Bug 969188 - Part 3/3 - Test handling of v1/v2/v3 certificates from PSM. r=keeler

--HG--
extra : rebase_source : 321d603913f07a0afe64400e300146873e8a81af

security/manager/ssl/tests/unit/head_psm.js

@@ -31,6 +31,7 @@ const SEC_ERROR_BAD_DATABASE                            = SEC_ERROR_BASE +  18;
 const SEC_ERROR_UNTRUSTED_ISSUER                        = SEC_ERROR_BASE +  20; // -8172
 const SEC_ERROR_UNTRUSTED_CERT                          = SEC_ERROR_BASE +  21; // -8171
 const SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE              = SEC_ERROR_BASE +  30; // -8162
+const SEC_ERROR_EXTENSION_VALUE_INVALID                 = SEC_ERROR_BASE +  34; // -8158
 const SEC_ERROR_EXTENSION_NOT_FOUND                     = SEC_ERROR_BASE +  35; // -8157
 const SEC_ERROR_CA_CERT_INVALID                         = SEC_ERROR_BASE +  36;
 const SEC_ERROR_INADEQUATE_KEY_USAGE                    = SEC_ERROR_BASE +  90; // -8102

security/manager/ssl/tests/unit/test_cert_version.js

@@ -0,0 +1,784 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"]
+                 .getService(Ci.nsIX509CertDB);
+
+function cert_from_file(filename) {
+  return constructCertFromFile("test_cert_version/" + filename);
+}
+
+function load_cert(cert_name, trust_string) {
+  var cert_filename = cert_name + ".der";
+  addCertFromFile(certdb, "test_cert_version/" + cert_filename, trust_string);
+}
+
+function check_cert_err_generic(cert, expected_error, usage) {
+  do_print("cert cn=" + cert.commonName);
+  do_print("cert issuer cn=" + cert.issuerCommonName);
+  let hasEVPolicy = {};
+  let verifiedChain = {};
+  let error = certdb.verifyCertNow(cert, usage,
+                                   NO_FLAGS, verifiedChain, hasEVPolicy);
+  do_check_eq(error, expected_error);
+}
+
+function check_cert_err(cert, expected_error) {
+  check_cert_err_generic(cert, expected_error, certificateUsageSSLServer)
+}
+
+function check_ca_err(cert, expected_error) {
+  check_cert_err_generic(cert, expected_error, certificateUsageSSLCA)
+}
+
+function check_ok(x) {
+  return check_cert_err(x, 0);
+}
+
+function check_ok_ca(x) {
+  return check_cert_err_generic(x, 0, certificateUsageSSLCA);
+}
+
+function run_tests_in_mode(useMozillaPKIX)
+{
+  Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+                             useMozillaPKIX);
+
+  check_ok_ca(cert_from_file('v1_ca.der'));
+  check_ca_err(cert_from_file('v1_ca_bc.der'),
+               useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0);
+  check_ca_err(cert_from_file('v2_ca.der'),
+               useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0);
+  check_ca_err(cert_from_file('v2_ca_bc.der'),
+               useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0);
+  check_ok_ca(cert_from_file('v3_ca.der'));
+  check_ca_err(cert_from_file('v3_ca_missing_bc.der'),
+               useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0);
+
+  // Classic allows v1 and v2 certs to be CA certs in trust anchor positions and
+  // intermediates when they have a v3 basic constraints extenstion (which
+  // makes them invalid certs). Insanity only allows v1 certs to be CA in
+  // anchor position (even if they have invalid encodings), v2 certs are not
+  // considered CAs in any position.
+  // Note that currently there are no change of behavior based on the
+  // version of the end entity.
+
+  let ee_error = 0;
+  let ca_error = 0;
+
+  //////////////
+  // v1 CA supersection
+  //////////////////
+
+  // v1 intermediate with v1 trust anchor
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
+    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
+  }
+  check_ca_err(cert_from_file('v1_int-v1_ca.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca.der'), ee_error);
+  if (useMozillaPKIX) {
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca.der'), ee_error);
+
+  // v1 intermediate with v3 extensions. CA is invalid.
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_ca_err(cert_from_file('v1_int_bc-v1_ca.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
+
+  // A v2 intermediate with a v1 CA
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
+    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
+  }
+  check_ca_err(cert_from_file('v2_int-v1_ca.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca.der'), ee_error);
+  if (useMozillaPKIX) {
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca.der'), ee_error);
+
+  // A v2 intermediate with basic constraints (not allowed in insanity)
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_ca_err(cert_from_file('v2_int_bc-v1_ca.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
+
+  // Section is OK. A x509 v3 CA MUST have bc
+  // http://tools.ietf.org/html/rfc5280#section-4.2.1.9
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
+    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
+  }
+ check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
+  if (useMozillaPKIX) {
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
+
+  // It is valid for a v1 ca to sign a v3 intemediate.
+  check_ok_ca(cert_from_file('v3_int-v1_ca.der'));
+  check_ok(cert_from_file('v1_ee-v3_int-v1_ca.der'));
+  check_ok(cert_from_file('v2_ee-v3_int-v1_ca.der'));
+  check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca.der'));
+  check_ok(cert_from_file('v3_bc_ee-v3_int-v1_ca.der'));
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca.der'), ee_error);
+
+  // The next groups change the v1 ca for a v1 ca with base constraints
+  // (invalid trust anchor). The error pattern is the same as the groups
+  // above
+
+  // Using A v1 intermediate
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
+    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
+  }
+  check_ca_err(cert_from_file('v1_int-v1_ca_bc.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
+  if (useMozillaPKIX) {
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
+
+  // Using a v1 intermediate with v3 extenstions (invalid).
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_ca_err(cert_from_file('v1_int_bc-v1_ca_bc.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
+
+  // Using v2 intermediate
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
+    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
+  }
+  check_ca_err(cert_from_file('v2_int-v1_ca_bc.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
+  if (useMozillaPKIX) {
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
+
+  // Using a v2 intermediate with basic constraints (invalid)
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_ca_err(cert_from_file('v2_int_bc-v1_ca_bc.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
+
+  // Using a v3 intermediate that is missing basic constraints (invalid)
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
+    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
+  }
+  check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca_bc.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
+  if (useMozillaPKIX) {
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
+
+  // these should pass assuming we are OK with v1 ca signing v3 intermediates
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_ca_err(cert_from_file('v3_int-v1_ca_bc.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v3_int-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v3_int-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
+
+
+  //////////////
+  // v2 CA supersection
+  //////////////////
+
+  // v2 ca, v1 intermediate
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
+    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
+  }
+  check_ca_err(cert_from_file('v1_int-v2_ca.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca.der'), ee_error);
+  if (useMozillaPKIX) {
+     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca.der'), ee_error)
+  check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca.der'), ee_error);
+
+  // v2 ca, v1 intermediate with basic constraints (invalid)
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
+
+  // v2 ca, v2 intermediate
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
+    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
+  }
+  check_ca_err(cert_from_file('v2_int-v2_ca.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca.der'), ee_error);
+  if (useMozillaPKIX) {
+     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca.der'), ee_error)
+
+  // v2 ca, v2 intermediate with basic constraints (invalid)
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_ca_err(cert_from_file('v2_int_bc-v2_ca.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
+
+  // v2 ca, v3 intermediate missing basic constraints
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
+    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
+  }
+  check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
+  if (useMozillaPKIX) {
+     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
+
+  // v2 ca, v3 intermediate
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_ca_err(cert_from_file('v3_int-v2_ca.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca.der'), ee_error);
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca.der'), ee_error);
+
+  // v2 ca, v1 intermediate
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
+    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
+  }
+  check_ca_err(cert_from_file('v1_int-v2_ca_bc.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
+  if (useMozillaPKIX) {
+     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
+
+  // v2 ca, v1 intermediate with bc (invalid)
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_ca_err(cert_from_file('v1_int_bc-v2_ca_bc.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
+
+  // v2 ca, v2 intermediate
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
+    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
+  }
+  check_ca_err(cert_from_file('v2_int-v2_ca_bc.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
+  if (useMozillaPKIX) {
+     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
+
+  // v2 ca, v2 intermediate with bc (invalid)
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_ca_err(cert_from_file('v2_int_bc-v2_ca_bc.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
+
+  // v2 ca, invalid v3 intermediate
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
+    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
+  }
+  check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca_bc.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
+  if (useMozillaPKIX) {
+     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error)
+  check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
+
+  // v2 ca, valid v3 intermediate (is OK if we use 'classic' semantics)
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_ca_err(cert_from_file('v3_int-v2_ca_bc.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
+
+  //////////////
+  // v3 CA supersection
+  //////////////////
+
+  // v3 ca, v1 intermediate
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
+    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
+  }
+  check_ca_err(cert_from_file('v1_int-v3_ca.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca.der'), ee_error);
+  if (useMozillaPKIX) {
+     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca.der'), ee_error);
+
+  // A v1 intermediate with v3 extensions
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_ca_err(cert_from_file('v1_int_bc-v3_ca.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca.der'), ee_error)
+
+  // reject a v2 cert as intermediate
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
+    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
+  }
+  check_ca_err(cert_from_file('v2_int-v3_ca.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca.der'), ee_error);
+  if (useMozillaPKIX) {
+     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca.der'), ee_error);
+
+  // v2 intermediate with bc (invalid)
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_ca_err(cert_from_file('v2_int_bc-v3_ca.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
+
+  // invalid v3 intermediate
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
+    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
+  }
+  check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
+  if (useMozillaPKIX) {
+     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
+
+  // I dont think that v3 intermediates should be allowed to sign v1 or v2
+  // certs, but other thanthat this  is what we usually get in the wild.
+  check_ok_ca(cert_from_file('v3_int-v3_ca.der'));
+  check_ok(cert_from_file('v1_ee-v3_int-v3_ca.der'));
+  check_ok(cert_from_file('v2_ee-v3_int-v3_ca.der'));
+  check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca.der'));
+  check_ok(cert_from_file('v3_bc_ee-v3_int-v3_ca.der'));
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca.der'), ee_error);
+
+  // v3 CA, invalid v3 intermediate
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
+    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
+  }
+  check_ca_err(cert_from_file('v1_int-v3_ca_missing_bc.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
+  if (useMozillaPKIX) {
+     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
+
+  // Int v1 with BC that is just invalid (classic fail insanity OK)
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_ca_err(cert_from_file('v1_int_bc-v3_ca_missing_bc.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
+
+  // Good section (all fail)
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
+    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
+  }
+  check_ca_err(cert_from_file('v2_int-v3_ca_missing_bc.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
+  if (useMozillaPKIX) {
+     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
+
+  // v2 intermediate (even with basic constraints) is invalid
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_ca_err(cert_from_file('v2_int_bc-v3_ca_missing_bc.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
+
+  // v3 intermediate missing basic constraints is invalid
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
+    ee_error = SEC_ERROR_UNKNOWN_ISSUER;
+  }
+  check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca_missing_bc.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
+  if (useMozillaPKIX) {
+     ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
+
+  // With a v3 root missing bc and valid v3 intermediate
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_CA_CERT_INVALID;
+    ee_error = SEC_ERROR_CA_CERT_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_ca_err(cert_from_file('v3_int-v3_ca_missing_bc.der'), ca_error);
+  check_cert_err(cert_from_file('v1_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v3_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
+  if (useMozillaPKIX) {
+    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+  } else {
+    ca_error = 0;
+    ee_error = 0;
+  }
+  check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
+  check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
+}
+
+function run_test() {
+  load_cert("v1_ca", "CTu,CTu,CTu");
+  load_cert("v1_ca_bc", "CTu,CTu,CTu");
+  load_cert("v2_ca", "CTu,CTu,CTu");
+  load_cert("v2_ca_bc", "CTu,CTu,CTu");
+  load_cert("v3_ca", "CTu,CTu,CTu");
+  load_cert("v3_ca_missing_bc", "CTu,CTu,CTu");
+
+  run_tests_in_mode(false);
+  run_tests_in_mode(true);
+}

security/manager/ssl/tests/unit/test_cert_version/generate.py

@@ -0,0 +1,128 @@
+#!/usr/bin/python
+# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+import tempfile, os, sys, pexpect
+import random
+import time
+
+srcdir = os.getcwd()
+db = tempfile.mkdtemp()
+
+def init_nss_db(db_dir):
+  #create noise file
+  noise_file = db_dir + "/noise"
+  nf = open(noise_file, 'w')
+  nf.write(str(time.time()))
+  nf.close()
+  #create pwd file
+  pwd_file = db_dir + "/pwfile"
+  pf = open(pwd_file, 'w')
+  pf.write("\n")
+  pf.close()
+  #create nss db
+  os.system("certutil -d " + db_dir + " -N -f "+ pwd_file);
+  return [noise_file, pwd_file]
+
+def generate_ca_cert(db_dir, dest_dir, noise_file,  name, version, do_bc):
+  out_name = dest_dir + "/" + name + ".der"
+  base_exec_string = ("certutil -S -z " + noise_file + " -g 2048 -d "+ db_dir +"/ -n " +
+                      name +" -v 120 -s 'CN=" + name +
+                      ",O=PSM Testing,L=Mountain View,ST=California,C=US'" +
+                      " -t C,C,C -x --certVersion="+ str(int(version)))
+  if (do_bc):
+    child = pexpect.spawn(base_exec_string + " -2")
+    child.logfile = sys.stdout
+    child.expect('Is this a CA certificate \[y/N\]?')
+    child.sendline('y')
+    child.expect('Enter the path length constraint, enter to skip \[<0 for unlimited path\]: >')
+    child.sendline('')
+    child.expect('Is this a critical extension \[y/N\]?')
+    child.sendline('')
+    child.expect(pexpect.EOF)
+  else:
+    os.system(base_exec_string)
+  os.system("certutil -d "+ db_dir + "/ -L -n "+ name +" -r > " + out_name)
+
+def generate_child_cert(db_dir, dest_dir, noise_file, name, ca_nick, cert_version, do_bc, is_ee):
+  out_name = dest_dir + "/" + name + ".der"
+  base_exec_string = ("certutil -S -z " + noise_file + " -g 2048 -d "+ db_dir +"/ -n " +
+              name +" -v 120 -m "+ str(random.randint(100,40000000)) +" -s 'CN=" + name +
+              ",O=PSM Testing,L=Mountain View,ST=California,C=US'" +
+              " -t C,C,C -c "+ ca_nick +" --certVersion="+ str(int(cert_version)))
+  if (do_bc):
+    child = pexpect.spawn(base_exec_string + " -2")
+    child.logfile = sys.stdout
+    child.expect('Is this a CA certificate \[y/N\]?')
+    if (is_ee):
+        child.sendline('N')
+    else:
+        child.sendline('y')
+    child.expect('Enter the path length constraint, enter to skip \[<0 for unlimited path\]: >')
+    child.sendline('')
+    child.expect('Is this a critical extension \[y/N\]?')
+    child.sendline('')
+    child.expect(pexpect.EOF)
+  else:
+    os.system(base_exec_string)
+  os.system("certutil -d "+ db_dir + "/ -L -n "+ name +" -r > " + out_name)
+
+def generate_ee_family(db_dir, dest_dir, noise_file, ca_name):
+  name = "v1_ee-"+ ca_name;
+  generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 1, False, True)
+  name = "v1_bc_ee-"+ ca_name;
+  generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 1, True, True)
+
+  name = "v2_ee-"+ ca_name;
+  generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 2, False, True)
+  name = "v2_bc_ee-"+ ca_name;
+  generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 2, True, True)
+
+  name = "v3_missing_bc_ee-"+ ca_name;
+  generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 3, False, True)
+  name = "v3_bc_ee-"+ ca_name;
+  generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 3, True, True)
+
+  name = "v4_bc_ee-"+ ca_name;
+  generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 4, True, True)
+
+def generate_intermediates_and_ee_set(db_dir, dest_dir, noise_file, ca_name):
+  name =  "v1_int-" + ca_name;
+  generate_child_cert(db, srcdir, noise_file, name, ca_name, 1, False, False)
+  generate_ee_family(db, srcdir, noise_file, name)
+  name = "v1_int_bc-" + ca_name;
+  generate_child_cert(db, srcdir, noise_file, name, ca_name, 1, True, False)
+  generate_ee_family(db, srcdir, noise_file, name)
+
+  name =  "v2_int-" + ca_name;
+  generate_child_cert(db, srcdir, noise_file, name, ca_name, 2, False, False)
+  generate_ee_family(db, srcdir, noise_file, name)
+  name = "v2_int_bc-" + ca_name;
+  generate_child_cert(db, srcdir, noise_file, name, ca_name, 2, True, False)
+  generate_ee_family(db, srcdir, noise_file, name)
+
+  name =  "v3_int_missing_bc-" + ca_name;
+  generate_child_cert(db, srcdir, noise_file, name, ca_name, 3, False, False)
+  generate_ee_family(db, srcdir, noise_file, name)
+  name = "v3_int-" + ca_name;
+  generate_child_cert(db, srcdir, noise_file, name, ca_name, 3, True, False)
+  generate_ee_family(db, srcdir, noise_file, name)
+
+def generate_ca(db_dir, dest_dir, noise_file,  name, version, do_bc):
+  generate_ca_cert(db_dir, dest_dir, noise_file,  name, version, do_bc)
+  generate_intermediates_and_ee_set(db_dir, dest_dir, noise_file, name)
+
+def generate_certs():
+  [noise_file, pwd_file] = init_nss_db(db)
+  generate_ca(db, srcdir, noise_file, "v1_ca", 1, False )
+  generate_ca(db, srcdir, noise_file, "v1_ca_bc", 1, True)
+  generate_ca(db, srcdir, noise_file, "v2_ca", 2, False )
+  generate_ca(db, srcdir, noise_file, "v2_ca_bc", 2, True)
+  generate_ca(db, srcdir, noise_file, "v3_ca", 3, True )
+  generate_ca(db, srcdir, noise_file, "v3_ca_missing_bc", 3, False)
+
+generate_certs();