
+
+  // This intentionally does not use arrow function syntax to avoid an issue
+  // where in the context of the arrow function, |this != gMockPrompter| due to
+  // how objects get wrapped when going across xpcom boundaries.
+  promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+    this.numPrompts++;
+    if (this.numPrompts > 1) {
+      // don't keep retrying a bad password
+      return false;
+    }
+    equal(
+      text,
+      "Please enter your Primary Password.",
+      "password prompt text should be as expected"
+    );
+    equal(checkMsg, null, "checkMsg should be null");
+    ok(this.passwordToTry, "passwordToTry should be non-null");
+    password.value = this.passwordToTry;
+    return true;
+  },
+
+  QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+};
+
+// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt
+// to call promptPassword. We return the mock one, above.
+var gWindowWatcher = {
+  getNewPrompter: () => gMockPrompter,
+  QueryInterface: ChromeUtils.generateQI(["nsIWindowWatcher"]),
+};
+
+function run_test() {
+  let windowWatcherCID = MockRegistrar.register(
+    "@mozilla.org/embedcomp/window-watcher;1",
+    gWindowWatcher
+  );
+  registerCleanupFunction(() => {
+    MockRegistrar.unregister(windowWatcherCID);
+  });
+
+  // Append a single quote and non-ASCII characters to the profile path.
+  let profd = Services.env.get("XPCSHELL_TEST_PROFILE_DIR");
+  let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile);
+  file.initWithPath(profd);
+  file.append("'÷1");
+  Services.env.set("XPCSHELL_TEST_PROFILE_DIR", file.path);
+
+  let profile = do_get_profile(); // must be called before getting nsIX509CertDB
+  Assert.ok(
+    /[^\x20-\x7f]/.test(profile.path),
+    "the profile path should contain a non-ASCII character"
+  );
+
+  let key4DBFile = do_get_file("test_sdr_preexisting_with_password/key4.db");
+  key4DBFile.copyTo(profile, "key4.db");
+
+  let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+    Ci.nsISecretDecoderRing
+  );
+
+  let testcases = [
+    // a full padding block
+    {
+      ciphertext:
+        "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGeDHwVfyFqzBBAYvqMq/kDMsrARVNdC1C8d",
+      plaintext: "password",
+    },
+    // 7 bytes of padding
+    {
+      ciphertext:
+        "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCAzLDVmYG2/BAh3IoIsMmT8dQ==",
+      plaintext: "a",
+    },
+    // 6 bytes of padding
+    {
+      ciphertext:
+        "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPN8zlZzn8FdBAiu2acpT8UHsg==",
+      plaintext: "bb",
+    },
+    // 1 byte of padding
+    {
+      ciphertext:
+        "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECD5px1eMKkJQBAgUPp35GlrDvQ==",
+      plaintext: "!seven!",
+    },
+    // 2 bytes of padding
+    {
+      ciphertext:
+        "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECMh0hLtKDyUdBAixw9UZsMt+vA==",
+      plaintext: "sixsix",
+    },
+    // long plaintext requiring more than two blocks
+    {
+      ciphertext:
+        "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDATFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=",
+      plaintext: "thisismuchlongerandsotakesupmultipleblocks",
+    },
+    // this differs from the previous ciphertext by one bit and demonstrates
+    // that this implementation does not enforce message integrity
+    {
+      ciphertext:
+        "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDAbFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=",
+      plaintext: "nnLbuwLRkhlongerandsotakesupmultipleblocks",
+    },
+  ];
+
+  for (let testcase of testcases) {
+    let decrypted = sdr.decryptString(testcase.ciphertext);
+    equal(
+      decrypted,
+      testcase.plaintext,
+      "decrypted ciphertext should match expected plaintext"
+    );
+  }
+  equal(
+    gMockPrompter.numPrompts,
+    1,
+    "Should have been prompted for a password once"
+  );
+}
diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.db b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.db
new file mode 100644
index 0000000000..959718da34
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.db
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs.js b/security/manager/ssl/tests/unit/test_self_signed_certs.js
new file mode 100644
index 0000000000..ef0a38f9bc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs.js
@@ -0,0 +1,109 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// This test uses a specially-crafted NSS cert DB containing 12 self-signed certificates that all
+// have the same subject and issuer distinguished name. Since they all have different keys and none
+// of them are trust anchors, there are a large number of potential trust paths that could be
+// explored. If our trust domain were naive enough to allow mozilla::pkix to explore them all, it
+// would take a long time to perform (mozilla::pkix does have the concept of a path-building budget,
+// but even on a fast computer, it takes an unacceptable amount of time to exhaust). To prevent the
+// full exploration of this space, NSSCertDBTrustDomain skips searching through self-signed
+// certificates that aren't trust anchors, since those would never otherwise be essential to
+// complete a path (note that this is only true as long as the extensions we support are restrictive
+// rather than additive).
+// When we try to verify one of these certificates in this test, we should finish relatively
+// quickly, even on slow hardware.
+// Should these certificates ever need regenerating, they were produced with the following commands:
+// certutil -N -d . --empty-password
+// for num in 00 01 02 03 04 05 06 07 08 09 10 11; do
+//   echo -ne "5\n6\n9\ny\ny\n\ny\n" | certutil -d . -S -s "CN=self-signed cert" -t ,, \
+//   -q secp256r1 -x -k ec -z <(date +%s) -1 -2 -n cert$num; sleep 2;
+// done
+
+add_task(async function test_no_overlong_path_building() {
+  let profile = do_get_profile();
+  const CERT_DB_NAME = "cert9.db";
+  let srcCertDBFile = do_get_file(`test_self_signed_certs/${CERT_DB_NAME}`);
+  srcCertDBFile.copyTo(profile, CERT_DB_NAME);
+
+  let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  let certToVerify = null;
+  for (let cert of certDB.getCerts()) {
+    if (cert.subjectName == "CN=self-signed cert") {
+      certToVerify = cert;
+      break;
+    }
+  }
+  notEqual(
+    certToVerify,
+    null,
+    "should have found one of the preloaded self-signed certs"
+  );
+  let timeBefore = Date.now();
+  // As mentioned above, mozilla::pkix limits how much it will search for a trusted path, even if a
+  // trust domain keeps providing potential issuers. So, if we only tried to verify a certificate
+  // once, this test could potentially pass on a fast computer even if we weren't properly skipping
+  // unnecessary paths. If we were to try and lower our time limit (the comparison with
+  // secondsElapsed, below), this test would intermittently fail on slow hardware. By trying to
+  // verify the certificate 10 times, we hopefully end up with a meaningful test (it should still
+  // fail on fast hardware if we don't properly skip unproductive paths) that won't intermittently
+  // time out on slow hardware.
+  for (let i = 0; i < 10; i++) {
+    let date = new Date("2019-05-15T00:00:00.000Z");
+    await checkCertErrorGenericAtTime(
+      certDB,
+      certToVerify,
+      SEC_ERROR_UNKNOWN_ISSUER,
+      certificateUsageSSLCA,
+      date.getTime() / 1000
+    );
+  }
+  let timeAfter = Date.now();
+  let secondsElapsed = (timeAfter - timeBefore) / 1000;
+  ok(secondsElapsed < 120, "verifications shouldn't take too long");
+});
+
+add_task(async function test_no_bad_signature() {
+  // If there are two self-signed CA certificates with the same subject and
+  // issuer but different keys, where one is trusted, test that using the other
+  // one as a server certificate doesn't result in a non-overridable "bad
+  // signature" error but rather a "self-signed cert" error.
+  let selfSignedCert = constructCertFromFile("test_self_signed_certs/ca1.pem");
+  let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  addCertFromFile(certDB, "test_self_signed_certs/ca2.pem", "CTu,,");
+  await checkCertErrorGeneric(
+    certDB,
+    selfSignedCert,
+    MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT,
+    certificateUsageSSLServer,
+    false,
+    "example.com"
+  );
+});
+
+add_task(async function test_no_inadequate_key_usage() {
+  // If there are two different non-CA, self-signed certificates with the same
+  // subject and issuer but different keys, test that using one of them as a
+  // server certificate doesn't result in a non-overridable "inadequate key
+  // usage" error but rather a "self-signed cert" error.
+  let selfSignedCert = constructCertFromFile("test_self_signed_certs/ee1.pem");
+  let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  addCertFromFile(certDB, "test_self_signed_certs/ee2.pem", ",,");
+  await checkCertErrorGeneric(
+    certDB,
+    selfSignedCert,
+    MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT,
+    certificateUsageSSLServer,
+    false,
+    "example.com"
+  );
+});
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem b/security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem
new file mode 100644
index 0000000000..49c905eacc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAgIBATANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDDA5TZWxm
+LVNpZ25lZCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAZ
+MRcwFQYDVQQDDA5TZWxmLVNpZ25lZCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY
+H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk
+27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9
+0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM
+kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL
+L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB
+/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAGYbweuY4SItzbgVeI2G
+EvJKGbHGlPdB/pYA8j02AIajr8zY79b/mcuPmGmBJHXmmQc9ipV3QnVO3IYjKZwo
+HEAR7duowBrB36B3MXjelaruYwno2qw0+duiz0OLpo0DOstcMDIs2UiSoNTZ1wue
++tmrNlnWWC7V7hTLZZ4Z7v7bi55G0OviCNOdW+EBi9VoQBGJLxZFcW9uE//mBCNx
+nKANNdb4ube7ulIfox/pQ1+yE+ddY/MfQHd67oX4wPNRfHAePT4vvJkUWXiXap21
+gdkAUbbwz0r1mDzvvKmVauT7N5+m2Zj6b3wCBvtITuD4zi/og61o6xyQ52DTYu4M
+hPk=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem.certspec b/security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem.certspec
new file mode 100644
index 0000000000..97bc2d4ad1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ca1.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Self-Signed CA
+subject:Self-Signed CA
+serialNumber:1
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem b/security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem
new file mode 100644
index 0000000000..7efca5da17
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAgIBAjANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDDA5TZWxm
+LVNpZ25lZCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAZ
+MRcwFQYDVQQDDA5TZWxmLVNpZ25lZCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJ
+isSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF
+2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElE
+WQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzS
+g3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0Y
+xMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMdMBswDAYDVR0TBAUwAwEB
+/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAL5sqCV7HbsLEO3Az1n4
+ulmzaJHdyrae6l46Fws849G65O2suhBS55ENGFLmpof12WOXSvYxRf6swswYnm6S
+oTcjg/A5gVfmRYl/wMR0qBZQV1stLmOsnMqiVqB5BSB1szAv/ItAo2DLtH+6FDaW
+1xl0bcJsRxhtKqK9ST9Jr+HLsGZOGlA1r5++PZXaa+OA+dARcjDmNnJUFZYR0/vq
+gMc2MHl4/4XvrPZvfbCV3Alzy7UDq05/9EodR+DlACs/LWExHi8nTW0ZtwkfsbHH
+cfRw7xa3KInaCVYVs3jXzsFNNxUYKCmvm0cojdf3S9Va9/4z555XIK/a30kCFBbf
+hJc=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem.certspec b/security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem.certspec
new file mode 100644
index 0000000000..f827239d2a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ca2.pem.certspec
@@ -0,0 +1,7 @@
+issuer:Self-Signed CA
+subject:Self-Signed CA
+serialNumber:2
+issuerKey:alternate
+subjectKey:alternate
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/cert9.db b/security/manager/ssl/tests/unit/test_self_signed_certs/cert9.db
new file mode 100644
index 0000000000..5450fe82e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs/cert9.db
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem b/security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem
new file mode 100644
index 0000000000..d61091216d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBTZWxm
+LVNpZ25lZCBDZXJ0MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa
+MBsxGTAXBgNVBAMMEFNlbGYtU2lnbmVkIENlcnQwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH
+Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr
+IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ
+sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA
+dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE
+LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBADHcrQaX6Vw4BP8YDSNQ9dACjWliS6NMIDlG9ZIck2NvnmiDY6yOiENX
+G/gOAI4k+Eq6l83ZtE3EEB0ljREzhoUkxuP8w8mKZUflvAxtYh5t1sLmhNnC7YCN
+KG2SspKJC2/7nKsxG6s2jvnCqkreeNNH7BdJ2AHwRPEu2UudXrooDh9mgPac0Woa
+wx0nT9Kqun7JYMXxro+/837+qvaAhWlFYKglq3PaNMQShBkjRARXpCMV0N5TWNFp
+f7MXUoKC/+R+4rRKgln4KTXtkk7Ggn13oBrGPhF3fvVZlP2ySAkTW8Ii58MA24N9
+TNM0MP661fQXHZGVg7EAKcqa2bxKIAY=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem.certspec b/security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem.certspec
new file mode 100644
index 0000000000..9582f7b918
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ee1.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Self-Signed Cert
+subject:Self-Signed Cert
+serialNumber:1
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem b/security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem
new file mode 100644
index 0000000000..1a7ee50368
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIBAjANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBTZWxm
+LVNpZ25lZCBDZXJ0MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa
+MBsxGTAXBgNVBAMMEFNlbGYtU2lnbmVkIENlcnQwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQDBdcZSZgmfdwgqZ5HxuHbDf1zlOLBsSs0iscvUb6Za2ird
+QcjCSYrEo7PB9hSH9BtpiUG9gKUcPBICRMWEpMRIMwXlE4wBBs8IvpqGJ2C65qLo
+828jxdmDE7nfrzeDRdrOUdTW3NKmyzzHBuvNMHDsmMzkCqWR1ylaf3HFvmZpHSst
+/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZmJUeX7UJpCIgIEUIgaZiKQ/7kjOaHgd0i
+tqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW8YfN1U6DKzW4kw90upCqi8dhZyQqsf1t
+YhQNGMTAuMaPw3SEVzJK196G5lUvHR4ZHXEhaNO7AgMBAAEwDQYJKoZIhvcNAQEL
+BQADggEBAFqvHU0CJMIydbm8TKpLB5eI/gHE6dGxHKDyZlfTeGCGsILl/ejp46VU
+Cs+aDmLxyMuNmnsNNoHBa8oTV4jyVRR/zWkibVKM4Fzz1YJclOMVrcxJqhDk1Gcj
+og+N29pxG8BwCdNbKLFma6xjIGK7j6mc6kpb+dbURiEI7tPkEW2jGk77xkGM93co
+drRMCwsmTt2QTsQDVmpNnd5avfQgguBYy/5/kyvAo6vDQE1Sj7cBg0+YPASzjFR4
+oIfyo+neTITxDfd0QLBSSFa+dIZUGKVF+XKe4FCKLlfVmO/MI7llJilR8RiNcZCh
+eX/8OfjNpptiQBydCgKycHcXSVkvWRg=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem.certspec b/security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem.certspec
new file mode 100644
index 0000000000..fa45f13078
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs/ee2.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Self-Signed Cert
+subject:Self-Signed Cert
+serialNumber:2
+issuerKey:alternate
+subjectKey:alternate
diff --git a/security/manager/ssl/tests/unit/test_session_resumption.js b/security/manager/ssl/tests/unit/test_session_resumption.js
new file mode 100644
index 0000000000..fe7252a630
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_session_resumption.js
@@ -0,0 +1,291 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that PSM makes the correct determination of the security status of
+// loads involving session resumption (i.e. when a TLS handshake bypasses the
+// AuthCertificate callback).
+
+do_get_profile();
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+registerCleanupFunction(() => {
+  Services.prefs.clearUserPref("security.OCSP.enabled");
+});
+
+Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+addCertFromFile(certdb, "bad_certs/evroot.pem", "CTu,,");
+addCertFromFile(certdb, "bad_certs/ev-test-intermediate.pem", ",,");
+
+// For expired.example.com, the platform will make a connection that will fail.
+// Using information gathered at that point, an override will be added and
+// another connection will be made. This connection will succeed. At that point,
+// as long as the session cache isn't cleared, subsequent new connections should
+// use session resumption, thereby bypassing the AuthCertificate hook. We need
+// to ensure that the correct security state is propagated to the new connection
+// information object.
+function add_resume_non_ev_with_override_test() {
+  // This adds the override and makes one successful connection.
+  add_cert_override_test("expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE);
+
+  // This connects again, using session resumption. Note that we don't clear
+  // the TLS session cache between these operations (that would defeat the
+  // purpose).
+  add_connection_test(
+    "expired.example.com",
+    PRErrorCodeSuccess,
+    null,
+    transportSecurityInfo => {
+      ok(transportSecurityInfo.resumed, "connection should be resumed");
+      ok(
+        transportSecurityInfo.securityState &
+          Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
+        "expired.example.com should have STATE_CERT_USER_OVERRIDDEN flag"
+      );
+      equal(
+        transportSecurityInfo.succeededCertChain.length,
+        0,
+        "expired.example.com should not have succeededCertChain set"
+      );
+      equal(
+        transportSecurityInfo.failedCertChain.length,
+        2,
+        "expired.example.com should have failedCertChain set"
+      );
+      equal(
+        transportSecurityInfo.overridableErrorCategory,
+        Ci.nsITransportSecurityInfo.ERROR_TIME,
+        "expired.example.com should have time overridable error category"
+      );
+      ok(
+        !transportSecurityInfo.isExtendedValidation,
+        "expired.example.com should not have isExtendedValidation set"
+      );
+
+      let certOverrideService = Cc[
+        "@mozilla.org/security/certoverride;1"
+      ].getService(Ci.nsICertOverrideService);
+      certOverrideService.clearValidityOverride(
+        "expired.example.com",
+        8443,
+        {}
+      );
+    }
+  );
+}
+
+// Helper function that adds a test that connects to ev-test.example.com and
+// verifies that it validates as EV (or not, if we're running a non-debug
+// build). This assumes that an appropriate OCSP responder is running or that
+// good responses are cached.
+function add_one_ev_test(resumed) {
+  add_connection_test(
+    "ev-test.example.com",
+    PRErrorCodeSuccess,
+    null,
+    transportSecurityInfo => {
+      equal(
+        transportSecurityInfo.resumed,
+        resumed,
+        "connection should be resumed or not resumed as expected"
+      );
+      ok(
+        !(
+          transportSecurityInfo.securityState &
+          Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN
+        ),
+        "ev-test.example.com should not have STATE_CERT_USER_OVERRIDDEN flag"
+      );
+      equal(
+        transportSecurityInfo.succeededCertChain.length,
+        3,
+        "ev-test.example.com should have succeededCertChain set"
+      );
+      equal(
+        transportSecurityInfo.failedCertChain.length,
+        0,
+        "ev-test.example.com should not have failedCertChain set"
+      );
+      equal(
+        transportSecurityInfo.overridableErrorCategory,
+        Ci.nsITransportSecurityInfo.ERROR_UNSET,
+        "ev-test.example.com should not have an overridable error category"
+      );
+      ok(
+        !gEVExpected || transportSecurityInfo.isExtendedValidation,
+        "ev-test.example.com should have isExtendedValidation set " +
+          "(or this is a non-debug build)"
+      );
+    }
+  );
+}
+
+// This test is similar, except with extended validation. We should connect
+// successfully, and the certificate should be EV in debug builds. Without
+// clearing the session cache, we should connect successfully again, this time
+// with session resumption. The certificate should again be EV in debug builds.
+function add_resume_ev_test() {
+  const SERVER_PORT = 8888;
+  let expectedRequestPaths = ["ev-test"];
+  let responseTypes = ["good"];
+  // Since we cache OCSP responses, we only ever actually serve one set.
+  let ocspResponder;
+  // If we don't wrap this in an `add_test`, the OCSP responder will be running
+  // while we are actually running unrelated testcases, which can disrupt them.
+  add_test(() => {
+    ocspResponder = startOCSPResponder(
+      SERVER_PORT,
+      "localhost",
+      "bad_certs",
+      expectedRequestPaths,
+      expectedRequestPaths.slice(),
+      null,
+      responseTypes
+    );
+    run_next_test();
+  });
+  // We should be able to connect and verify the certificate as EV (in debug
+  // builds).
+  add_one_ev_test(false);
+  // We should be able to connect again (using session resumption). In debug
+  // builds, the certificate should be noted as EV. Again, it's important that
+  // nothing clears the TLS cache in between these two operations.
+  add_one_ev_test(true);
+
+  add_test(() => {
+    ocspResponder.stop(run_next_test);
+  });
+}
+
+const GOOD_DOMAIN = "good.include-subdomains.pinning.example.com";
+
+// Helper function that adds a test that connects to a domain that should
+// succeed (but isn't EV) and verifies that its succeededCertChain gets set
+// appropriately.
+function add_one_non_ev_test() {
+  add_connection_test(
+    GOOD_DOMAIN,
+    PRErrorCodeSuccess,
+    null,
+    transportSecurityInfo => {
+      ok(
+        !(
+          transportSecurityInfo.securityState &
+          Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN
+        ),
+        `${GOOD_DOMAIN} should not have STATE_CERT_USER_OVERRIDDEN flag`
+      );
+      ok(
+        transportSecurityInfo.succeededCertChain,
+        `${GOOD_DOMAIN} should have succeededCertChain set`
+      );
+      equal(
+        transportSecurityInfo.overridableErrorCategory,
+        0,
+        `${GOOD_DOMAIN} should not have an overridable error category set`
+      );
+      ok(
+        !transportSecurityInfo.isExtendedValidation,
+        `${GOOD_DOMAIN} should not have isExtendedValidation set`
+      );
+    }
+  );
+}
+
+// This test is similar, except with non-extended validation. We should connect
+// successfully, and the certificate should not be EV. Without clearing the
+// session cache, we should connect successfully again, this time with session
+// resumption. In this case, though, we want to ensure the succeededCertChain is
+// set.
+function add_resume_non_ev_test() {
+  add_one_non_ev_test();
+  add_one_non_ev_test();
+}
+
+const statsPtr = getSSLStatistics();
+const toInt32 = ctypes.Int64.lo;
+
+// Connect to the same domain with two origin attributes and check if any ssl
+// session is resumed.
+function add_origin_attributes_test(
+  originAttributes1,
+  originAttributes2,
+  resumeExpected
+) {
+  add_connection_test(
+    GOOD_DOMAIN,
+    PRErrorCodeSuccess,
+    clearSessionCache,
+    null,
+    null,
+    originAttributes1
+  );
+
+  let hitsBeforeConnect;
+  let missesBeforeConnect;
+  let expectedHits = resumeExpected ? 1 : 0;
+  let expectedMisses = 1 - expectedHits;
+
+  add_connection_test(
+    GOOD_DOMAIN,
+    PRErrorCodeSuccess,
+    function () {
+      // Add the hits and misses before connection.
+      let stats = statsPtr.contents;
+      hitsBeforeConnect = toInt32(stats.sch_sid_cache_hits);
+      missesBeforeConnect = toInt32(stats.sch_sid_cache_misses);
+    },
+    function () {
+      let stats = statsPtr.contents;
+      equal(
+        toInt32(stats.sch_sid_cache_hits),
+        hitsBeforeConnect + expectedHits,
+        "Unexpected cache hits"
+      );
+      equal(
+        toInt32(stats.sch_sid_cache_misses),
+        missesBeforeConnect + expectedMisses,
+        "Unexpected cache misses"
+      );
+    },
+    null,
+    originAttributes2
+  );
+}
+
+function add_resumption_tests() {
+  add_resume_ev_test();
+  add_resume_non_ev_test();
+  add_resume_non_ev_with_override_test();
+  add_origin_attributes_test({}, {}, true);
+  add_origin_attributes_test({ userContextId: 1 }, { userContextId: 2 }, false);
+  add_origin_attributes_test({ userContextId: 3 }, { userContextId: 3 }, true);
+  add_origin_attributes_test(
+    { firstPartyDomain: "foo.com" },
+    { firstPartyDomain: "bar.com" },
+    false
+  );
+  add_origin_attributes_test(
+    { firstPartyDomain: "baz.com" },
+    { firstPartyDomain: "baz.com" },
+    true
+  );
+}
+
+function run_test() {
+  add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+  add_resumption_tests();
+  // Enable external session cache and reset the status.
+  add_test(function () {
+    Services.prefs.setBoolPref("network.ssl_tokens_cache_enabled", true);
+    certdb.clearOCSPCache();
+    run_next_test();
+  });
+  // Do tests again.
+  add_resumption_tests();
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_signed_apps.js b/security/manager/ssl/tests/unit/test_signed_apps.js
new file mode 100644
index 0000000000..4893bfd714
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps.js
@@ -0,0 +1,1038 @@
+"use strict";
+
+// Tests the API nsIX509CertDB.openSignedAppFileAsync, which backs add-on
+// signature verification. Testcases include various ways of tampering with
+// add-ons as well as different hash algorithms used in the various
+// signature/metadata files.
+
+// from prio.h
+const PR_RDWR = 0x04;
+const PR_CREATE_FILE = 0x08;
+const PR_TRUNCATE = 0x20;
+const PR_USEC_PER_MSEC = 1000;
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+// Creates a new app package based in the inFilePath package, with a set of
+// modifications (including possibly deletions) applied to the existing entries,
+// and/or a set of new entries to be included.
+function tamper(inFilePath, outFilePath, modifications, newEntries) {
+  let writer = Cc["@mozilla.org/zipwriter;1"].createInstance(Ci.nsIZipWriter);
+  writer.open(outFilePath, PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE);
+  try {
+    let reader = Cc["@mozilla.org/libjar/zip-reader;1"].createInstance(
+      Ci.nsIZipReader
+    );
+    reader.open(inFilePath);
+    try {
+      for (let entryName of reader.findEntries("")) {
+        let inEntry = reader.getEntry(entryName);
+        let entryInput = reader.getInputStream(entryName);
+        try {
+          let f = modifications[entryName];
+          let outEntry, outEntryInput;
+          if (f) {
+            [outEntry, outEntryInput] = f(inEntry, entryInput);
+            delete modifications[entryName];
+          } else {
+            [outEntry, outEntryInput] = [inEntry, entryInput];
+          }
+          // if f does not want the input entry to be copied to the output entry
+          // at all (i.e. it wants it to be deleted), it will return null.
+          if (outEntryInput) {
+            try {
+              writer.addEntryStream(
+                entryName,
+                outEntry.lastModifiedTime,
+                outEntry.compression,
+                outEntryInput,
+                false
+              );
+            } finally {
+              if (entryInput != outEntryInput) {
+                outEntryInput.close();
+              }
+            }
+          }
+        } finally {
+          entryInput.close();
+        }
+      }
+    } finally {
+      reader.close();
+    }
+
+    // Any leftover modification means that we were expecting to modify an entry
+    // in the input file that wasn't there.
+    for (let name in modifications) {
+      if (modifications.hasOwnProperty(name)) {
+        throw new Error("input file was missing expected entries: " + name);
+      }
+    }
+
+    // Now, append any new entries to the end
+    newEntries.forEach(function (newEntry) {
+      let sis = Cc["@mozilla.org/io/string-input-stream;1"].createInstance(
+        Ci.nsIStringInputStream
+      );
+      try {
+        sis.setData(newEntry.content, newEntry.content.length);
+        writer.addEntryStream(
+          newEntry.name,
+          new Date() * PR_USEC_PER_MSEC,
+          Ci.nsIZipWriter.COMPRESSION_BEST,
+          sis,
+          false
+        );
+      } finally {
+        sis.close();
+      }
+    });
+  } finally {
+    writer.close();
+  }
+}
+
+function removeEntry(entry, entryInput) {
+  return [null, null];
+}
+
+function truncateEntry(entry, entryInput) {
+  if (entryInput.available() == 0) {
+    throw new Error(
+      "Truncating already-zero length entry will result in " +
+        "identical entry."
+    );
+  }
+
+  let content = Cc["@mozilla.org/io/string-input-stream;1"].createInstance(
+    Ci.nsIStringInputStream
+  );
+  content.data = "";
+
+  return [entry, content];
+}
+
+function check_open_result(name, expectedRv) {
+  return function openSignedAppFileCallback(rv, aZipReader, aSignerCert) {
+    info("openSignedAppFileCallback called for " + name);
+    equal(rv, expectedRv, "Actual and expected return value should match");
+    equal(
+      aZipReader != null,
+      Components.isSuccessCode(expectedRv),
+      "ZIP reader should be null only if the return value denotes failure"
+    );
+    equal(
+      aSignerCert != null,
+      Components.isSuccessCode(expectedRv),
+      "Signer cert should be null only if the return value denotes failure"
+    );
+    run_next_test();
+  };
+}
+
+function original_app_path(test_name) {
+  return do_get_file("test_signed_apps/" + test_name + ".zip", false);
+}
+
+function tampered_app_path(test_name) {
+  return new FileUtils.File(
+    PathUtils.join(
+      Services.dirsvc.get("TmpD", Ci.nsIFile).path,
+      `test_signed_app-${test_name}.zip`
+    )
+  );
+}
+
+var hashTestcases = [
+  // SHA-256 in PKCS#7 + SHA-256 present elsewhere => OK
+  { name: "app_mf-1-256_sf-1-256_p7-1-256", expectedResult: Cr.NS_OK },
+  { name: "app_mf-1-256_sf-1-256_p7-256", expectedResult: Cr.NS_OK },
+  { name: "app_mf-1-256_sf-256_p7-1-256", expectedResult: Cr.NS_OK },
+  { name: "app_mf-1-256_sf-256_p7-256", expectedResult: Cr.NS_OK },
+  { name: "app_mf-256_sf-1-256_p7-1-256", expectedResult: Cr.NS_OK },
+  { name: "app_mf-256_sf-1-256_p7-256", expectedResult: Cr.NS_OK },
+  { name: "app_mf-256_sf-256_p7-1-256", expectedResult: Cr.NS_OK },
+  { name: "app_mf-256_sf-256_p7-256", expectedResult: Cr.NS_OK },
+
+  // SHA-1 in PKCS#7 + SHA-1 present elsewhere => OK
+  { name: "app_mf-1-256_sf-1-256_p7-1", expectedResult: Cr.NS_OK },
+  { name: "app_mf-1-256_sf-1_p7-1", expectedResult: Cr.NS_OK },
+  { name: "app_mf-1_sf-1-256_p7-1", expectedResult: Cr.NS_OK },
+  { name: "app_mf-1_sf-1_p7-1", expectedResult: Cr.NS_OK },
+
+  // SHA-256 in PKCS#7 + SHA-256 not present elsewhere => INVALID
+  {
+    name: "app_mf-1-256_sf-1_p7-1-256",
+    expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+  },
+  {
+    name: "app_mf-1-256_sf-1_p7-256",
+    expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+  },
+  {
+    name: "app_mf-1_sf-1-256_p7-1-256",
+    expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+  },
+  {
+    name: "app_mf-1_sf-1-256_p7-256",
+    expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+  },
+  {
+    name: "app_mf-1_sf-1_p7-1-256",
+    expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+  },
+  {
+    name: "app_mf-1_sf-1_p7-256",
+    expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+  },
+  {
+    name: "app_mf-1_sf-256_p7-1-256",
+    expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+  },
+  {
+    name: "app_mf-1_sf-256_p7-256",
+    expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+  },
+  {
+    name: "app_mf-256_sf-1_p7-1-256",
+    expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+  },
+  {
+    name: "app_mf-256_sf-1_p7-256",
+    expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+  },
+
+  // SHA-1 in PKCS#7 + SHA-1 not present elsewhere => INVALID
+  {
+    name: "app_mf-1-256_sf-256_p7-1",
+    expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+  },
+  {
+    name: "app_mf-1_sf-256_p7-1",
+    expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+  },
+  {
+    name: "app_mf-256_sf-1-256_p7-1",
+    expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+  },
+  {
+    name: "app_mf-256_sf-1_p7-1",
+    expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+  },
+  {
+    name: "app_mf-256_sf-256_p7-1",
+    expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+  },
+];
+
+// Policy values for the preference "security.signed_app_signatures.policy"
+const PKCS7WithSHA1OrSHA256 = 0b0;
+const PKCS7WithSHA256 = 0b1;
+const COSEAndPKCS7WithSHA1OrSHA256 = 0b10;
+const COSEAndPKCS7WithSHA256 = 0b11;
+const COSERequiredAndPKCS7WithSHA1OrSHA256 = 0b100;
+const COSERequiredAndPKCS7WithSHA256 = 0b101;
+const COSEOnly = 0b110;
+const COSEOnlyAgain = 0b111;
+
+function add_signature_test(policy, test) {
+  // First queue up a test to set the desired policy:
+  add_test(function () {
+    Services.prefs.setIntPref("security.signed_app_signatures.policy", policy);
+    run_next_test();
+  });
+  // Then queue up the test itself:
+  add_test(test);
+}
+
+for (let testcase of hashTestcases) {
+  add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+    certdb.openSignedAppFileAsync(
+      Ci.nsIX509CertDB.AppXPCShellRoot,
+      original_app_path(testcase.name),
+      check_open_result(testcase.name, testcase.expectedResult)
+    );
+  });
+}
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("empty_signerInfos"),
+    check_open_result(
+      "the signerInfos in the PKCS#7 signature is empty",
+      Cr.NS_ERROR_CMS_VERIFY_NOT_SIGNED
+    )
+  );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("unsigned_app"),
+    check_open_result("unsigned", Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED)
+  );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("unknown_issuer_app"),
+    check_open_result(
+      "unknown_issuer",
+      getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)
+    )
+  );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("cose_signed_with_pkcs7"),
+    check_open_result("cose_signed_with_pkcs7", Cr.NS_OK)
+  );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("app_mf-256_sf-256_p7-256"),
+    check_open_result("no COSE but correct PK#7", Cr.NS_OK)
+  );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("app_mf-1_sf-256_p7-256"),
+    check_open_result(
+      "no COSE and wrong PK#7 hash",
+      Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+    )
+  );
+});
+
+add_signature_test(COSERequiredAndPKCS7WithSHA1OrSHA256, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("app_mf-256_sf-256_p7-256"),
+    check_open_result(
+      "COSE signature missing (SHA1 or 256)",
+      Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+    )
+  );
+});
+
+add_signature_test(COSERequiredAndPKCS7WithSHA256, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("app_mf-256_sf-256_p7-256"),
+    check_open_result(
+      "COSE signature missing (SHA256)",
+      Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+    )
+  );
+});
+
+add_signature_test(COSERequiredAndPKCS7WithSHA256, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("only_cose_signed"),
+    check_open_result(
+      "COSE signature only (PK#7 allowed, not present)",
+      Cr.NS_OK
+    )
+  );
+});
+
+add_signature_test(COSERequiredAndPKCS7WithSHA1OrSHA256, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("only_cose_signed"),
+    check_open_result(
+      "COSE signature only (PK#7 allowed, not present)",
+      Cr.NS_OK
+    )
+  );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("cose_multiple_signed_with_pkcs7"),
+    check_open_result("cose_multiple_signed_with_pkcs7", Cr.NS_OK)
+  );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("cose_int_signed_with_pkcs7"),
+    check_open_result("COSE signed with an intermediate", Cr.NS_OK)
+  );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("only_cose_signed"),
+    check_open_result(
+      "PK7 signature missing",
+      Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED
+    )
+  );
+});
+
+add_signature_test(COSEOnly, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("cose_multiple_signed_with_pkcs7"),
+    check_open_result(
+      "Expected only COSE signature",
+      Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY
+    )
+  );
+});
+
+add_signature_test(COSEOnly, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("only_cose_multiple_signed"),
+    check_open_result("only Multiple COSE signatures", Cr.NS_OK)
+  );
+});
+
+add_signature_test(COSEOnly, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("only_cose_signed"),
+    check_open_result("only_cose_signed", Cr.NS_OK)
+  );
+});
+
+add_signature_test(COSEOnlyAgain, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("only_cose_signed"),
+    check_open_result("only_cose_signed (again)", Cr.NS_OK)
+  );
+});
+
+add_signature_test(COSEOnly, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("cose_signed_with_pkcs7"),
+    check_open_result(
+      "COSE only expected but also PK#7 signed",
+      Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY
+    )
+  );
+});
+
+// Sanity check to ensure a no-op tampering gives a valid result
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+  let tampered = tampered_app_path("identity_tampering");
+  tamper(original_app_path("app_mf-1_sf-1_p7-1"), tampered, {}, []);
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("app_mf-1_sf-1_p7-1"),
+    check_open_result("identity_tampering", Cr.NS_OK)
+  );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+  let tampered = tampered_app_path("missing_rsa");
+  tamper(
+    original_app_path("app_mf-1_sf-1_p7-1"),
+    tampered,
+    { "META-INF/A.RSA": removeEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result("missing_rsa", Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED)
+  );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+  let tampered = tampered_app_path("missing_sf");
+  tamper(
+    original_app_path("app_mf-1_sf-1_p7-1"),
+    tampered,
+    { "META-INF/A.SF": removeEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result("missing_sf", Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID)
+  );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+  let tampered = tampered_app_path("missing_manifest_mf");
+  tamper(
+    original_app_path("app_mf-1_sf-1_p7-1"),
+    tampered,
+    { "META-INF/MANIFEST.MF": removeEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result(
+      "missing_manifest_mf",
+      Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+    )
+  );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+  let tampered = tampered_app_path("missing_entry");
+  tamper(
+    original_app_path("app_mf-1_sf-1_p7-1"),
+    tampered,
+    { "manifest.json": removeEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result("missing_entry", Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING)
+  );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+  let tampered = tampered_app_path("truncated_entry");
+  tamper(
+    original_app_path("app_mf-1_sf-1_p7-1"),
+    tampered,
+    { "manifest.json": truncateEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result("truncated_entry", Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY)
+  );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+  let tampered = tampered_app_path("truncated_manifestFile");
+  tamper(
+    original_app_path("app_mf-1_sf-1_p7-1"),
+    tampered,
+    { "META-INF/MANIFEST.MF": truncateEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result(
+      "truncated_manifestFile",
+      Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+    )
+  );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+  let tampered = tampered_app_path("truncated_signatureFile");
+  tamper(
+    original_app_path("app_mf-1_sf-1_p7-1"),
+    tampered,
+    { "META-INF/A.SF": truncateEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result(
+      "truncated_signatureFile",
+      getXPCOMStatusFromNSS(SEC_ERROR_PKCS7_BAD_SIGNATURE)
+    )
+  );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+  let tampered = tampered_app_path("truncated_pkcs7File");
+  tamper(
+    original_app_path("app_mf-1_sf-1_p7-1"),
+    tampered,
+    { "META-INF/A.RSA": truncateEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result("truncated_pkcs7File", Cr.NS_ERROR_CMS_VERIFY_NOT_SIGNED)
+  );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+  let tampered = tampered_app_path("unsigned_entry");
+  tamper(original_app_path("app_mf-1_sf-1_p7-1"), tampered, {}, [
+    { name: "unsigned.txt", content: "unsigned content!" },
+  ]);
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result("unsigned_entry", Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY)
+  );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+  let tampered = tampered_app_path("unsigned_metainf_entry");
+  tamper(original_app_path("app_mf-1_sf-1_p7-1"), tampered, {}, [
+    { name: "META-INF/unsigned.txt", content: "unsigned content!" },
+  ]);
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result(
+      "unsigned_metainf_entry",
+      Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY
+    )
+  );
+});
+
+add_signature_test(PKCS7WithSHA256, function testSHA1Disabled() {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("app_mf-1_sf-1_p7-1"),
+    check_open_result(
+      "SHA-1 should not be accepted if disabled by policy",
+      Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+    )
+  );
+});
+
+add_signature_test(PKCS7WithSHA256, function testSHA256WorksWithSHA1Disabled() {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("app_mf-256_sf-256_p7-256"),
+    check_open_result(
+      "SHA-256 should work if SHA-1 is disabled by policy",
+      Cr.NS_OK
+    )
+  );
+});
+
+add_signature_test(
+  PKCS7WithSHA256,
+  function testMultipleSignaturesWorkWithSHA1Disabled() {
+    certdb.openSignedAppFileAsync(
+      Ci.nsIX509CertDB.AppXPCShellRoot,
+      original_app_path("app_mf-1-256_sf-1-256_p7-1-256"),
+      check_open_result(
+        "Multiple signatures should work if SHA-1 is " +
+          "disabled by policy (if SHA-256 signature verifies)",
+        Cr.NS_OK
+      )
+    );
+  }
+);
+
+var cosePolicies = [
+  COSEAndPKCS7WithSHA1OrSHA256,
+  COSERequiredAndPKCS7WithSHA1OrSHA256,
+];
+
+// PS256 is not yet supported.
+var coseTestcasesStage = [
+  {
+    name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384",
+    expectedResult: Cr.NS_OK,
+    root: Ci.nsIX509CertDB.AddonsStageRoot,
+  },
+  {
+    name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256",
+    expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+    root: Ci.nsIX509CertDB.AddonsStageRoot,
+  },
+  {
+    name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256",
+    expectedResult: Cr.NS_OK,
+    root: Ci.nsIX509CertDB.AddonsStageRoot,
+  },
+  {
+    name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256",
+    expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+    root: Ci.nsIX509CertDB.AddonsStageRoot,
+  },
+];
+
+var coseTestcasesProd = [
+  {
+    name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384",
+    expectedResult: Cr.NS_OK,
+    root: Ci.nsIX509CertDB.AddonsPublicRoot,
+  },
+  {
+    name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256",
+    expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+    root: Ci.nsIX509CertDB.AddonsPublicRoot,
+  },
+  {
+    name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256",
+    expectedResult: Cr.NS_OK,
+    root: Ci.nsIX509CertDB.AddonsPublicRoot,
+  },
+  {
+    name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256",
+    expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+    root: Ci.nsIX509CertDB.AddonsPublicRoot,
+  },
+];
+
+for (let policy of cosePolicies) {
+  for (let testcase of [...coseTestcasesStage, ...coseTestcasesProd]) {
+    add_signature_test(policy, function () {
+      certdb.openSignedAppFileAsync(
+        testcase.root,
+        original_app_path(testcase.name),
+        check_open_result(testcase.name, testcase.expectedResult)
+      );
+    });
+  }
+}
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSESigTampered() {
+  let tampered = tampered_app_path("cose_sig_tampered");
+  tamper(
+    original_app_path("cose_signed_with_pkcs7"),
+    tampered,
+    { "META-INF/cose.sig": truncateEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result(
+      "cose_sig_tampered",
+      Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+    )
+  );
+});
+
+// PKCS7 is processed before COSE, so if a COSE signature file is removed or
+// tampered with, this appears as a PKCS7 signature verification failure.
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSESigRemoved() {
+  let tampered = tampered_app_path("cose_sig_removed");
+  tamper(
+    original_app_path("cose_signed_with_pkcs7"),
+    tampered,
+    { "META-INF/cose.sig": removeEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result("cose_sig_removed", Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING)
+  );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEManifestTampered() {
+  let tampered = tampered_app_path("cose_manifest_tampered");
+  tamper(
+    original_app_path("cose_signed_with_pkcs7"),
+    tampered,
+    { "META-INF/cose.manifest": truncateEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result(
+      "cose_manifest_tampered",
+      Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+    )
+  );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEManifestRemoved() {
+  let tampered = tampered_app_path("cose_manifest_removed");
+  tamper(
+    original_app_path("cose_signed_with_pkcs7"),
+    tampered,
+    { "META-INF/cose.manifest": removeEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result(
+      "cose_manifest_removed",
+      Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING
+    )
+  );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEFileAdded() {
+  let tampered = tampered_app_path("cose_file_added");
+  tamper(original_app_path("cose_signed_with_pkcs7"), tampered, {}, [
+    { name: "unsigned.txt", content: "unsigned content!" },
+  ]);
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result("cose_file_added", Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY)
+  );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEFileRemoved() {
+  let tampered = tampered_app_path("cose_file_removed");
+  tamper(
+    original_app_path("cose_signed_with_pkcs7"),
+    tampered,
+    { "manifest.json": removeEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result("cose_file_removed", Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING)
+  );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEFileTampered() {
+  let tampered = tampered_app_path("cose_file_tampered");
+  tamper(
+    original_app_path("cose_signed_with_pkcs7"),
+    tampered,
+    { "manifest.json": truncateEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result(
+      "cose_file_tampered",
+      Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+    )
+  );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSESigTampered() {
+  let tampered = tampered_app_path("only_cose_sig_tampered");
+  tamper(
+    original_app_path("only_cose_signed"),
+    tampered,
+    { "META-INF/cose.sig": truncateEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result(
+      "only_cose_sig_tampered",
+      Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+    )
+  );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSESigRemoved() {
+  let tampered = tampered_app_path("only_cose_sig_removed");
+  tamper(
+    original_app_path("only_cose_signed"),
+    tampered,
+    { "META-INF/cose.sig": removeEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result(
+      "only_cose_sig_removed",
+      Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+    )
+  );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEManifestTampered() {
+  let tampered = tampered_app_path("only_cose_manifest_tampered");
+  tamper(
+    original_app_path("only_cose_signed"),
+    tampered,
+    { "META-INF/cose.manifest": truncateEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result(
+      "only_cose_manifest_tampered",
+      Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+    )
+  );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEManifestRemoved() {
+  let tampered = tampered_app_path("only_cose_manifest_removed");
+  tamper(
+    original_app_path("only_cose_signed"),
+    tampered,
+    { "META-INF/cose.manifest": removeEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result(
+      "only_cose_manifest_removed",
+      Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+    )
+  );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEFileAdded() {
+  let tampered = tampered_app_path("only_cose_file_added");
+  tamper(original_app_path("only_cose_signed"), tampered, {}, [
+    { name: "unsigned.txt", content: "unsigned content!" },
+  ]);
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result(
+      "only_cose_file_added",
+      Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY
+    )
+  );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEFileRemoved() {
+  let tampered = tampered_app_path("only_cose_file_removed");
+  tamper(
+    original_app_path("only_cose_signed"),
+    tampered,
+    { "manifest.json": removeEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result(
+      "only_cose_file_removed",
+      Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING
+    )
+  );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEFileTampered() {
+  let tampered = tampered_app_path("only_cose_file_tampered");
+  tamper(
+    original_app_path("only_cose_signed"),
+    tampered,
+    { "manifest.json": truncateEntry },
+    []
+  );
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    tampered,
+    check_open_result(
+      "only_cose_file_tampered",
+      Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+    )
+  );
+});
+
+// This was signed with only COSE first, and then the contents were tampered
+// with (making the signature invalid). Then, the file was signed with
+// PKCS7/SHA1. We need to ensure that if we're configured to process COSE, this
+// verification fails.
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("cose_tampered_good_pkcs7"),
+    check_open_result(
+      "tampered COSE with good PKCS7 signature should fail " +
+        "when COSE and PKCS7 is processed",
+      Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+    )
+  );
+});
+
+add_signature_test(COSEOnly, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("cose_tampered_good_pkcs7"),
+    check_open_result(
+      "tampered COSE with good PKCS7 signature should fail " +
+        "when only COSE is processed",
+      Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+    )
+  );
+});
+
+// If we're not processing COSE, this should verify successfully.
+add_signature_test(PKCS7WithSHA1OrSHA256, function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("cose_tampered_good_pkcs7"),
+    check_open_result(
+      "tampered COSE with good PKCS7 signature should succeed" +
+        "when COSE is not processed",
+      Cr.NS_OK
+    )
+  );
+});
+
+add_test(function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("bug_1411458"),
+    check_open_result("bug 1411458", Cr.NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO)
+  );
+});
+
+// This has a big manifest file (~2MB). It should verify correctly.
+add_test(function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("big_manifest"),
+    check_open_result("add-on with big manifest file", Cr.NS_OK)
+  );
+});
+
+// This has a huge manifest file (~10MB). Manifest files this large are not
+// supported (8MB is the limit). It should not verify correctly.
+add_test(function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("huge_manifest"),
+    check_open_result(
+      "add-on with huge manifest file",
+      Cr.NS_ERROR_SIGNED_JAR_ENTRY_INVALID
+    )
+  );
+});
+
+// Verification should pass despite a not-yet-valid EE certificate.
+// Regression test for bug 1713628
+add_test(function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("validity_not_yet_valid"),
+    check_open_result("validity_not_yet_valid", Cr.NS_OK)
+  );
+});
+
+// Verification should pass despite an expired EE certificate.
+// Regression test for bug 1267318 and bug 1548973
+add_test(function () {
+  certdb.openSignedAppFileAsync(
+    Ci.nsIX509CertDB.AppXPCShellRoot,
+    original_app_path("validity_expired"),
+    check_open_result("validity_expired", Cr.NS_OK)
+  );
+});
+
+// TODO: tampered MF, tampered SF
+// TODO: too-large MF, too-large RSA, too-large SF
+// TODO: MF and SF that end immediately after the last main header
+//       (no CR nor LF)
+// TODO: broken headers to exercise the parser
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app/README b/security/manager/ssl/tests/unit/test_signed_apps/app/README
new file mode 100644
index 0000000000..4f4db4f73e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app/README
@@ -0,0 +1 @@
+This is the readme for the test extension.
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app/data/image.png b/security/manager/ssl/tests/unit/test_signed_apps/app/data/image.png
new file mode 100644
index 0000000000..f4a62faddf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app/data/image.png
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app/manifest.json b/security/manager/ssl/tests/unit/test_signed_apps/app/manifest.json
new file mode 100644
index 0000000000..eacaedfa7a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app/manifest.json
@@ -0,0 +1,5 @@
+{
+  "manifest_version": 2,
+  "name": "Test Extension",
+  "version": "0.0.1"
+}
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.manifest b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.manifest
new file mode 100644
index 0000000000..be5069f57b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.manifest
@@ -0,0 +1,10 @@
+Manifest-Version: 1.0
+
+Name: README
+SHA256-Digest: bY0l9xqGJYCpqYeJ0K6q4DWUQqu0mNBFM4H4emhjiJg=
+
+Name: manifest.json
+SHA256-Digest: BTnCpT154N26RZm8bhdD43WXd0tj5bg6ofM19NLI0OE=
+
+Name: data/image.png
+SHA256-Digest: EPjkNZwya9X+pruLlxG+FACLwGC48XU4S9oZOA0lVVQ=
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.sig b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.sig
new file mode 100644
index 0000000000..ee9f3e2ce9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.sig
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/README b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/README
new file mode 100644
index 0000000000..46217087d8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/README
@@ -0,0 +1,2 @@
+This is the readme for the test extension.
+This app was created by unzipping only_cose_signed.zip and adding this line (thus invalidating the COSE signature).
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/data/image.png b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/data/image.png
new file mode 100644
index 0000000000..f4a62faddf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/data/image.png
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/manifest.json b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/manifest.json
new file mode 100644
index 0000000000..eacaedfa7a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/manifest.json
@@ -0,0 +1,5 @@
+{
+  "manifest_version": 2,
+  "name": "Test Extension",
+  "version": "0.0.1"
+}
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zip
new file mode 100644
index 0000000000..e8643ae4a1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1.zip
new file mode 100644
index 0000000000..c796b05d89
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-256.zip
new file mode 100644
index 0000000000..65b1e7be43
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1-256.zip
new file mode 100644
index 0000000000..eb6bbee0d4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1-256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zip
new file mode 100644
index 0000000000..1efcaf4408
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-256.zip
new file mode 100644
index 0000000000..1554349f31
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1-256.zip
new file mode 100644
index 0000000000..3beaf11361
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1-256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zip
new file mode 100644
index 0000000000..7f2e5386bc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-256.zip
new file mode 100644
index 0000000000..8bd0938986
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1-256.zip
new file mode 100644
index 0000000000..6021fd3aa9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1-256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zip
new file mode 100644
index 0000000000..54211eb519
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-256.zip
new file mode 100644
index 0000000000..704504a448
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1-256.zip
new file mode 100644
index 0000000000..68941bf6e3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1-256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip
new file mode 100644
index 0000000000..727b148130
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-256.zip
new file mode 100644
index 0000000000..2bed33dce4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1-256.zip
new file mode 100644
index 0000000000..d57b44b6e2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1-256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip
new file mode 100644
index 0000000000..6f17528f8b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-256.zip
new file mode 100644
index 0000000000..243113b8a7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1-256.zip
new file mode 100644
index 0000000000..6735f81499
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1-256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zip
new file mode 100644
index 0000000000..f213ac0990
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-256.zip
new file mode 100644
index 0000000000..7a0f561196
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1-256.zip
new file mode 100644
index 0000000000..ce8a55dfa4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1-256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip
new file mode 100644
index 0000000000..0fc2f9368e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-256.zip
new file mode 100644
index 0000000000..79bd0249c3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1-256.zip
new file mode 100644
index 0000000000..c7c76f6a6c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1-256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1.zip
new file mode 100644
index 0000000000..9ed61ff6a8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zip
new file mode 100644
index 0000000000..75e6434188
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384.zip
new file mode 100644
index 0000000000..40b4fc7857
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256.zip
new file mode 100644
index 0000000000..d364e590e5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256.zip
new file mode 100644
index 0000000000..a4353bba19
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256.zip
new file mode 100644
index 0000000000..51ae592ee9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip
new file mode 100644
index 0000000000..b74e087620
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip
new file mode 100644
index 0000000000..772c42e494
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip
new file mode 100644
index 0000000000..b1d1999551
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip
new file mode 100644
index 0000000000..0ce563680d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/big_manifest.zip b/security/manager/ssl/tests/unit/test_signed_apps/big_manifest.zip
new file mode 100644
index 0000000000..1daed90236
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/big_manifest.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/bug_1411458.zip b/security/manager/ssl/tests/unit/test_signed_apps/bug_1411458.zip
new file mode 100644
index 0000000000..0b296945ab
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/bug_1411458.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zip
new file mode 100644
index 0000000000..f67c91c3ea
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip
new file mode 100644
index 0000000000..105f2be712
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zip
new file mode 100644
index 0000000000..8edd1bd7c0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_tampered_good_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_tampered_good_pkcs7.zip
new file mode 100644
index 0000000000..a1565eb9f7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/cose_tampered_good_pkcs7.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/empty_signerInfos.zip b/security/manager/ssl/tests/unit/test_signed_apps/empty_signerInfos.zip
new file mode 100644
index 0000000000..53744b4a8e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/empty_signerInfos.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/huge_manifest.zip b/security/manager/ssl/tests/unit/test_signed_apps/huge_manifest.zip
new file mode 100644
index 0000000000..845c39c8b8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/huge_manifest.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/moz.build b/security/manager/ssl/tests/unit/test_signed_apps/moz.build
new file mode 100644
index 0000000000..8680c8d457
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/moz.build
@@ -0,0 +1,78 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+@template
+def SignedAppFile(name, flags, app_directory="app/"):
+    if not CONFIG["COMPILE_ENVIRONMENT"]:
+        return
+
+    GENERATED_FILES += [name]
+    props = GENERATED_FILES[name]
+    props.script = "/security/manager/ssl/tests/unit/sign_app.py"
+    props.inputs = [app_directory]
+    props.flags = flags
+    # Turn RELATIVEDIR into list entry: like
+    # 'security/manager/ssl/tests/unit/test_signed_apps' ->
+    # TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_signed_apps.
+    files = TEST_HARNESS_FILES.xpcshell
+    for part in RELATIVEDIR.split("/"):
+        files = files[part]
+    files += ["!%s" % name]
+
+
+# Except for unusual testcases (unknown issuer, unsigned app, empty
+# signerInfos), the naming scheme is as follows:
+# app_mf{-1,-256}_sf{-1,-256}_p7{-1,-256}.zip, where:
+# "mf" refers to the manifest file, "sf" refers to the signature file,
+# and "p7" refers to the pkcs#7 file. The "{-1,-256}" indicates which
+# hash algorithms are present in the corresponding file (both may be
+# present).
+# For example, "app_mf-1_sf-1-256_p7-256.zip" means that the manifest
+# file has sha-1 hashes, the signature file has sha-1 hashes and sha-256
+# hashes, and the pkcs#7 file only has sha-256.
+#
+# Temporarily disabled. See bug 1256495.
+# signed_app_files = (
+#    ['unknown_issuer_app.zip', '-i', 'unknown issuer', '-p', 'sha256'],
+#    ['unsigned_app.zip'],
+#    ['empty_signerInfos.zip', '-e'],
+# )
+#
+# for signed_app_file_params in signed_app_files:
+#    SignedAppFile(signed_app_file_params[0], signed_app_file_params[1:])
+#
+# for mf_algs in [['1'], ['256'], ['1', '256']]:
+#    for sf_algs in [['1'], ['256'], ['1', '256']]:
+#        for p7_algs in [['1'], ['256'], ['1', '256']]:
+#            filename = "app_mf-%s_sf-%s_p7-%s.zip" % ('-'.join(mf_algs), '-'.join(sf_algs), '-'.join(p7_algs))
+#            args = []
+#            for mf_alg in mf_algs:
+#                args.append('-m')
+#                args.append('sha%s' % mf_alg)
+#            for sf_alg in sf_algs:
+#                args.append('-s')
+#                args.append('sha%s' % sf_alg)
+#            for p7_alg in p7_algs:
+#                args.append('-p')
+#                args.append('sha%s' % p7_alg)
+#            SignedAppFile(filename, args)
+#
+# COSE test-cases
+# SignedAppFile('cose_signed_with_pkcs7.zip', ['-c', 'ES256', '-p', 'sha256'])
+# SignedAppFile('cose_int_signed_with_pkcs7.zip', ['-c', 'ES256', '-r', 'xpcshell signed apps test root', '-p', 'sha256'])
+# SignedAppFile('cose_multiple_signed_with_pkcs7.zip', ['-c', 'ES256', '-c', 'ES384', '-p', 'sha256'])
+# SignedAppFile('only_cose_signed.zip', ['-c', 'ES256'])
+# SignedAppFile('only_cose_multiple_signed.zip', ['-c', 'ES384', '-c', 'ES256'])
+# SignedAppFile('cose_tampered_good_pkcs7.zip', ['-m', 'sha1', '-s', 'sha1', '-p', 'sha1'], 'app_cose_tampered/')
+# SignedAppFile('big_manifest.zip', ['-p', 'sha256', '--pad-headers', '2'])
+# SignedAppFile('huge_manifest.zip', ['-p', 'sha256', '--pad-headers', '10'])
+# SignedAppFile('validity_expired.zip', ['-c', 'ES256', '-p', 'sha256', '--cert-validity', '19700101-19701212'])
+# SignedAppFile('validity_not_yet_valid.zip', ['-c', 'ES256', '-p', 'sha256', '--cert-validity', '99990101-99991212'])
+
+# To generate a new entry, add SignedAppFile, run mach build and copy from
+# objdir/_tests/xpcshell/security/manager/ssl/tests/unit/test_signed_apps/
+# to this directory.
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/only_cose_multiple_signed.zip b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_multiple_signed.zip
new file mode 100644
index 0000000000..4befbcd47f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_multiple_signed.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zip b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zip
new file mode 100644
index 0000000000..70ec223475
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zip b/security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zip
new file mode 100644
index 0000000000..03f59a20bb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zip b/security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zip
new file mode 100644
index 0000000000..162b1107fe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/validity_expired.zip b/security/manager/ssl/tests/unit/test_signed_apps/validity_expired.zip
new file mode 100644
index 0000000000..4b160fe736
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/validity_expired.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/validity_not_yet_valid.zip b/security/manager/ssl/tests/unit/test_signed_apps/validity_not_yet_valid.zip
new file mode 100644
index 0000000000..82a8b4836a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/validity_not_yet_valid.zip
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der
new file mode 100644
index 0000000000..3c1869b13b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem.certspec b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem.certspec
new file mode 100644
index 0000000000..500c4185cd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem.certspec
@@ -0,0 +1,6 @@
+issuer:xpcshell signed apps test root
+subject:xpcshell signed apps test root
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:keyEncipherment,keyCertSign
+extension:extKeyUsage:codeSigning
diff --git a/security/manager/ssl/tests/unit/test_ssl_status.js b/security/manager/ssl/tests/unit/test_ssl_status.js
new file mode 100644
index 0000000000..e8df767c85
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ssl_status.js
@@ -0,0 +1,75 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+do_get_profile();
+
+function run_test() {
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+  add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+
+  let fakeOCSPResponder = new HttpServer();
+  fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
+    response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+  });
+  fakeOCSPResponder.start(8888);
+
+  // Test successful connection (failedCertChain should be null,
+  // succeededCertChain should be set as expected)
+  add_connection_test(
+    "good.include-subdomains.pinning.example.com",
+    PRErrorCodeSuccess,
+    null,
+    function withSecurityInfo(aSecInfo) {
+      equal(
+        aSecInfo.failedCertChain.length,
+        0,
+        "failedCertChain for a successful connection should be empty"
+      );
+      ok(
+        areCertArraysEqual(
+          aSecInfo.succeededCertChain,
+          build_cert_chain(["default-ee", "test-ca"])
+        ),
+        "succeededCertChain for a successful connection should be as expected"
+      );
+    }
+  );
+
+  // Test failed connection (failedCertChain should be set as expected,
+  // succeededCertChain should be null)
+  add_connection_test(
+    "expired.example.com",
+    SEC_ERROR_EXPIRED_CERTIFICATE,
+    null,
+    function withSecurityInfo(aSecInfo) {
+      equal(
+        aSecInfo.succeededCertChain.length,
+        0,
+        "succeededCertChain for a failed connection should be null"
+      );
+      ok(
+        areCertArraysEqual(
+          aSecInfo.failedCertChain,
+          build_cert_chain(["expired-ee", "test-ca"])
+        ),
+        "failedCertChain for a failed connection should be as expected"
+      );
+    }
+  );
+
+  // Ensure the correct failed cert chain is set on cert override
+  let overrideStatus = {
+    failedCertChain: build_cert_chain(["expired-ee", "test-ca"]),
+  };
+  add_cert_override_test(
+    "expired.example.com",
+    SEC_ERROR_EXPIRED_CERTIFICATE,
+    undefined,
+    overrideStatus
+  );
+
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_eviction.js b/security/manager/ssl/tests/unit/test_sss_eviction.js
new file mode 100644
index 0000000000..eee9e00e22
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_eviction.js
@@ -0,0 +1,88 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to check that a frequently visited site
+// will not be evicted over an infrequently visited site.
+
+var gSSService = null;
+var gProfileDir = null;
+
+function do_state_written(aSubject, aTopic, aData) {
+  if (aData == CLIENT_AUTH_FILE_NAME) {
+    return;
+  }
+
+  equal(aData, SSS_STATE_FILE_NAME);
+
+  let stateFile = gProfileDir.clone();
+  stateFile.append(SSS_STATE_FILE_NAME);
+  ok(stateFile.exists());
+  let stateFileContents = readFile(stateFile);
+  // the last part is removed because it's the empty string after the final \n
+  let lines = stateFileContents.split("\n").slice(0, -1);
+  // We can receive multiple data-storage-written events. In particular, we
+  // may receive one where DataStorage wrote out data before we were done
+  // processing all of our headers. In this case, the data may not be
+  // as we expect. We only care about the final one being correct, however,
+  // so we return and wait for the next event if things aren't as we expect.
+  // There should be 1024 entries.
+  if (lines.length != 1024) {
+    return;
+  }
+
+  let foundLegitSite = false;
+  for (let line of lines) {
+    if (line.startsWith("frequentlyused.example.com:HSTS")) {
+      foundLegitSite = true;
+      break;
+    }
+  }
+
+  ok(foundLegitSite);
+  do_test_finished();
+}
+
+function do_state_read(aSubject, aTopic, aData) {
+  if (aData == CLIENT_AUTH_FILE_NAME) {
+    return;
+  }
+
+  equal(aData, SSS_STATE_FILE_NAME);
+
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://frequentlyused.example.com")
+    )
+  );
+  for (let i = 0; i < 2000; i++) {
+    let uri = Services.io.newURI("http://bad" + i + ".example.com");
+    gSSService.processHeader(uri, "max-age=1000");
+  }
+  do_test_pending();
+  Services.obs.addObserver(do_state_written, "data-storage-written");
+  do_test_finished();
+}
+
+function run_test() {
+  Services.prefs.setIntPref("test.datastorage.write_timer_ms", 100);
+  gProfileDir = do_get_profile();
+  let stateFile = gProfileDir.clone();
+  stateFile.append(SSS_STATE_FILE_NAME);
+  // Assuming we're working with a clean slate, the file shouldn't exist
+  // until we create it.
+  ok(!stateFile.exists());
+  let outputStream = FileUtils.openFileOutputStream(stateFile);
+  let now = new Date().getTime();
+  let line =
+    "frequentlyused.example.com:HSTS\t4\t0\t" + (now + 100000) + ",1,0\n";
+  outputStream.write(line, line.length);
+  outputStream.close();
+  Services.obs.addObserver(do_state_read, "data-storage-ready");
+  do_test_pending();
+  gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+    Ci.nsISiteSecurityService
+  );
+  notEqual(gSSService, null);
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_originAttributes.js b/security/manager/ssl/tests/unit/test_sss_originAttributes.js
new file mode 100644
index 0000000000..280b0df5a6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_originAttributes.js
@@ -0,0 +1,99 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+ * vim: sw=2 ts=2 sts=2
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+// Ensures nsISiteSecurityService APIs respects origin attributes.
+
+const GOOD_MAX_AGE_SECONDS = 69403;
+const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`;
+
+do_get_profile(); // must be done before instantiating nsIX509CertDB
+
+let sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService);
+let host = "a.pinning.example.com";
+let uri = Services.io.newURI("https://" + host);
+
+// Check if originAttributes1 and originAttributes2 are isolated with respect
+// to HSTS storage.
+function doTest(originAttributes1, originAttributes2, shouldShare) {
+  sss.clearAll();
+  let header = GOOD_MAX_AGE;
+  // Set HSTS for originAttributes1.
+  sss.processHeader(uri, header, originAttributes1);
+  ok(
+    sss.isSecureURI(uri, originAttributes1),
+    "URI should be secure given original origin attributes"
+  );
+  equal(
+    sss.isSecureURI(uri, originAttributes2),
+    shouldShare,
+    "URI should be secure given different origin attributes if and " +
+      "only if shouldShare is true"
+  );
+
+  if (!shouldShare) {
+    // Remove originAttributes2 from the storage.
+    sss.resetState(uri, originAttributes2);
+    ok(
+      sss.isSecureURI(uri, originAttributes1),
+      "URI should still be secure given original origin attributes"
+    );
+  }
+
+  // Remove originAttributes1 from the storage.
+  sss.resetState(uri, originAttributes1);
+  ok(
+    !sss.isSecureURI(uri, originAttributes1),
+    "URI should not be secure after removeState"
+  );
+
+  sss.clearAll();
+}
+
+function testInvalidOriginAttributes(originAttributes) {
+  let header = GOOD_MAX_AGE;
+
+  let callbacks = [
+    () => sss.processHeader(uri, header, originAttributes),
+    () => sss.isSecureURI(uri, originAttributes),
+    () => sss.resetState(uri, originAttributes),
+  ];
+
+  for (let callback of callbacks) {
+    throws(
+      callback,
+      /NS_ERROR_ILLEGAL_VALUE/,
+      "Should get an error with invalid origin attributes"
+    );
+  }
+}
+
+function run_test() {
+  sss.clearAll();
+
+  let originAttributesList = [];
+  for (let userContextId of [0, 1, 2]) {
+    for (let firstPartyDomain of ["", "foo.com", "bar.com"]) {
+      originAttributesList.push({ userContextId, firstPartyDomain });
+    }
+  }
+  for (let attrs1 of originAttributesList) {
+    for (let attrs2 of originAttributesList) {
+      // SSS storage is not isolated by userContext
+      doTest(
+        attrs1,
+        attrs2,
+        attrs1.firstPartyDomain == attrs2.firstPartyDomain
+      );
+    }
+  }
+
+  testInvalidOriginAttributes(undefined);
+  testInvalidOriginAttributes(null);
+  testInvalidOriginAttributes(1);
+  testInvalidOriginAttributes("foo");
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_readstate.js b/security/manager/ssl/tests/unit/test_sss_readstate.js
new file mode 100644
index 0000000000..689df13495
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_readstate.js
@@ -0,0 +1,123 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to create a site security service state file
+// and see that the site security service reads it properly.
+
+var gSSService = null;
+
+function checkStateRead(aSubject, aTopic, aData) {
+  if (aData == CLIENT_AUTH_FILE_NAME) {
+    return;
+  }
+
+  equal(aData, SSS_STATE_FILE_NAME);
+
+  ok(
+    !gSSService.isSecureURI(Services.io.newURI("https://expired.example.com"))
+  );
+  ok(
+    gSSService.isSecureURI(Services.io.newURI("https://notexpired.example.com"))
+  );
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://includesubdomains.preloaded.test")
+    )
+  );
+  ok(
+    !gSSService.isSecureURI(
+      Services.io.newURI("https://sub.includesubdomains.preloaded.test")
+    )
+  );
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://incsubdomain.example.com")
+    )
+  );
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://sub.incsubdomain.example.com")
+    )
+  );
+  ok(
+    !gSSService.isSecureURI(
+      Services.io.newURI("https://includesubdomains2.preloaded.test")
+    )
+  );
+  ok(
+    !gSSService.isSecureURI(
+      Services.io.newURI("https://sub.includesubdomains2.preloaded.test")
+    )
+  );
+
+  // Clearing the data should make everything go back to default.
+  gSSService.clearAll();
+  ok(
+    !gSSService.isSecureURI(Services.io.newURI("https://expired.example.com"))
+  );
+  ok(
+    !gSSService.isSecureURI(
+      Services.io.newURI("https://notexpired.example.com")
+    )
+  );
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://includesubdomains.preloaded.test")
+    )
+  );
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://sub.includesubdomains.preloaded.test")
+    )
+  );
+  ok(
+    !gSSService.isSecureURI(
+      Services.io.newURI("https://incsubdomain.example.com")
+    )
+  );
+  ok(
+    !gSSService.isSecureURI(
+      Services.io.newURI("https://sub.incsubdomain.example.com")
+    )
+  );
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://includesubdomains2.preloaded.test")
+    )
+  );
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://sub.includesubdomains2.preloaded.test")
+    )
+  );
+  do_test_finished();
+}
+
+function run_test() {
+  let profileDir = do_get_profile();
+  let stateFile = profileDir.clone();
+  stateFile.append(SSS_STATE_FILE_NAME);
+  // Assuming we're working with a clean slate, the file shouldn't exist
+  // until we create it.
+  ok(!stateFile.exists());
+  let outputStream = FileUtils.openFileOutputStream(stateFile);
+  let now = Date.now();
+  let lines = [
+    `expired.example.com:HSTS\t0\t0\t${now - 100000},1,0`,
+    `notexpired.example.com:HSTS\t0\t0\t${now + 100000},1,0`,
+    // This overrides an entry on the preload list.
+    `includesubdomains.preloaded.test:HSTS\t0\t0\t${now + 100000},1,0`,
+    `incsubdomain.example.com:HSTS\t0\t0\t${now + 100000},1,1`,
+    // This overrides an entry on the preload list.
+    "includesubdomains2.preloaded.test:HSTS\t0\t0\t0,2,0",
+  ];
+  writeLinesAndClose(lines, outputStream);
+  Services.obs.addObserver(checkStateRead, "data-storage-ready");
+  do_test_pending();
+  gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+    Ci.nsISiteSecurityService
+  );
+  notEqual(gSSService, null);
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_readstate_empty.js b/security/manager/ssl/tests/unit/test_sss_readstate_empty.js
new file mode 100644
index 0000000000..83d96f5245
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_empty.js
@@ -0,0 +1,50 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to create an empty site security service state
+// file and see that the site security service doesn't fail when reading it.
+
+var gSSService = null;
+
+function checkStateRead(aSubject, aTopic, aData) {
+  // nonexistent.example.com should never be an HSTS host
+  ok(
+    !gSSService.isSecureURI(
+      Services.io.newURI("https://nonexistent.example.com")
+    )
+  );
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://includesubdomains.preloaded.test")
+    )
+  );
+  // notexpired.example.com is an HSTS host in a different test - we
+  // want to make sure that test hasn't interfered with this one.
+  ok(
+    !gSSService.isSecureURI(
+      Services.io.newURI("https://notexpired.example.com")
+    )
+  );
+  do_test_finished();
+}
+
+function run_test() {
+  let profileDir = do_get_profile();
+  let stateFile = profileDir.clone();
+  stateFile.append(SSS_STATE_FILE_NAME);
+  // Assuming we're working with a clean slate, the file shouldn't exist
+  // until we create it.
+  ok(!stateFile.exists());
+  stateFile.create(Ci.nsIFile.NORMAL_FILE_TYPE, 0x1a4); // 0x1a4 == 0o644
+  ok(stateFile.exists());
+  // Initialize nsISiteSecurityService after do_get_profile() so it
+  // can read the state file.
+  Services.obs.addObserver(checkStateRead, "data-storage-ready");
+  do_test_pending();
+  gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+    Ci.nsISiteSecurityService
+  );
+  notEqual(gSSService, null);
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js b/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js
new file mode 100644
index 0000000000..00c79756d9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js
@@ -0,0 +1,95 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to create a mostly bogus site security service
+// state file and see that the site security service handles it properly.
+
+var gSSService = null;
+
+function checkStateRead(aSubject, aTopic, aData) {
+  if (aData == CLIENT_AUTH_FILE_NAME) {
+    return;
+  }
+
+  equal(aData, SSS_STATE_FILE_NAME);
+
+  const HSTS_HOSTS = [
+    "https://example1.example.com",
+    "https://example2.example.com",
+  ];
+  for (let host of HSTS_HOSTS) {
+    ok(
+      gSSService.isSecureURI(Services.io.newURI(host)),
+      `${host} should be HSTS enabled`
+    );
+  }
+
+  const NOT_HSTS_HOSTS = [
+    "https://example.com",
+    "https://example3.example.com",
+    "https://extra.comma.example.com",
+    "https://empty.statestring.example.com",
+    "https://rubbish.statestring.example.com",
+    "https://spaces.statestring.example.com",
+    "https://invalid.expirytime.example.com",
+    "https://text.securitypropertystate.example.com",
+    "https://invalid.securitypropertystate.example.com",
+    "https://text.includesubdomains.example.com",
+    "https://invalid.includesubdomains.example.com",
+  ];
+  for (let host of NOT_HSTS_HOSTS) {
+    ok(
+      !gSSService.isSecureURI(Services.io.newURI(host)),
+      `${host} should not be HSTS enabled`
+    );
+  }
+
+  do_test_finished();
+}
+
+function run_test() {
+  Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
+  let profileDir = do_get_profile();
+  let stateFile = profileDir.clone();
+  stateFile.append(SSS_STATE_FILE_NAME);
+  // Assuming we're working with a clean slate, the file shouldn't exist
+  // until we create it.
+  ok(!stateFile.exists());
+  let outputStream = FileUtils.openFileOutputStream(stateFile);
+  let expiryTime = Date.now() + 100000;
+  let lines = [
+    // General state file entry tests.
+    `example1.example.com:HSTS\t0\t0\t${expiryTime},1,0`,
+    "I'm a lumberjack and I'm okay; I work all night and I sleep all day!",
+    "This is a totally bogus entry\t",
+    "0\t0\t0\t0\t",
+    "\t\t\t\t\t\t\t",
+    "example.com:HSTS\t\t\t\t\t\t\t",
+    "example3.example.com:HSTS\t0\t\t\t\t\t\t",
+    `example2.example.com:HSTS\t0\t0\t${expiryTime},1,0`,
+    // HSTS state string parsing tests
+    `extra.comma.example.com:HSTS\t0\t0\t${expiryTime},,1,0`,
+    "empty.statestring.example.com:HSTS\t0\t0\t",
+    "rubbish.statestring.example.com:HSTS\t0\t0\tfoobar",
+    `spaces.statestring.example.com:HSTS\t0\t0\t${expiryTime}, 1,0 `,
+    `invalid.expirytime.example.com:HSTS\t0\t0\t${expiryTime}foo123,1,0`,
+    `text.securitypropertystate.example.com:HSTS\t0\t0\t${expiryTime},1foo,0`,
+    `invalid.securitypropertystate.example.com:HSTS\t0\t0\t${expiryTime},999,0`,
+    `text.includesubdomains.example.com:HSTS\t0\t0\t${expiryTime},1,1foo`,
+    `invalid.includesubdomains.example.com:HSTS\t0\t0\t${expiryTime},1,0foo`,
+  ];
+  writeLinesAndClose(lines, outputStream);
+  Services.obs.addObserver(checkStateRead, "data-storage-ready");
+  do_test_pending();
+  gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+    Ci.nsISiteSecurityService
+  );
+  notEqual(gSSService, null);
+
+  Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
+  registerCleanupFunction(() => {
+    Services.prefs.clearUserPref("security.cert_pinning.enforcement_level");
+  });
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_readstate_huge.js b/security/manager/ssl/tests/unit/test_sss_readstate_huge.js
new file mode 100644
index 0000000000..079fd598b4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_huge.js
@@ -0,0 +1,80 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to create a site security service state file
+// that is too large and see that the site security service reads it properly
+// (this means discarding all entries after the 1024th).
+
+var gSSService = null;
+
+function checkStateRead(aSubject, aTopic, aData) {
+  if (aData == CLIENT_AUTH_FILE_NAME) {
+    return;
+  }
+
+  equal(aData, SSS_STATE_FILE_NAME);
+
+  ok(
+    gSSService.isSecureURI(Services.io.newURI("https://example0.example.com"))
+  );
+  ok(
+    gSSService.isSecureURI(Services.io.newURI("https://example423.example.com"))
+  );
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://example1023.example.com")
+    )
+  );
+  ok(
+    !gSSService.isSecureURI(
+      Services.io.newURI("https://example1024.example.com")
+    )
+  );
+  ok(
+    !gSSService.isSecureURI(
+      Services.io.newURI("https://example1025.example.com")
+    )
+  );
+  ok(
+    !gSSService.isSecureURI(
+      Services.io.newURI("https://example9000.example.com")
+    )
+  );
+  ok(
+    !gSSService.isSecureURI(
+      Services.io.newURI("https://example99999.example.com")
+    )
+  );
+  do_test_finished();
+}
+
+function run_test() {
+  let profileDir = do_get_profile();
+  let stateFile = profileDir.clone();
+  stateFile.append(SSS_STATE_FILE_NAME);
+  // Assuming we're working with a clean slate, the file shouldn't exist
+  // until we create it.
+  ok(!stateFile.exists());
+  let outputStream = FileUtils.openFileOutputStream(stateFile);
+  let expiryTime = Date.now() + 100000;
+  let lines = [];
+  for (let i = 0; i < 10000; i++) {
+    // The 0s will all get squashed down into one 0 when they are read.
+    // This is just to make the file size large (>2MB).
+    lines.push(
+      `example${i}.example.com:HSTS\t` +
+        "0000000000000000000000000000000000000000000000000\t" +
+        "00000000000000000000000000000000000000\t" +
+        `${expiryTime},1,0000000000000000000000000000000000000000000000000000000000000000000000000`
+    );
+  }
+  writeLinesAndClose(lines, outputStream);
+  Services.obs.addObserver(checkStateRead, "data-storage-ready");
+  do_test_pending();
+  gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+    Ci.nsISiteSecurityService
+  );
+  notEqual(gSSService, null);
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_resetState.js b/security/manager/ssl/tests/unit/test_sss_resetState.js
new file mode 100644
index 0000000000..4a667c05f0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_resetState.js
@@ -0,0 +1,62 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that resetting HSTS state in the way the "forget about this site"
+// functionality does works as expected for preloaded and non-preloaded sites.
+
+do_get_profile();
+
+var gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+  Ci.nsISiteSecurityService
+);
+
+function test_removeState(originAttributes) {
+  info(`running test_removeState(originAttributes=${originAttributes})`);
+  // Simulate visiting a non-preloaded site by processing an HSTS header check
+  // that the HSTS bit gets set, simulate "forget about this site" (call
+  // removeState), and then check that the HSTS bit isn't set.
+  let notPreloadedURI = Services.io.newURI("https://not-preloaded.example.com");
+  ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));
+  gSSService.processHeader(notPreloadedURI, "max-age=1000;", originAttributes);
+  ok(gSSService.isSecureURI(notPreloadedURI, originAttributes));
+  gSSService.resetState(notPreloadedURI, originAttributes);
+  ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));
+
+  // Simulate visiting a non-preloaded site that unsets HSTS by processing
+  // an HSTS header with "max-age=0", check that the HSTS bit isn't
+  // set, simulate "forget about this site" (call removeState), and then check
+  // that the HSTS bit isn't set.
+  gSSService.processHeader(notPreloadedURI, "max-age=0;", originAttributes);
+  ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));
+  gSSService.resetState(notPreloadedURI, originAttributes);
+  ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));
+
+  // Simulate visiting a preloaded site by processing an HSTS header, check
+  // that the HSTS bit is still set, simulate "forget about this site"
+  // (call removeState), and then check that the HSTS bit is still set.
+  let preloadedHost = "includesubdomains.preloaded.test";
+  let preloadedURI = Services.io.newURI(`https://${preloadedHost}`);
+  ok(gSSService.isSecureURI(preloadedURI, originAttributes));
+  gSSService.processHeader(preloadedURI, "max-age=1000;", originAttributes);
+  ok(gSSService.isSecureURI(preloadedURI, originAttributes));
+  gSSService.resetState(preloadedURI, originAttributes);
+  ok(gSSService.isSecureURI(preloadedURI, originAttributes));
+
+  // Simulate visiting a preloaded site that unsets HSTS by processing an
+  // HSTS header with "max-age=0", check that the HSTS bit is what we
+  // expect (see below), simulate "forget about this site" (call removeState),
+  // and then check that the HSTS bit is set.
+  gSSService.processHeader(preloadedURI, "max-age=0;", originAttributes);
+  ok(!gSSService.isSecureURI(preloadedURI, originAttributes));
+  gSSService.resetState(preloadedURI, originAttributes);
+  ok(gSSService.isSecureURI(preloadedURI, originAttributes));
+}
+
+function run_test() {
+  test_removeState({});
+  test_removeState({ privateBrowsingId: 1 });
+}
diff --git a/security/manager/ssl/tests/unit/test_sss_sanitizeOnShutdown.js b/security/manager/ssl/tests/unit/test_sss_sanitizeOnShutdown.js
new file mode 100644
index 0000000000..d84920a977
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_sanitizeOnShutdown.js
@@ -0,0 +1,66 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to ensure that Firefox sanitizes site security
+// service data on shutdown if configured to do so.
+
+ChromeUtils.defineESModuleGetters(this, {
+  Sanitizer: "resource:///modules/Sanitizer.sys.mjs",
+  TestUtils: "resource://testing-common/TestUtils.sys.mjs",
+});
+
+Sanitizer.onStartup();
+
+// This helps us away from test timed out. If service worker manager(swm) hasn't
+// been initilaized before profile-change-teardown, this test would fail due to
+// the shutdown blocker added by swm. Normally, swm should be initialized before
+// that and the similar crash signatures are fixed. So, assume this cannot
+// happen in the real world and initilaize swm here as a workaround.
+Cc["@mozilla.org/serviceworkers/manager;1"].getService(
+  Ci.nsIServiceWorkerManager
+);
+
+function getStateFileContents() {
+  let stateFile = do_get_profile();
+  stateFile.append(SSS_STATE_FILE_NAME);
+  ok(stateFile.exists());
+  return readFile(stateFile);
+}
+
+add_task(async function run_test() {
+  Services.prefs.setIntPref("test.datastorage.write_timer_ms", 100);
+  do_get_profile();
+  let SSService = Cc["@mozilla.org/ssservice;1"].getService(
+    Ci.nsISiteSecurityService
+  );
+  let header = "max-age=50000";
+  SSService.processHeader(Services.io.newURI("http://example.com"), header);
+  await TestUtils.topicObserved(
+    "data-storage-written",
+    (_, data) => data == SSS_STATE_FILE_NAME
+  );
+  let stateFileContents = getStateFileContents();
+  ok(
+    stateFileContents.includes("example.com"),
+    "should have written out state file"
+  );
+
+  // Configure Firefox to clear this data on shutdown.
+  Services.prefs.setBoolPref(
+    Sanitizer.PREF_SHUTDOWN_BRANCH + "siteSettings",
+    true
+  );
+  Services.prefs.setBoolPref(Sanitizer.PREF_SANITIZE_ON_SHUTDOWN, true);
+
+  // Simulate shutdown.
+  Services.startup.advanceShutdownPhase(
+    Services.startup.SHUTDOWN_PHASE_APPSHUTDOWNTEARDOWN
+  );
+  Services.startup.advanceShutdownPhase(
+    Services.startup.SHUTDOWN_PHASE_APPSHUTDOWN
+  );
+
+  equal(getStateFileContents(), "", "state file should be empty");
+});
diff --git a/security/manager/ssl/tests/unit/test_sss_savestate.js b/security/manager/ssl/tests/unit/test_sss_savestate.js
new file mode 100644
index 0000000000..1ab4ceaf40
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_savestate.js
@@ -0,0 +1,126 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to see that the site security service properly
+// writes its state file.
+
+const EXPECTED_ENTRIES = 5;
+const EXPECTED_HSTS_COLUMNS = 3;
+
+var gProfileDir = null;
+var gExpectingWrites = true;
+
+// For reference, the format of the state file is a list of:
+// <domain name> <expiration time in milliseconds>,<sts status>,<includeSubdomains>
+// separated by newlines ('\n')
+
+function checkStateWritten(aSubject, aTopic, aData) {
+  if (aData == CLIENT_AUTH_FILE_NAME) {
+    return;
+  }
+
+  equal(aData, SSS_STATE_FILE_NAME);
+  ok(gExpectingWrites);
+
+  let stateFile = gProfileDir.clone();
+  stateFile.append(SSS_STATE_FILE_NAME);
+  ok(stateFile.exists());
+  let stateFileContents = readFile(stateFile);
+  // the last line is removed because it's just a trailing newline
+  let lines = stateFileContents.split("\n").slice(0, -1);
+  equal(lines.length, EXPECTED_ENTRIES);
+  let sites = {}; // a map of domain name -> [the entry in the state file]
+  for (let line of lines) {
+    let parts = line.split("\t");
+    let host = parts[0];
+    let entry = parts[3].split(",");
+    let expectedColumns = EXPECTED_HSTS_COLUMNS;
+    equal(entry.length, expectedColumns);
+    sites[host] = entry;
+  }
+
+  // While we're still processing headers, multiple writes of the backing data
+  // can be scheduled, and thus we can receive multiple data-storage-written
+  // notifications. In these cases, the data may not be as we expect. We only
+  // care about the final one being correct, however, so we return and wait for
+  // the next event if things aren't as we expect.
+  // each sites[url][1] should be SecurityPropertySet (i.e. 1).
+  // sites[url][2] corresponds to includeSubdomains, so every other one should
+  // be set (i.e. 1);
+  if (sites["includesubdomains.preloaded.test:HSTS"][1] != 1) {
+    return;
+  }
+  if (sites["includesubdomains.preloaded.test:HSTS"][2] != 0) {
+    return;
+  }
+  if (sites["a.example.com:HSTS"][1] != 1) {
+    return;
+  }
+  if (sites["a.example.com:HSTS"][2] != 1) {
+    return;
+  }
+  if (sites["b.example.com:HSTS"][1] != 1) {
+    return;
+  }
+  if (sites["b.example.com:HSTS"][2] != 0) {
+    return;
+  }
+  if (sites["c.c.example.com:HSTS"][1] != 1) {
+    return;
+  }
+  if (sites["c.c.example.com:HSTS"][2] != 1) {
+    return;
+  }
+  if (sites["d.example.com:HSTS"][1] != 1) {
+    return;
+  }
+  if (sites["d.example.com:HSTS"][2] != 0) {
+    return;
+  }
+
+  // If we get here, the file was as expected and we no longer expect any
+  // data-storage-written notifications.
+  gExpectingWrites = false;
+
+  // Process the headers again to test that seeing them again after such a
+  // short delay doesn't cause another write.
+  process_headers();
+
+  // Wait a bit before finishing the test, to see if another write happens.
+  do_timeout(2000, function () {
+    do_test_finished();
+  });
+}
+
+function process_headers() {
+  let SSService = Cc["@mozilla.org/ssservice;1"].getService(
+    Ci.nsISiteSecurityService
+  );
+
+  let uris = [
+    Services.io.newURI("http://includesubdomains.preloaded.test"),
+    Services.io.newURI("http://a.example.com"),
+    Services.io.newURI("http://b.example.com"),
+    Services.io.newURI("http://c.c.example.com"),
+    Services.io.newURI("http://d.example.com"),
+  ];
+
+  for (let i = 0; i < 1000; i++) {
+    let uriIndex = i % uris.length;
+    // vary max-age, but have it be within one day of one year
+    let maxAge = "max-age=" + (i + 31536000);
+    // have every other URI set includeSubdomains
+    let includeSubdomains = uriIndex % 2 == 1 ? "; includeSubdomains" : "";
+    SSService.processHeader(uris[uriIndex], maxAge + includeSubdomains);
+  }
+}
+
+function run_test() {
+  Services.prefs.setIntPref("test.datastorage.write_timer_ms", 100);
+  gProfileDir = do_get_profile();
+  process_headers();
+  do_test_pending();
+  Services.obs.addObserver(checkStateWritten, "data-storage-written");
+}
diff --git a/security/manager/ssl/tests/unit/test_sts_fqdn.js b/security/manager/ssl/tests/unit/test_sts_fqdn.js
new file mode 100644
index 0000000000..3c136a9d99
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sts_fqdn.js
@@ -0,0 +1,40 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+"use strict";
+
+function run_test() {
+  let SSService = Cc["@mozilla.org/ssservice;1"].getService(
+    Ci.nsISiteSecurityService
+  );
+  let uri = Services.io.newURI("https://example.com");
+  let uri1 = Services.io.newURI("https://example.com.");
+  let uri2 = Services.io.newURI("https://example.com..");
+  ok(!SSService.isSecureURI(uri));
+  ok(!SSService.isSecureURI(uri1));
+  // These cases are only relevant as long as bug 1118522 hasn't been fixed.
+  ok(!SSService.isSecureURI(uri2));
+
+  SSService.processHeader(uri, "max-age=1000;includeSubdomains");
+  ok(SSService.isSecureURI(uri));
+  ok(SSService.isSecureURI(uri1));
+  ok(SSService.isSecureURI(uri2));
+
+  SSService.resetState(uri);
+  ok(!SSService.isSecureURI(uri));
+  ok(!SSService.isSecureURI(uri1));
+  ok(!SSService.isSecureURI(uri2));
+
+  // Somehow creating this malformed URI succeeds - we need to handle it
+  // gracefully.
+  uri = Services.io.newURI("https://../foo");
+  equal(uri.host, "..");
+  throws(
+    () => {
+      SSService.isSecureURI(uri);
+    },
+    /NS_ERROR_UNEXPECTED/,
+    "Malformed URI should be rejected"
+  );
+}
diff --git a/security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js b/security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js
new file mode 100644
index 0000000000..4ffac59356
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js
@@ -0,0 +1,55 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+function check_ip(s, v, ip) {
+  let str = "https://";
+  if (v == 6) {
+    str += "[";
+  }
+  str += ip;
+  if (v == 6) {
+    str += "]";
+  }
+  str += "/";
+
+  let uri = Services.io.newURI(str);
+  ok(!s.isSecureURI(uri));
+
+  let parsedMaxAge = {};
+  let parsedIncludeSubdomains = {};
+  s.processHeader(
+    uri,
+    "max-age=1000;includeSubdomains",
+    {},
+    parsedMaxAge,
+    parsedIncludeSubdomains
+  );
+  ok(
+    !s.isSecureURI(uri),
+    "URI should not be secure if it contains an IP address"
+  );
+
+  /* Test that processHeader will ignore headers for an uri, if the uri
+   * contains an IP address not a hostname.
+   * If processHeader indeed ignore the header, then the output parameters will
+   * remain empty, and we shouldn't see the values passed as the header.
+   */
+  notEqual(parsedMaxAge.value, 1000);
+  notEqual(parsedIncludeSubdomains.value, true);
+  notEqual(parsedMaxAge.value, undefined);
+  notEqual(parsedIncludeSubdomains.value, undefined);
+}
+
+function run_test() {
+  let SSService = Cc["@mozilla.org/ssservice;1"].getService(
+    Ci.nsISiteSecurityService
+  );
+
+  check_ip(SSService, 4, "127.0.0.1");
+  check_ip(SSService, 4, "10.0.0.1");
+  check_ip(SSService, 6, "2001:db8::1");
+  check_ip(SSService, 6, "1080::8:800:200C:417A");
+}
diff --git a/security/manager/ssl/tests/unit/test_sts_parser.js b/security/manager/ssl/tests/unit/test_sts_parser.js
new file mode 100644
index 0000000000..3d99a44e79
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sts_parser.js
@@ -0,0 +1,126 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+ * vim: sw=2 ts=2 sts=2
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+// STS parser tests
+
+let sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService);
+
+function testSuccess(header, expectedMaxAge, expectedIncludeSubdomains) {
+  let dummyUri = Services.io.newURI("https://foo.com/bar.html");
+  let maxAge = {};
+  let includeSubdomains = {};
+
+  sss.processHeader(dummyUri, header, {}, maxAge, includeSubdomains);
+
+  equal(maxAge.value, expectedMaxAge, "Did not correctly parse maxAge");
+  equal(
+    includeSubdomains.value,
+    expectedIncludeSubdomains,
+    "Did not correctly parse presence/absence of includeSubdomains"
+  );
+}
+
+function testFailure(header) {
+  let dummyUri = Services.io.newURI("https://foo.com/bar.html");
+  let maxAge = {};
+  let includeSubdomains = {};
+
+  throws(
+    () => {
+      sss.processHeader(dummyUri, header, {}, maxAge, includeSubdomains);
+    },
+    /NS_ERROR_FAILURE/,
+    "Parsed invalid header: " + header
+  );
+}
+
+function run_test() {
+  // SHOULD SUCCEED:
+  testSuccess("max-age=100", 100, false);
+  testSuccess("max-age  =100", 100, false);
+  testSuccess(" max-age=100", 100, false);
+  testSuccess("max-age = 100 ", 100, false);
+  testSuccess('max-age = "100" ', 100, false);
+  testSuccess('max-age="100"', 100, false);
+  testSuccess(' max-age ="100" ', 100, false);
+  testSuccess('\tmax-age\t=\t"100"\t', 100, false);
+  testSuccess("max-age  =       100             ", 100, false);
+
+  testSuccess("maX-aGe=100", 100, false);
+  testSuccess("MAX-age  =100", 100, false);
+  testSuccess("max-AGE=100", 100, false);
+  testSuccess("Max-Age = 100 ", 100, false);
+  testSuccess("MAX-AGE = 100 ", 100, false);
+
+  testSuccess("max-age=100;includeSubdomains", 100, true);
+  testSuccess("max-age=100\t; includeSubdomains", 100, true);
+  testSuccess(" max-age=100; includeSubdomains", 100, true);
+  testSuccess("max-age = 100 ; includeSubdomains", 100, true);
+  testSuccess(
+    "max-age  =       100             ; includeSubdomains",
+    100,
+    true
+  );
+
+  testSuccess("maX-aGe=100; includeSUBDOMAINS", 100, true);
+  testSuccess("MAX-age  =100; includeSubDomains", 100, true);
+  testSuccess("max-AGE=100; iNcLuDeSuBdoMaInS", 100, true);
+  testSuccess("Max-Age = 100; includesubdomains ", 100, true);
+  testSuccess("INCLUDESUBDOMAINS;MaX-AgE = 100 ", 100, true);
+  // Turns out, the actual directive is entirely optional (hence the
+  // trailing semicolon)
+  testSuccess("max-age=100;includeSubdomains;", 100, true);
+
+  // these are weird tests, but are testing that some extended syntax is
+  // still allowed (but it is ignored)
+  testSuccess("max-age=100 ; includesubdomainsSomeStuff", 100, false);
+  testSuccess(
+    "\r\n\t\t    \tcompletelyUnrelated = foobar; max-age= 34520103" +
+      "\t \t; alsoUnrelated;asIsThis;\tincludeSubdomains\t\t \t",
+    34520103,
+    true
+  );
+  testSuccess('max-age=100; unrelated="quoted \\"thingy\\""', 100, false);
+
+  // Test a max-age greater than 100 years. It will be capped at 100 years.
+  testSuccess("max-age=4294967296", 60 * 60 * 24 * 365 * 100, false);
+
+  // SHOULD FAIL:
+  // invalid max-ages
+  testFailure("max-age");
+  testFailure("max-age ");
+  testFailure("max-age=p");
+  testFailure("max-age=*1p2");
+  testFailure("max-age=.20032");
+  testFailure("max-age=!20032");
+  testFailure("max-age==20032");
+
+  // invalid headers
+  testFailure("foobar");
+  testFailure("maxage=100");
+  testFailure("maxa-ge=100");
+  testFailure("max-ag=100");
+  testFailure("includesubdomains");
+  testFailure(";");
+  testFailure('max-age="100');
+  // The max-age directive here doesn't conform to the spec, so it MUST
+  // be ignored. Consequently, the REQUIRED max-age directive is not
+  // present in this header, and so it is invalid.
+  testFailure("max-age=100, max-age=200; includeSubdomains");
+  testFailure("max-age=100 includesubdomains");
+  testFailure("max-age=100 bar foo");
+  testFailure("max-age=100randomstuffhere");
+  // All directives MUST appear only once in an STS header field.
+  testFailure("max-age=100; max-age=200");
+  testFailure("includeSubdomains; max-age=200; includeSubdomains");
+  testFailure("max-age=200; includeSubdomains; includeSubdomains");
+  // The includeSubdomains directive is valueless.
+  testFailure("max-age=100; includeSubdomains=unexpected");
+  // LWS must have at least one space or horizontal tab
+  testFailure("\r\nmax-age=200");
+}
diff --git a/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js b/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js
new file mode 100644
index 0000000000..6b1b4a5ba6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js
@@ -0,0 +1,269 @@
+"use strict";
+
+var gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+  Ci.nsISiteSecurityService
+);
+
+function Observer() {}
+Observer.prototype = {
+  observe(subject, topic, data) {
+    if (topic == "last-pb-context-exited") {
+      run_next_test();
+    }
+  },
+};
+
+var gObserver = new Observer();
+
+function cleanup() {
+  Services.obs.removeObserver(gObserver, "last-pb-context-exited");
+  gSSService.clearAll();
+}
+
+function run_test() {
+  do_get_profile();
+
+  registerCleanupFunction(cleanup);
+  Services.obs.addObserver(gObserver, "last-pb-context-exited");
+
+  add_test(test_part1);
+  add_test(test_private_browsing1);
+  add_test(test_private_browsing2);
+
+  run_next_test();
+}
+
+function test_part1() {
+  // check that a host not in the list is not identified as an sts host
+  ok(
+    !gSSService.isSecureURI(
+      Services.io.newURI("https://nonexistent.example.com")
+    )
+  );
+
+  // check that an ancestor domain is not identified as an sts host
+  ok(!gSSService.isSecureURI(Services.io.newURI("https://com")));
+
+  // check that the pref to toggle using the preload list works
+  Services.prefs.setBoolPref(
+    "network.stricttransportsecurity.preloadlist",
+    false
+  );
+  ok(
+    !gSSService.isSecureURI(
+      Services.io.newURI("https://includesubdomains.preloaded.test")
+    )
+  );
+  Services.prefs.setBoolPref(
+    "network.stricttransportsecurity.preloadlist",
+    true
+  );
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://includesubdomains.preloaded.test")
+    )
+  );
+
+  // check that a subdomain is an sts host (includeSubdomains is set)
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://subdomain.includesubdomains.preloaded.test")
+    )
+  );
+
+  // check that another subdomain is an sts host (includeSubdomains is set)
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://a.b.c.def.includesubdomains.preloaded.test")
+    )
+  );
+
+  // check that a subdomain is not an sts host (includeSubdomains is not set)
+  ok(
+    !gSSService.isSecureURI(
+      Services.io.newURI("https://subdomain.noincludesubdomains.preloaded.test")
+    )
+  );
+
+  // check that a host with a dot on the end won't break anything
+  ok(
+    !gSSService.isSecureURI(
+      Services.io.newURI("https://notsts.nonexistent.example.com.")
+    )
+  );
+
+  // check that processing a header with max-age: 0 will remove a preloaded
+  // site from the list
+  let uri = Services.io.newURI("https://includesubdomains.preloaded.test");
+  let subDomainUri = Services.io.newURI(
+    "https://subdomain.includesubdomains.preloaded.test"
+  );
+  gSSService.processHeader(uri, "max-age=0");
+  ok(!gSSService.isSecureURI(uri));
+  ok(!gSSService.isSecureURI(subDomainUri));
+  // check that processing another header (with max-age non-zero) will
+  // re-enable a site's sts status
+  gSSService.processHeader(uri, "max-age=1000");
+  ok(gSSService.isSecureURI(uri));
+  // but this time include subdomains was not set, so test for that
+  ok(!gSSService.isSecureURI(subDomainUri));
+  gSSService.clearAll();
+
+  // check that processing a header with max-age: 0 from a subdomain of a site
+  // will not remove that (ancestor) site from the list
+  uri = Services.io.newURI(
+    "https://subdomain.noincludesubdomains.preloaded.test"
+  );
+  gSSService.processHeader(uri, "max-age=0");
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://noincludesubdomains.preloaded.test")
+    )
+  );
+  ok(!gSSService.isSecureURI(uri));
+
+  uri = Services.io.newURI(
+    "https://subdomain.includesubdomains.preloaded.test"
+  );
+  gSSService.processHeader(uri, "max-age=0");
+  // we received a header with "max-age=0", so we have "no information"
+  // regarding the sts state of subdomain.includesubdomains.preloaded.test specifically,
+  // but it is actually still an STS host, because of the preloaded
+  // includesubdomains.preloaded.test including subdomains.
+  // Here's a drawing:
+  // |-- includesubdomains.preloaded.test (in preload list, includes subdomains) IS sts host
+  //     |-- subdomain.includesubdomains.preloaded.test                          IS sts host
+  //     |   `-- another.subdomain.includesubdomains.preloaded.test              IS sts host
+  //     `-- sibling.includesubdomains.preloaded.test                            IS sts host
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://includesubdomains.preloaded.test")
+    )
+  );
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://subdomain.includesubdomains.preloaded.test")
+    )
+  );
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://sibling.includesubdomains.preloaded.test")
+    )
+  );
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI(
+        "https://another.subdomain.includesubdomains.preloaded.test"
+      )
+    )
+  );
+
+  gSSService.processHeader(uri, "max-age=1000");
+  // Here's what we have now:
+  // |-- includesubdomains.preloaded.test (in preload list, includes subdomains) IS sts host
+  //     |-- subdomain.includesubdomains.preloaded.test (include subdomains is false) IS sts host
+  //     |   `-- another.subdomain.includesubdomains.preloaded.test              IS sts host
+  //     `-- sibling.includesubdomains.preloaded.test                            IS sts host
+  // Note that another.subdomain.includesubdomains.preloaded.test IS still an sts host, because
+  // there exists a superdomain that is sts and asserts includeSubdomains (namely,
+  // includesubdomains.preloaded.test)
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://subdomain.includesubdomains.preloaded.test")
+    )
+  );
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://sibling.includesubdomains.preloaded.test")
+    )
+  );
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI(
+        "https://another.subdomain.includesubdomains.preloaded.test"
+      )
+    )
+  );
+
+  // Test that an expired non-private browsing entry results in correctly
+  // identifying a host that is on the preload list as no longer sts.
+  // (This happens when we're in regular browsing mode, we get a header from
+  // a site on the preload list, and that header later expires. We need to
+  // then treat that host as no longer an sts host.)
+  // (sanity check first - this should be in the preload list)
+  uri = Services.io.newURI("https://includesubdomains2.preloaded.test");
+  ok(gSSService.isSecureURI(uri));
+  gSSService.processHeader(uri, "max-age=1");
+  do_timeout(1250, function () {
+    ok(!gSSService.isSecureURI(uri));
+    run_next_test();
+  });
+}
+
+const PRIVATE_ORIGIN_ATTRIBUTES = { privateBrowsingId: 1 };
+
+function test_private_browsing1() {
+  gSSService.clearAll();
+  let uri = Services.io.newURI("https://includesubdomains.preloaded.test");
+  let subDomainUri = Services.io.newURI(
+    "https://a.b.c.subdomain.includesubdomains.preloaded.test"
+  );
+  // sanity - includesubdomains.preloaded.test is preloaded, includeSubdomains set
+  ok(gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES));
+  ok(gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES));
+
+  gSSService.processHeader(uri, "max-age=0", PRIVATE_ORIGIN_ATTRIBUTES);
+  ok(!gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES));
+  ok(!gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES));
+
+  // check adding it back in
+  gSSService.processHeader(uri, "max-age=1000", PRIVATE_ORIGIN_ATTRIBUTES);
+  ok(gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES));
+  // but no includeSubdomains this time
+  ok(!gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES));
+
+  // do the hokey-pokey...
+  gSSService.processHeader(uri, "max-age=0", PRIVATE_ORIGIN_ATTRIBUTES);
+  ok(!gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES));
+  ok(!gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES));
+
+  // Test that an expired private browsing entry results in correctly
+  // identifying a host that is on the preload list as no longer sts.
+  // (This happens when we're in private browsing mode, we get a header from
+  // a site on the preload list, and that header later expires. We need to
+  // then treat that host as no longer an sts host.)
+  // (sanity check first - this should be in the preload list)
+  uri = Services.io.newURI("https://includesubdomains2.preloaded.test");
+  ok(gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES));
+  gSSService.processHeader(uri, "max-age=1", PRIVATE_ORIGIN_ATTRIBUTES);
+  do_timeout(1250, function () {
+    ok(!gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES));
+    // Simulate leaving private browsing mode
+    Services.obs.notifyObservers(null, "last-pb-context-exited");
+  });
+}
+
+function test_private_browsing2() {
+  // if this test gets this far, it means there's a private browsing service
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://includesubdomains.preloaded.test")
+    )
+  );
+  // the includesubdomains.preloaded.test entry has includeSubdomains set
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://subdomain.includesubdomains.preloaded.test")
+    )
+  );
+
+  // Now that we're out of private browsing mode, we need to make sure
+  // we've "forgotten" that we "forgot" this site's sts status.
+  ok(
+    gSSService.isSecureURI(
+      Services.io.newURI("https://includesubdomains2.preloaded.test")
+    )
+  );
+
+  run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js b/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js
new file mode 100644
index 0000000000..334fbf8a7b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js
@@ -0,0 +1,22 @@
+"use strict";
+
+function run_test() {
+  let SSService = Cc["@mozilla.org/ssservice;1"].getService(
+    Ci.nsISiteSecurityService
+  );
+  let uri = Services.io.newURI("https://includesubdomains.preloaded.test");
+
+  // check that a host on the preload list is identified as an sts host
+  ok(SSService.isSecureURI(uri));
+
+  // now simulate that it's 19 weeks later than it actually is
+  let offsetSeconds = 19 * 7 * 24 * 60 * 60;
+  Services.prefs.setIntPref("test.currentTimeOffsetSeconds", offsetSeconds);
+
+  // check that the preloaded host is no longer considered sts
+  ok(!SSService.isSecureURI(uri));
+
+  // just make sure we can get everything back to normal
+  Services.prefs.clearUserPref("test.currentTimeOffsetSeconds");
+  ok(SSService.isSecureURI(uri));
+}
diff --git a/security/manager/ssl/tests/unit/test_validity.js b/security/manager/ssl/tests/unit/test_validity.js
new file mode 100644
index 0000000000..e1ee44b060
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity.js
@@ -0,0 +1,106 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that chains containing an end-entity cert with an overly long validity
+// period are rejected.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+const SERVER_PORT = 8888;
+
+function getOCSPResponder(expectedCertNames) {
+  let expectedPaths = expectedCertNames.slice();
+  return startOCSPResponder(
+    SERVER_PORT,
+    "www.example.com",
+    "test_validity",
+    expectedCertNames,
+    expectedPaths
+  );
+}
+
+function certFromFile(filename) {
+  return constructCertFromFile(`test_validity/${filename}`);
+}
+
+function loadCert(certFilename, trustString) {
+  addCertFromFile(certDB, `test_validity/${certFilename}`, trustString);
+}
+
+/**
+ * Asynchronously runs a single EV test.
+ *
+ * @param {Array} expectedNamesForOCSP
+ *        An array of nicknames of the certs to be responded to.
+ * @param {string} rootCertFileName
+ *        The file name of the root cert. Can begin with ".." to reference
+ *        certs in folders other than "test_validity/".
+ * @param {Array} intCertFileNames
+ *        An array of file names of any intermediate certificates.
+ * @param {string} endEntityCertFileName
+ *        The file name of the end entity cert.
+ * @param {boolean} expectedResult
+ *        Whether the chain is expected to validate as EV.
+ */
+async function doEVTest(
+  expectedNamesForOCSP,
+  rootCertFileName,
+  intCertFileNames,
+  endEntityCertFileName,
+  expectedResult
+) {
+  clearOCSPCache();
+  let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
+
+  loadCert(`${rootCertFileName}.pem`, "CTu,CTu,CTu");
+  for (let intCertFileName of intCertFileNames) {
+    loadCert(`${intCertFileName}.pem`, ",,");
+  }
+  await checkEVStatus(
+    certDB,
+    certFromFile(`${endEntityCertFileName}.pem`),
+    certificateUsageSSLServer,
+    expectedResult
+  );
+
+  await stopOCSPResponder(ocspResponder);
+}
+
+async function checkEVChains() {
+  // Chain with an end entity cert with a validity period that is acceptable
+  // for EV.
+  const intFullName = "ev_int_60_months-evroot";
+  let eeFullName = `ev_ee_27_months-${intFullName}`;
+  let expectedNamesForOCSP = [eeFullName];
+  await doEVTest(
+    expectedNamesForOCSP,
+    "../test_ev_certs/evroot",
+    [intFullName],
+    eeFullName,
+    gEVExpected
+  );
+
+  // Chain with an end entity cert with a validity period that is too long
+  // for EV.
+  eeFullName = `ev_ee_28_months-${intFullName}`;
+  expectedNamesForOCSP = [eeFullName];
+  await doEVTest(
+    expectedNamesForOCSP,
+    "../test_ev_certs/evroot",
+    [intFullName],
+    eeFullName,
+    false
+  );
+}
+
+add_task(async function () {
+  Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+  await checkEVChains();
+});
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem
new file mode 100644
index 0000000000..cccff8d9eb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbTCCAlWgAwIBAgIUL3u0qxcophiFgaiJ2owryQeh3uwwDQYJKoZIhvcNAQEL
+BQAwIjEgMB4GA1UEAwwXZXZfaW50XzYwX21vbnRocy1ldnJvb3QwIhgPMjAyMTEx
+MTUxMjAwMDBaGA8yMDI0MDIxNjEyMDAwMFowMjEwMC4GA1UEAwwnZXZfZWVfMjdf
+bW9udGhzLWV2X2ludF82MF9tb250aHMtZXZyb290MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GGMIGDMGAGCCsG
+AQUFBwEBBFQwUjBQBggrBgEFBQcwAYZEaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4
+ODg4L2V2X2VlXzI3X21vbnRocy1ldl9pbnRfNjBfbW9udGhzLWV2cm9vdC8wHwYD
+VR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQELBQADggEB
+ABZH5/BLYkqjaKryxtGq1Yc6CbguhJUg4LfYfIT2ir/ehmvSOUAv0S8ZrLNmNmVn
+cDWDYehPoCuPlbuhgOpGM2+Oej+tWAA6k5SMZhOM0c/16x5Ljqc2ZtOL/JJwYV9z
+3YqW4TPWqdcARu7Ijf4cqonlZ+Uc398/wMiRlDQxOobtR+qN1QgyFri8Qnz22rBd
+JP+cRqjcyWAdhcHGT0c49dAk1fx7aO5zmithCJ6z+smrrruDms1aFb0kqi/TVkGv
+xYtvnkgdi09Pk6vXpX5JPwLBKPDawMBvZmlJSNfjCvDpoHhY6FCjyXFRQj6R7Uiq
+YP9z9sbvjS9D9lnYa3UjoGI=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec
new file mode 100644
index 0000000000..d2c7fa1275
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ev_int_60_months-evroot
+subject:ev_ee_27_months-ev_int_60_months-evroot
+validity:823
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_27_months-ev_int_60_months-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem
new file mode 100644
index 0000000000..5baed71ca9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbTCCAlWgAwIBAgIUZf3qHuuMLRALksijM8PX7b+F3DQwDQYJKoZIhvcNAQEL
+BQAwIjEgMB4GA1UEAwwXZXZfaW50XzYwX21vbnRocy1ldnJvb3QwIhgPMjAyMTEw
+MzEwMDAwMDBaGA8yMDI0MDMwMzAwMDAwMFowMjEwMC4GA1UEAwwnZXZfZWVfMjhf
+bW9udGhzLWV2X2ludF82MF9tb250aHMtZXZyb290MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB
+xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT
+qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5
+kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS
+wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk
+BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GGMIGDMGAGCCsG
+AQUFBwEBBFQwUjBQBggrBgEFBQcwAYZEaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4
+ODg4L2V2X2VlXzI4X21vbnRocy1ldl9pbnRfNjBfbW9udGhzLWV2cm9vdC8wHwYD
+VR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQELBQADggEB
+AGG25tskpdAYzSwgXWQ8hC8Z44pkYGVHpu7LfszA4WPM+17I8iczxqHa9vANvEfh
+g95QEuBbXVkp+W1aXvgDcA0ZyKumBRMrFFMapOapsqYMCSbMMjMtIhUwvAiJgPav
+nmyap+Q5Ds0PY1d+MCT3PZQBTfk6zfusUTWhgQIaNZxXG7b6pxZ8AvUuZoxG9AWh
+GuysraUJbUyFRfiM+YybbyldVDouFzaqSYh2Z6+/5bwf96AksVeepPLitNYibmsg
+qBQsFje/90X6FU+GcD1PV91cC2j7hdENgSkmAJilBMBl5LclXMSH/lN5lTpyYll4
+YPNbYKy+3n64n0+PfW/JTus=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec
new file mode 100644
index 0000000000..2dcfb2e29c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ev_int_60_months-evroot
+subject:ev_ee_28_months-ev_int_60_months-evroot
+validity:854
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_28_months-ev_int_60_months-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key.keyspec b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem
new file mode 100644
index 0000000000..e46a1bed99
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVzCCAj+gAwIBAgIUEY63P4X1xogoyQ0ncUXjGGmc63YwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjAwNzAyMTIwMDAwWhgPMjAyNTA3
+MDExMjAwMDBaMCIxIDAeBgNVBAMMF2V2X2ludF82MF9tb250aHMtZXZyb290MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08
+E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc
+1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP
+DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ
+gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV
+YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID
+AQABo4GRMIGOMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMFAGCCsGAQUFBwEB
+BEQwQjBABggrBgEFBQcwAYY0aHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2V2
+X2ludF82MF9tb250aHMtZXZyb290LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUa
+hRoBg3QJATANBgkqhkiG9w0BAQsFAAOCAQEAKiVH+FgOqh/HTMCPjgftKQ8icRJF
++TysMrjJTCZ+whi1uMtXNHZmWtckAd8xEjor4qhO3K8gaZv3wm56t6FPZp9zWNO2
+QYbNeWwex6Dd9uIl0h2/uCTnUAjBGjPcNZngYMVh5NANQ1vRcnZ4CalBew9oPQwG
+EEd2uerN+ikXUTAQD4Z1MuSZSoRaWw6vAB5sooFWc8TqDfWdAVtv+R7pKezIV76f
+3Pas+Tci+CeUkwSRCTKPAy3aqygtaD4ZGq9d6n9pBoxEHg8iJs7iMUaJCy7HTYUj
+t1Xou5AMJwEHm2OA+J9/okPxI1acDjTIxgkvLkmAYT6ieQsOXw5lpd2WxA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem.certspec
new file mode 100644
index 0000000000..e169514ffa
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem.certspec
@@ -0,0 +1,8 @@
+issuer:evroot
+subject:ev_int_60_months-evroot
+issuerKey:ev
+validity:1825
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/ev_int_60_months-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.key b/security/manager/ssl/tests/unit/test_validity/evroot.key
new file mode 100644
index 0000000000..1d88a930d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/evroot.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh
++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU
+dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H
+cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y
+1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t
+oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ
+5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB
+0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+
++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE
+vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9
+HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE
+MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V
+vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV
+7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH
+lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V
+jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv
+nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui
+p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ
+zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v
+4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA
+hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C
+pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV
+bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3
+mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j
+LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf
+UVFRDKpassHG6z7+kpXRbowlyRY=
+-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.key.keyspec b/security/manager/ssl/tests/unit/test_validity/evroot.key.keyspec
new file mode 100644
index 0000000000..1a3d76a550
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/evroot.key.keyspec
@@ -0,0 +1 @@
+ev
diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.pem b/security/manager/ssl/tests/unit/test_validity/evroot.pem
new file mode 100644
index 0000000000..13c3031905
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/evroot.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx
+MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/
+EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN
+RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s
+33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd
+Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX
++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+
+5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo
+UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf
+cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY
+Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH
+z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH
+HmbOwao=
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/evroot.pem.certspec
new file mode 100644
index 0000000000..3121f3486e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/evroot.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:evroot
+subjectKey:ev
+issuerKey:ev
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_x509.js b/security/manager/ssl/tests/unit/test_x509.js
new file mode 100644
index 0000000000..89fd01e819
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_x509.js
@@ -0,0 +1,124 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+// Tests X509.jsm functionality.
+
+function stringToArray(s) {
+  let b = [];
+  for (let i = 0; i < s.length; i++) {
+    b.push(s.charCodeAt(i));
+  }
+  return b;
+}
+
+function readPEMToBytes(filename) {
+  return stringToArray(atob(pemToBase64(readFile(do_get_file(filename)))));
+}
+
+function run_test() {
+  let certificate = new X509.Certificate();
+  // We use this certificate because it has a set validity period, which means that when
+  // the test certificates get regenerated each year, the values in this test won't change.
+  certificate.parse(readPEMToBytes("bad_certs/expired-ee.pem"));
+
+  equal(
+    certificate.tbsCertificate.version,
+    3,
+    "expired-ee.pem should be x509v3"
+  );
+
+  // serialNumber
+  deepEqual(
+    certificate.tbsCertificate.serialNumber,
+    [
+      0x63, 0xd1, 0x11, 0x00, 0x82, 0xa3, 0xd2, 0x3b, 0x3f, 0x61, 0xb8, 0x49,
+      0xa0, 0xca, 0xdc, 0x2e, 0x78, 0xfe, 0xfa, 0xea,
+    ],
+    "expired-ee.pem should have expected serialNumber"
+  );
+
+  deepEqual(
+    certificate.tbsCertificate.signature.algorithm._values,
+    [1, 2, 840, 113549, 1, 1, 11], // sha256WithRSAEncryption
+    "expired-ee.pem should have sha256WithRSAEncryption signature"
+  );
+  deepEqual(
+    certificate.tbsCertificate.signature.parameters._contents,
+    [],
+    "expired-ee.pem should have NULL parameters for signature"
+  );
+
+  equal(
+    certificate.tbsCertificate.issuer.rdns.length,
+    1,
+    "expired-ee.pem should have one RDN in issuer"
+  );
+  equal(
+    certificate.tbsCertificate.issuer.rdns[0].avas.length,
+    1,
+    "expired-ee.pem should have one AVA in RDN in issuer"
+  );
+  deepEqual(
+    certificate.tbsCertificate.issuer.rdns[0].avas[0].value.value,
+    stringToArray("Test CA"),
+    "expired-ee.pem should have issuer 'Test CA'"
+  );
+
+  equal(
+    certificate.tbsCertificate.validity.notBefore.time.getTime(),
+    Date.parse("2013-01-01T00:00:00.000Z"),
+    "expired-ee.pem should have the correct value for notBefore"
+  );
+  equal(
+    certificate.tbsCertificate.validity.notAfter.time.getTime(),
+    Date.parse("2014-01-01T00:00:00.000Z"),
+    "expired-ee.pem should have the correct value for notAfter"
+  );
+
+  equal(
+    certificate.tbsCertificate.subject.rdns.length,
+    1,
+    "expired-ee.pem should have one RDN in subject"
+  );
+  equal(
+    certificate.tbsCertificate.subject.rdns[0].avas.length,
+    1,
+    "expired-ee.pem should have one AVA in RDN in subject"
+  );
+  deepEqual(
+    certificate.tbsCertificate.subject.rdns[0].avas[0].value.value,
+    stringToArray("Expired Test End-entity"),
+    "expired-ee.pem should have subject 'Expired Test End-entity'"
+  );
+
+  deepEqual(
+    certificate.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm._values,
+    [1, 2, 840, 113549, 1, 1, 1], // rsaEncryption
+    "expired-ee.pem should have a spki algorithm of rsaEncryption"
+  );
+
+  equal(
+    certificate.tbsCertificate.extensions.length,
+    2,
+    "expired-ee.pem should have two extensions"
+  );
+
+  deepEqual(
+    certificate.signatureAlgorithm.algorithm._values,
+    [1, 2, 840, 113549, 1, 1, 11], // sha256WithRSAEncryption
+    "expired-ee.pem should have sha256WithRSAEncryption signatureAlgorithm"
+  );
+  deepEqual(
+    certificate.signatureAlgorithm.parameters._contents,
+    [],
+    "expired-ee.pem should have NULL parameters for signatureAlgorithm"
+  );
+
+  equal(
+    certificate.signatureValue.length,
+    2048 / 8,
+    "length of signature on expired-ee.pem should be 2048 bits"
+  );
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp
new file mode 100644
index 0000000000..1ccd5e876b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp
@@ -0,0 +1,141 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a standalone server that uses various bad certificates.
+// The client is expected to connect, initiate an SSL handshake (with SNI
+// to indicate which "server" to connect to), and verify the certificate.
+// If all is good, the client then sends one encrypted byte and receives that
+// same byte back.
+// This server also has the ability to "call back" another process waiting on
+// it. That is, when the server is all set up and ready to receive connections,
+// it will connect to a specified port and issue a simple HTTP request.
+
+#include <stdio.h>
+
+#include "TLSServer.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+struct BadCertAndPinningHost {
+  const char* mHostName;
+  const char* mCertName;
+};
+
+// Hostname, cert nickname pairs.
+const BadCertAndPinningHost sBadCertAndPinningHosts[] = {
+    {"expired.example.com", "expired-ee"},
+    {"notyetvalid.example.com", "notYetValid"},
+    {"before-epoch.example.com", "beforeEpoch"},
+    {"before-epoch-self-signed.example.com", "beforeEpochSelfSigned"},
+    {"selfsigned.example.com", "selfsigned"},
+    {"unknownissuer.example.com", "unknownissuer"},
+    {"mismatch.example.com", "mismatch"},
+    {"mismatch-CN.example.com", "mismatchCN"},
+    {"mitm.example.com", "mitm"},
+    {"expiredissuer.example.com", "expiredissuer"},
+    {"notyetvalidissuer.example.com", "notYetValidIssuer"},
+    {"before-epoch-issuer.example.com", "beforeEpochIssuer"},
+    {"md5signature.example.com", "md5signature"},
+    {"untrusted.example.com", "default-ee"},
+    {"untrustedissuer.example.com", "untrustedissuer"},
+    {"mismatch-expired.example.com", "mismatch-expired"},
+    {"mismatch-notYetValid.example.com", "mismatch-notYetValid"},
+    {"mismatch-untrusted.example.com", "mismatch-untrusted"},
+    {"untrusted-expired.example.com", "untrusted-expired"},
+    {"md5signature-expired.example.com", "md5signature-expired"},
+    {"mismatch-untrusted-expired.example.com", "mismatch-untrusted-expired"},
+    {"inadequatekeyusage.example.com", "inadequatekeyusage-ee"},
+    {"selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU"},
+    {"self-signed-end-entity-with-cA-true.example.com",
+     "self-signed-EE-with-cA-true"},
+    {"ca-used-as-end-entity.example.com", "ca-used-as-end-entity"},
+    {"ca-used-as-end-entity-name-mismatch.example.com",
+     "ca-used-as-end-entity"},
+    // All of include-subdomains.pinning.example.com is pinned to End Entity
+    // Test Cert with nick default-ee. Any other nick will only
+    // pass pinning when security.cert_pinning.enforcement.level != strict and
+    // otherCA is added as a user-specified trust anchor. See StaticHPKPins.h.
+    {"include-subdomains.pinning.example.com", "default-ee"},
+    {"good.include-subdomains.pinning.example.com", "default-ee"},
+    {"bad.include-subdomains.pinning.example.com", "other-issuer-ee"},
+    {"bad.include-subdomains.pinning.example.com.", "other-issuer-ee"},
+    {"bad.include-subdomains.pinning.example.com..", "other-issuer-ee"},
+    {"exclude-subdomains.pinning.example.com", "default-ee"},
+    {"sub.exclude-subdomains.pinning.example.com", "other-issuer-ee"},
+    {"test-mode.pinning.example.com", "other-issuer-ee"},
+    {"unknownissuer.include-subdomains.pinning.example.com", "unknownissuer"},
+    {"unknownissuer.test-mode.pinning.example.com", "unknownissuer"},
+    {"nsCertTypeNotCritical.example.com", "nsCertTypeNotCritical"},
+    {"nsCertTypeCriticalWithExtKeyUsage.example.com",
+     "nsCertTypeCriticalWithExtKeyUsage"},
+    {"nsCertTypeCritical.example.com", "nsCertTypeCritical"},
+    {"end-entity-issued-by-v1-cert.example.com", "eeIssuedByV1Cert"},
+    {"end-entity-issued-by-non-CA.example.com", "eeIssuedByNonCA"},
+    {"inadequate-key-size-ee.example.com", "inadequateKeySizeEE"},
+    {"badSubjectAltNames.example.com", "badSubjectAltNames"},
+    {"ipAddressAsDNSNameInSAN.example.com", "ipAddressAsDNSNameInSAN"},
+    {"noValidNames.example.com", "noValidNames"},
+    {"bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", "idn-certificate"},
+    {"emptyissuername.example.com", "emptyIssuerName"},
+    {"ev-test.example.com", "ev-test"},
+    {"ee-from-missing-intermediate.example.com",
+     "ee-from-missing-intermediate"},
+    {"imminently-distrusted.example.com", "ee-imminently-distrusted"},
+    {"localhost", "unknownissuer"},
+    {"a.pinning.example.com", "default-ee"},
+    {"b.pinning.example.com", "default-ee"},
+    {"not-preloaded.example.com", "default-ee"},
+    {"ee.example.com", "default-ee"},
+    {nullptr, nullptr}};
+
+int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd,
+                                     const SECItem* aSrvNameArr,
+                                     uint32_t aSrvNameArrSize) {
+  for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
+    UniquePORTString name(
+        static_cast<char*>(PORT_ZAlloc(aSrvNameArr[i].len + 1)));
+    if (name) {
+      PORT_Memcpy(name.get(), aSrvNameArr[i].data, aSrvNameArr[i].len);
+      if (ConfigSecureServerWithNamedCert(aFd, name.get(), nullptr, nullptr,
+                                          nullptr) == SECSuccess) {
+        return 0;
+      }
+    }
+  }
+
+  return SSL_SNI_SEND_ALERT;
+}
+
+int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+                          uint32_t aSrvNameArrSize, void* aArg) {
+  const BadCertAndPinningHost* host =
+      GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sBadCertAndPinningHosts);
+  if (!host) {
+    // No static cert <-> hostname mapping found. This happens when we use a
+    // collection of certificates in a given directory and build a cert DB at
+    // runtime, rather than using an NSS cert DB populated at build time.
+    // (This will be the default in the future.)
+    // For all given server names, check if the runtime-built cert DB contains
+    // a certificate with a matching subject CN.
+    return DoSNISocketConfigBySubjectCN(aFd, aSrvNameArr, aSrvNameArrSize);
+  }
+
+  if (gDebugLevel >= DEBUG_VERBOSE) {
+    fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+  }
+
+  UniqueCERTCertificate cert;
+  SSLKEAType certKEA;
+  if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert,
+                                                    &certKEA, nullptr)) {
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  return 0;
+}
+
+int main(int argc, char* argv[]) {
+  return StartServer(argc, argv, DoSNISocketConfig, nullptr);
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/DelegatedCredentialsServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/DelegatedCredentialsServer.cpp
new file mode 100644
index 0000000000..5f12756425
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/DelegatedCredentialsServer.cpp
@@ -0,0 +1,142 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a standalone server used to test Delegated Credentials
+// (see: https://tools.ietf.org/html/draft-ietf-tls-subcerts-03).
+//
+// The client is expected to connect, initiate an SSL handshake (with SNI
+// to indicate which "server" to connect to), and verify the certificate.
+// If all is good, the client then sends one encrypted byte and receives that
+// same byte back.
+// This server also has the ability to "call back" another process waiting on
+// it. That is, when the server is all set up and ready to receive connections,
+// it will connect to a specified port and issue a simple HTTP request.
+
+#include <iostream>
+
+#include "TLSServer.h"
+
+#include "sslexp.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+struct DelegatedCertHost {
+  const char* mHostName;
+  const char* mCertName;
+  const char* mDCKeyNick;
+  bool mEnableDelegatedCredentials;
+};
+
+const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */;
+
+// {host, eeCert, dcCert, enableDC}
+const DelegatedCertHost sDelegatedCertHosts[] = {
+    {"delegated-enabled.example.com", "delegated-ee", "delegated.key", true},
+    {"standard-enabled.example.com", "default-ee", "delegated.key", true},
+    {"delegated-disabled.example.com", "delegated-ee",
+     /* anything non-null */ "delegated.key", false},
+    {nullptr, nullptr, nullptr, false}};
+
+int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+                          uint32_t aSrvNameArrSize, void* aArg) {
+  const DelegatedCertHost* host =
+      GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sDelegatedCertHosts);
+  if (!host) {
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  if (gDebugLevel >= DEBUG_VERBOSE) {
+    std::cerr << "Identified host " << host->mHostName << std::endl;
+  }
+
+  UniqueCERTCertificate delegatorCert(
+      PK11_FindCertFromNickname(host->mCertName, nullptr));
+  if (!delegatorCert) {
+    PrintPRError("PK11_FindCertFromNickname failed");
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+  if (!slot) {
+    PrintPRError("PK11_GetInternalKeySlot failed");
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  SSLExtraServerCertData extra_data = {ssl_auth_null,
+                                       /* Filled in by callee */ nullptr,
+                                       nullptr,
+                                       nullptr,
+                                       /* DC */ nullptr,
+                                       /* DC PrivKey */ nullptr};
+
+  UniqueSECKEYPrivateKey delegatorPriv(
+      PK11_FindKeyByDERCert(slot.get(), delegatorCert.get(), nullptr));
+  if (!delegatorPriv) {
+    PrintPRError("PK11_FindKeyByDERCert failed");
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  // Find the DC keypair by the file (nick) name.
+  ScopedAutoSECItem dc;
+  UniqueSECKEYPrivateKey dcPriv;
+  if (host->mEnableDelegatedCredentials) {
+    if (gDebugLevel >= DEBUG_VERBOSE) {
+      std::cerr << "Enabling a delegated credential for host "
+                << host->mHostName << std::endl;
+    }
+
+    if (PK11_NeedLogin(slot.get())) {
+      SECStatus rv = PK11_Authenticate(slot.get(), PR_TRUE, nullptr);
+      if (rv != SECSuccess) {
+        PrintPRError("PK11_Authenticate failed");
+        return SSL_SNI_SEND_ALERT;
+      }
+    }
+    UniqueSECKEYPrivateKeyList list(PK11_ListPrivKeysInSlot(
+        slot.get(), const_cast<char*>(host->mDCKeyNick), nullptr));
+    if (!list) {
+      PrintPRError("PK11_ListPrivKeysInSlot failed");
+      return SSL_SNI_SEND_ALERT;
+    }
+    SECKEYPrivateKeyListNode* node = PRIVKEY_LIST_HEAD(list);
+
+    dcPriv.reset(SECKEY_CopyPrivateKey(node->key));
+    if (!dcPriv) {
+      PrintPRError("PK11_ListPrivKeysInSlot could not find dcPriv");
+      return SSL_SNI_SEND_ALERT;
+    }
+
+    UniqueSECKEYPublicKey dcPub(SECKEY_ConvertToPublicKey(dcPriv.get()));
+    if (!dcPub) {
+      PrintPRError("SECKEY_ConvertToPublicKey failed");
+      return SSL_SNI_SEND_ALERT;
+    }
+
+    // Create and set the DC.
+    if (SSL_DelegateCredential(delegatorCert.get(), delegatorPriv.get(),
+                               dcPub.get(), ssl_sig_ecdsa_secp384r1_sha384,
+                               kDCValidFor, PR_Now(), &dc) != SECSuccess) {
+      PrintPRError("SSL_DelegateCredential failed");
+      return SSL_SNI_SEND_ALERT;
+    }
+    extra_data.delegCred = &dc;
+    extra_data.delegCredPrivKey = dcPriv.get();
+
+    // The list should only have a single key.
+    PORT_Assert(PRIVKEY_LIST_END(PRIVKEY_LIST_NEXT(node), list));
+  }
+
+  if (ConfigSecureServerWithNamedCert(aFd, host->mCertName, nullptr, nullptr,
+                                      &extra_data) != SECSuccess) {
+    PrintPRError("ConfigSecureServerWithNamedCert failed");
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  return 0;
+}
+
+int main(int argc, char* argv[]) {
+  return StartServer(argc, argv, DoSNISocketConfig, nullptr);
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/EncryptedClientHelloServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/EncryptedClientHelloServer.cpp
new file mode 100644
index 0000000000..fd284874b3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/EncryptedClientHelloServer.cpp
@@ -0,0 +1,178 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a standalone server that offers TLS 1.3 Encrypted
+// Client Hello support.
+
+#include <stdio.h>
+
+#include "nspr.h"
+#include "ScopedNSSTypes.h"
+#include "ssl.h"
+#include "sslexp.h"
+#include "TLSServer.h"
+#include <pk11pub.h>
+#include <vector>
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+struct EchHost {
+  const char* mHostName;
+  const char* mCertName;
+};
+
+const std::vector<uint32_t> kSuiteChaCha = {
+    (static_cast<uint32_t>(HpkeKdfHkdfSha256) << 16) |
+    HpkeAeadChaCha20Poly1305};
+
+// Hostname, cert nickname pairs.
+const EchHost sEchHosts[] = {{"ech-public.example.com", "default-ee"},
+                             {"ech-private.example.com", "private-ee"},
+                             {"selfsigned.example.com", "selfsigned"},
+                             {nullptr, nullptr}};
+
+int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd,
+                                     const SECItem* aSrvNameArr,
+                                     uint32_t aSrvNameArrSize) {
+  for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
+    UniquePORTString name(
+        static_cast<char*>(PORT_ZAlloc(aSrvNameArr[i].len + 1)));
+    if (name) {
+      PORT_Memcpy(name.get(), aSrvNameArr[i].data, aSrvNameArr[i].len);
+      if (ConfigSecureServerWithNamedCert(aFd, name.get(), nullptr, nullptr,
+                                          nullptr) == SECSuccess) {
+        return 0;
+      }
+    }
+  }
+
+  return SSL_SNI_SEND_ALERT;
+}
+
+int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+                          uint32_t aSrvNameArrSize, void* aArg) {
+  const EchHost* host = GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sEchHosts);
+  if (!host) {
+    PrintPRError("No cert found for hostname");
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  if (gDebugLevel >= DEBUG_VERBOSE) {
+    fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+  }
+
+  UniqueCERTCertificate cert;
+  SSLKEAType certKEA;
+  if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert,
+                                                    &certKEA, nullptr)) {
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  return 0;
+}
+
+int32_t SetAlpnOptions(PRFileDesc* aFd, uint8_t flags) {
+  const std::vector<uint8_t> http1 = {0x08, 0x68, 0x74, 0x74, 0x70,
+                                      0x2f, 0x31, 0x2e, 0x31};
+  const std::vector<uint8_t> http2 = {0x02, 0x68, 0x32};
+  const std::vector<uint8_t> http3 = {0x02, 0x68, 0x33};
+  std::vector<uint8_t> alpnVec = {};
+  if (flags & 0b001) {
+    alpnVec.insert(alpnVec.end(), http1.begin(), http1.end());
+  }
+  if (flags & 0b010) {
+    alpnVec.insert(alpnVec.end(), http2.begin(), http2.end());
+  }
+  if (flags & 0b100) {
+    alpnVec.insert(alpnVec.end(), http3.begin(), http3.end());
+  }
+  fprintf(stderr, "ALPN Flags: %u\n", flags);
+  fprintf(stderr, "ALPN length: %zu\n", alpnVec.size());
+  if (SSL_SetNextProtoNego(aFd, alpnVec.data(), alpnVec.size()) != SECSuccess) {
+    fprintf(stderr, "Setting ALPN failed!\n");
+    return 1;
+  }
+
+  return 0;
+}
+
+SECStatus ConfigureServer(PRFileDesc* aFd) {
+  const char* alpnFlag = PR_GetEnv("MOZ_TLS_ECH_ALPN_FLAG");
+  if (alpnFlag) {
+    uint8_t flag = atoi(alpnFlag);
+    SetAlpnOptions(aFd, flag);
+  }
+
+  UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+  if (!slot) {
+    PrintPRError("PK11_GetInternalKeySlot failed");
+    return SECFailure;
+  }
+
+  UniqueSECKEYPublicKey pubKey;
+  UniqueSECKEYPrivateKey privKey;
+  SECKEYPublicKey* tmpPubKey = nullptr;
+  SECKEYPrivateKey* tmpPrivKey = nullptr;
+
+  static const std::vector<uint8_t> pkcs8{
+      0x30, 0x67, 0x02, 0x01, 0x00, 0x30, 0x14, 0x06, 0x07, 0x2a, 0x86, 0x48,
+      0xce, 0x3d, 0x02, 0x01, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xda,
+      0x47, 0x0f, 0x01, 0x04, 0x4c, 0x30, 0x4a, 0x02, 0x01, 0x01, 0x04, 0x20,
+      0x8c, 0x49, 0x0e, 0x5b, 0x0c, 0x7d, 0xbe, 0x0c, 0x6d, 0x21, 0x92, 0x48,
+      0x4d, 0x2b, 0x7a, 0x04, 0x23, 0xb3, 0xb4, 0x54, 0x4f, 0x24, 0x81, 0x09,
+      0x5a, 0x99, 0xdb, 0xf2, 0x38, 0xfb, 0x35, 0x0f, 0xa1, 0x23, 0x03, 0x21,
+      0x00, 0x8a, 0x07, 0x56, 0x39, 0x49, 0xfa, 0xc6, 0x23, 0x29, 0x36, 0xed,
+      0x6f, 0x36, 0xc4, 0xfa, 0x73, 0x59, 0x30, 0xec, 0xde, 0xae, 0xf6, 0x73,
+      0x4e, 0x31, 0x4a, 0xea, 0xc3, 0x5a, 0x56, 0xfd, 0x0a};
+
+  SECItem pkcs8Item = {siBuffer, const_cast<uint8_t*>(pkcs8.data()),
+                       static_cast<unsigned int>(pkcs8.size())};
+  SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
+      slot.get(), &pkcs8Item, nullptr, nullptr, false, false, KU_ALL,
+      &tmpPrivKey, nullptr);
+
+  if (rv != SECSuccess) {
+    PrintPRError("PK11_ImportDERPrivateKeyInfoAndReturnKey failed");
+    return SECFailure;
+  }
+  privKey.reset(tmpPrivKey);
+  tmpPubKey = SECKEY_ConvertToPublicKey(privKey.get());
+  pubKey.reset(tmpPubKey);
+
+  if (!privKey || !pubKey) {
+    PrintPRError("ECH/HPKE Public or Private key is null!");
+    return SECFailure;
+  }
+
+  std::vector<uint8_t> echConfig(1000, 0);
+  unsigned int len = 0;
+  const PRUint8 configId = 77;
+  const HpkeSymmetricSuite echCipherSuite = {HpkeKdfHkdfSha256,
+                                             HpkeAeadChaCha20Poly1305};
+  rv = SSL_EncodeEchConfigId(configId, "ech-public.example.com", 100,
+                             HpkeDhKemX25519Sha256, pubKey.get(),
+                             &echCipherSuite, 1, echConfig.data(), &len,
+                             echConfig.size());
+  if (rv != SECSuccess) {
+    PrintPRError("SSL_EncodeEchConfig failed");
+    return rv;
+  }
+
+  rv = SSL_SetServerEchConfigs(aFd, pubKey.get(), privKey.get(),
+                               echConfig.data(), len);
+  if (rv != SECSuccess) {
+    PrintPRError("SSL_SetServerEchConfigs failed");
+    return rv;
+  }
+
+  return SECSuccess;
+}
+
+int main(int argc, char* argv[]) {
+  int rv = StartServer(argc, argv, DoSNISocketConfig, nullptr, ConfigureServer);
+  if (rv < 0) {
+    return rv;
+  }
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp
new file mode 100644
index 0000000000..4d30f8a87a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp
@@ -0,0 +1,206 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <stdio.h>
+
+#include "nspr.h"
+#include "ScopedNSSTypes.h"
+#include "ssl.h"
+#include "ssl3prot.h"
+#include "sslexp.h"
+#include "sslimpl.h"
+#include "TLSServer.h"
+
+#include "mozilla/Sprintf.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+enum FaultType {
+  None = 0,
+  ZeroRtt,
+  UnknownSNI,
+};
+
+struct FaultyServerHost {
+  const char* mHostName;
+  const char* mCertName;
+  FaultType mFaultType;
+};
+
+const char* kHostOk = "ok.example.com";
+const char* kHostUnknown = "unknown.example.com";
+const char* kHostZeroRttAlertBadMac = "0rtt-alert-bad-mac.example.com";
+const char* kHostZeroRttAlertVersion =
+    "0rtt-alert-protocol-version.example.com";
+const char* kHostZeroRttAlertUnexpected = "0rtt-alert-unexpected.example.com";
+const char* kHostZeroRttAlertDowngrade = "0rtt-alert-downgrade.example.com";
+
+const char* kCertWildcard = "default-ee";
+
+/* Each type of failure gets a different SNI.
+ * the "default-ee" cert has a SAN for *.example.com
+ * the "no-san-ee" cert is signed by the test-ca, but it doesn't have any SANs.
+ */
+const FaultyServerHost sFaultyServerHosts[]{
+    {kHostOk, kCertWildcard, None},
+    {kHostUnknown, kCertWildcard, UnknownSNI},
+    {kHostZeroRttAlertBadMac, kCertWildcard, ZeroRtt},
+    {kHostZeroRttAlertVersion, kCertWildcard, ZeroRtt},
+    {kHostZeroRttAlertUnexpected, kCertWildcard, ZeroRtt},
+    {kHostZeroRttAlertDowngrade, kCertWildcard, ZeroRtt},
+    {nullptr, nullptr},
+};
+
+nsresult SendAll(PRFileDesc* aSocket, const char* aData, size_t aDataLen) {
+  if (gDebugLevel >= DEBUG_VERBOSE) {
+    fprintf(stderr, "sending '%s'\n", aData);
+  }
+
+  int32_t len = static_cast<int32_t>(aDataLen);
+  while (len > 0) {
+    int32_t bytesSent = PR_Send(aSocket, aData, len, 0, PR_INTERVAL_NO_TIMEOUT);
+    if (bytesSent == -1) {
+      PrintPRError("PR_Send failed");
+      return NS_ERROR_FAILURE;
+    }
+
+    len -= bytesSent;
+    aData += bytesSent;
+  }
+
+  return NS_OK;
+}
+
+// returns 0 on success, non-zero on error
+int DoCallback(const char* path) {
+  UniquePRFileDesc socket(PR_NewTCPSocket());
+  if (!socket) {
+    PrintPRError("PR_NewTCPSocket failed");
+    return 1;
+  }
+
+  uint32_t port = 0;
+  const char* callbackPort = PR_GetEnv("FAULTY_SERVER_CALLBACK_PORT");
+  if (callbackPort) {
+    port = atoi(callbackPort);
+  }
+  if (!port) {
+    return 0;
+  }
+
+  PRNetAddr addr;
+  PR_InitializeNetAddr(PR_IpAddrLoopback, port, &addr);
+  if (PR_Connect(socket.get(), &addr, PR_INTERVAL_NO_TIMEOUT) != PR_SUCCESS) {
+    PrintPRError("PR_Connect failed");
+    return 1;
+  }
+
+  char request[512];
+  SprintfLiteral(request, "GET %s HTTP/1.0\r\n\r\n", path);
+  SendAll(socket.get(), request, strlen(request));
+  char buf[4096];
+  memset(buf, 0, sizeof(buf));
+  int32_t bytesRead =
+      PR_Recv(socket.get(), buf, sizeof(buf) - 1, 0, PR_INTERVAL_NO_TIMEOUT);
+  if (bytesRead < 0) {
+    PrintPRError("PR_Recv failed 1");
+    return 1;
+  }
+  if (bytesRead == 0) {
+    fprintf(stderr, "PR_Recv eof 1\n");
+    return 1;
+  }
+  // fprintf(stderr, "%s\n", buf);
+  return 0;
+}
+
+/* These are very rough examples. In practice the `arg` parameter to a callback
+ * might need to be an object that holds some state, like the various traffic
+ * secrets. */
+
+/* An SSLSecretCallback is called after every key derivation step in the TLS
+ * 1.3 key schedule.
+ *
+ * Epoch 1 is for the early traffic secret.
+ * Epoch 2 is for the handshake traffic secrets.
+ * Epoch 3 is for the application traffic secrets.
+ */
+void SecretCallbackFailZeroRtt(PRFileDesc* fd, PRUint16 epoch,
+                               SSLSecretDirection dir, PK11SymKey* secret,
+                               void* arg) {
+  fprintf(stderr, "0RTT handler epoch=%d dir=%d\n", epoch, (uint32_t)dir);
+  FaultyServerHost* host = static_cast<FaultyServerHost*>(arg);
+
+  if (epoch == 1 && dir == ssl_secret_read) {
+    sslSocket* ss = ssl_FindSocket(fd);
+    if (!ss) {
+      fprintf(stderr, "0RTT handler, no ss!\n");
+      return;
+    }
+
+    char path[256];
+    SprintfLiteral(path, "/callback/%d", epoch);
+    DoCallback(path);
+
+    fprintf(stderr, "0RTT handler, configuring alert\n");
+    if (!strcmp(host->mHostName, kHostZeroRttAlertBadMac)) {
+      SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
+    } else if (!strcmp(host->mHostName, kHostZeroRttAlertVersion)) {
+      SSL3_SendAlert(ss, alert_fatal, protocol_version);
+    } else if (!strcmp(host->mHostName, kHostZeroRttAlertUnexpected)) {
+      SSL3_SendAlert(ss, alert_fatal, no_alert);
+    }
+  }
+}
+
+/* An SSLRecordWriteCallback can replace the TLS record layer. */
+SECStatus WriteCallbackExample(PRFileDesc* fd, PRUint16 epoch,
+                               SSLContentType contentType, const PRUint8* data,
+                               unsigned int len, void* arg) {
+  /* do something */
+  return SECSuccess;
+}
+
+int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+                          uint32_t aSrvNameArrSize, void* aArg) {
+  const FaultyServerHost* host =
+      GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sFaultyServerHosts);
+  if (!host || host->mFaultType == UnknownSNI) {
+    PrintPRError("No cert found for hostname");
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  if (gDebugLevel >= DEBUG_VERBOSE) {
+    fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+  }
+
+  switch (host->mFaultType) {
+    case ZeroRtt:
+      SSL_SecretCallback(aFd, &SecretCallbackFailZeroRtt, (void*)host);
+      break;
+    case None:
+      break;
+    default:
+      break;
+  }
+
+  UniqueCERTCertificate cert;
+  SSLKEAType certKEA;
+  if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert,
+                                                    &certKEA, nullptr)) {
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  return 0;
+}
+
+SECStatus ConfigureServer(PRFileDesc* aFd) { return SECSuccess; }
+
+int main(int argc, char* argv[]) {
+  int rv = StartServer(argc, argv, DoSNISocketConfig, nullptr, ConfigureServer);
+  if (rv < 0) {
+    return rv;
+  }
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp
new file mode 100644
index 0000000000..113e668f89
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp
@@ -0,0 +1,168 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 sw=2 tw=80 et: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* This simple program takes a database directory, and one or more tuples like
+ * <typeOfResponse> <CertNick> <ExtraCertNick> <outPutFilename>
+ * to generate (one or more) ocsp responses.
+ */
+
+#include <stdio.h>
+#include <string>
+#include <vector>
+
+#include "mozilla/ArrayUtils.h"
+
+#include "cert.h"
+#include "nspr.h"
+#include "nss.h"
+#include "plarenas.h"
+#include "prerror.h"
+#include "ssl.h"
+#include "secerr.h"
+
+#include "OCSPCommon.h"
+#include "ScopedNSSTypes.h"
+#include "TLSServer.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+struct OCSPResponseName {
+  const char* mTypeString;
+  const OCSPResponseType mORT;
+};
+
+const static OCSPResponseName kOCSPResponseNameList[] = {
+    {"good", ORTGood},                         // the certificate is good
+    {"good-delegated", ORTDelegatedIncluded},  // the certificate is good, using
+                                               // a delegated signer
+    {"revoked", ORTRevoked},                // the certificate has been revoked
+    {"unknown", ORTUnknown},                // the responder doesn't know if the
+                                            //   cert is good
+    {"goodotherca", ORTGoodOtherCA},        // the wrong CA has signed the
+                                            //   response
+    {"expiredresponse", ORTExpired},        // the signature on the response has
+                                            //   expired
+    {"oldvalidperiod", ORTExpiredFreshCA},  // fresh signature, but old validity
+                                            //   period
+    {"empty", ORTEmpty},                    // an empty stapled response
+
+    {"malformed", ORTMalformed},         // the response from the responder
+                                         //   was malformed
+    {"serverr", ORTSrverr},              // the response indicates there was a
+                                         //   server error
+    {"trylater", ORTTryLater},           // the responder replied with
+                                         //   "try again later"
+    {"resp-unsigned", ORTNeedsSig},      // the response needs a signature
+    {"unauthorized", ORTUnauthorized},   // the responder does not know about
+                                         //   the cert
+    {"bad-signature", ORTBadSignature},  // the response has a bad signature
+    {"longvalidityalmostold",
+     ORTLongValidityAlmostExpired},  // the response is
+                                     // still valid, but the generation
+                                     // is almost a year old
+    {"ancientstillvalid", ORTAncientAlmostExpired},  // The response is still
+                                                     // valid but the generation
+                                                     // is almost two years old
+};
+
+bool StringToOCSPResponseType(const char* respText,
+                              /*out*/ OCSPResponseType* OCSPType) {
+  if (!OCSPType) {
+    return false;
+  }
+  for (auto ocspResponseName : kOCSPResponseNameList) {
+    if (strcmp(respText, ocspResponseName.mTypeString) == 0) {
+      *OCSPType = ocspResponseName.mORT;
+      return true;
+    }
+  }
+  return false;
+}
+
+bool WriteResponse(const char* filename, const SECItem* item) {
+  if (!filename || !item || !item->data) {
+    PR_fprintf(PR_STDERR, "invalid parameters to WriteResponse");
+    return false;
+  }
+
+  UniquePRFileDesc outFile(
+      PR_Open(filename, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 0644));
+  if (!outFile) {
+    PrintPRError("cannot open file for writing");
+    return false;
+  }
+  int32_t rv = PR_Write(outFile.get(), item->data, item->len);
+  if (rv < 0 || (uint32_t)rv != item->len) {
+    PrintPRError("File write failure");
+    return false;
+  }
+
+  return true;
+}
+
+int main(int argc, char* argv[]) {
+  if (argc < 7 || (argc - 7) % 5 != 0) {
+    PR_fprintf(
+        PR_STDERR,
+        "usage: %s <NSS DB directory> <responsetype> "
+        "<cert_nick> <extranick> <this_update_skew> <outfilename> [<resptype> "
+        "<cert_nick> <extranick> <this_update_skew> <outfilename>]* \n",
+        argv[0]);
+    exit(EXIT_FAILURE);
+  }
+  SECStatus rv = InitializeNSS(argv[1]);
+  if (rv != SECSuccess) {
+    PR_fprintf(PR_STDERR, "Failed to initialize NSS\n");
+    exit(EXIT_FAILURE);
+  }
+  UniquePLArenaPool arena(PORT_NewArena(256 * argc));
+  if (!arena) {
+    PrintPRError("PORT_NewArena failed");
+    exit(EXIT_FAILURE);
+  }
+
+  for (int i = 2; i + 3 < argc; i += 5) {
+    const char* ocspTypeText = argv[i];
+    const char* certNick = argv[i + 1];
+    const char* extraCertname = argv[i + 2];
+    const char* skewChars = argv[i + 3];
+    const char* filename = argv[i + 4];
+
+    OCSPResponseType ORT;
+    if (!StringToOCSPResponseType(ocspTypeText, &ORT)) {
+      PR_fprintf(PR_STDERR, "Cannot generate OCSP response of type %s\n",
+                 ocspTypeText);
+      exit(EXIT_FAILURE);
+    }
+
+    UniqueCERTCertificate cert(PK11_FindCertFromNickname(certNick, nullptr));
+    if (!cert) {
+      PrintPRError("PK11_FindCertFromNickname failed");
+      PR_fprintf(PR_STDERR, "Failed to find certificate with nick '%s'\n",
+                 certNick);
+      exit(EXIT_FAILURE);
+    }
+
+    time_t skew = static_cast<time_t>(atoll(skewChars));
+
+    SECItemArray* response =
+        GetOCSPResponseForType(ORT, cert, arena, extraCertname, skew);
+    if (!response) {
+      PR_fprintf(PR_STDERR,
+                 "Failed to generate OCSP response of type %s "
+                 "for %s\n",
+                 ocspTypeText, certNick);
+      exit(EXIT_FAILURE);
+    }
+
+    if (!WriteResponse(filename, &response->items[0])) {
+      PR_fprintf(PR_STDERR, "Failed to write file %s\n", filename);
+      exit(EXIT_FAILURE);
+    }
+  }
+  return 0;
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp
new file mode 100644
index 0000000000..b35484572f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp
@@ -0,0 +1,153 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a standalone server that delivers various stapled OCSP responses.
+// The client is expected to connect, initiate an SSL handshake (with SNI
+// to indicate which "server" to connect to), and verify the OCSP response.
+// If all is good, the client then sends one encrypted byte and receives that
+// same byte back.
+// This server also has the ability to "call back" another process waiting on
+// it. That is, when the server is all set up and ready to receive connections,
+// it will connect to a specified port and issue a simple HTTP request.
+
+#include <stdio.h>
+
+#include "OCSPCommon.h"
+#include "TLSServer.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+const OCSPHost sOCSPHosts[] = {
+    {"ocsp-stapling-good.example.com", ORTGood, nullptr, nullptr},
+    {"ocsp-stapling-revoked.example.com", ORTRevoked, nullptr, nullptr},
+    {"ocsp-stapling-revoked-old.example.com", ORTRevokedOld, nullptr, nullptr},
+    {"ocsp-stapling-unknown.example.com", ORTUnknown, nullptr, nullptr},
+    {"ocsp-stapling-unknown-old.example.com", ORTUnknownOld, nullptr, nullptr},
+    {"ocsp-stapling-good-other.example.com", ORTGoodOtherCert,
+     "ocspOtherEndEntity", nullptr},
+    {"ocsp-stapling-good-other-ca.example.com", ORTGoodOtherCA, "other-test-ca",
+     nullptr},
+    {"ocsp-stapling-expired.example.com", ORTExpired, nullptr, nullptr},
+    {"ocsp-stapling-expired-fresh-ca.example.com", ORTExpiredFreshCA, nullptr,
+     nullptr},
+    {"ocsp-stapling-none.example.com", ORTNone, nullptr, nullptr},
+    {"ocsp-stapling-empty.example.com", ORTEmpty, nullptr, nullptr},
+    {"ocsp-stapling-malformed.example.com", ORTMalformed, nullptr, nullptr},
+    {"ocsp-stapling-srverr.example.com", ORTSrverr, nullptr, nullptr},
+    {"ocsp-stapling-trylater.example.com", ORTTryLater, nullptr, nullptr},
+    {"ocsp-stapling-needssig.example.com", ORTNeedsSig, nullptr, nullptr},
+    {"ocsp-stapling-unauthorized.example.com", ORTUnauthorized, nullptr,
+     nullptr},
+    {"ocsp-stapling-with-intermediate.example.com", ORTGood, nullptr,
+     "ocspEEWithIntermediate"},
+    {"ocsp-stapling-bad-signature.example.com", ORTBadSignature, nullptr,
+     nullptr},
+    {"ocsp-stapling-skip-responseBytes.example.com", ORTSkipResponseBytes,
+     nullptr, nullptr},
+    {"ocsp-stapling-critical-extension.example.com", ORTCriticalExtension,
+     nullptr, nullptr},
+    {"ocsp-stapling-noncritical-extension.example.com", ORTNoncriticalExtension,
+     nullptr, nullptr},
+    {"ocsp-stapling-empty-extensions.example.com", ORTEmptyExtensions, nullptr,
+     nullptr},
+    {"ocsp-stapling-delegated-included.example.com", ORTDelegatedIncluded,
+     "delegatedSigner", nullptr},
+    {"ocsp-stapling-delegated-included-last.example.com",
+     ORTDelegatedIncludedLast, "delegatedSigner", nullptr},
+    {"ocsp-stapling-delegated-missing.example.com", ORTDelegatedMissing,
+     "delegatedSigner", nullptr},
+    {"ocsp-stapling-delegated-missing-multiple.example.com",
+     ORTDelegatedMissingMultiple, "delegatedSigner", nullptr},
+    {"ocsp-stapling-delegated-no-extKeyUsage.example.com", ORTDelegatedIncluded,
+     "invalidDelegatedSignerNoExtKeyUsage", nullptr},
+    {"ocsp-stapling-delegated-from-intermediate.example.com",
+     ORTDelegatedIncluded, "invalidDelegatedSignerFromIntermediate", nullptr},
+    {"ocsp-stapling-delegated-keyUsage-crlSigning.example.com",
+     ORTDelegatedIncluded, "invalidDelegatedSignerKeyUsageCrlSigning", nullptr},
+    {"ocsp-stapling-delegated-wrong-extKeyUsage.example.com",
+     ORTDelegatedIncluded, "invalidDelegatedSignerWrongExtKeyUsage", nullptr},
+    {"ocsp-stapling-ancient-valid.example.com", ORTAncientAlmostExpired,
+     nullptr, nullptr},
+    {"keysize-ocsp-delegated.example.com", ORTDelegatedIncluded,
+     "rsa-1016-keysizeDelegatedSigner", nullptr},
+    {"revoked-ca-cert-used-as-end-entity.example.com", ORTRevoked,
+     "ca-used-as-end-entity", nullptr},
+    {"ocsp-stapling-must-staple.example.com", ORTGood, nullptr,
+     "must-staple-ee"},
+    {"ocsp-stapling-must-staple-revoked.example.com", ORTRevoked, nullptr,
+     "must-staple-ee"},
+    {"ocsp-stapling-must-staple-missing.example.com", ORTNone, nullptr,
+     "must-staple-ee"},
+    {"ocsp-stapling-must-staple-empty.example.com", ORTEmpty, nullptr,
+     "must-staple-ee"},
+    {"ocsp-stapling-must-staple-ee-with-must-staple-int.example.com", ORTGood,
+     nullptr, "must-staple-ee-with-must-staple-int"},
+    {"ocsp-stapling-plain-ee-with-must-staple-int.example.com", ORTGood,
+     nullptr, "must-staple-missing-ee"},
+    {"ocsp-stapling-must-staple-expired.example.com", ORTExpired, nullptr,
+     "must-staple-ee"},
+    {"ocsp-stapling-must-staple-try-later.example.com", ORTTryLater, nullptr,
+     "must-staple-ee"},
+    {"ocsp-stapling-must-staple-invalid-signer.example.com", ORTGoodOtherCA,
+     "other-test-ca", "must-staple-ee"},
+    {"multi-tls-feature-good.example.com", ORTNone, nullptr,
+     "multi-tls-feature-good-ee"},
+    {"multi-tls-feature-bad.example.com", ORTNone, nullptr,
+     "multi-tls-feature-bad-ee"},
+    {nullptr, ORTNull, nullptr, nullptr}};
+
+int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+                          uint32_t aSrvNameArrSize, void* aArg) {
+  const OCSPHost* host =
+      GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sOCSPHosts);
+  if (!host) {
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  if (gDebugLevel >= DEBUG_VERBOSE) {
+    fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+  }
+
+  const char* certNickname =
+      host->mServerCertName ? host->mServerCertName : DEFAULT_CERT_NICKNAME;
+
+  UniqueCERTCertificate cert;
+  SSLKEAType certKEA;
+  if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, certNickname, &cert,
+                                                    &certKEA, nullptr)) {
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  // If the OCSP response type is "none", don't staple a response.
+  if (host->mORT == ORTNone) {
+    return 0;
+  }
+
+  UniquePLArenaPool arena(PORT_NewArena(1024));
+  if (!arena) {
+    PrintPRError("PORT_NewArena failed");
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  // response is contained by the arena - freeing the arena will free it
+  SECItemArray* response = GetOCSPResponseForType(host->mORT, cert, arena,
+                                                  host->mAdditionalCertName, 0);
+  if (!response) {
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  // SSL_SetStapledOCSPResponses makes a deep copy of response
+  SECStatus st = SSL_SetStapledOCSPResponses(aFd, response, certKEA);
+  if (st != SECSuccess) {
+    PrintPRError("SSL_SetStapledOCSPResponses failed");
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  return 0;
+}
+
+int main(int argc, char* argv[]) {
+  return StartServer(argc, argv, DoSNISocketConfig, nullptr);
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp
new file mode 100644
index 0000000000..9371617305
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp
@@ -0,0 +1,87 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a standalone server that uses various bad certificates.
+// The client is expected to connect, initiate an SSL handshake (with SNI
+// to indicate which "server" to connect to), and verify the certificate.
+// If all is good, the client then sends one encrypted byte and receives that
+// same byte back.
+// This server also has the ability to "call back" another process waiting on
+// it. That is, when the server is all set up and ready to receive connections,
+// it will connect to a specified port and issue a simple HTTP request.
+
+#include <stdio.h>
+
+#include "TLSServer.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+struct SanctionsCertHost {
+  const char* mHostName;
+  const char* mCertName;
+};
+
+// Hostname, cert nickname pairs.
+const SanctionsCertHost sSanctionsCertHosts[] = {
+    {"symantec-allowlist-after-cutoff.example.com",
+     "symantec-ee-from-allowlist-after-cutoff"},
+    {"symantec-allowlist-before-cutoff.example.com",
+     "symantec-ee-from-allowlist-before-cutoff"},
+    {"symantec-not-allowlisted-after-cutoff.example.com",
+     "symantec-ee-not-allowlisted-after-cutoff"},
+    {"symantec-not-allowlisted-before-cutoff.example.com",
+     "symantec-ee-not-allowlisted-before-cutoff"},
+    {"symantec-unaffected.example.com", "symantec-ee-unaffected"},
+    {nullptr, nullptr}};
+
+int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd,
+                                     const SECItem* aSrvNameArr,
+                                     uint32_t aSrvNameArrSize) {
+  for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
+    UniquePORTString name(
+        static_cast<char*>(PORT_ZAlloc(aSrvNameArr[i].len + 1)));
+    if (name) {
+      PORT_Memcpy(name.get(), aSrvNameArr[i].data, aSrvNameArr[i].len);
+      if (ConfigSecureServerWithNamedCert(aFd, name.get(), nullptr, nullptr,
+                                          nullptr) == SECSuccess) {
+        return 0;
+      }
+    }
+  }
+
+  return SSL_SNI_SEND_ALERT;
+}
+
+int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+                          uint32_t aSrvNameArrSize, void* aArg) {
+  const SanctionsCertHost* host =
+      GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sSanctionsCertHosts);
+  if (!host) {
+    // No static cert <-> hostname mapping found. This happens when we use a
+    // collection of certificates in a given directory and build a cert DB at
+    // runtime, rather than using an NSS cert DB populated at build time.
+    // (This will be the default in the future.)
+    // For all given server names, check if the runtime-built cert DB contains
+    // a certificate with a matching subject CN.
+    return DoSNISocketConfigBySubjectCN(aFd, aSrvNameArr, aSrvNameArrSize);
+  }
+
+  if (gDebugLevel >= DEBUG_VERBOSE) {
+    fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+  }
+
+  UniqueCERTCertificate cert;
+  SSLKEAType certKEA;
+  if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert,
+                                                    &certKEA, nullptr)) {
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  return 0;
+}
+
+int main(int argc, char* argv[]) {
+  return StartServer(argc, argv, DoSNISocketConfig, nullptr);
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build b/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
new file mode 100644
index 0000000000..ebf8f8e3e7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
@@ -0,0 +1,45 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+GeckoSimplePrograms(
+    [
+        "BadCertAndPinningServer",
+        "DelegatedCredentialsServer",
+        "EncryptedClientHelloServer",
+        "GenerateOCSPResponse",
+        "OCSPStaplingServer",
+        "SanctionsTestServer",
+    ],
+    linkage=None,
+)
+
+if not CONFIG["MOZ_SYSTEM_NSS"]:
+    # Bug 1805371. See comment in ../lib/moz.build
+    GeckoSimplePrograms(
+        [
+            "FaultyServer",
+        ],
+        linkage=None,
+    )
+
+    DEFINES["NSS_USE_STATIC_LIBS"] = True
+
+    LOCAL_INCLUDES += [
+        "../../../../../../nss/lib/ssl",
+        "../lib",
+    ]
+    USE_LIBS += [
+        "tlsserver",
+    ]
+else:
+    LOCAL_INCLUDES += [
+        "../lib",
+    ]
+    USE_LIBS += ["mozpkix", "nspr", "nss", "tlsserver"]
+
+
+if CONFIG["MOZ_WIDGET_TOOLKIT"] == "gtk":
+    CXXFLAGS += CONFIG["MOZ_GTK3_CFLAGS"]
diff --git a/security/manager/ssl/tests/unit/tlsserver/default-ee.der b/security/manager/ssl/tests/unit/tlsserver/default-ee.der
new file mode 100644
index 0000000000..3a9b8fa9bc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/default-ee.der
@@ -0,0 +1,3 @@
+This is now an unused file. It exists to ease the coordination between gecko
+development trees and the automation infrastructure that runs periodic updates.
+See bug 1203312 and bug 1205406.
diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
new file mode 100644
index 0000000000..be9a9af9b1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
@@ -0,0 +1,204 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "OCSPCommon.h"
+
+#include <stdio.h>
+
+#include "mozpkix/test/pkixtestutil.h"
+#include "mozpkix/test/pkixtestnss.h"
+#include "TLSServer.h"
+#include "secder.h"
+#include "secerr.h"
+
+using namespace mozilla;
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+using namespace mozilla::test;
+
+static TestKeyPair* CreateTestKeyPairFromCert(
+    const UniqueCERTCertificate& cert) {
+  ScopedSECKEYPrivateKey privateKey(PK11_FindKeyByAnyCert(cert.get(), nullptr));
+  if (!privateKey) {
+    return nullptr;
+  }
+  ScopedSECKEYPublicKey publicKey(CERT_ExtractPublicKey(cert.get()));
+  if (!publicKey) {
+    return nullptr;
+  }
+  return CreateTestKeyPair(RSA_PKCS1(), publicKey, privateKey);
+}
+
+SECItemArray* GetOCSPResponseForType(OCSPResponseType aORT,
+                                     const UniqueCERTCertificate& aCert,
+                                     const UniquePLArenaPool& aArena,
+                                     const char* aAdditionalCertName,
+                                     time_t aThisUpdateSkew) {
+  MOZ_ASSERT(aArena);
+  MOZ_ASSERT(aCert);
+  // Note: |aAdditionalCertName| may or may not need to be non-null depending
+  //       on the |aORT| value given.
+
+  if (aORT == ORTNone) {
+    if (gDebugLevel >= DEBUG_WARNINGS) {
+      fprintf(stderr,
+              "GetOCSPResponseForType called with type ORTNone, "
+              "which makes no sense.\n");
+    }
+    return nullptr;
+  }
+
+  if (aORT == ORTEmpty) {
+    SECItemArray* arr = SECITEM_AllocArray(aArena.get(), nullptr, 1);
+    arr->items[0].data = nullptr;
+    arr->items[0].len = 0;
+    return arr;
+  }
+
+  time_t now = time(nullptr) + aThisUpdateSkew;
+  time_t oldNow = now - (8 * Time::ONE_DAY_IN_SECONDS);
+
+  mozilla::UniqueCERTCertificate cert(CERT_DupCertificate(aCert.get()));
+
+  if (aORT == ORTGoodOtherCert) {
+    cert.reset(PK11_FindCertFromNickname(aAdditionalCertName, nullptr));
+    if (!cert) {
+      PrintPRError("PK11_FindCertFromNickname failed");
+      return nullptr;
+    }
+  }
+  // XXX CERT_FindCertIssuer uses the old, deprecated path-building logic
+  mozilla::UniqueCERTCertificate issuerCert(
+      CERT_FindCertIssuer(aCert.get(), PR_Now(), certUsageSSLCA));
+  if (!issuerCert) {
+    PrintPRError("CERT_FindCertIssuer failed");
+    return nullptr;
+  }
+  Input issuer;
+  if (issuer.Init(cert->derIssuer.data, cert->derIssuer.len) != Success) {
+    return nullptr;
+  }
+  Input issuerPublicKey;
+  if (issuerPublicKey.Init(issuerCert->derPublicKey.data,
+                           issuerCert->derPublicKey.len) != Success) {
+    return nullptr;
+  }
+  Input serialNumber;
+  if (serialNumber.Init(cert->serialNumber.data, cert->serialNumber.len) !=
+      Success) {
+    return nullptr;
+  }
+  CertID certID(issuer, issuerPublicKey, serialNumber);
+  OCSPResponseContext context(certID, now);
+
+  mozilla::UniqueCERTCertificate signerCert;
+  if (aORT == ORTGoodOtherCA || aORT == ORTDelegatedIncluded ||
+      aORT == ORTDelegatedIncludedLast || aORT == ORTDelegatedMissing ||
+      aORT == ORTDelegatedMissingMultiple) {
+    signerCert.reset(PK11_FindCertFromNickname(aAdditionalCertName, nullptr));
+    if (!signerCert) {
+      PrintPRError("PK11_FindCertFromNickname failed");
+      return nullptr;
+    }
+  }
+
+  ByteString certs[5];
+
+  if (aORT == ORTDelegatedIncluded) {
+    certs[0].assign(signerCert->derCert.data, signerCert->derCert.len);
+    context.certs = certs;
+  }
+  if (aORT == ORTDelegatedIncludedLast || aORT == ORTDelegatedMissingMultiple) {
+    certs[0].assign(issuerCert->derCert.data, issuerCert->derCert.len);
+    certs[1].assign(cert->derCert.data, cert->derCert.len);
+    certs[2].assign(issuerCert->derCert.data, issuerCert->derCert.len);
+    if (aORT != ORTDelegatedMissingMultiple) {
+      certs[3].assign(signerCert->derCert.data, signerCert->derCert.len);
+    }
+    context.certs = certs;
+  }
+
+  switch (aORT) {
+    case ORTMalformed:
+      context.responseStatus = 1;
+      break;
+    case ORTSrverr:
+      context.responseStatus = 2;
+      break;
+    case ORTTryLater:
+      context.responseStatus = 3;
+      break;
+    case ORTNeedsSig:
+      context.responseStatus = 5;
+      break;
+    case ORTUnauthorized:
+      context.responseStatus = 6;
+      break;
+    default:
+      // context.responseStatus is 0 in all other cases, and it has
+      // already been initialized in the constructor.
+      break;
+  }
+  if (aORT == ORTSkipResponseBytes) {
+    context.skipResponseBytes = true;
+  }
+  if (aORT == ORTExpired || aORT == ORTExpiredFreshCA ||
+      aORT == ORTRevokedOld || aORT == ORTUnknownOld) {
+    context.thisUpdate = oldNow;
+    context.nextUpdate = oldNow + Time::ONE_DAY_IN_SECONDS;
+  }
+  if (aORT == ORTLongValidityAlmostExpired) {
+    context.thisUpdate = now - (320 * Time::ONE_DAY_IN_SECONDS);
+  }
+  if (aORT == ORTAncientAlmostExpired) {
+    context.thisUpdate = now - (640 * Time::ONE_DAY_IN_SECONDS);
+  }
+  if (aORT == ORTRevoked || aORT == ORTRevokedOld) {
+    context.certStatus = 1;
+  }
+  if (aORT == ORTUnknown || aORT == ORTUnknownOld) {
+    context.certStatus = 2;
+  }
+  if (aORT == ORTBadSignature) {
+    context.badSignature = true;
+  }
+  OCSPResponseExtension extension;
+  if (aORT == ORTCriticalExtension || aORT == ORTNoncriticalExtension) {
+    // python DottedOIDToCode.py --tlv
+    // some-Mozilla-OID 1.3.6.1.4.1.13769.666.666.666.1.500.9.2
+    static const uint8_t tlv_some_Mozilla_OID[] = {
+        0x06, 0x12, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xeb, 0x49, 0x85,
+        0x1a, 0x85, 0x1a, 0x85, 0x1a, 0x01, 0x83, 0x74, 0x09, 0x02};
+
+    extension.id.assign(tlv_some_Mozilla_OID, sizeof(tlv_some_Mozilla_OID));
+    extension.critical = (aORT == ORTCriticalExtension);
+    extension.value.push_back(0x05);  // tag: NULL
+    extension.value.push_back(0x00);  // length: 0
+    extension.next = nullptr;
+    context.responseExtensions = &extension;
+  }
+  if (aORT == ORTEmptyExtensions) {
+    context.includeEmptyExtensions = true;
+  }
+
+  if (!signerCert) {
+    signerCert.reset(CERT_DupCertificate(issuerCert.get()));
+  }
+  context.signerKeyPair.reset(CreateTestKeyPairFromCert(signerCert));
+  if (!context.signerKeyPair) {
+    PrintPRError("PK11_FindKeyByAnyCert failed");
+    return nullptr;
+  }
+
+  ByteString response(CreateEncodedOCSPResponse(context));
+  if (ENCODING_FAILED(response)) {
+    PrintPRError("CreateEncodedOCSPResponse failed");
+    return nullptr;
+  }
+
+  SECItem item = {siBuffer, const_cast<uint8_t*>(response.data()),
+                  static_cast<unsigned int>(response.length())};
+  SECItemArray arr = {&item, 1};
+  return SECITEM_DupArray(aArena.get(), &arr);
+}
diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h
new file mode 100644
index 0000000000..c72eae6a8e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h
@@ -0,0 +1,66 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// Implements generating OCSP responses of various types. Used by the
+// programs in tlsserver/cmd.
+
+#ifndef OCSPCommon_h
+#define OCSPCommon_h
+
+#include "ScopedNSSTypes.h"
+#include "certt.h"
+#include "seccomon.h"
+
+enum OCSPResponseType {
+  ORTNull = 0,
+  ORTGood,               // the certificate is good
+  ORTRevoked,            // the certificate has been revoked
+  ORTRevokedOld,         // same, but the response is old
+  ORTUnknown,            // the responder doesn't know if the cert is good
+  ORTUnknownOld,         // same, but the response is old
+  ORTGoodOtherCert,      // the response references a different certificate
+  ORTGoodOtherCA,        // the wrong CA has signed the response
+  ORTExpired,            // the signature on the response has expired
+  ORTExpiredFreshCA,     // fresh signature, but old validity period
+  ORTNone,               // no stapled response
+  ORTEmpty,              // an empty stapled response
+  ORTMalformed,          // the response from the responder was malformed
+  ORTSrverr,             // the response indicates there was a server error
+  ORTTryLater,           // the responder replied with "try again later"
+  ORTNeedsSig,           // the response needs a signature
+  ORTUnauthorized,       // the responder is not authorized for this certificate
+  ORTBadSignature,       // the response has a signature that does not verify
+  ORTSkipResponseBytes,  // the response does not include responseBytes
+  ORTCriticalExtension,  // the response includes a critical extension
+  ORTNoncriticalExtension,  // the response includes an extension that is not
+                            // critical
+  ORTEmptyExtensions,  // the response includes a SEQUENCE OF Extension that is
+                       // empty
+  ORTDelegatedIncluded,      // the response is signed by an included delegated
+                             // responder
+  ORTDelegatedIncludedLast,  // same, but multiple other certificates are
+                             // included
+  ORTDelegatedMissing,  // the response is signed by a not included delegated
+                        // responder
+  ORTDelegatedMissingMultiple,   // same, but multiple other certificates are
+                                 // included
+  ORTLongValidityAlmostExpired,  // a good response, but that was generated a
+                                 // almost a year ago
+  ORTAncientAlmostExpired,  // a good response, with a validity of almost two
+                            // years almost expiring
+};
+
+struct OCSPHost {
+  const char* mHostName;
+  OCSPResponseType mORT;
+  const char* mAdditionalCertName;  // useful for ORTGoodOtherCert, etc.
+  const char* mServerCertName;
+};
+
+SECItemArray* GetOCSPResponseForType(
+    OCSPResponseType aORT, const mozilla::UniqueCERTCertificate& aCert,
+    const mozilla::UniquePLArenaPool& aArena, const char* aAdditionalCertName,
+    time_t aThisUpdateSkew);
+
+#endif  // OCSPCommon_h
diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp
new file mode 100644
index 0000000000..401b982346
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp
@@ -0,0 +1,692 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "TLSServer.h"
+
+#include <stdio.h>
+#include <string>
+#include <thread>
+#include <vector>
+#include <fstream>
+#include <iostream>
+#ifdef XP_WIN
+#  include <windows.h>
+#else
+#  include <unistd.h>
+#endif
+
+#include <utility>
+
+#include "base64.h"
+#include "mozilla/Sprintf.h"
+#include "nspr.h"
+#include "nss.h"
+#include "plarenas.h"
+#include "prenv.h"
+#include "prerror.h"
+#include "prnetdb.h"
+#include "prtime.h"
+#include "ssl.h"
+#include "sslexp.h"
+#include "sslproto.h"
+
+namespace mozilla {
+namespace test {
+
+static const uint16_t LISTEN_PORT = 8443;
+
+SSLAntiReplayContext* antiReplay = nullptr;
+
+DebugLevel gDebugLevel = DEBUG_ERRORS;
+uint16_t gCallbackPort = 0;
+
+const std::string kPEMBegin = "-----BEGIN ";
+const std::string kPEMEnd = "-----END ";
+const char DEFAULT_CERT_NICKNAME[] = "default-ee";
+
+struct Connection {
+  PRFileDesc* mSocket;
+  char mByte;
+
+  explicit Connection(PRFileDesc* aSocket);
+  ~Connection();
+};
+
+Connection::Connection(PRFileDesc* aSocket) : mSocket(aSocket), mByte(0) {}
+
+Connection::~Connection() {
+  if (mSocket) {
+    PR_Close(mSocket);
+  }
+}
+
+void PrintPRError(const char* aPrefix) {
+  const char* err = PR_ErrorToName(PR_GetError());
+  if (err) {
+    if (gDebugLevel >= DEBUG_ERRORS) {
+      fprintf(stderr, "%s: %s\n", aPrefix, err);
+    }
+  } else {
+    if (gDebugLevel >= DEBUG_ERRORS) {
+      fprintf(stderr, "%s\n", aPrefix);
+    }
+  }
+}
+
+// This decodes a PEM file into `item`. The line endings need to be
+// UNIX-style, or there will be cross-platform issues.
+static bool DecodePEMFile(const std::string& filename, SECItem* item) {
+  std::ifstream in(filename);
+  if (in.bad()) {
+    return false;
+  }
+
+  char buf[1024];
+  in.getline(buf, sizeof(buf));
+  if (in.bad()) {
+    return false;
+  }
+
+  if (strncmp(buf, kPEMBegin.c_str(), kPEMBegin.size()) != 0) {
+    return false;
+  }
+
+  std::string value;
+  for (;;) {
+    in.getline(buf, sizeof(buf));
+    if (in.bad()) {
+      return false;
+    }
+
+    if (strncmp(buf, kPEMEnd.c_str(), kPEMEnd.size()) == 0) {
+      break;
+    }
+
+    value += buf;
+  }
+
+  unsigned int binLength;
+  UniquePORTString bin(BitwiseCast<char*, unsigned char*>(
+      ATOB_AsciiToData(value.c_str(), &binLength)));
+  if (!bin || binLength == 0) {
+    PrintPRError("ATOB_AsciiToData failed");
+    return false;
+  }
+
+  if (SECITEM_AllocItem(nullptr, item, binLength) == nullptr) {
+    return false;
+  }
+
+  PORT_Memcpy(item->data, bin.get(), binLength);
+  return true;
+}
+
+static SECStatus AddKeyFromFile(const std::string& path,
+                                const std::string& filename) {
+  ScopedAutoSECItem item;
+
+  std::string file = path + "/" + filename;
+  if (!DecodePEMFile(file, &item)) {
+    return SECFailure;
+  }
+
+  UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+  if (!slot) {
+    PrintPRError("PK11_GetInternalKeySlot failed");
+    return SECFailure;
+  }
+
+  if (PK11_NeedUserInit(slot.get())) {
+    if (PK11_InitPin(slot.get(), nullptr, nullptr) != SECSuccess) {
+      PrintPRError("PK11_InitPin failed");
+      return SECFailure;
+    }
+  }
+
+  SECKEYPrivateKey* privateKey = nullptr;
+  SECItem nick = {siBuffer,
+                  BitwiseCast<unsigned char*, const char*>(filename.data()),
+                  static_cast<unsigned int>(filename.size())};
+  if (PK11_ImportDERPrivateKeyInfoAndReturnKey(
+          slot.get(), &item, &nick, nullptr, true, false, KU_ALL, &privateKey,
+          nullptr) != SECSuccess) {
+    PrintPRError("PK11_ImportDERPrivateKeyInfoAndReturnKey failed");
+    return SECFailure;
+  }
+
+  SECKEY_DestroyPrivateKey(privateKey);
+  return SECSuccess;
+}
+
+static SECStatus AddCertificateFromFile(const std::string& path,
+                                        const std::string& filename) {
+  ScopedAutoSECItem item;
+
+  std::string file = path + "/" + filename;
+  if (!DecodePEMFile(file, &item)) {
+    return SECFailure;
+  }
+
+  UniqueCERTCertificate cert(CERT_NewTempCertificate(
+      CERT_GetDefaultCertDB(), &item, nullptr, false, true));
+  if (!cert) {
+    PrintPRError("CERT_NewTempCertificate failed");
+    return SECFailure;
+  }
+
+  UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+  if (!slot) {
+    PrintPRError("PK11_GetInternalKeySlot failed");
+    return SECFailure;
+  }
+  // The nickname is the filename without '.pem'.
+  std::string nickname = filename.substr(0, filename.length() - 4);
+  SECStatus rv = PK11_ImportCert(slot.get(), cert.get(), CK_INVALID_HANDLE,
+                                 nickname.c_str(), false);
+  if (rv != SECSuccess) {
+    PrintPRError("PK11_ImportCert failed");
+    return rv;
+  }
+
+  return SECSuccess;
+}
+
+SECStatus LoadCertificatesAndKeys(const char* basePath) {
+  // The NSS cert DB path could have been specified as "sql:path". Trim off
+  // the leading "sql:" if so.
+  if (strncmp(basePath, "sql:", 4) == 0) {
+    basePath = basePath + 4;
+  }
+
+  UniquePRDir fdDir(PR_OpenDir(basePath));
+  if (!fdDir) {
+    PrintPRError("PR_OpenDir failed");
+    return SECFailure;
+  }
+  // On the B2G ICS emulator, operations taken in AddCertificateFromFile
+  // appear to interact poorly with readdir (more specifically, something is
+  // causing readdir to never return null - it indefinitely loops through every
+  // file in the directory, which causes timeouts). Rather than waste more time
+  // chasing this down, loading certificates and keys happens in two phases:
+  // filename collection and then loading. (This is probably a good
+  // idea anyway because readdir isn't reentrant. Something could change later
+  // such that it gets called as a result of calling AddCertificateFromFile or
+  // AddKeyFromFile.)
+  std::vector<std::string> certificates;
+  std::vector<std::string> keys;
+  for (PRDirEntry* dirEntry = PR_ReadDir(fdDir.get(), PR_SKIP_BOTH); dirEntry;
+       dirEntry = PR_ReadDir(fdDir.get(), PR_SKIP_BOTH)) {
+    size_t nameLength = strlen(dirEntry->name);
+    if (nameLength > 4) {
+      if (strncmp(dirEntry->name + nameLength - 4, ".pem", 4) == 0) {
+        certificates.push_back(dirEntry->name);
+      } else if (strncmp(dirEntry->name + nameLength - 4, ".key", 4) == 0) {
+        keys.push_back(dirEntry->name);
+      }
+    }
+  }
+  SECStatus rv;
+  for (std::string& certificate : certificates) {
+    rv = AddCertificateFromFile(basePath, certificate.c_str());
+    if (rv != SECSuccess) {
+      return rv;
+    }
+  }
+  for (std::string& key : keys) {
+    rv = AddKeyFromFile(basePath, key.c_str());
+    if (rv != SECSuccess) {
+      return rv;
+    }
+  }
+  return SECSuccess;
+}
+
+SECStatus InitializeNSS(const char* nssCertDBDir) {
+  // Try initializing an existing DB.
+  if (NSS_Init(nssCertDBDir) == SECSuccess) {
+    return SECSuccess;
+  }
+
+  // Create a new DB if there is none...
+  SECStatus rv = NSS_Initialize(nssCertDBDir, nullptr, nullptr, nullptr, 0);
+  if (rv != SECSuccess) {
+    return rv;
+  }
+
+  // ...and load all certificates into it.
+  return LoadCertificatesAndKeys(nssCertDBDir);
+}
+
+nsresult SendAll(PRFileDesc* aSocket, const char* aData, size_t aDataLen) {
+  if (gDebugLevel >= DEBUG_VERBOSE) {
+    fprintf(stderr, "sending '%s'\n", aData);
+  }
+
+  while (aDataLen > 0) {
+    int32_t bytesSent =
+        PR_Send(aSocket, aData, aDataLen, 0, PR_INTERVAL_NO_TIMEOUT);
+    if (bytesSent == -1) {
+      PrintPRError("PR_Send failed");
+      return NS_ERROR_FAILURE;
+    }
+
+    aDataLen -= bytesSent;
+    aData += bytesSent;
+  }
+
+  return NS_OK;
+}
+
+nsresult ReplyToRequest(Connection* aConn) {
+  // For debugging purposes, SendAll can print out what it's sending.
+  // So, any strings we give to it to send need to be null-terminated.
+  char buf[2] = {aConn->mByte, 0};
+  return SendAll(aConn->mSocket, buf, 1);
+}
+
+nsresult SetupTLS(Connection* aConn, PRFileDesc* aModelSocket) {
+  PRFileDesc* sslSocket = SSL_ImportFD(aModelSocket, aConn->mSocket);
+  if (!sslSocket) {
+    PrintPRError("SSL_ImportFD failed");
+    return NS_ERROR_FAILURE;
+  }
+  aConn->mSocket = sslSocket;
+
+  /* anti-replay must be configured to accept 0RTT */
+  if (antiReplay) {
+    SECStatus rv = SSL_SetAntiReplayContext(sslSocket, antiReplay);
+    if (rv != SECSuccess) {
+      PrintPRError("error configuring anti-replay ");
+      return NS_ERROR_FAILURE;
+    }
+  }
+
+  SSL_OptionSet(sslSocket, SSL_SECURITY, true);
+  SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_CLIENT, false);
+  SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_SERVER, true);
+  // Unconditionally enabling 0RTT makes test_session_resumption.js fail
+  SSL_OptionSet(sslSocket, SSL_ENABLE_0RTT_DATA,
+                !!PR_GetEnv("MOZ_TLS_SERVER_0RTT"));
+
+  SSL_ResetHandshake(sslSocket, /* asServer */ 1);
+
+  return NS_OK;
+}
+
+nsresult ReadRequest(Connection* aConn) {
+  int32_t bytesRead =
+      PR_Recv(aConn->mSocket, &aConn->mByte, 1, 0, PR_INTERVAL_NO_TIMEOUT);
+  if (bytesRead < 0) {
+    PrintPRError("PR_Recv failed");
+    return NS_ERROR_FAILURE;
+  } else if (bytesRead == 0) {
+    PR_SetError(PR_IO_ERROR, 0);
+    PrintPRError("PR_Recv EOF in ReadRequest");
+    return NS_ERROR_FAILURE;
+  } else {
+    if (gDebugLevel >= DEBUG_VERBOSE) {
+      fprintf(stderr, "read '0x%hhx'\n", aConn->mByte);
+    }
+  }
+  return NS_OK;
+}
+
+void HandleConnection(PRFileDesc* aSocket,
+                      const UniquePRFileDesc& aModelSocket) {
+  Connection conn(aSocket);
+  nsresult rv = SetupTLS(&conn, aModelSocket.get());
+  if (NS_FAILED(rv)) {
+    PR_SetError(PR_INVALID_STATE_ERROR, 0);
+    PrintPRError("PR_Recv failed");
+    exit(1);
+  }
+
+  // TODO: On tests that are expected to fail (e.g. due to a revoked
+  // certificate), the client will close the connection wtihout sending us the
+  // request byte. In those cases, we should keep going. But, in the cases
+  // where the connection is supposed to suceed, we should verify that we
+  // successfully receive the request and send the response.
+  rv = ReadRequest(&conn);
+  if (NS_SUCCEEDED(rv)) {
+    rv = ReplyToRequest(&conn);
+  }
+}
+
+// returns 0 on success, non-zero on error
+int DoCallback() {
+  UniquePRFileDesc socket(PR_NewTCPSocket());
+  if (!socket) {
+    PrintPRError("PR_NewTCPSocket failed");
+    return 1;
+  }
+
+  PRNetAddr addr;
+  PR_InitializeNetAddr(PR_IpAddrLoopback, gCallbackPort, &addr);
+  if (PR_Connect(socket.get(), &addr, PR_INTERVAL_NO_TIMEOUT) != PR_SUCCESS) {
+    PrintPRError("PR_Connect failed");
+    return 1;
+  }
+
+  const char* request = "GET / HTTP/1.0\r\n\r\n";
+  SendAll(socket.get(), request, strlen(request));
+  char buf[4096];
+  memset(buf, 0, sizeof(buf));
+  int32_t bytesRead =
+      PR_Recv(socket.get(), buf, sizeof(buf) - 1, 0, PR_INTERVAL_NO_TIMEOUT);
+  if (bytesRead < 0) {
+    PrintPRError("PR_Recv failed 1");
+    return 1;
+  }
+  if (bytesRead == 0) {
+    fprintf(stderr, "PR_Recv eof 1\n");
+    return 1;
+  }
+  fprintf(stderr, "%s\n", buf);
+  return 0;
+}
+
+SECStatus ConfigSecureServerWithNamedCert(
+    PRFileDesc* fd, const char* certName,
+    /*optional*/ UniqueCERTCertificate* certOut,
+    /*optional*/ SSLKEAType* keaOut,
+    /*optional*/ SSLExtraServerCertData* extraData) {
+  UniqueCERTCertificate cert(PK11_FindCertFromNickname(certName, nullptr));
+  if (!cert) {
+    PrintPRError("PK11_FindCertFromNickname failed");
+    return SECFailure;
+  }
+  // If an intermediate certificate issued the server certificate (rather than
+  // directly by a trust anchor), we want to send it along in the handshake so
+  // we don't encounter unknown issuer errors when that's not what we're
+  // testing.
+  UniqueCERTCertificateList certList;
+  UniqueCERTCertificate issuerCert(
+      CERT_FindCertByName(CERT_GetDefaultCertDB(), &cert->derIssuer));
+  // If we can't find the issuer cert, continue without it.
+  if (issuerCert) {
+    // Sadly, CERTCertificateList does not have a CERT_NewCertificateList
+    // utility function, so we must create it ourselves. This consists
+    // of creating an arena, allocating space for the CERTCertificateList,
+    // and then transferring ownership of the arena to that list.
+    UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
+    if (!arena) {
+      PrintPRError("PORT_NewArena failed");
+      return SECFailure;
+    }
+    certList.reset(static_cast<CERTCertificateList*>(
+        PORT_ArenaAlloc(arena.get(), sizeof(CERTCertificateList))));
+    if (!certList) {
+      PrintPRError("PORT_ArenaAlloc failed");
+      return SECFailure;
+    }
+    certList->arena = arena.release();
+    // We also have to manually copy the certificates we care about to the
+    // list, because there aren't any utility functions for that either.
+    certList->certs = static_cast<SECItem*>(
+        PORT_ArenaAlloc(certList->arena, 2 * sizeof(SECItem)));
+    if (SECITEM_CopyItem(certList->arena, certList->certs, &cert->derCert) !=
+        SECSuccess) {
+      PrintPRError("SECITEM_CopyItem failed");
+      return SECFailure;
+    }
+    if (SECITEM_CopyItem(certList->arena, certList->certs + 1,
+                         &issuerCert->derCert) != SECSuccess) {
+      PrintPRError("SECITEM_CopyItem failed");
+      return SECFailure;
+    }
+    certList->len = 2;
+  }
+
+  UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+  if (!slot) {
+    PrintPRError("PK11_GetInternalKeySlot failed");
+    return SECFailure;
+  }
+  UniqueSECKEYPrivateKey key(
+      PK11_FindKeyByDERCert(slot.get(), cert.get(), nullptr));
+  if (!key) {
+    PrintPRError("PK11_FindKeyByDERCert failed");
+    return SECFailure;
+  }
+
+  if (extraData) {
+    SSLExtraServerCertData dataCopy = {ssl_auth_null, nullptr, nullptr,
+                                       nullptr,       nullptr, nullptr};
+    memcpy(&dataCopy, extraData, sizeof(dataCopy));
+    dataCopy.certChain = certList.get();
+
+    if (SSL_ConfigServerCert(fd, cert.get(), key.get(), &dataCopy,
+                             sizeof(dataCopy)) != SECSuccess) {
+      PrintPRError("SSL_ConfigServerCert failed");
+      return SECFailure;
+    }
+
+  } else {
+    // This is the deprecated setup mechanism, to be cleaned up in Bug 1569222
+    SSLKEAType certKEA = NSS_FindCertKEAType(cert.get());
+    if (SSL_ConfigSecureServerWithCertChain(fd, cert.get(), certList.get(),
+                                            key.get(), certKEA) != SECSuccess) {
+      PrintPRError("SSL_ConfigSecureServer failed");
+      return SECFailure;
+    }
+
+    if (keaOut) {
+      *keaOut = certKEA;
+    }
+  }
+
+  if (certOut) {
+    *certOut = std::move(cert);
+  }
+
+  SSL_OptionSet(fd, SSL_NO_CACHE, false);
+  SSL_OptionSet(fd, SSL_ENABLE_SESSION_TICKETS, true);
+  // Unconditionally enabling 0RTT makes test_session_resumption.js fail
+  SSL_OptionSet(fd, SSL_ENABLE_0RTT_DATA, !!PR_GetEnv("MOZ_TLS_SERVER_0RTT"));
+
+  return SECSuccess;
+}
+
+#ifdef XP_WIN
+using PidType = DWORD;
+constexpr bool IsValidPid(long long pid) {
+  // Excluding `(DWORD)-1` because it is not a valid process ID.
+  // See https://devblogs.microsoft.com/oldnewthing/20040223-00/?p=40503
+  return pid > 0 && pid < std::numeric_limits<PidType>::max();
+}
+#else
+using PidType = pid_t;
+constexpr bool IsValidPid(long long pid) {
+  return pid > 0 && pid <= std::numeric_limits<PidType>::max();
+}
+#endif
+
+PidType ConvertPid(const char* pidStr) {
+  long long pid = strtoll(pidStr, nullptr, 10);
+  if (!IsValidPid(pid)) {
+    return 0;
+  }
+  return static_cast<PidType>(pid);
+}
+
+int StartServer(int argc, char* argv[], SSLSNISocketConfig sniSocketConfig,
+                void* sniSocketConfigArg, ServerConfigFunc configFunc) {
+  if (argc != 3) {
+    fprintf(stderr, "usage: %s <NSS DB directory> <ppid>\n", argv[0]);
+    return 1;
+  }
+  const char* nssCertDBDir = argv[1];
+  PidType ppid = ConvertPid(argv[2]);
+
+  const char* debugLevel = PR_GetEnv("MOZ_TLS_SERVER_DEBUG_LEVEL");
+  if (debugLevel) {
+    int level = atoi(debugLevel);
+    switch (level) {
+      case DEBUG_ERRORS:
+        gDebugLevel = DEBUG_ERRORS;
+        break;
+      case DEBUG_WARNINGS:
+        gDebugLevel = DEBUG_WARNINGS;
+        break;
+      case DEBUG_VERBOSE:
+        gDebugLevel = DEBUG_VERBOSE;
+        break;
+      default:
+        PrintPRError("invalid MOZ_TLS_SERVER_DEBUG_LEVEL");
+        return 1;
+    }
+  }
+
+  const char* callbackPort = PR_GetEnv("MOZ_TLS_SERVER_CALLBACK_PORT");
+  if (callbackPort) {
+    gCallbackPort = atoi(callbackPort);
+  }
+
+  if (InitializeNSS(nssCertDBDir) != SECSuccess) {
+    PR_fprintf(PR_STDERR, "InitializeNSS failed");
+    return 1;
+  }
+
+  if (NSS_SetDomesticPolicy() != SECSuccess) {
+    PrintPRError("NSS_SetDomesticPolicy failed");
+    return 1;
+  }
+
+  if (SSL_ConfigServerSessionIDCache(0, 0, 0, nullptr) != SECSuccess) {
+    PrintPRError("SSL_ConfigServerSessionIDCache failed");
+    return 1;
+  }
+
+  UniquePRFileDesc serverSocket(PR_NewTCPSocket());
+  if (!serverSocket) {
+    PrintPRError("PR_NewTCPSocket failed");
+    return 1;
+  }
+
+  PRSocketOptionData socketOption;
+  socketOption.option = PR_SockOpt_Reuseaddr;
+  socketOption.value.reuse_addr = true;
+  PR_SetSocketOption(serverSocket.get(), &socketOption);
+
+  PRNetAddr serverAddr;
+  PR_InitializeNetAddr(PR_IpAddrLoopback, LISTEN_PORT, &serverAddr);
+  if (PR_Bind(serverSocket.get(), &serverAddr) != PR_SUCCESS) {
+    PrintPRError("PR_Bind failed");
+    return 1;
+  }
+
+  if (PR_Listen(serverSocket.get(), 1) != PR_SUCCESS) {
+    PrintPRError("PR_Listen failed");
+    return 1;
+  }
+
+  UniquePRFileDesc rawModelSocket(PR_NewTCPSocket());
+  if (!rawModelSocket) {
+    PrintPRError("PR_NewTCPSocket failed for rawModelSocket");
+    return 1;
+  }
+
+  UniquePRFileDesc modelSocket(SSL_ImportFD(nullptr, rawModelSocket.release()));
+  if (!modelSocket) {
+    PrintPRError("SSL_ImportFD of rawModelSocket failed");
+    return 1;
+  }
+
+  SSLVersionRange range = {0, 0};
+  if (SSL_VersionRangeGet(modelSocket.get(), &range) != SECSuccess) {
+    PrintPRError("SSL_VersionRangeGet failed");
+    return 1;
+  }
+
+  if (range.max < SSL_LIBRARY_VERSION_TLS_1_3) {
+    range.max = SSL_LIBRARY_VERSION_TLS_1_3;
+    if (SSL_VersionRangeSet(modelSocket.get(), &range) != SECSuccess) {
+      PrintPRError("SSL_VersionRangeSet failed");
+      return 1;
+    }
+  }
+
+  if (PR_GetEnv("MOZ_TLS_SERVER_0RTT")) {
+    if (SSL_CreateAntiReplayContext(PR_Now(), 1L * PR_USEC_PER_SEC, 7, 14,
+                                    &antiReplay) != SECSuccess) {
+      PrintPRError("Unable to create anti-replay context for 0-RTT.");
+      return 1;
+    }
+  }
+
+  if (SSL_SNISocketConfigHook(modelSocket.get(), sniSocketConfig,
+                              sniSocketConfigArg) != SECSuccess) {
+    PrintPRError("SSL_SNISocketConfigHook failed");
+    return 1;
+  }
+
+  // We have to configure the server with a certificate, but it's not one
+  // we're actually going to end up using. In the SNI callback, we pick
+  // the right certificate for the connection.
+  //
+  // Provide an empty |extra_data| to force config via SSL_ConfigServerCert.
+  // This is a temporary mechanism to work around inconsistent setting of
+  // |authType| in the deprecated API (preventing the default cert from
+  // being removed in favor of the SNI-selected cert). This may be removed
+  // after Bug 1569222 removes the deprecated mechanism.
+  SSLExtraServerCertData extra_data = {ssl_auth_null, nullptr, nullptr,
+                                       nullptr,       nullptr, nullptr};
+  if (ConfigSecureServerWithNamedCert(modelSocket.get(), DEFAULT_CERT_NICKNAME,
+                                      nullptr, nullptr,
+                                      &extra_data) != SECSuccess) {
+    return 1;
+  }
+
+  // Call back to implementation-defined configuration func, if provided.
+  if (configFunc) {
+    if (((configFunc)(modelSocket.get())) != SECSuccess) {
+      PrintPRError("configFunc failed");
+      return 1;
+    }
+  }
+
+  if (gCallbackPort != 0) {
+    if (DoCallback()) {
+      return 1;
+    }
+  }
+
+  std::thread([ppid] {
+    if (!ppid) {
+      if (gDebugLevel >= DEBUG_ERRORS) {
+        fprintf(stderr, "invalid ppid\n");
+      }
+      return;
+    }
+#ifdef XP_WIN
+    HANDLE parent = OpenProcess(SYNCHRONIZE, false, ppid);
+    if (!parent) {
+      if (gDebugLevel >= DEBUG_ERRORS) {
+        fprintf(stderr, "OpenProcess failed\n");
+      }
+      return;
+    }
+    WaitForSingleObject(parent, INFINITE);
+    CloseHandle(parent);
+#else
+    while (getppid() == ppid) {
+      sleep(1);
+    }
+#endif
+    if (gDebugLevel >= DEBUG_ERRORS) {
+      fprintf(stderr, "Parent process crashed\n");
+    }
+    exit(1);
+  }).detach();
+
+  while (true) {
+    PRNetAddr clientAddr;
+    PRFileDesc* clientSocket =
+        PR_Accept(serverSocket.get(), &clientAddr, PR_INTERVAL_NO_TIMEOUT);
+    HandleConnection(clientSocket, modelSocket);
+  }
+}
+
+}  // namespace test
+}  // namespace mozilla
diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h
new file mode 100644
index 0000000000..3927b3e541
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h
@@ -0,0 +1,93 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef TLSServer_h
+#define TLSServer_h
+
+// This is a standalone server for testing SSL features of Gecko.
+// The client is expected to connect and initiate an SSL handshake (with SNI
+// to indicate which "server" to connect to). If all is good, the client then
+// sends one encrypted byte and receives that same byte back.
+// This server also has the ability to "call back" another process waiting on
+// it. That is, when the server is all set up and ready to receive connections,
+// it will connect to a specified port and issue a simple HTTP request.
+
+#include <stdint.h>
+
+#include "ScopedNSSTypes.h"
+#include "mozilla/Casting.h"
+#include "prio.h"
+#include "secerr.h"
+#include "ssl.h"
+
+namespace mozilla {
+
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePRDir, PRDir, PR_CloseDir);
+
+}  // namespace mozilla
+
+namespace mozilla {
+namespace test {
+
+typedef SECStatus (*ServerConfigFunc)(PRFileDesc* fd);
+
+enum DebugLevel { DEBUG_ERRORS = 1, DEBUG_WARNINGS = 2, DEBUG_VERBOSE = 3 };
+
+extern DebugLevel gDebugLevel;
+
+void PrintPRError(const char* aPrefix);
+
+// The default certificate is trusted for localhost and *.example.com
+extern const char DEFAULT_CERT_NICKNAME[];
+
+// ConfigSecureServerWithNamedCert sets up the hostname name provided. If the
+// extraData parameter is presented, extraData->certChain will be automatically
+// filled in using database information.
+// Pass DEFAULT_CERT_NICKNAME as certName unless you need a specific
+// certificate.
+SECStatus ConfigSecureServerWithNamedCert(
+    PRFileDesc* fd, const char* certName,
+    /*optional*/ UniqueCERTCertificate* cert,
+    /*optional*/ SSLKEAType* kea,
+    /*optional*/ SSLExtraServerCertData* extraData);
+
+SECStatus InitializeNSS(const char* nssCertDBDir);
+
+// StartServer initializes NSS, sockets, the SNI callback, and a default
+// certificate. configFunc (optional) is a pointer to an implementation-
+// defined configuration function, which is called on the model socket
+// prior to handling any connections.
+int StartServer(int argc, char* argv[], SSLSNISocketConfig sniSocketConfig,
+                void* sniSocketConfigArg,
+                ServerConfigFunc configFunc = nullptr);
+
+template <typename Host>
+inline const Host* GetHostForSNI(const SECItem* aSrvNameArr,
+                                 uint32_t aSrvNameArrSize, const Host* hosts) {
+  for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
+    for (const Host* host = hosts; host->mHostName; ++host) {
+      SECItem hostName;
+      hostName.data = BitwiseCast<unsigned char*, const char*>(host->mHostName);
+      hostName.len = strlen(host->mHostName);
+      if (SECITEM_ItemsAreEqual(&hostName, &aSrvNameArr[i])) {
+        if (gDebugLevel >= DEBUG_VERBOSE) {
+          fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+        }
+        return host;
+      }
+    }
+  }
+
+  if (gDebugLevel >= DEBUG_VERBOSE) {
+    fprintf(stderr, "could not find host info from SNI\n");
+  }
+
+  PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
+  return nullptr;
+}
+
+}  // namespace test
+}  // namespace mozilla
+
+#endif  // TLSServer_h
diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/moz.build b/security/manager/ssl/tests/unit/tlsserver/lib/moz.build
new file mode 100644
index 0000000000..54820f9b52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/moz.build
@@ -0,0 +1,48 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+UNIFIED_SOURCES += [
+    "OCSPCommon.cpp",
+    "TLSServer.cpp",
+]
+
+USE_LIBS += [
+    "mozpkix-testlib",
+]
+
+if not CONFIG["MOZ_SYSTEM_NSS"]:
+    # Bug 1805371: The FaultyServer binary added in Bug 1754746 needs to
+    # be statically linked against NSS, but the configuration here breaks
+    # builds with system NSS. A complete solution involves some changes
+    # to the NSS build system. For now we're disabling FaultyServer when
+    # using system NSS and linking the rest of the tests dynamically.
+    DEFINES["NSS_USE_STATIC_LIBS"] = True
+
+    USE_LIBS += [
+        "certdb",
+        "certhi",
+        "cryptohi",
+        "freebl",
+        "mozpkix",
+        "mozpkix-testlib",
+        "nspr",
+        "nss_static",
+        "nssb",
+        "nssdev",
+        "nsspki",
+        "pk11wrap",
+        "smime",
+        "softokn3",
+        "sqlite",
+        "ssl",
+    ]
+
+    if CONFIG["MOZ_FOLD_LIBS"]:
+        USE_LIBS += ["nssutil"]
+    else:
+        USE_LIBS += ["nssutil3"]
+
+Library("tlsserver")
diff --git a/security/manager/ssl/tests/unit/tlsserver/moz.build b/security/manager/ssl/tests/unit/tlsserver/moz.build
new file mode 100644
index 0000000000..1488352914
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/moz.build
@@ -0,0 +1,8 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# lib must be first, because cmd depends on its output
+DIRS += ["lib", "cmd"]
diff --git a/security/manager/ssl/tests/unit/xpcshell-smartcards.ini b/security/manager/ssl/tests/unit/xpcshell-smartcards.ini
new file mode 100644
index 0000000000..0a240f3e59
--- /dev/null
+++ b/security/manager/ssl/tests/unit/xpcshell-smartcards.ini
@@ -0,0 +1,17 @@
+[DEFAULT]
+head = head_psm.js
+tail =
+tags = psm
+skip-if = toolkit == 'android'
+support-files =
+
+[test_osclientcerts_module.js]
+skip-if =
+  os == "linux"
+  os == "android"
+[test_pkcs11_module.js]
+[test_pkcs11_moduleDB.js]
+[test_pkcs11_safe_mode.js]
+[test_pkcs11_slot.js]
+[test_pkcs11_token.js]
+[test_pkcs11_tokenDB.js]
diff --git a/security/manager/ssl/tests/unit/xpcshell.ini b/security/manager/ssl/tests/unit/xpcshell.ini
new file mode 100644
index 0000000000..f559d83a73
--- /dev/null
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -0,0 +1,242 @@
+[DEFAULT]
+head = head_psm.js
+tags = psm condprof
+firefox-appdir = browser
+skip-if = os == 'win' && msix # https://bugzilla.mozilla.org/show_bug.cgi?id=1809477
+support-files =
+  corrupted_crlite_helper.js
+  bad_certs/**
+  ocsp_certs/**
+  test_baseline_requirements/**
+  test_broken_fips/**
+  test_cert_eku/**
+  test_cert_embedded_null/**
+  test_cert_isBuiltInRoot_reload/**
+  test_cert_keyUsage/**
+  test_cert_overrides_read_only/**
+  test_cert_sha1/**
+  test_cert_signatures/**
+  test_cert_storage_direct/**
+  test_cert_storage_preexisting/**
+  test_cert_storage_preexisting_crlite/**
+  test_cert_trust/**
+  test_cert_utf8/**
+  test_cert_version/**
+  test_certDB_import/**
+  test_client_auth_remember_service/**
+  test_content_signing/**
+  test_crlite_filters/**
+  test_crlite_preexisting/**
+  test_crlite_corrupted/**
+  test_ct/**
+  test_delegated_credentials/**
+  test_encrypted_client_hello/**
+  test_ev_certs/**
+  test_faulty_server/**
+  test_intermediate_basic_usage_constraints/**
+  test_intermediate_preloads/**
+  test_keysize/**
+  test_keysize_ev/**
+  test_missing_intermediate/**
+  test_name_constraints/**
+  test_ocsp_url/**
+  test_onecrl/**
+  test_sanctions/**
+  test_sdr_preexisting/**
+  test_sdr_preexisting_with_password/**
+  test_self_signed_certs/**
+  test_signed_apps/**
+  test_validity/**
+  tlsserver/**
+
+[test_add_preexisting_cert.js]
+[test_baseline_requirements_subject_common_name.js]
+[test_blocklist_onecrl.js]
+# Skip signature tests for Thunderbird (Bug 1341983).
+skip-if = appname == "thunderbird"
+tags = remote-settings blocklist psm
+[test_broken_fips.js]
+# FIPS has never been a thing on Android, so the workaround doesn't
+# exist on that platform.
+# FIPS still works on Linux, so this test doesn't make any sense there.
+# FIPS still works on Windows, but running the test to ensure that it does not
+# break with a non-ASCII profile path.
+skip-if = toolkit == 'android' || os == 'linux'
+[test_cert_storage.js]
+tags = addons psm blocklist
+[test_cert_storage_broken_db.js]
+[test_cert_storage_direct.js]
+[test_cert_storage_preexisting.js]
+[test_cert_storage_preexisting_crlite.js]
+# This test cannot succeed on 32-bit platforms. See bugs 1546361 and 1548956.
+skip-if = bits != 64
+[test_cert_chains.js]
+run-sequentially = hardcoded ports
+[test_cert_dbKey.js]
+[test_cert_eku.js]
+[test_cert_embedded_null.js]
+[test_cert_expiration_canary.js]
+run-if = nightly_build
+[test_cert_keyUsage.js]
+[test_cert_isBuiltInRoot.js]
+[test_cert_isBuiltInRoot_reload.js]
+[test_cert_overrides.js]
+run-sequentially = hardcoded ports
+[test_cert_overrides_read_only.js]
+run-sequentially = hardcoded ports
+[test_cert_override_read.js]
+[test_cert_sha1.js]
+[test_cert_signatures.js]
+[test_cert_trust.js]
+[test_cert_version.js]
+[test_cert_utf8.js]
+[test_certDB_export_pkcs12.js]
+[test_certDB_export_pkcs12_with_primary_password.js]
+[test_certDB_import.js]
+# nsCertificateDialogs not available in geckoview, bug 1554276
+skip-if = toolkit == 'android' && processor == 'x86_64'
+[test_certDB_import_pkcs12.js]
+[test_certDB_import_with_primary_password.js]
+# nsCertificateDialogs not available in geckoview, bug 1554276
+skip-if = toolkit == 'android' && processor == 'x86_64'
+[test_client_auth_remember_service_read.js]
+[test_constructX509FromBase64.js]
+[test_content_signing.js]
+[test_crlite_filters.js]
+tags = remote-settings psm
+[test_crlite_preexisting.js]
+[test_crlite_filter_corrupted.js]
+[test_crlite_stash_corrupted.js]
+[test_crlite_enrollment_version.js]
+[test_crlite_enrollment_trunc1.js]
+[test_crlite_coverage_version.js]
+[test_crlite_coverage_trunc1.js]
+[test_crlite_coverage_trunc2.js]
+[test_crlite_coverage_trunc3.js]
+[test_crlite_coverage_missing.js]
+[test_ct.js]
+# Requires hard-coded debug-only data
+skip-if = !debug
+run-sequentially = hardcoded ports
+[test_db_format_pref_new.js]
+# Android always has and always will use the new format, so
+# this test doesn't apply.
+skip-if = toolkit == 'android'
+  condprof  # Bug 1769154 - as designed
+[test_delegated_credentials.js]
+run-sequentially = hardcoded ports
+[test_encrypted_client_hello.js]
+run-sequentially = hardcoded ports
+[test_encrypted_client_hello_client_only.js]
+run-sequentially = hardcoded ports
+[test_der.js]
+[test_enterprise_roots.js]
+# This feature is implemented for Windows and OS X. However, we don't currently
+# have a way to test it on OS X.
+skip-if = os != 'win'
+[test_ev_certs.js]
+tags = blocklist psm
+run-sequentially = hardcoded ports
+[test_forget_about_site_security_headers.js]
+[test_hash_algorithms.js]
+[test_hash_algorithms_wrap.js]
+# bug 1124289 - run_test_in_child violates the sandbox on android
+skip-if = toolkit == 'android'
+[test_intermediate_basic_usage_constraints.js]
+[test_intermediate_preloads.js]
+run-sequentially = hardcoded ports
+tags = blocklist psm remote-settings
+[test_allow_all_cert_errors.js]
+run-sequentially = hardcoded ports
+[test_keysize.js]
+[test_keysize_ev.js]
+run-sequentially = hardcoded ports
+[test_logoutAndTeardown.js]
+skip-if = socketprocess_networking && os == "linux" && debug
+run-sequentially = hardcoded ports
+[test_missing_intermediate.js]
+run-sequentially = hardcoded ports
+[test_name_constraints.js]
+[test_nonascii_path.js]
+[test_nsCertType.js]
+run-sequentially = hardcoded ports
+[test_nsIX509Cert_utf8.js]
+[test_nsIX509CertValidity.js]
+[test_ocsp_caching.js]
+run-sequentially = hardcoded ports
+[test_ocsp_enabled_pref.js]
+run-sequentially = hardcoded ports
+[test_ocsp_must_staple.js]
+run-sequentially = hardcoded ports
+[test_ocsp_private_caching.js]
+run-sequentially = hardcoded ports
+skip-if = condprof  # Bug 1769154 - should look into this
+[test_ocsp_no_hsts_upgrade.js]
+run-sequentially = hardcoded ports
+[test_ocsp_required.js]
+run-sequentially = hardcoded ports
+[test_ocsp_stapling.js]
+run-sequentially = hardcoded ports
+[test_ocsp_stapling_expired.js]
+run-sequentially = hardcoded ports
+[test_ocsp_stapling_with_intermediate.js]
+run-sequentially = hardcoded ports
+[test_ocsp_timeout.js]
+skip-if = (os == "win" && socketprocess_networking)
+run-sequentially = hardcoded ports
+[test_ocsp_url.js]
+run-sequentially = hardcoded ports
+[test_oskeystore.js]
+skip-if = apple_silicon # bug 1729538
+[test_osreauthenticator.js]
+# Reauthentication has been implemented on Windows and MacOS, so running this
+# test results in the OS popping up a dialog, which means we can't run it in
+# automation.
+skip-if = os == 'win' || os == 'mac'
+[test_password_prompt.js]
+[test_pinning.js]
+run-sequentially = hardcoded ports
+[test_sdr.js]
+[test_sdr_preexisting.js]
+# Not relevant to Android. See the comment in the test.
+skip-if = toolkit == 'android'
+[test_sdr_preexisting_with_password.js]
+# Not relevant to Android. See the comment in the test.
+skip-if = toolkit == 'android'
+[test_self_signed_certs.js]
+[test_session_resumption.js]
+skip-if = 
+  os == "win" # Bug 1585916
+run-sequentially = hardcoded ports
+[test_signed_apps.js]
+[test_ssl_status.js]
+run-sequentially = hardcoded ports
+[test_sss_eviction.js]
+skip-if = condprof  # Bug 1769154 - as designed
+[test_sss_originAttributes.js]
+[test_sss_readstate.js]
+skip-if = condprof  # Bug 1769154 - as designed
+[test_sss_readstate_empty.js]
+skip-if = condprof  # Bug 1769154 - as designed
+[test_sss_readstate_garbage.js]
+skip-if = condprof  # Bug 1769154 - as designed
+[test_sss_readstate_huge.js]
+skip-if = condprof  # Bug 1769154 - as designed
+[test_sss_resetState.js]
+[test_sss_savestate.js]
+skip-if = condprof  # Bug 1769154 - as designed
+[test_sss_sanitizeOnShutdown.js]
+firefox-appdir = browser
+# Sanitization works differently on Android - this doesn't apply.
+# browser/modules/Sanitizer.jsm used by the test isn't available in Thunderbird.
+skip-if = toolkit == 'android' || appname == 'thunderbird'
+[test_sts_fqdn.js]
+[test_sts_ipv4_ipv6.js]
+[test_sts_parser.js]
+[test_sts_preloadlist_perwindowpb.js]
+[test_sts_preloadlist_selfdestruct.js]
+[test_sanctions_symantec_apple_google.js]
+run-sequentially = hardcoded ports
+[test_validity.js]
+run-sequentially = hardcoded ports
+[test_x509.js]